KYC Explained: Crypto and Compliance Are The Odd Couple, But They Must Get On
Almost 20 years after the first AML (Anti-Money Laundering) legislation arrived, regulators across the world are working to establish global KYC (Know Your Customer) standards that are now being applied to fintech and cryptocurrencies in particular. A technology sector that began with the idea of anonymous peer-to-peer payments is now seeing the value in aligning with traditional finance, and that means compliance with KYC regulations.
February 13. 2020 – by Anti Danilevski
Founder & CEO of Kick Ecosystem
Although our technology is light years ahead in some respects, crypto’s attitude to KYC has been cavalier at best, and in some cases criminally negligent (or just criminal). All that is changing, but the debate about how KYC and cryptocurrencies interact is just getting started.
“The future of personal data is the absence of personal data: all the information will be public because it is simply impossible to conceal it”
As a result of the digitisation of global finance and ever more restrictive regulations, the compliance industry is booming. What was once a minor department which caused occasional headaches for investment bankers and traders is now becoming a crucial hub for big data.
KYC is the process of verifying who you are, where your money comes from and what you do with it. No one reading this will have escaped its grasp. Between 2000 and 2010, KYC and AML legislation was passed in a wide range of jurisdiction, from the US and Canada to the majority of European nations, South African, Russian, India, Singapore, South Korea, China and Japan to name just a few. As a result, it became mandatory for banks and related financial institutions to comply with AML regulations.
Fintech companies such as cryptocurrency exchanges now view fiat on-ramps as an essential component of their product. That has created a reliance on banks and payment processors who demand the same levels of compliance they are held to themselves. Russia is one of several nations to introduce more robust KYC protocols governing the anonymous trading of digital currencies, and many more will follow suit.
For virtually all organisations who deal with payments, KYC is in place to prevent criminal activity such as fraud, money laundering, terrorist financing, use of stolen funds, bribery, corruption and other suspicious activity. Much of KYC to date has involved begrudging compliance with regulatory requirements, often in the name of consumer protection. But ultimately, it is about managing risk.
Larger businesses often administer their own KYC through internal teams while smaller businesses outsource verification processes to third-parties. Regardless of who manages KYC, the process is usually the same. Customers must send proof of ID, address, bank statements and sometimes explain the source of their funds.
How sensitive documents are stored is as important as how they are used. In the pre-cloud era, banks would employ redundancy to insure against the loss of a single document. Files would be copied and stored on a variety of unconnected servers.
Thanks to Amazon and other cloud storage providers, institutions and third-party verification providers now encrypt KYC information to AES-256 standards and store it securely in cloud servers such as Amazon S3, though this approach is by no means the standard.
A mixed picture of success
Despite the latest security measures, breaches are inevitable. The personal information of millions of users is stolen every year from the world’s most respected data centres and the most valuable technology companies. When that happens, consumers are hung out to dry. If your passport, bank details or address are leaked, the genie is out of the bottle. Consumers are put at risk, and huge punitive fines are levied on companies who fall short of their obligations. KYC may be in place to protect consumers and businesses from harm, but in solving one issue, it has created another.
The onboarding process is also cumbersome for both consumer and business. Compliance is an obstacle to effective acquisition, while ongoing compliance requests can spur consumers into looking elsewhere.
Current solutions are neither portable, universal or scalable. As compliance becomes more complex, costs soar. It’s estimated that companies spend a third of a trillion dollars on compliance every year.
These challenges must be met, but there’s no need to throw the baby out with the bathwater. By identifying and eliminating malicious participants from an ecosystem, companies not only reduce their own regulatory risks, but also build consumer trust, brand reputation and credibility with banking partners.
Personal data is a myth
There is NO personal data anymore. All your data that you once uploaded on Facebook, Instagram, any newsletters or even a bank has already leaked into the darknet. Your face is already being tracked and recognized in the streets and the subway by the cameras. The same happens with your fingerprints, purchases, cards, bills, doctor and beauty salon visits. All of it is already stored in the database of the governmental departments. The leaks are happening weekly, the thing is that not all of them appear in the news. Hence, fearing KYC is simply stupid and pointless.
The future of personal data is the absence of personal data: all the information will be public because it is simply impossible to conceal it. There soon will be a change in the whole concept of personal data, we are all waiting for complete transparency and openness. GDPR (General Data Protection Regulation) is a big mistake, an attempt to scoop out some water from a boat with a spoon, while there is a huge hole in it. However, so far we have to put up with this, since at Kick Ecosystem we are legal and act in accordance with the laws and regulations.
KYC in crypto
In the anarchic early years of Bitcoin and the first cryptocurrency exchanges, KYC was virtually unheard of. Users could transact without sharing their identity, often without even creating an account.
Now most major exchanges and crypto financial service providers have bowed to pressure from government agencies and implemented KYC measures. Users have voiced their anger, yet they encounter and accept these processes frequently in their daily lives. Within its community, crypto is still seen as a renegade force. Yet where shareholders are concerned, businesses need to play by the rules in order to attract investment and achieve exponential growth. Although progress is being made to root out illegal or unethical behaviour and legitimise our industry, over two-thirds of crypto exchanges still lacked adequate KYC last year.
Those who continue to operate without KYC will be constantly at risk, and likely will need to operate from obscure or secretive jurisdictions which insulate them from legal action. That approach hardly fills users with confidence, and ultimately they will end up cater to dark money and a small niche of legitimate, privacy-conscious consumers and as a result, expansion is virtually impossible. Meanwhile, FINMA (Swiss Financial Market Supervisory Authority) increased demands for KYC last week: now all transactions above 1000$ must obligatory pass with KYC. Previously, the limit was 5000$.
Decentralised exchanges (DEX) were once viewed as the next wave of crypto exchanges. Anonymous peer-to-peer trading can supposedly solve many of the issues with centralised exchanges, including the need for KYC. Major exchanges have already implemented their own versions of DEX but they have cherry-picked the benefits of decentralisation – lower infrastructure costs, enhanced security and user-controlled funds – but kept KYC in place. No prizes for guessing why.
Crypto is a global game and if you want to expand into new markets, you’ll need to show a track record of corporate responsibility. It’s an incredibly disruptive sector, but that doesn’t mean we have to disrupt everything we touch. Selective disruption is the smart play. Getting the right provider who can deliver a seamless experience, at a low cost to you, and guarantee (as much as it’s possible) data security – this is the real challenge we face.
The future of KYC
At the moment we are seeing the emergence of RegTech 3.0, regulatory technology which digitises a wide range of compliance processes. RegTech is designed to reduce overheads, improve consumer protection and detect risk well before regulators get involved. It harnesses a blend of emerging technologies such as AI, machine learning, RPA and biometrics, but it also signals a significant change in strategic direction. Rather than an isolated review of customers and their behaviour, compliance is now being seen as a valuable source of data, managed largely by automation and utilised to drive business goals.
Self-sovereign identity is another concept being actively explored by researchers in the blockchain world who seek an alternative to centralised online identity where verifiers, not the verified, are in control.
Decentralised digital identity (DID) enables us, in theory, to maintain total ownership of our personal data. When required, we can grant finely-grained access to individual elements of our personal data rather than an entire document, where many details may not be needed. DID is portable, allowing users to choose without being stuck with a single provider. No hacks. No forced oversharing of data.
DID uses a combination of decentralised and privacy technologies such as blockchain and zero-knowledge proofs. Systems based on verifiable claims are being built by the likes of IOP, uPport and IBM.
By creating a single, trusted source of data, decentralised identity solutions promise to eliminate data theft, streamline user and institutional processes and put the user at the centre of the compliance equation.
Yet DID still requires a trusted authority to verify data and issue credentials, and some standardisation will also need to be agreed on. Notoriously protective corporations are unlikely to give up their proprietary solutions either. For a trustless solution, plenty of trust is required. GDPR and the right to be forgotten are other potential banana skins, and there’s a concern about the reliability of technology so new it can barely be called ‘emerging’. Faced with the threat of massive fines and an exodus of disaffected customers if things go wrong, it’s a brave institution that takes a punt on untried technology that may not meet regulatory requirements in a fast-changing environment.
Decentralised identity and its application in KYC is a concept with extraordinary potential, but it’s not one I’m betting our chips on just yet.
The Kick Ecosystem approach
At this stage in the evolution of compliance technology, Kick Ecosystem isn’t ready to take a leap of faith. Selecting the right KYC partner for our new KickEX crypto exchange, which we will launch later this year, was an important choice. We’ll be using Sum & Substance, one of the market leaders in online verification and KYC/AML in Central, Eastern Europe and Asia, to assist us in onboarding our traders, meeting our regulatory obligations and managing risk.
Their crypto-specific compliance toolkit will keep our overheads and risk to a minimum while reassuring our users that we’re focused on providing a safe, secure and fraud-free platform.
We at Kick Ecosystem reduce the risks by not storing personal data in our space. If we get hacked, then no one will receive any passports, photographs or anything else from the users. We store data, passwords, and everything important in an encrypted form, initially understanding that our users can and will become the target of the hackers. Therefore, in our case, KYC is a completely safe and correct solution that protects you, for example, from buying cryptocurrency or other assets obtained from the sale of weapons or drugs, and, therefore, from becoming a participant of a crime, literally criminal money laundering.
Criticism of the existing KYC landscape is understandable and necessary. Costs are spiralling, consumers hate the inconvenience and intrusion, and if the great data miners of our time like Facebook and Equifax cannot keep our personal information safe, what hope is there for data privacy?
Frankly, your data has never been safe. One view, albeit a depressing one, is simply to assume that privacy is a fantasy and that to a degree, your data is always at risk. It’s likely that some aspects of your personal information, and mine, have been compromised already. As consumers, all we can do is pick platforms we trust, follow best security practices such as Two Factor Authentication, and assume the worst.
For a nascent, high-risk, scam-heavy sector like cryptocurrencies which has been unregulated for most of its short history, the benefits of KYC far outweigh the cost.
I have faith that the RegTech revolution will reduce friction and cost in the medium term ,while we wait for the self-sovereign pioneers to usher in the next Age of Identity. In the meantime, if you’re a legitimate crypto enterprise who wants access to honest customers in the most commercially important jurisdictions, the question is not whether to KYC, but how.
Crypto cannot challenge the existing order without playing by some of their rules. With KYC, the juice is worth the squeeze.