KYC (Know Your Customer) measures focus on verifying the identity of customers and sufficiently understanding their background and risk profile. They are part of the general AML (Anti-Money Laundering) duties that almost all companies are requested to perform.
The 4th AMLD (Anti-Money Laundering Directive, Directive (EU) 2015/849) states that «customer due diligence measures shall comprise», among other things, «identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source.»
Hence, crypto-businesses are under a statutory duty to establish AML programs similar to those of traditional institutions: client identification at the time of onboarding, transaction monitoring for suspicious activities, and sanctions list screening.
In its July 2014 Opinion, the European Banking Authority (EBA) recommended bringing into the scope of the AMLD crypto-to-fiat exchanges and providers of virtual currency custodian wallet services to mitigate the risks of money laundering and/or the financing of terrorism arising from those activities.
Legislative amendments to this effect were ultimately agreed in the context of the 5AMLD negotiations, such that providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers, are “obliged entities” within the scope of the AMLD.
As is well known, the AMLD5 is required to be implemented into national law by 10th January 2020. In the crypto-world, third-party providers usually run KYC processes. Even when an external tool is used, the blockchain company remains responsible for such controls.
While the identification of a customer is now quite an easy task, it must be noted that the crypto-market exposes its operators to unique risks and challenges, especially when it comes to the detection of suspicious activities.
A pain in the neck: the crypto-assets provenance
The nature of the blockchain and its underlying encryption features allow for a higher degree of privacy and anonymity for certain crypto-assets.
On the one hand, the counterparty of a crypto-transaction is identified not by a name or an account number, but by a cryptographic address. These addresses can be created at any time, by anyone, anywhere in the world. And many of them have no available KYC information.
On the other hand, the blockchain itself preserves all the addresses and transactions involved and makes them accessible to anyone.
Further, emerging cryptographic mechanisms (including zero-knowledge proofs, ring signatures, and other privacy-focused approaches) might impact an organisation’s ability to determine the provenance of some crypto-assets.
In a recent written advice (9 January 2019 | ESMA50-157-1391), the European Securities and Markets Authority highlighted «the need to appreciate the risks not only in relation to the issuance and distribution of crypto-assets, but also their trading and their safekeeping, i.e.: the whole lifecycle of crypto-assets.»
It goes without saying that a certain degree of anonymity does not mean that a transaction is intrinsically illegal or malicious. In any case, anonymity presents a unique challenge to KYC programs: how to maintain the ability to assess the provenance of a customer’s crypto-asset? How to identify the parties the client is transacting with? How to monitor the overall crypto-transaction activity?
The blockchain is a problem and a solution at the same time. It provides crypto-businesses with a technological advantage to analyse and determine the provenance of customers’ crypto-assets. This is not an easy task, but third-party providers can be of help.
By using external investigation tools, crypto-businesses have the chance to build a view of the provenance of customers’ crypto-assets and mitigate the risk of being involved in unlawful uses of cryptos.
KYC programs are not a mere matter of compliance
KYC protocols prove that a company conducts its business in a trustworthy manner and, in this way, can attract a more reliable clientele. Each customer is guaranteed that they will always deal with users as honest and dependable as they are.
Then, KYC best practices help a business to gather useful data about its clients’ profiles. With full respect for the applicable data protection regulations, it can offer them customised solutions to better serve their needs.
Finally, while its compliance unit guarantees the compliance of the company with the law, the rest of the team can focus on designing excellent applications to make the most complex technology accessible for everyone, and valuable resources are not funnelled away from its core business.