
Crypto KYC: Identity Verification Requirements for Exchanges

What crypto KYC requires: the four CDD measures, the customer data collected, EU and US thresholds, beneficial ownership, PEP/EDD and the Travel Rule.


Crypto KYC is the identity layer that turns a crypto exchange from an open marketplace into a regulated obliged entity. Founders and compliance officers searching "crypto KYC" rarely want a dictionary definition. They want the concrete obligation: which data to collect, how to verify it, which thresholds trigger checks, and how the rules differ between the European Union and the United States. This guide answers those questions from primary statutory sources, then routes you to the wider crypto compliance requirements framework.

What is crypto KYC? (definition and why exchanges must do it)

Crypto KYC (Know Your Customer) is the anti-money-laundering law process of Customer Due Diligence (CDD): identifying a customer, verifying their identity from a reliable and independent source, and monitoring the relationship over time. It is not a generic onboarding step. It is a legal obligation that binds crypto exchanges as obliged entities under both EU and US law (AMLR Art. 20; 31 CFR 1023.220).

The reason exchanges must run KYC is structural. Anti-money-laundering and counter-terrorist-financing law treats financial intermediaries as gatekeepers. If an exchange does not know who its customers are, it cannot detect illicit flows, freeze sanctioned parties, or file the reports regulators expect. KYC is therefore the foundation on which transaction monitoring, sanctions screening and suspicious-activity reporting are built. Skip it, and every downstream control fails.

Throughout this guide, "crypto KYC" and "CDD" describe the same legal substance. KYC is the operational name the industry uses; CDD is the term written into the statutes. Where a figure or article number appears, it comes from primary law, and FATF figures are flagged because the FATF text could not be verified directly (see the comparison section).

KYC, CDD and EDD: how the terms relate

Three acronyms dominate this field, and conflating them is a common compliance error. KYC and CDD describe the baseline identity process that every customer goes through. Enhanced Due Diligence (EDD) is the intensified version of that process, applied only to higher-risk customers (AMLR; 4AMLD Arts. 20–22).

In practice the relationship is a tier. CDD is the floor that applies to all onboarding. EDD adds extra steps, such as senior-management approval and establishing source of wealth, when a customer is a politically exposed person, sits in a high-risk third country, or enters a cross-border correspondent relationship. Simplified due diligence sits below the floor for demonstrably low-risk situations, but it never removes the obligation entirely. For an exchange, the working model is simple: run CDD on everyone, escalate to EDD where risk indicators fire.

Who is obliged: CASP, MSB and VASP

One real-world actor, a crypto exchange, carries three legal labels depending on jurisdiction. In the European Union it is a crypto-asset service provider (CASP) authorised under MiCA, subject to the AML single rulebook. In the United States it typically operates as a money transmitter and money services business (MSB) under 31 CFR 1010.100(ff), which captures transmission of "other value that substitutes for currency." Globally, the FATF standard-setter calls it a virtual asset service provider (VASP).

Reconciling these labels matters because the underlying KYC duty is the same while the statutory hooks differ. An EU CASP looks to the AMLR and 4AMLD; a US MSB looks to the Bank Secrecy Act, its Customer Identification Program and its AML-program rule. The FATF VASP framework is the connective tissue that both regimes transpose. For the licensing path behind each label, see licensed VASP obligations and exchange licensing.


The four customer due diligence (CDD) measures

EU anti-money-laundering law sets out four CDD measures that every obliged entity, including a crypto exchange, must apply. They are the core of crypto KYC and appear, in materially identical form, in the AML single rulebook and the directive it builds on (AMLR Art. 20; 4AMLD Art. 13).


1. Identify and verify the customer

The first measure is to identify the customer and verify that identity using documents, data or information from a reliable and independent source (AMLR Art. 20; 4AMLD Art. 13). "Reliable and independent" is the operative phrase: the exchange cannot simply accept a self-declared name. It must cross-check against a source it did not control, whether a government ID, an authoritative database, or a regulated data provider.

2. Identify the beneficial owner

Where the customer is a legal entity, the exchange must identify the beneficial owner and take reasonable measures to verify that person: the natural person or persons who ultimately own or control the entity. The EU indicator is a shareholding of 25% plus one share or ownership above 25% (AMLR Art. 20; 4AMLD Art. 3(6)). The beneficial-ownership section below expands this point.

3. Assess the purpose and nature of the relationship

The third measure requires the exchange to assess, and where relevant obtain information on, the purpose and intended nature of the business relationship (AMLR Art. 20; 4AMLD Art. 13). For an exchange this typically means understanding why the customer is trading, expected volumes, and the source of the assets being deposited, so that later activity can be measured against a baseline.

4. Ongoing monitoring

The fourth measure is ongoing monitoring of the business relationship: scrutinising transactions to ensure they are consistent with the customer's risk profile and keeping documents and data up to date (AMLR Art. 20; 4AMLD Art. 13). Monitoring is not a one-time gate at onboarding; it is a continuing statutory pillar, explored in its own section below.


What customer data must a crypto exchange collect?

The clearest statutory data list comes from the US Customer Identification Program, which sets a defined minimum that exchanges in many jurisdictions treat as a practical baseline (31 CFR 1023.220). The EU does not enumerate identical fields, but its "reliable and independent source" standard produces a comparable data set in practice.

Minimum identifying data (US CIP)

Before opening an account, the obliged entity must obtain at minimum the following identifying information for each customer (31 CFR 1023.220(a)(2)(i)):

  • Name.
  • Date of birth (for individuals).
  • Address (a residential or business street address).
  • Identification number. For US persons, a taxpayer identification number (SSN or TIN). For non-US persons, a passport number and country of issuance, an alien identification card number, or the number and country of another government-issued document evidencing nationality or residence.

This is the floor, not the ceiling. Many exchanges collect additional attributes such as nationality and occupation to support risk scoring, but the four items above are the statutory minimum a US CIP must capture and verify.

Proof of address and biometric / liveness checks

Two checks that customers encounter constantly, a proof-of-address document and a biometric or liveness selfie, are industry practice and supervisory expectation rather than a single named statutory line item. Proof of address (a utility bill or bank statement) supports the verification of the residential address, and biometric liveness binds the submitted document to the live person (31 CFR 1023.220; EU "reliable and independent source", AMLR). Present them to your customers as what they are: well-established methods of meeting the legal verification standard, not extra statutory obligations.

How does a crypto exchange verify identity?

Identity verification under the US CIP falls into two families, documentary and non-documentary, both anchored to the same goal: confirming the customer is who they claim to be from a source the exchange did not manufacture (31 CFR 1023.220). EU law frames the same expectation through its "reliable and independent source" standard (AMLR Art. 20).

Documentary verification

Documentary verification relies on original or certified documents. For an individual, the standard is an unexpired government-issued photo identification, such as a passport or driver's licence. For a legal entity, the exchange examines formation and registration documents, such as articles of incorporation or a certificate of good standing (31 CFR 1023.220). This is usually the first route an exchange attempts, because a clean government document satisfies the verification standard directly.

Non-documentary verification

Where documents are insufficient or unavailable, non-documentary methods fill the gap. The CIP recognises contacting the customer, comparing the submitted data against consumer-reporting or other database sources, checking references with another financial institution, and obtaining financial statements (31 CFR 1023.220). For a digital-first exchange, electronic database checks and consumer-reporting matches do much of this work at onboarding scale.

Recordkeeping, government-list comparison and customer notice

Verification does not end when the account opens. The CIP requires the exchange to retain the identifying information for five years, to compare each customer against government lists of known or suspected terrorists, and to provide customers with notice that it is collecting information to verify identity (31 CFR 1023.220). These three obligations turn a one-off check into a durable, auditable record.


From our practice. In our advisory work helping exchange operators set up KYC programmes, the recurring failure point is not the document capture step but the documentation of decisions. Regulators rarely fault an exchange for collecting the wrong field; they fault it for being unable to show, after the fact, why a borderline customer was accepted, why a verification method was chosen, or when data was last refreshed. We design KYC procedures so that the four CDD measures and the five-year recordkeeping duty are evidenced by default, not reconstructed under examination pressure.

Beneficial ownership and the 25% threshold

When the customer is a company rather than a person, the exchange must look through the corporate veil to the natural person in control. EU law sets a clear quantitative indicator: a beneficial owner is, in the first instance, a natural person holding 25% plus one share or an ownership interest of more than 25% in the customer entity (AMLR Art. 20; 4AMLD Art. 3(6)). Member States may set lower indicators.

Identifying and verifying the natural person in control

The obligation is to identify the natural person or persons who ultimately own or control the legal-entity customer, and to take reasonable measures to verify that identity (AMLR Art. 20; 4AMLD Art. 3(6)). Where no natural person can be identified through the ownership test, senior managing officials may be treated as beneficial owners so that the chain never ends in a void. For a layered ownership structure, this can mean tracing through multiple entities until a qualifying natural person is found.
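The look-through described above is a graph problem: multiply shares along each chain of intermediate entities, sum across chains, then test each natural person against the indicator and fall back to senior managing officials when nobody clears it. The following Python is an added illustration, not code from this guide or any regulator; the company and person names are constructed, the 25% indicator is a parameter because Member States may set a lower figure, and the US equity/control prongs are deliberately not modelled since the guide flags that rule as unverified. Circular cross-holdings are stopped and flagged for manual review rather than silently ignored.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical names). A legal entity maps to its direct
# holders as (holder, share of the entity). A name with no entry is a natural person.
DIRECT_HOLDERS: Dict[str, List[Tuple[str, Fraction]]] = {
    "CustomerCo Ltd": [("HoldCo A", Fraction("0.60")), ("HoldCo B", Fraction("0.30")),
                       ("Dana Example", Fraction("0.10"))],
    "HoldCo A": [("Alex Example", Fraction("0.50")), ("Bo Example", Fraction("0.50"))],
    "HoldCo B": [("Chris Example", Fraction("1"))],
    # Dispersed ownership: nobody clears the indicator, so the fallback applies.
    "WideCo Ltd": [(f"Investor {i} Example", Fraction("0.20")) for i in range(1, 6)],
    # Cross-holding: CycleHold owns CycleCo, which in turn owns CycleHold.
    "CycleCo Ltd": [("CycleHold GmbH", Fraction("0.50")), ("Eve Example", Fraction("0.50"))],
    "CycleHold GmbH": [("CycleCo Ltd", Fraction("1"))],
}

# Constructed: senior managing officials recorded for each customer entity.
SENIOR_MANAGING_OFFICIALS: Dict[str, List[str]] = {
    "CustomerCo Ltd": ["Morgan Example (CEO)"],
    "WideCo Ltd": ["Sam Example (Managing Director)"],
    "CycleCo Ltd": ["Finn Example (Director)"],
}

# EU indicator: ownership of "more than 25%" (25% plus one share). Member States may set lower.
EU_INDICATOR = Fraction("0.25")


@dataclass
class BeneficialOwnerResult:
    owners: Dict[str, Fraction]       # effective ownership per natural person
    beneficial_owners: List[str]      # persons clearing the indicator, or fallback officials
    fallback_used: bool               # True when senior managing officials were substituted
    review_flags: List[str] = field(default_factory=list)


def effective_ownership(entity: str, holders=DIRECT_HOLDERS):
    """Trace ownership through intermediate entities.

    Shares are multiplied along a chain and summed across chains, using exact
    fractions so a holding sitting exactly on the indicator is never misjudged by
    floating-point rounding. Returns (ownership per natural person, review flags).
    """
    owners: Dict[str, Fraction] = {}
    flags: List[str] = []

    def walk(node: str, fraction: Fraction, path: Tuple[str, ...]) -> None:
        if node not in holders:                      # leaf: a natural person
            owners[node] = owners.get(node, Fraction(0)) + fraction
            return
        if node in path:                             # circular holding: stop and flag
            flags.append(f"circular holding through {node}: share left unallocated, manual review")
            return
        for holder, share in holders[node]:
            walk(holder, fraction * share, path + (node,))

    walk(entity, Fraction(1), ())
    return owners, flags


def determine_beneficial_owners(entity: str, indicator: Fraction = EU_INDICATOR,
                                holders=DIRECT_HOLDERS,
                                officials=SENIOR_MANAGING_OFFICIALS) -> BeneficialOwnerResult:
    """Apply the ownership test, then the senior-managing-official fallback."""
    owners, flags = effective_ownership(entity, holders)
    qualifying = sorted(person for person, share in owners.items() if share > indicator)
    if qualifying:
        return BeneficialOwnerResult(owners, qualifying, False, flags)
    # No natural person clears the ownership test: the chain must not end in a void.
    fallback = list(officials.get(entity, []))
    if not fallback:
        flags.append("no qualifying natural person and no senior managing official recorded")
    return BeneficialOwnerResult(owners, fallback, True, flags)


if __name__ == "__main__":
    for name in ("CustomerCo Ltd", "WideCo Ltd", "CycleCo Ltd"):
        result = determine_beneficial_owners(name)
        print(name, "->", result.beneficial_owners,
              "(fallback)" if result.fallback_used else "", result.review_flags)
```

In the constructed data Alex, Bo and Chris each hold an effective 30% of CustomerCo Ltd through the two holding companies and are recorded as beneficial owners, while Dana's direct 10% is not; WideCo Ltd resolves to its managing director via the fallback, and CycleCo Ltd returns Eve plus a flag that the cross-held 50% could not be allocated.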

EU vs US beneficial-ownership approach

The EU codifies a 25% statutory threshold. The US takes a different route: a risk-based Customer Identification Program plus a separate Customer Due Diligence rule for legal-entity customers that combines an equity prong and a control prong (31 CFR 1023.220). The precise text of the US beneficial-ownership rule (31 CFR 1010.230) was not verified at the source for this guide, so present the US side at concept level and confirm the exact prongs before relying on them operationally (see Open questions).


Enhanced due diligence (EDD), PEPs and sanctions screening

Baseline CDD is not always enough. EU law requires Enhanced Due Diligence in defined higher-risk situations, and both regimes expect continuous screening against sanctions and watchlists (4AMLD Arts. 20–22; 31 CFR 1023.220).

When EDD applies

EDD is triggered by elevated risk rather than customer choice. The principal triggers are politically exposed persons, customers connected to high-risk third countries, and cross-border correspondent relationships (AMLR; 4AMLD). When a trigger fires, the exchange does not refuse the customer automatically; it applies additional measures proportionate to the risk and documents the rationale.

Extra checks for politically exposed persons (PEPs)

A PEP is a person who holds, or has held, a prominent public function, and their family members and close associates. For PEPs, EU law requires three additional steps: senior-management approval to establish or continue the relationship, establishing the source of wealth and source of funds involved, and enhanced ongoing monitoring (4AMLD Arts. 20–22). FATF Recommendation 12 is the international PEP standard that this transposes (FATF Recommendations).

Sanctions, PEP and adverse-media screening

Screening sits alongside CDD as a continuous control. US CIP rules require comparison against government lists of known or suspected terrorists (31 CFR 1023.220), and sanctions, PEP and adverse-media screening at onboarding and on an ongoing basis is standard obliged-entity practice under both regimes. Because there is no dedicated sanctions page in our library, the wider crypto compliance requirements pillar covers sanctions screening in context, and our AML red flags guide complements the transaction-monitoring side.

Ongoing monitoring and re-verification

Ongoing monitoring is frequently misunderstood as a separate compliance task. It is not. It is the fourth statutory CDD pillar, written into the same articles as customer identification (AMLR Art. 20; 4AMLD Art. 13). KYC therefore does not finish at onboarding; it runs for the life of the relationship.

Transaction scrutiny against the risk profile

The monitoring duty has two limbs. First, scrutinise transactions throughout the relationship to ensure they remain consistent with the customer's risk profile and, where necessary, the source of funds. Second, keep the underlying documents and data current (AMLR Art. 20; 4AMLD Art. 13). Activity that diverges sharply from the baseline established during onboarding is exactly what monitoring is designed to surface.

How often must KYC be refreshed?

Re-verification flows from the duty to keep customer data up to date, but the law does not fix a single calendar interval. Periodicity is risk-based: higher-risk customers and PEPs are refreshed more often than low-risk retail accounts (AMLR Art. 20; 4AMLD Art. 13). We deliberately do not state a fixed number of months here, because no statute sets one; an exchange should define its own risk-tiered review cycle and be able to justify it. KYC is one component of a broader programme, so it is best designed alongside the steps to build an AML program.

The crypto Travel Rule: what data must accompany a transfer?

Running parallel to KYC is the Travel Rule, a recordkeeping and transmission obligation that requires originator and beneficiary data to travel with a transfer. For crypto, the EU and US rules diverge sharply on thresholds, which makes this one of the most misunderstood corners of compliance (TFR Art. 14; 31 CFR 1010.410(f)). For a deeper treatment, see the crypto Travel Rule.

EU Travel Rule (TFR Art. 14): no de-minimis for crypto transfers

Under the EU Transfer of Funds Regulation, a crypto-asset transfer must be accompanied by originator information (name; the DLT address or crypto-asset account number; plus the address, official personal document number or customer identification number, or alternatively the date and place of birth) and beneficiary information (name; DLT address or account number) (TFR Art. 14). Critically, there is no de-minimis threshold for crypto transfers: the requirement applies regardless of amount and whether the transfer is domestic or cross-border. The exact field list above is reproduced from a summarised reading of the article and is flagged for verification against the statute text (see Open questions).

Self-hosted (unhosted) wallet transfers above EUR 1,000

For transfers to or from a self-hosted (unhosted) wallet that exceed EUR 1,000, the CASP must take adequate measures to assess whether the wallet address is owned or controlled by its own customer (TFR Art. 14(5)). This is not a ban on self-hosted transfers; it is an extra verification step above the EUR 1,000 line, sitting on top of the no-threshold data-transmission duty.

US BSA Travel Rule (USD 3,000)

The US Travel Rule operates on a different model. It applies at USD 3,000 or more (31 CFR 1010.410(f)). At or above that threshold the transmittor's financial institution must obtain, retain and transmit the transmittor's name, address, account number, the amount and the execution date, plus the recipient's name, address, account and any identifier "to the extent received." Intermediary and receiving institutions must forward the data downstream.
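The EU and US sections above describe two different data duties: an EU field list with no de-minimis plus a separate ownership assessment for self-hosted wallets above EUR 1,000, and a US duty that starts at USD 3,000. A pre-transmission completeness check is the natural control to build from them. The Python below is an added example, not code from this guide; the transfer records are constructed, the field names are assumed, and the EU field list encodes the summarised reading given above, which the guide flags for confirmation against TFR Art. 14. Each function returns a list of gaps, so an empty list means the transfer may proceed.

```python
from decimal import Decimal
from typing import Dict, List

# Thresholds as stated in the guide. Note the different comparison operators:
# TFR Art. 14(5) applies to transfers that "exceed" EUR 1,000 (strictly greater),
# 31 CFR 1010.410(f) applies at "USD 3,000 or more" (greater or equal).
EU_SELF_HOSTED_ASSESSMENT_ABOVE_EUR = Decimal("1000")
US_TRAVEL_RULE_FROM_USD = Decimal("3000")


def _present(record: Dict, key: str) -> bool:
    return bool(record.get(key))


def eu_travel_rule_findings(transfer: Dict) -> List[str]:
    """Gaps in the data that must accompany a crypto-asset transfer under the EU TFR.

    There is no de-minimis threshold, so the field checks run for every amount.
    Field list as summarised in the guide (confirm against TFR Art. 14).
    """
    findings: List[str] = []
    o = transfer.get("originator", {})
    b = transfer.get("beneficiary", {})
    if not _present(o, "name"):
        findings.append("originator name missing")
    if not (_present(o, "dlt_address") or _present(o, "account_number")):
        findings.append("originator DLT address or account number missing")
    # One identifier suffices: address, official document number, customer ID,
    # or alternatively date AND place of birth together.
    has_identifier = (_present(o, "address") or _present(o, "document_number")
                      or _present(o, "customer_id")
                      or (_present(o, "birth_date") and _present(o, "birth_place")))
    if not has_identifier:
        findings.append("originator identifier missing (address, document number, "
                        "customer ID, or date and place of birth)")
    if not _present(b, "name"):
        findings.append("beneficiary name missing")
    if not (_present(b, "dlt_address") or _present(b, "account_number")):
        findings.append("beneficiary DLT address or account number missing")
    # Self-hosted wallet above EUR 1,000: the CASP must have assessed whether the
    # address is owned or controlled by its own customer. Not a ban, an extra step.
    if (transfer.get("counterparty_self_hosted")
            and Decimal(transfer["amount_eur"]) > EU_SELF_HOSTED_ASSESSMENT_ABOVE_EUR
            and not transfer.get("self_hosted_ownership_assessed")):
        findings.append("self-hosted wallet above EUR 1,000: ownership/control assessment not recorded")
    return findings


def us_travel_rule_findings(transfer: Dict) -> List[str]:
    """Gaps in transmittor data under the US BSA Travel Rule (31 CFR 1010.410(f)).

    Below USD 3,000 the data duty does not apply. Recipient fields travel
    "to the extent received", so their absence is not reported as a gap here.
    """
    if Decimal(transfer["amount_usd"]) < US_TRAVEL_RULE_FROM_USD:
        return []
    findings: List[str] = []
    t = transfer.get("transmittor", {})
    for key in ("name", "address", "account_number"):
        if not _present(t, key):
            findings.append(f"transmittor {key} missing")
    if not _present(transfer, "execution_date"):
        findings.append("execution date missing")
    return findings


# Constructed sample transfers (hypothetical values).
EU_COMPLETE = {
    "amount_eur": "500", "counterparty_self_hosted": False,
    "originator": {"name": "A. Example", "dlt_address": "addr_orig_example",
                   "birth_date": "1990-01-01", "birth_place": "Exampletown"},
    "beneficiary": {"name": "B. Example", "account_number": "ACC-EXAMPLE-1"},
}
EU_SELF_HOSTED_1500 = {**EU_COMPLETE, "amount_eur": "1500", "counterparty_self_hosted": True}
EU_SELF_HOSTED_1000 = {**EU_COMPLETE, "amount_eur": "1000", "counterparty_self_hosted": True}
EU_BIRTH_DATE_ONLY = {**EU_COMPLETE,
                      "originator": {"name": "A. Example", "dlt_address": "addr_orig_example",
                                     "birth_date": "1990-01-01"}}
US_BELOW = {"amount_usd": "2500", "transmittor": {"name": "C. Example"}}
US_AT_THRESHOLD_NO_DATE = {"amount_usd": "3000",
                           "transmittor": {"name": "C. Example", "address": "1 Example St",
                                           "account_number": "ACC-EXAMPLE-2"}}

if __name__ == "__main__":
    for label, rec, fn in (("EU complete", EU_COMPLETE, eu_travel_rule_findings),
                           ("EU self-hosted 1500", EU_SELF_HOSTED_1500, eu_travel_rule_findings),
                           ("US 3000 no date", US_AT_THRESHOLD_NO_DATE, us_travel_rule_findings)):
        print(label, "->", fn(rec) or "complete")
```

Two edge cases are worth noticing: a self-hosted transfer of exactly EUR 1,000 does not trigger the ownership assessment because the rule applies above that line, whereas a US transfer of exactly USD 3,000 is in scope; and a date of birth without a place of birth does not satisfy the alternative identifier, since the two are only accepted together.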


Crypto KYC requirements: EU vs US vs FATF

The same exchange can face materially different KYC and Travel Rule obligations depending on where its customers and operations sit. The table below summarises the headline differences. EU and US figures are primary-sourced; FATF figures are marked unverified because the FATF text could not be retrieved at the source (HTTP 403), so they are cited by name only.

Dimension                 | EU (AMLR / 4AMLD / TFR)                      | US (BSA)                           | FATF
CDD trigger (occasional)  | EUR 10,000 (AMLR Art. 19)                    | Risk-based CIP at account opening  | R.10 (figure unverified)
Crypto transfer           | CDD regardless of amount                     | Travel Rule from USD 3,000         | R.16 (de-minimis unverified)
Beneficial owner          | 25% plus one share / more than 25%           | CDD Rule equity plus control prong | R.10
Travel Rule threshold     | None for crypto                              | USD 3,000                          | Figure unverified
Record retention          | Keep up to date (EU)                         | Five years (CIP)                   | Five-year standard

EU regime (AMLR / 4AMLD / TFR)

In the EU, CDD is triggered when establishing a business relationship, on an occasional transaction of at least EUR 10,000, on any crypto-asset transfer, on suspicion of money laundering or terrorist financing, or where there are doubts about previously obtained data (AMLR Art. 19). The beneficial-owner indicator is 25% plus one share, and crypto transfers carry no Travel Rule de-minimis (TFR Art. 14). One caveat applies: the AML single rulebook (AMLR) is in force but phased in application, while the older 4AMLD set a EUR 15,000 occasional-transaction figure. Confirm which instrument is operative for your timeline before relying on the EUR 10,000 figure (see Open questions).

US regime (BSA: CIP, AML program, Travel Rule)

A US crypto exchange operating as an MSB runs a risk-based Customer Identification Program at account opening rather than a fixed monetary CDD threshold (31 CFR 1023.220). It must also maintain a four-pillar AML program: written policies and internal controls, a designated compliance officer, ongoing training, and an independent review (31 CFR 1022.210(d)). The Travel Rule bites at USD 3,000 (31 CFR 1010.410(f)), and CIP records are kept for five years (31 CFR 1023.220).

FATF standards (R.10, R.12, R.15, R.16)

FATF is the global standard-setter whose Recommendations underpin both regimes. Recommendation 10 sets the CDD standard, R.12 covers PEPs, R.15 extends the standards to new technologies and virtual assets, and R.16 is the wire-transfer or Travel Rule (FATF Recommendations). FATF standards are binding only as transposed by member jurisdictions, which is why the operative numbers above come from EU and US law. We name the Recommendations but do not state FATF numeric thresholds here, because the FATF source could not be verified directly (see Open questions).

Switzerland context (AMLA / FINMA / SRO)

For exchanges anchored in Switzerland, the Crypto Valley jurisdiction where our firm is based, the Anti-Money Laundering Act and the FinIA/FinSA framework mandate KYC and CDD for crypto businesses, supervised through FINMA and self-regulatory organisation membership. We keep this section at summary level because the precise AMLA article numbers and AMLO-FINMA verification thresholds were not verified at the source for this guide; treat it as a credibility cue rather than a citation until confirmed (see Open questions). The wider licensed VASP obligations guide covers the Swiss licensing path, and DeFi KYC obligations addresses the harder question of decentralised platforms.

Frequently asked questions

What is crypto KYC and why do exchanges need it?

KYC is the AML-law customer due diligence (CDD) identity process required of obliged entities; crypto exchanges must run it as CASPs (EU), money transmitters or MSBs (US) or VASPs (FATF). It is the gatekeeping foundation for sanctions screening, transaction monitoring and suspicious-activity reporting.

What is the difference between KYC, CDD and EDD?

KYC/CDD is the baseline identity process every customer goes through; EDD is the enhanced version applied to higher-risk customers such as PEPs and high-risk-country clients. Run CDD on everyone, then escalate to EDD where elevated-risk indicators fire, documenting the rationale each time.

What customer information must a crypto exchange collect?

At minimum: full name, date of birth, residential or business address, and an identification number (US SSN/TIN, or a non-US passport number and country of issuance). Many exchanges also collect nationality and occupation to support risk scoring, but those four items are the statutory floor.

How does a crypto exchange verify a customer's identity?

Through documentary methods (an unexpired government photo ID) or non-documentary methods (database and consumer-reporting checks, references from another financial institution, financial statements), drawing on a reliable and independent source. The exchange must verify against a source it did not itself control.

What are the four required CDD measures under EU AML law?

Identify and verify the customer; identify the beneficial owner; assess the purpose and nature of the relationship; and conduct ongoing monitoring (EU AMLR Art. 20 / 4AMLD Art. 13). All four are statutory pillars, not optional steps, and ongoing monitoring runs for the life of the relationship.

When is CDD triggered for an occasional (non-account) crypto customer?

In the EU, from an occasional transaction of EUR 10,000 (AMLR Art. 19), and for any crypto-asset transfer regardless of amount. Suspicion of money laundering or doubts about previously obtained data also trigger CDD independently of any monetary threshold.

What is a beneficial owner and what is the 25% threshold?

The natural person who ultimately owns or controls a legal-entity customer; the EU indicator is a shareholding of 25% plus one share or ownership above 25% (Member States may set lower). Where no natural person is found through ownership, senior managing officials may be treated as beneficial owners.

Who is a politically exposed person (PEP) and what extra checks apply?

A PEP holds a prominent public function (with family and close associates); the exchange needs senior-management approval, must establish source of wealth and source of funds, and apply enhanced ongoing monitoring (4AMLD Arts. 20–22). FATF Recommendation 12 is the international PEP standard.

What is the crypto Travel Rule and is there a minimum amount?

It requires originator and beneficiary data to accompany crypto transfers; under the EU TFR there is no de-minimis threshold for crypto transfers, regardless of amount. The US Travel Rule, by contrast, applies only at USD 3,000 or more.

What information must accompany a crypto transfer under the EU Travel Rule?

Originator name plus DLT address or account number and an identifier (address, document number, customer ID, or date and place of birth), and beneficiary name plus DLT address or account number (TFR Art. 14). The duty applies to every crypto transfer, domestic or cross-border.

Do KYC rules apply to transfers to unhosted/self-hosted wallets?

Yes in the EU; for self-hosted wallet transfers above EUR 1,000 the CASP must assess whether the wallet address is owned or controlled by its customer (TFR Art. 14(5)). This is an extra verification step, not a ban, and it sits on top of the no-threshold data-transmission duty.

What KYC obligations does a US crypto exchange (MSB) have?

A US crypto exchange operating as an MSB must run a Customer Identification Program (CIP) and a four-pillar AML program (internal controls, a designated compliance officer, training, and an independent review). CIP records must be retained for five years.

What is the US BSA Travel Rule threshold?

The US Travel Rule applies at USD 3,000 or more (31 CFR 1010.410(f)). At or above that amount the institution must obtain, retain and transmit transmittor and recipient data through the payment chain.

How long must KYC records be kept?

Under the US CIP, identifying information must be retained for five years (31 CFR 1023.220). The EU duty is framed differently, as an obligation to keep customer data up to date throughout the relationship rather than a fixed retention count.

Is ongoing monitoring part of KYC or separate?

It is part of KYC: ongoing monitoring is one of the four statutory CDD pillars under EU AML law, not a separate obligation (AMLR Art. 20 / 4AMLD Art. 13). It requires transaction scrutiny against the risk profile and keeping customer data current.

How often does a crypto exchange have to refresh KYC?

There is no fixed statutory interval. The duty to keep data up to date is risk-based, so higher-risk customers and PEPs are reviewed more frequently than low-risk retail accounts. An exchange should set its own risk-tiered review cycle and be able to justify it under examination.