Why KYC for Crypto Exchanges falls short in exposing criminal or fraudulent accounts

KYC for Crypto is a series of checks performed by exchanges to verify customer identity and to assess account holder risk. This process of due diligence helps safeguard against exchanges being used by criminal entities for money laundering and other illegal activities.

Without an industry-standard set of checks to conduct, or even a globally accepted definition of KYC, this article explores the challenges faced by exchanges in conducting consistent and appropriate levels of risk assessment to expose criminal activities and to avoid regulatory scrutiny.

Crypto Exchange KYC

Many people ask “why don’t crypto exchanges identify and remove fraudulent or suspicious accounts?”

Cryptocurrency exchanges face several challenges when it comes to Know Your Customer (KYC) due diligence. Here are some of the key issues:

  1. Identity Verification: Verifying the identity of users can be challenging, especially if they provide false information. It’s difficult for exchanges to confirm the accuracy of the information provided.
  2. Fake Documentation: Users may submit fake or forged documents, making it hard for exchanges to distinguish between genuine and counterfeit documents.
  3. International Regulations: Exchanges often operate globally, which means they must comply with different regulatory standards across jurisdictions. This can create complexity.
  4. Data Privacy: Exchanges need to balance KYC requirements with data privacy laws. They must collect and store personal data securely while ensuring compliance with regulations such as General Data Protection Regulations (GDPR).
  5. Customer Experience: Lengthy and cumbersome KYC processes can lead to a poor user experience, potentially driving customers away from the platform.
  6. Scalability: As the user base grows, exchanges must ensure their KYC processes can scale accordingly. Manual verification becomes increasingly challenging as the user base expands.
  7. Costs: Implementing and maintaining robust KYC processes can be costly, particularly for smaller exchanges. The cost may involve hiring specialised personnel, implementing technology, and managing legal and compliance issues.
  8. Risk of Fraud and Money Laundering: Despite KYC processes, there’s always a risk of fraudulent activities and money laundering, which could result in legal and financial consequences for the exchanges.
  9. Regulatory Compliance: Meeting the constantly evolving regulatory requirements in the cryptocurrency space can be challenging. Failure to comply with these regulations can result in penalties or legal action.
  10. Technological Solutions: Finding effective and reliable technological solutions for identity verification and KYC processes can be a significant hurdle. Exchanges often invest in inadequate identity verification systems to keep up with the evolving landscape of fraud – knowing such systems fall significantly short in addressing the problem.
  11. User Anonymity: Balancing the need for KYC with the desire for some users to remain anonymous can be a challenge. Some users are attracted to cryptocurrencies because of the perceived anonymity, but regulatory requirements often demand the opposite.
  12. Geographical Variances: Every country has different KYC requirements, making it difficult to achieve a consistent risk mitigation model.

Addressing these challenges requires continuous improvement and innovation in KYC processes and the use of advanced technology such as biometrics, AI, blockchain analytics, and forensic investigation techniques to enhance security, streamline the process, and improve user experience.

How do crypto exchanges identify fraudulent account holders?

Identifying a fraudulent cryptocurrency account holder is a critical aspect of KYC due diligence. Here are some common signs and methods that exchanges use to identify fraudulent account holders:

  1. Unusual Behavior:
    • Sudden and unexplained large transactions.
    • Repeated attempts to execute high-risk transactions.
    • Transactions inconsistent with the user’s known financial behavior.
  2. Identity Verification:
    • Request multiple forms of identification, such as a government-issued ID, proof of address, and possibly even a selfie with the ID.
    • Cross-verify the provided information to detect inconsistencies.
    • Look for any discrepancies between the provided information and the information obtained from public records.
  3. Monitoring Transactions:
    • Flag transactions that are significantly different from the usual pattern of activity.
    • Look for irregular transactions, especially those consistent with money laundering or other fraudulent activities.
  4. Blockchain Analysis:
    • Analyse blockchain activity to identify potentially fraudulent transactions or patterns.
    • Use blockchain analytics tools to trace the origin of funds and identify any suspicious activities.
  5. Risk Assessment:
    • Implement risk assessment tools to evaluate the risk associated with each user.
    • Develop a risk scoring system to flag potentially fraudulent accounts.
  6. Geolocation Verification:
    • Cross-check the user’s provided location with their IP address and other available data.
    • Look for inconsistencies that might suggest the user is attempting to hide their true location.
  7. Pattern Recognition:
    • Use machine learning algorithms to detect patterns indicative of fraudulent behavior.
    • Look for suspicious activities, such as a large number of failed logins, multiple account creations from the same IP address, or frequent changes to account details.
  8. Communication Analysis:
    • Monitor communication with the user for suspicious activity or inconsistencies.
    • Be wary of users who avoid direct communication or refuse to provide additional information when requested.
  9. Blacklist Screening:
    • Compare user information against blacklists of known fraudsters, sanctioned entities, or politically exposed persons (PEPs).
    • Regularly update and maintain these blacklists.
  10. Two-Factor Authentication (2FA):
    • Implement 2FA to add an extra layer of security, making it harder for fraudsters to gain unauthorised access to accounts.
  11. Artificial Intelligence and Machine Learning:
    • Utilise AI and machine learning algorithms to analyse vast amounts of data and detect suspicious patterns or behaviours.
  12. Community Reporting:
    • Encourage their community to report any suspicious activity, ensuring that users and administrators alike can help maintain security.
  13. Regulatory Compliance:
    • Ensure that KYC procedures comply with relevant regulatory requirements to mitigate the risk of fraudulent activity.
  14. Educational Material:
    • Provide educational resources to help users recognise and avoid scams and fraudulent activities.

By implementing these strategies, exchanges can minimise (but not eliminate) the risk of criminals creating accounts to commit illegal activities.

In reality, fraud, scams, money laundering, and terrorism financing are now being facilitated through cryptocurrency exchanges and wallets on an industrial scale.
This is due extensively to the KYC tools and processes exchanges use to “Know their customer” being woefully inadequate for purpose.

The consequences of inadequate KYC

The consequences of an exchange not implementing adequate KYC processes can be immeasurable and can notably lead to

  • criminals targeting specific exchanges due to a lack of (KYC) security
  • exchanges being legally culpable by facilitating crypto-related crimes and money laundering activities
  • legal or law enforcement actions against exchanges
  • increased regulatory scrutiny and/or fines
  • risk of licenses being revoked
  • reputational damage
  • user migration
  • loss of revenue

Crypto Exchange regulatory fines

Regulatory fines for cryptocurrency exchanges can vary widely depending on the jurisdiction and the specific violation. However, to give you an idea, here are some examples of regulatory fines that cryptocurrency exchanges might face for non-compliance or violation of regulations in various countries:

  1. United States:
    • In the United States, fines can vary depending on the violation and the regulator involved.
    • For example, in 2024, Binance received a $4.3 billion penalty for violating federal anti-money laundering and sanctions laws through lapses in internal controls 
    • In 2020, the U.S. Securities and Exchange Commission (SEC) fined several cryptocurrency companies for offering unregistered securities. Fines ranged from hundreds of thousands to millions of dollars.
    • In 2019, the Financial Crimes Enforcement Network (FinCEN) imposed a civil money penalty against an individual for violating the Bank Secrecy Act (BSA) by failing to register as a money services business and failing to implement and maintain an effective anti-money laundering (AML) program.
  2. European Union (EU):
    • In the EU, fines can also vary based on the specific violation and the regulatory body involved.
    • For instance, under the General Data Protection Regulation (GDPR), fines for data breaches can be up to €20 million or 4% of the company’s global annual revenue, whichever is higher.
  3. United Kingdom:
    • In the UK, the Financial Conduct Authority (FCA) has the authority to issue fines to cryptocurrency exchanges for non-compliance with regulations.
    • In 2020, the FCA fined a major cryptocurrency exchange for failing to implement effective AML controls. The fine was £3.2 million.
  4. Japan:
    • Japan’s Financial Services Agency (FSA) has the authority to impose fines on cryptocurrency exchanges.
    • In 2018, the FSA issued administrative penalties against several exchanges, ordering them to improve their internal controls and risk management systems.
  5. South Korea:
    • In South Korea, the Financial Services Commission (FSC) has the authority to impose fines on cryptocurrency exchanges.
    • In 2020, the FSC fined a major cryptocurrency exchange for violating the Act on Reporting and Use of Certain Financial Transaction Information.
  6. Australia:
    • In Australia, the Australian Transaction Reports and Analysis Centre (AUSTRAC) has the authority to impose fines on cryptocurrency exchanges for AML and counter-terrorism financing (CTF) violations.
    • In 2020, AUSTRAC ordered a major cryptocurrency exchange to pay a fine of AUD $225 million for breaching AML/CTF laws.
  7. Singapore:
    • In Singapore, the Monetary Authority of Singapore (MAS) has the authority to impose fines on cryptocurrency exchanges for non-compliance.
    • In 2020, the MAS fined a major cryptocurrency exchange for violating AML and CTF regulations.

These examples demonstrate the significant financial penalties that cryptocurrency exchanges can face for regulatory violations. It’s important for exchanges to maintain compliance with all relevant regulations and standards to avoid fines and other legal consequences.

The inherent problem with KYC for Crypto Exchanges

Criminals often use sophisticated methods to conceal their identities and locations, and frequently use fake or cloned ID’s during account registration, a tactic prevalent in cryptocurrency investment scams and romance fraud.

Furthermore, crypto transactions are designed to be pseudonymous, meaning that wallet addresses are not directly tied to individuals’ names or personal information.

Such concealment measures inherently make it difficult for exchanges to verify the true identify of account holders, and even more difficult for financial crime investigators to identify who’s facilitating, connected to, or is ultimately responsible for a crime.

The KYC and AML (Anti-Money Laundering) tools widely used by exchanges to conduct account holder risk assessments are incapable of linking digital data, for example fake ID’s, IP addresses, and wallet transactions, to real-world data to verify whether an account holder (or their third-party connections) present a threat.

Such tools, although effective to a degree are limited to, and ultimately determine risk by, conducting only a digital footprint analysis. Here-in lies part of the problem.
When tasked to interpret data beyond official records, for example assessing an individual’s behavioural insights via deep social media analysis, 80% of information online contains misinformation.

As such, the vast majority of reports produced remain of relatively low quality, and have little impact on the scale and complexity of money laundering, or other financial and economic crimes, and do little to mitigate organisational risk or to avoid regulatory scrutiny.

So what’s the solution?

The solution lies in KYC models that move strongly away from compliance-based processes, taking a more ‘intelligence’ and ‘investigator-led’ approach, augmenting old KYC/AML frameworks into a more risk-focused model.

Such models apply sophisticated investigation techniques to expose increasingly complex modus operandi used by criminals to avoid detection.

This includes conducting extensive (global) first- and third-party risk assessments by linking true or false IDs to seemingly unconnected people involved in criminal, fraudulent or suspicious activities, by seeing beyond an individual’s digital, transactional and social footprint, criminal records and financial history, to secure a true understanding of the risk an individual poses to the exchange.

Discuss KYC for Crypto Solutions

To discuss KYC for Crypto solutions and please contact us.