As cryptocurrencies opened the door for a new generation of users of financial products, regulation of the space has been steadily expanding. On one hand, the crypto ecosystem and its participants see KYC/AML practices as a threat to privacy, data security, and decentralization. Regulators, meanwhile, are more concerned with terrorism financing and other activities that involve money laundering.
Regulatory compliance is an everyday discussion for those working in crypto and in the traditional financial sector. As the rate of financial crime continues to rise and financial systems progressively digitalize, governments are trying to eradicate money laundering and terrorism financing and to prevent financial breaches.
In this article, we will make a case for and against the concept of two of the most well-known regulatory practices, KYC and AML, and explore innovations that restore the public's trust in regulation and achieve compliance without sacrificing users’ right to privacy.
What are KYC/AML practices?
KYC and AML practices are standard regulatory policies guiding the operations of financial institutions. They are part of the laid-down rules for businesses that offer financial services to the public within a particular geographical area, e.g., cryptocurrency exchanges.
KYC and AML are terms often used interchangeably, yet they do not share the same meaning. KYC is only one of the several steps that financial institutions and businesses in general take to comply with AML regulations.
Know-Your-Customer (KYC) refers to the checks and steps a business takes to know who its customers are, confirm their identities, and understand the risk each customer poses to the business. Usually, the first phase of the KYC process requires collecting customer information, followed by customer due diligence (CDD), which involves identity verification, watchlist screening, risk assessment (to determine whether a customer has a higher risk profile) and ongoing monitoring. For high-risk customers or high-value transactions, enhanced due diligence (EDD) policies come into play. In crypto, KYC means that these practices are implemented in a way that is suitable for cryptocurrency enterprises.
When the Financial Action Task Force was established in 1989 by a number of nations and international organizations, Anti-Money-Laundering practices gained more worldwide attention.
Anti-Money-Laundering (AML) is the wider set of steps that financial institutions and businesses take to prevent bad actors from moving their illicit gains. Principally, AML regulations hinder global criminal activities like terrorist financing and block the movement of funds owned by drug rings, human traffickers, and other criminals. Typical AML programs involve transaction monitoring, KYC compliance, identifying and reporting suspicious transactions to regulators, record keeping and auditing, etc.
Why are crypto believers often against these practices?
KYC/AML practices are common in crypto, with centralized exchanges readily adopting them to comply with global financial regulations. It is not unusual for big exchanges like Coinbase or Binance to suspend accounts and pause withdrawals for some users due to suspicious account activity under the pretense of complying with these regulations.
These measures, the large amounts of data users must provide to comply, and data breaches in the space have raised concerns in the crypto community, where user privacy and decentralization are founding concepts and seen as the highest standards. However, critics have a hard time explaining how else bad actors could be discouraged from 'cleaning' illicit money through cryptocurrencies.
Arguments for & against KYC/AML
As the popular saying goes, every coin has two sides. The common KYC/AML practices solve many regulatory and compliance issues for financial institutions but create problems with data laws, data security, and privacy.
Money laundering and other financial crimes usually have to go through banks, and one way to prevent or combat these crimes is to regulate the money flowing through institutions. Without KYC/AML, bad actors would have a field day when moving proceeds from illegal businesses. Because of this, most jurisdictions frown at platforms that require no identity disclosure.
As regulators in the financial sector and governments seek to combat financial crime, terrorism financing, and the movement of illicit money, they hold banks and exchanges responsible for their customers' actions. When a financial institution partners with individuals or organizations without being fully aware of their past and present business dealings, it leaves them prone to being hit by lawsuits and fines. Between 2008 and 2018, financial institutions have had to pay over $25 billion in penalties due to KYC/AML violations and other slipups related to global sanctions.
No business has the ultimate goal of losing money to such avoidable incidents; hence the strict implementation of these practices. If only for their own benefit, institutions try to remain compliant with financial laws. In this sense, you could say that incentives are in place for marketplaces, banks, and crypto exchanges to stay on top of the activity going on within them.
Most of the benefits of effective KYC and AML practices go to the businesses enforcing them, while users are left with several doubts and questions. Today, many see KYC and AML requirements as data harvesting endeavors, with concerns over data safety, security, and usage growing. Many believe that in providing personal information to pass KYC verification exercises, users give away their privacy rights.
All too often, data breached from these platforms has ended up in the hands of malicious actors. Users’ sensitive data getting hacked or leaked from big organizations has become almost the norm lately. Because of this, many have genuine concerns regarding data protection and questions about the rationale of KYC practices.
In the crypto space, pseudonymity is precious, but most big exchanges require customers to complete KYC verification to access their services or increase their capabilities. Many users also believe these businesses leverage their personal information in untoward ways, such as selling it to advertisers.
As we have seen above, data breaches are fairly common. This worries many users, as criminals can access sensitive information like credit card details or addresses by hacking into financial institutions' databases.
Since KYC/AML practices require users to provide sensitive information to third parties, individuals are worried about companies' ability to keep their data safe and away from the reach of fraudsters. It’s worth noting that data is often not just reviewed once and then discarded, but goes on to form part of databases indefinitely.
The General Data Protection Regulation (GDPR) law came into force in 2018, forcing regulated institutions to review their operations regarding customer data.
On the surface, the GDPR appears to contradict KYC/AML practices. Yet the regulation only insists on the right ways to collect, use, and secure customer data, and it is here that some KYC/AML procedures fail the compliance test. In other words, these procedures often do not store and handle user data following legal specifications.
The seven principles of the GDPR are as follows:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
KYC and AML practices depend on data sharing, especially between companies and third parties, e.g., foreign entities. Also, some businesses outsource their KYC procedures.
Data sharing and KYC outsourcing directly contradict the GDPR, which only permits data transfers for important reasons of public interest. Some institutions also hold customer information for unspecified periods after their partnerships have ended, directly contradicting the storage limitation principle of the GDPR.
ZK proofs & decentralized identifiers: The future of KYC/AML
As the concepts of KYC/AML practices and privacy concerns continue to be debated, organizations are beginning to devise new methods to remain compliant with KYC, AML and GDPR laws. Companies have begun to deploy innovations like homomorphic encryption and secure multi-party computation to enhance customer privacy and allow access to the information needed for KYC and AML procedures.
The crypto space, however, continues to be skeptical about these new methods, as they fail to give users control over their digital identity. Instead, other more decentralized options are under development, some of which can allow users to gain more control over their data.
For example, self-sovereign identity on the blockchain has been endlessly quoted as “the future of digital identification”. Other cryptographic innovations like zero-knowledge proofs (ZK Proofs) and decentralized identifiers (DIDs) also lead the way in the race to replace traditional procedures.
How ZK Proofs will replace KYC/AML
Popular for its successful implementation in creating privacy on the blockchain, the concept of zero-knowledge proofs (ZKPs) is a proven way of confirming a transaction/ownership without revealing sensitive information about its underlying data. Identity solutions based on this, such as Polygon’s Polygon ID, utilize ZKPs.
ZKP-based KYC solutions are superior to their traditional counterparts in that traditional KYC solutions require users to share their information across several platforms repeatedly. With ZKPs, users can present all needed documents to a trusted KYC provider to verify their identities and issue a ZKP. This proof can then be used for subsequent KYC verification exercises without sharing the information therein.
ZK Proofs are on-chain activities, and blockchain ledgers are immutable, which implies that whatever information the zero-knowledge proof holds is true and has remained unchanged since its verification. Trust is restored between KYC providers, businesses, and the end-users, and individuals can remain in full control of their data.
ZKPs also allow for selective disclosures: in special circumstances only, and with users' consent, a KYC provider may disclose users' information to a trusted third party like law enforcement agencies. For example, Panther Protocol enables users to leverage features such as Panther Reveals which generate zero-knowledge reports to voluntarily disclose compliance with select counterparties.
How Decentralized Identifiers can replace KYC/AML
A decentralized identifier (DID) refers to a cryptographically verifiable framework that consists of information (documents, certificates, and other personally identifiable information) unique to an individual or organization. With a DID, users can store identifiers such as government-issued identity documents in a private wallet built on a public blockchain.
Traditional KYC practices require users to submit information which is then verified by a centralized registration authority. Decentralized identifiers do a similar job, with the difference that the user controls how much information they give out. Entities can then verify the information provided via a blockchain-based ledger to determine its authenticity.
With DIDs, users can prove they are above a certain age limit, for instance, without disclosing their exact date of birth. Since users can create identifiers using trusted systems on the blockchain, private data exchange between individuals and businesses is possible. Thanks to this, traditional KYC/AML practices can give way to a more practical framework, where businesses can remain compliant with regulations and collect data without threatening privacy or data security and without breaching data laws.
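The selective-disclosure flow described in the ZK Proofs section and the age-proof example above, as an added illustration that is not Panther's, Polygon ID's, or any DID library's code: a KYC issuer signs salted hash commitments to each verified claim, the holder reveals only the claim a verifier asks for (here "age_over_18"), and the verifier checks the issuer's signature and the commitment without ever seeing the date of birth. This is hash-commitment selective disclosure in the style of SD-JWT, not a full zero-knowledge range proof; the claim values, the issuer key, and the use of an HMAC as a stand-in for the issuer's digital signature are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: claims the KYC issuer verified from the user's documents.
CLAIMS = {"name": "Alice Example", "dob": "1990-04-12", "age_over_18": True, "country": "DE"}
# Stand-in for the issuer's signing key (assumption); a real issuer would use a public-key signature.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def commit(claim, value, salt):
    """Salted SHA-256 commitment to one claim; the salt blocks guessing low-entropy values."""
    payload = json.dumps([salt.hex(), claim, value], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def issue(claims, issuer_key):
    """Issuer signs only the commitments, sorted so their order leaks nothing about the claims."""
    salts = {c: os.urandom(16) for c in claims}
    digests = sorted(commit(c, v, salts[c]) for c, v in claims.items())
    sig = hmac.new(issuer_key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()
    credential = {"digests": digests, "sig": sig}
    holder_secrets = {c: (claims[c], salts[c]) for c in claims}  # stays in the holder's wallet
    return credential, holder_secrets


def present(credential, holder_secrets, disclose):
    """Holder reveals only the requested claims (value plus salt); everything else stays hidden."""
    disclosed = {c: (holder_secrets[c][0], holder_secrets[c][1].hex()) for c in disclose}
    return {"credential": credential, "disclosed": disclosed}


def verify(presentation, issuer_key):
    """Verifier checks the issuer signature, then that each disclosed claim opens a signed digest.

    Returns the verified claims, or None if the signature or any disclosure fails to check out."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, json.dumps(cred["digests"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    verified = {}
    for claim, (value, salt_hex) in presentation["disclosed"].items():
        if commit(claim, value, bytes.fromhex(salt_hex)) not in cred["digests"]:
            return None
        verified[claim] = value
    return verified


if __name__ == "__main__":
    cred, secrets = issue(CLAIMS, ISSUER_KEY)
    print(verify(present(cred, secrets, ["age_over_18"]), ISSUER_KEY))
```

A forged or altered disclosure (for example flipping "age_over_18" to a different value) fails because no signed digest opens to it, while the presentation itself carries neither the name nor the date of birth.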
Most crypto users are increasingly concerned with identity verification or KYC procedures. However, most importantly, they are concerned with whatever happens to their data after it is collected. Especially when it comes to users’ sensitive data associated with their financial transactions, KYC procedures are being questioned by privacy and security advocates.
With cryptographic concepts like zero-knowledge proofs and decentralized identifiers (DID), individuals can pass KYC checks without giving out sensitive information and yet achieve regulatory compliance.
By leveraging zero-knowledge technology, banks, cryptocurrency exchanges, and other regulated institutions can access customer information without violating their privacy, prevent data breaches, and stay compliant with data protection laws — a win-win situation for everyone.
Panther is a decentralized protocol that enables interoperable privacy in DeFi using zero-knowledge proofs.
Users can mint fully-collateralized, composable tokens called zAssets, which can be used to execute private, trusted DeFi transactions across multiple blockchains.
Panther helps investors protect their personal financial data and trading strategies, and provides financial institutions with a clear path to compliantly participate in DeFi.