To combat this, traditional businesses, governments and regulators require individuals to identify themselves in person, with a government-issued photo ID, fill out and sign forms. Banks, governments, regulators and other institutions claim that this KYC process is for our own protection, as well as theirs, since it allows them to attach an ID to financial activity on a given account or transaction.
So, what is KYC?
KYC stands for ‘Know Your Customer’. It refers to the verification processes and safeguards that are implemented by the recipient of an application to validate the applicant’s identity. In simple terms, it is one of the main tools used by a person or company to prove whether the other party is who they claim to be.
Why is KYC important?
These systems are put into effect not only to protect customers from fund and data-theft, but also:
- to protect the institutions from fines and legal penalties that they could face if they do not comply with the requisite procedures outlined by local authorities, and
- to prevent money-laundering, tax-evasion and terrorist financing – think about people on sanctions’ lists.
What are some real-world examples of KYC practices?
Aside from the example cited above, other traditional KYC approaches include:
- pre-arranged questions and answers between the two parties for future transactions,
- complicated user-names and passwords that are difficult to hack and that need to be periodically changed,
- background checks and credit ratings. This includes attempts at authenticating documents, which is why they often require that the original document be shown, or that the copy of the document be stamped or apostilled by a legitimate body such as the police or high court, and
- fingerprint scans, in the most extreme cases.
What is the attitude towards KYC in crypto?
The world of cryptocurrency was created as a regulation free zone. Decentralized, permission-less, digital cash and censorship resistant are concepts that are largely incompatible with KYC policies. Many blockchain platforms provide users with a trustless system, where users have varying degrees of anonymity, with all transactions and agreements being simultaneously traceable and secure. The ‘trustless’ aspect comes into play due to all transactions and data being permanently and unalterably stored on the blockchain, which is distributed across a large number of nodes on the network. Blockchains typically have protocols that require a consensus mechanism across their decentralized network in order to alter any data stored on them.
This arguably means that two of the core values of implementing a blockchain system are addressing the crypto-community’s need for protection against digital fraud and theft, while still allowing for them to maintain anonymity and privacy when conducting their transactions and other activities online. There are ICOs that are trying to find a way to put our identities on-chain and establish more secure protocols for institutions to authenticate ID information and conduct KYC processes without compromising user data. A look at our ICO lists will reveal a few specialized data-sharing/KYC ICOs. These offer the added benefit of eliminating the need for resubmitting the same information multiple times to different entities.
KYC concerns regarding ICOs themselves
The issue of KYC regarding an ICO or token fraud is arguably the bigger issue and is possibly a factor discouraging mainstream adoption and investment in ICOs and cryptocurrencies. There have been a variety of cryptocurrency scams over the years. Some scams have successfully made off with many millions of dollars raised in their fake ICOs, with investors having no recourse for tracing or reclaiming their stolen funds. This is one of the reasons why many credit card companies in America have banned purchasing and transacting cryptocurrencies through their cards. Another being their fear of being penalized by the US Securities and Exchange Commission (SEC) for aiding in the sale of non-compliant ICOs and money-laundering via cryptocurrency.
The very anonymity and decentralization that blockchain affords, also makes it easier for scammers to commit their crimes, since they prey on the less knowledgeable users in the space. It is difficult to trace the individuals behind these scams. This introduces a new problem: which KYC checks can potential investors recur to, to identify potential scams? Unfortunately, there is no fool-proof method currently available to users, so they will have to do their own due diligence. Some methods have been outlined towards the end of this piece.
If you’re interested in a more detailed description of the SEC’s activities and concerns against ICOs, you can find more information here.
Which methods do ICOs adopt for KYC purposes?
On the other hand, the ICO themselves started implementing their own KYC mechanisms to protect themselves from contributions from individuals that could be involved in criminal activity. Nevertheless, the industry has no standard, basically because the space is decentralized. Some ICOs only require your email, name and ETH address, and take you at your word when you tick the ‘I am not a US citizen’ box. Others require more intensive application procedures that are more in-line with those used by banks and other financial institutions.
Which firms implement KYC processes for ICOs?
As stated previously, there are a number of current and completed ICOs that plan on creating data-sharing and KYC compliance platforms. While there are some that focus on general data and KYC authentication services, there are also a few industry-specific platforms, including:
Clears is an upcoming ICO that aims to create a platform for standardized KYC verification processes, as well as easily transferable data-sharing. Their main markets will be within the cryptocurrency, ICO and Fintech industries. These processes will be autonomous and will include data authentication such as financial history checks and identity confirmation, as well as criminal history and mental health queries. All data transacted will be encrypted and will require the approval of the party who submitted the data, when a client requests disclosure.
KYC Spider is a platform that specializes in performing KYC checks on behalf of ICOs and other blockchain-based companies. These processes seem to follow the usual checks described above, with the main difference being that the data is stored in a central location, making it accessible to other clients in the future, pending approval from the data-owner.
They operate in compliance with the data privacy laws instituted by Switzerland, and all data is processed and stored there, Part of their screening includes country and personal risk ratings as well as other relevant information. They also provide other relevant services such as software to help counter money-laundering. Data storage is centralized, so many of these KYC solutions have that single point of failure that blockchain solves.
Do these firms conduct on-chain or off-chain KYC procedures?
In most cases, data will need to be submitted and stored off-chain. However, once the data is acquired, it is encrypted. Some KYC solutions offer to store ID data on-chain so that it cannot be tampered with or read by malicious parties, although these systems are generally still under development. There are numerous projects that have whitepapers detailing how IDs can be uploaded to a blockchain, encrypted and decrypted on-demand and when authorization is given. Encrypted data is autonomously sent to the applicant and their node then processes the coded data itself as indicating the authenticity of the platform user.
What happens to that KYC data base once the ICO is over?
Nevertheless, for as long as KYC data is centralized and stored in servers controlled by the companies that conduct the process, the issue of what happens with that data once the ICO is over, is contentious. Many ICOs that require contributors to comply with KYC requirements promise the following:
- Some ICOs ensure that all data is secure, either through encryption or through general centralized storage means.
- They may offer the option to delete user data upon request. Even encrypted data, which should not be legible to anyone, should be scrubbed off servers to provide users with some kind of guarantee that it will not be misused after the ICO. The ICO could keep a record on external hard drives that are kept off line for their own compliance requirements depending on the jurisdiction. Again, this entails users trusting those who are launching the ICO, which is anathema to cryptocurrency enthusiasts.
- Users who invest their trust in an ICO to keep their data safe will likely have to make do with a disclaimer either on the ICOs website or in its whitepaper, stating that user data will not be shared or sold to third parties without the user’s explicit consent.
How relevant is KYC in a world in which tokens are traded on decentralized exchanges and you lose track of who has them?
Once the ICO is over, and buyers log onto exchanges to sell their tokens, initial KYC procedures may lose their relevance. KYC is relevant for both the ICO and the original buyer, as these have legal ramifications for both parties. This doesn’t mean that its relevance extends to the secondary market, where users can acquire ICO tokens through decentralized exchanges without going through KYC procedures.
For instance, when an ICO launches in Europe in order to avoid SEC compliance concerns, it will not accept purchases from the US or other restricted countries. Nevertheless, those users who want to buy into the ICO but are not allowed to participate due to these restrictions, can in theory wait until the ICO is over and then acquire the token on a decentralized exchange. Likewise, any individual who was blacklisted due to criminal activity, can still acquire the tokens at an exchange and circumvent KYC. This makes KYC functionally useless.