If you have a bank account in the US, then whether you realize it or not, you’re subject to the regulations outlined in KYC and AML. Until recently, applications based on blockchain technologies weren’t forced to comply with these regulations. That has now changed, and it’s throwing the cryptocurrency world for a loop.
What is KYC?
KYC stands for Know Your Customer, and it refers to a set of policies which indicate what type of information banks must collect, and retain, about their customers. This includes scanning an ID such as a driver’s license or passport, as well as maintaining a record of an address on file and proof of said address. Besides collecting this information, the bank must also follow up frequently to ensure that it is up to date and correct. This all came about as an attempt by the US government to control criminals’ use of banks for illegal activities such as money laundering.
What is AML?
AML stands for Anti-Money Laundering, and refers to a set of regulations which apply to how a financial institution must monitor the use of funds by its customers. AML has been around since the 1930s, when it was started in order to curb the mob-centric activities of the time. These policies received an update in 2001 thanks to the Patriot Act, which made them more stringent than ever. Just like KYC, AML is used to prevent money laundering and catch money launderers, as well as to monitor funds and report when they may be going to fund terrorism. Many people use the terms KYC and AML interchangeably, but while KYC is a part of AML, they are not the same thing. KYC is a simple collection of documents, while AML is a continued monitoring of transactions by a financial institution. AML is accomplished by monitoring large transactions (namely those over the amount of $10,000) as well as transactions which occur internationally (such as those to offshore accounts). These suspicious or large transactions could be denied, or if the financial institution is suspicious enough, they may even be reported to the Financial Action Task Force (FATF).
Besides monitoring to ensure all financial institutions are following AML and KYC, the FATF also monitors something known as EDD, or Enhanced Due Diligence. EDD is a calculated measure of risk a financial institution must carry out on a prospective customer before allowing them to have an account at their institution. This could mean anything from asking the customer to answer a few extra questions to something as invasive as a background check. The process is decided by the company implementing it. The EDD rules and regulations are not as well established as AML and KYC, and thus this area of compliance can often come back to haunt institutions. This is because it’s very easy for the FATF to claim an institution did not carry out proper EDD and then slap it with fines if one of its customers is caught performing illegal activities.
KYC, AML and Crypto
Until the year 2019, the US government never specified how KYC and AML were to apply to cryptocurrencies. Now they have, and it isn’t good. According to a statement released in late November of last year, all companies operating on the blockchain must comply with all the same regulations as brick-and-mortar institutions. Of course, in the cryptocurrency world, this is not only easier said than done, but unfortunately quite dangerous in ways most consumers don’t understand.
When it comes to KYC at a brick-and-mortar bank, they simply copy your ID and take some form of proof of address to keep on file. The file is probably on a server for just that bank branch and is updated every few years. If you close your account, some information is kept on file for up to seven years, then it is destroyed by the bank. When it comes to blockchain, if a company uploads your data to the blockchain, it is there forever. It can never be removed or destroyed. Besides that, the only exchanges collecting KYC data are the CEFI ones, and these apps are often victims of data hacks which result in the exposure of customer data. This can be extremely dangerous because, remember, data is never deleted. So, if you had an account on an exchange in 2017 and that exchange gets hacked in 2035, your KYC info will still be there if they stored it on the blockchain. This is especially a risk for those who choose to use smaller or less developed exchanges.
Enforcing KYC on the blockchain isn’t any easier. Besides all the aforementioned issues, people were previously used to being able to create accounts on blockchain apps with pseudonyms. This is a problem because now all sorts of financial apps and exchanges are having to go back and ask their customers for information. And oftentimes, if the information gathered doesn’t match what’s on file, an account is closed even though the consumer created and was previously approved for the account without AML in mind. And AML has even more issues than that. According to the regulations, any transfers to offshore accounts must be monitored, but oftentimes, CEFI exchanges don’t ask for the customer’s location when transactions are carried out. Also, there’s the issue of the transfer amount limit (typically $10,000) because of the large swings in cryptocurrency prices. For example, a transfer of one Bitcoin in 2016 was a $1,000 transfer. As of the writing of this article, that same transfer today would be over $17,000. This is over a long period of time, but cryptocurrencies have been known to swing massively and quickly, so how is a company supposed to know what and when they have to report?
Not only that, but KYC and AML have been ruled to apply to both CEFI and DEFI apps. This is easy to regulate for CEFI apps, but not for DEFI. The US government realizes this, which is why they have decided to step in and monitor DEFI transactions. Of course, they can’t gather the KYC info they would like, but the US government has begun flagging Bitcoin addresses under the AML policies and blacklisting accounts which they believe are performing illegal activities. While they can’t stop blacklisted accounts from trading, they can monitor the activity and try to trace it back to a person. And they can attempt to stop a transfer from a blacklisted DEFI address if the person tries to send crypto to a CEFI account. This is all very complicated, however, because of the pricing issue above. How is the US government going to block all accounts with transfers over ten thousand dollars?
Overall, applying KYC and AML to the cryptocurrency world is an absolute nightmare. Because CEFI exchanges have to comply, a number of people have begun switching over to DEFI exchanges. After all, the whole point of cryptocurrencies was decentralized funds, and any funds monitored by KYC or AML policies are no longer decentralized. The US government may not believe they are currently overstepping their bounds, but there is certainly a fine line between using KYC and AML to keep citizens safe, and using KYC and AML to enact mass surveillance on a population.