Know Your Customer (KYC) is the process financial institutions use to verify a customer’s identity, assess their risk profile, and monitor activity for suspicious behavior.
In crypto, KYC means uploading ID and proof of address before you can trade on a centralized exchange, and as of 2026, with US 1099-DA reporting and full MiCA enforcement in the EU, it’s effectively mandatory across regulated platforms.
What is KYC?
KYC is the set of policies and procedures requiring regulated institutions to verify customer identities, understand their financial activity, and assess risk. It originated in banking and now extends to brokerages, payment processors, fintech apps, and crypto exchanges.
In the US, KYC sits under the Bank Secrecy Act as expanded by the USA PATRIOT Act; global standards come from the Financial Action Task Force (FATF); in the EU, the Markets in Crypto-Assets Regulation (MiCA) governs crypto-specific KYC. The goal: prevent money laundering, terrorism financing, fraud, and sanctions evasion.
What documents do you need for KYC?
Verification tierDocuments typically requiredBasic identificationGovernment-issued photo ID (passport, driver’s license, national ID)Address verificationUtility bill, bank statement, or lease — usually under three months oldBiometricLive selfie plus a liveness checkHigher-tier / EDDSource of funds documentation, tax records, employment verificationVerification tierBasic identificationDocuments typically requiredGovernment-issued photo ID (passport, driver’s license, national ID)Verification tierAddress verificationDocuments typically requiredUtility bill, bank statement, or lease — usually under three months oldVerification tierBiometricDocuments typically requiredLive selfie plus a liveness checkVerification tierHigher-tier / EDDDocuments typically requiredSource of funds documentation, tax records, employment verification
For most retail users, the first three are enough. Higher tiers typically unlock larger limits or products like OTC trading.
Why KYC exists: AML, terrorism financing, and fraud prevention
KYC is the front door of a broader Anti-Money Laundering (AML) regime. Without verified identities, institutions can’t tell legitimate customers from shell companies moving proceeds of crime; with them, suspicious activity reports name real people and sanctions lists become enforceable.
The case for KYC in crypto was sharpened by catastrophic failures: Mt. Gox’s 2014 collapse and FTX’s 2022 implosion both happened at platforms with demonstrably weak compliance. By 2025, an estimated 92% of centralized crypto exchanges globally are fully KYC compliant.
The KYC process: 5 core components
Modern KYC systems are designed to balance speed, compliance, and risk management. Together, these components form the backbone of how crypto platforms satisfy AML obligations and manage financial-crime risk.
Customer Identification Program (CIP)
The CIP is the formal written policy defining how an institution identifies new customers. In the US, CIPs are mandated by Section 326 of the USA PATRIOT Act, which requires institutions to collect at minimum four items: name, date of birth, address, and an identification number (Social Security or tax ID for US persons, passport number for non-residents). CIPs also specify how that information is verified (through documents, database and credit-bureau checks, or both) and require screening against sanctions and terrorist lists.
Customer Due Diligence (CDD)
If CIP is the policy, CDD is the act, gathering and verifying customer information to understand who someone is and what activity to expect. Standard CDD typically collects identity documents, proof of address, occupation and source of income, expected account activity, and (for businesses) beneficial ownership for anyone holding 25% or more.
CDD is risk-based. A retail user buying $200 of bitcoin monthly gets a light touch; a $250,000 wire from a FATF grey-list jurisdiction gets a far closer look, possibly escalating to enhanced due diligence. CDD also continues past onboarding: institutions periodically refresh information when patterns shift.
Enhanced Due Diligence (EDD)
EDD applies to higher-risk customers. Common triggers: Politically Exposed Persons (PEPs) and their close associates, high-value or sustained large-volume activity, customers in FATF high-risk jurisdictions, and complex ownership structures like shell companies and trusts.
On top of CDD, EDD verifies where money is actually coming from: source of funds (the specific origin of deposited assets – property sale, salary, business revenue) and source of wealth (the broader origin of the customer’s financial position).
It typically requires senior-management approval and more frequent monitoring. For crypto users, EDD usually surfaces as a request for extra documents after a large deposit — tax records, employment letters, originating bank statements.
Ongoing monitoring
KYC isn’t a one-time gate. Activity is continuously screened against your risk profile and against patterns associated with financial crime: structuring, layering, transfers to sanctioned wallets. This is where KYC hands off to Know Your Transaction (KYT) systems. Anything anomalous can trigger a manual review, a transaction freeze, or a Suspicious Activity Report.
Risk assessment
Everything above feeds a risk rating. Institutions tier customers as low, medium, or high risk based on identity factors (jurisdiction, occupation, PEP status), product factors, and behavioral factors. The rating determines monitoring intensity and re-review frequency.
KYC vs AML vs KYT: what’s the difference?
XKYCAMLKYTStands forKnow Your CustomerAnti-Money LaunderingKnow Your TransactionWhat it doesVerifies who you areDetects and prevents money launderingMonitors transactions in real timeWhen it happensAt onboarding, then periodic reviewAn ongoing frameworkPer-transactionExampleUploading your passportAn exchange’s overall compliance programFlagging a $50,000 transfer to a sanctioned walletXStands forKYCKnow Your CustomerAMLAnti-Money LaunderingKYTKnow Your TransactionXWhat it doesKYCVerifies who you areAMLDetects and prevents money launderingKYTMonitors transactions in real timeXWhen it happensKYCAt onboarding, then periodic reviewAMLAn ongoing frameworkKYTPer-transactionXExampleKYCUploading your passportAMLAn exchange’s overall compliance programKYTFlagging a $50,000 transfer to a sanctioned wallet
The simplest way to keep them straight: AML is the overall regime; KYC verifies identity; KYT watches the transactions. KYC and KYT both sit inside AML.
KYC in crypto: how exchanges verify you
Crypto exchanges adopted KYC later than banks, but regulatory pressure has closed the gap. From 2017 onward, jurisdictions began requiring exchanges to register and run full KYC/AML programs. The FATF Travel Rule, issued in 2019 and tightened since, requires identifying information to travel with crypto transfers between regulated platforms.
Today every major centralized exchange (Coinbase, Binance, Kraken, Bitstamp, Gemini) runs full KYC. Decentralized exchanges like Uniswap, PancakeSwap, and Bitcoin.com’s Verse DEX generally don’t, because they’re non-custodial protocols. In the EU, MiCA’s full enforcement began in December 2024, introducing zero-threshold KYC: every transfer between regulated providers must carry identifying information, regardless of size.
How long does KYC take?
Basic KYC usually completes in minutes: automated systems check your ID, run a liveness check, and approve the account. Delays come from poor photo quality, name or address mismatches, or routing through sanctioned regions. Enhanced verification can take several days because it requires manual review.
What happens if you fail KYC?
A failed check usually doesn’t mean a permanent ban. The common outcomes are an account restriction or a request for additional documents, and funds already on the platform are typically recoverable through appeals. Closure is reserved for suspected fraud, sanctions matches, or repeated failures. If you fail, read the rejection reason and submit better documentation rather than retrying with the same materials.
Is your KYC data safe?
This is the honest weak spot. KYC creates centralized repositories of sensitive identity data (passport scans, addresses, biometrics) that persist long after any transaction has settled. Those repositories are valuable targets, and the track record is uneven: Coinbase disclosed an insider-driven leak in 2024, BitMart and several mid-tier exchanges have had verification documents exposed, and a Plaid-related incident affected Gemini customers. The stolen data tends to be the kind you can’t easily change.
Mitigations: prefer regulated exchanges with strong security records, use unique emails and strong passwords per platform, enable hardware-based 2FA, and consider self-custody for assets you don’t actively trade.
No-KYC crypto exchanges: can you trade without it?
Yes, with caveats. The main no-KYC venues are decentralized exchanges where you swap from a self-custody wallet through smart contracts, peer-to-peer platforms like Bisq and Hodl Hodl, and some non-custodial bitcoin services.
Trade-offs are real: lower liquidity, no direct fiat on-ramps, and regulatory risk in some jurisdictions. The 2026 wave is narrowing the gap, with MiCA pushing regulated treatment further into DeFi, and US Treasury guidance has begun targeting front-ends of non-custodial services.
For most users, the realistic posture is hybrid: KYC at a regulated exchange for fiat on/off-ramps and active trading, self-custody and DEXs for everything else.
What’s changing in 2026: MiCA, 1099-DA, and the future of KYC
- US – Form 1099-DA: Starting in 2026, US crypto exchanges and brokers must report customer transactions to the IRS on Form 1099-DA, effectively guaranteeing full KYC at every regulated US platform.
- EU – MiCA enforcement: Fully enforced since December 2024. Crypto-asset service providers (CASPs) must obtain authorization by July 1, 2026 or cease regulated operations in the bloc.
- EU Travel Rule: Zero-threshold information-transfer requirements are in force, every transfer between regulated providers must carry sender and recipient information.
- UK: Companies House identity verification for directors and persons with significant control is phasing in through end of 2026.
- Emerging tech: Zero-knowledge proofs let users prove an attribute (over 18, not sanctioned, resident in an approved jurisdiction) without disclosing the underlying data. Reusable digital-identity schemes like the EU’s eIDAS 2.0 wallet aim to let users verify once and present credentials to multiple services.
The direction is clear: regulated crypto will look more like regulated banking, with the bet that better identity tech makes that less invasive.
Closing thoughts
KYC has become the price of entry for participating in the regulated crypto economy. What started as a banking compliance requirement is now deeply embedded in centralized exchanges, driven by global AML rules, MiCA enforcement in Europe, and new IRS reporting obligations in the US. For most users, the process is straightforward: verify your identity once, gain access to trading, and move between crypto and traditional finance more easily.
But KYC also introduces trade-offs. The same systems designed to prevent fraud, sanctions evasion, and money laundering create centralized databases of sensitive personal information that can become targets for breaches or misuse. As regulation tightens in 2026, crypto users increasingly have to balance convenience and compliance against privacy and self-sovereignty.
The likely future is a hybrid one. Regulated exchanges will continue to function more like traditional financial institutions, while self-custody wallets and decentralized protocols remain important alternatives for users who prioritize control and privacy.
