Know Your Customer verification is the gateway to every regulated digital asset relationship. Before a customer can trade, deposit, withdraw, or access any regulated crypto service, the service provider must verify that customer’s identity to a standard that satisfies the applicable regulatory framework. KYC is not a one-time onboarding exercise – it is an ongoing obligation that includes customer due diligence at onboarding, enhanced due diligence for high-risk customers, ongoing monitoring of customer activity and risk profiles, and periodic re-verification to ensure information remains current.
The requirements differ materially across jurisdictions, and getting them wrong carries severe consequences. This guide maps the specific KYC verification requirements for digital asset service providers across every major regulatory jurisdiction.
The KYC Compliance Framework
Three Pillars of Customer Due Diligence
Customer Identification Program (CIP): The minimum baseline requirement in most jurisdictions. The VASP must collect identifying information from the customer – name, date of birth, address, and identification number – and verify that information using reliable, independent sources.
Customer Due Diligence (CDD): A deeper assessment that includes understanding the purpose and intended nature of the business relationship, identifying the beneficial owner of accounts held by legal entities, and conducting ongoing monitoring to ensure transactions are consistent with the customer’s known profile and risk level.
Enhanced Due Diligence (EDD): Additional measures required for high-risk customers, including politically exposed persons, customers in high-risk jurisdictions, customers with complex ownership structures, and those whose transaction patterns raise concerns. EDD typically requires senior management approval, source of wealth and source of funds documentation, and more frequent ongoing monitoring.
United States: FinCEN Requirements
Regulatory Framework
Under the Bank Secrecy Act and FinCEN regulations, money services businesses – including crypto exchanges and certain other VASPs – must implement a Customer Identification Program as part of their AML compliance program.
Individual Customer Requirements
Minimum CIP Data Collection:
- Full legal name
- Date of birth
- Residential address (a PO Box is not sufficient as the sole address)
- Identification number (Social Security Number for US persons; passport number and country of issuance or alien identification card number for non-US persons)
Identity Verification Methods:
- Documentary verification: Government-issued photo identification (US driver’s license, state ID, passport, or military ID). At least one document must contain a photograph.
- Non-documentary verification: Cross-referencing customer information against consumer reporting agencies, public databases, or other reliable sources. Many VASPs use identity verification providers (Sumsub, Jumio, Onfido) that perform automated document verification and facial biometric matching.
Timing: Verification must be completed within a reasonable time after account opening. Most crypto VASPs require verification before enabling trading or withdrawal functionality.
Business Customer Requirements
- Entity name, principal place of business, employer identification number (EIN)
- Beneficial Ownership Rule (31 CFR 1010.230): Identification and verification of all individuals who own 25% or more of the legal entity and one individual with significant management responsibility
- Articles of incorporation or formation documents
- Board resolution or certificate of incumbency for authorized signatories
Enhanced Due Diligence Triggers
- PEP status (current or former senior government officials, their immediate family members, and known close associates)
- Customers in FATF-identified high-risk jurisdictions
- Anonymous or nominee accounts
- Transactions involving high-risk geographies or involving known darknet addresses
- Cash-intensive businesses or money service businesses as customers
European Union: MiCA and AMLD Requirements
Regulatory Framework
The EU’s AML framework for crypto-asset service providers operates under the Anti-Money Laundering Regulation (AMLR), effective July 2027, and the existing AMLD framework as implemented by each member state. MiCA requires CASPs to apply customer due diligence measures consistent with AML requirements.
Individual Customer Requirements
Standard CDD Data Collection:
- Full name
- Date and place of birth
- Nationality
- Residential address
- National identity number or equivalent
Identity Verification:
- Government-issued identity document (passport, national ID card, or residence permit)
- Proof of address (utility bill, bank statement, or government correspondence dated within the last three months)
- Many member states require electronic identity verification (eIDAS-compatible) or video identification for remote onboarding
- Biometric verification (facial matching against identity document photo) is increasingly standard
EU Transfer of Funds Regulation Requirements: For all crypto-asset transfers, CASPs must collect originator and beneficiary information regardless of amount. For transfers exceeding EUR 1,000 from self-hosted wallets, CASPs must verify that the wallet is owned by the customer.
Business Customer Requirements
- Company name, legal form, and registration number
- Registered office address and principal place of business
- Directors and senior management identification
- Ultimate beneficial ownership identification and verification for all persons holding more than 25% (to be lowered to 15% or even 5% for high-risk situations under AMLR)
- Proof of incorporation and good standing
Member State Variations
While MiCA harmonizes the CASP licensing framework, AML implementation remains subject to national transposition of EU directives. Key variations include:
- Germany (BaFin): Requires video identification (VideoIdent) for remote customer onboarding at crypto businesses. Strong emphasis on ongoing monitoring.
- France (AMF): Accepts electronic verification methods; detailed ACPR guidance on beneficial ownership verification.
- Netherlands (AFM/DNB): Strict approach to beneficial ownership verification; enhanced due diligence required for customers from tax haven jurisdictions.
- Ireland (Central Bank): Risk-based approach allowing flexible verification methods but requiring documented risk assessment.
United Kingdom: FCA Requirements
Regulatory Framework
The UK Money Laundering Regulations 2017 (as amended) require crypto-asset businesses registered with the FCA to implement CDD measures.
Individual Customer Requirements
- Full name
- Date of birth
- Residential address
- Photographic identity verification (passport or UK driving license)
- Proof of address (bank statement, utility bill, council tax bill, or HMRC correspondence)
- Electronic verification using credit reference agency data is widely accepted
Risk-Based Approach
The FCA expects a risk-based approach to CDD, with the level of verification proportionate to the assessed risk. The FCA’s guidance for crypto-asset businesses emphasizes:
- Assessment of the customer’s source of crypto-assets
- Understanding the purpose of the business relationship
- Enhanced due diligence for customers with significant crypto holdings acquired outside regulated exchanges
- Ongoing monitoring with particular attention to transactions involving privacy coins or mixing services
Singapore: MAS Requirements
Regulatory Framework
Payment service providers licensed under the Payment Services Act must comply with MAS Notice PSN01 on Prevention of Money Laundering and Countering the Financing of Terrorism.
Individual Customer Requirements
- Full name
- Unique identification number (NRIC for Singapore citizens/PRs, passport number for foreign nationals)
- Residential address
- Date of birth
- Nationality
- Identity verification through Singapore MyInfo digital identity system, or documentary verification with facial biometric matching
- For non-face-to-face onboarding: additional measures such as certified document copies, first payment from a bank account in the customer’s name, or video verification
MAS-Specific Considerations
MAS has imposed additional specific requirements for digital payment token service providers:
- Risk assessment must specifically consider crypto-specific risks including the use of anonymity-enhancing technologies
- Customer risk categorization must account for the types of digital assets the customer intends to trade
- Ongoing monitoring must include blockchain analytics-based transaction screening
Hong Kong: SFC/HKMA Requirements
Individual Customer Requirements for VATPs
- Full name as shown on identity document
- Hong Kong Identity Card number (HKID) for local residents, passport number for non-residents
- Residential address
- Date of birth
- Nationality
- Documentary verification with certified copies or electronic verification
- The SFC requires VATPs to conduct suitability assessments for retail clients, including assessment of knowledge and experience with virtual assets
Professional Investor Requirements
Hong Kong VATPs initially restricted services to professional investors only. The SFC’s expanded framework now permits retail access with additional protections, but the onboarding process must include:
- Client risk profiling questionnaire
- Assessment of virtual asset knowledge and trading experience
- Establishment of exposure limits for non-professional investors
Dubai: VARA Requirements
Individual Customer Requirements
- Full name
- Date of birth
- Nationality
- Residential address
- Emirates ID (for UAE residents), passport and visa copy (for non-residents)
- Source of wealth documentation for accounts exceeding specified thresholds
- Biometric verification including facial recognition
- VARA requires real-time sanctions screening at onboarding and ongoing
Business Customer Requirements
VARA imposes comprehensive corporate KYC requirements:
- Trade license and commercial registration
- Memorandum and articles of association
- Board resolution authorizing the account opening
- Beneficial ownership identification to the level of natural persons (no minimum threshold – all beneficial owners must be identified)
- UBO verification through documentary evidence
- Ongoing monitoring of corporate structure changes
KYC Technology Solutions
Identity Verification Providers
Sumsub: Comprehensive KYC/KYB platform supporting 14,000+ document types from 220+ countries. Offers automated document verification, facial biometric matching, liveness detection, AML screening, and ongoing monitoring. Pricing typically $1-5 per verification depending on volume and modules used. Strong presence in crypto industry.
Jumio: AI-powered identity verification with document scanning, facial recognition, and liveness detection. Supports 5,000+ document types. Strong emphasis on fraud prevention with proprietary Jumio KYX platform. Pricing typically $2-8 per verification.
Onfido: Document verification and facial biometric matching using AI-based analysis. Atlas AI engine provides real-time fraud detection. Supports 2,500+ document types. Widely used by European crypto platforms. Pricing typically $1-6 per verification.
Persona: Flexible identity verification platform with modular workflow builder. Supports document verification, database verification, phone verification, and selfie matching. Strong API-first approach for developers. Growing adoption in crypto.
Veriff: Video-based identity verification with AI-assisted document analysis and biometric matching. Strong coverage in European markets. Offers reusable identity verification for returning customers.
Blockchain-Native Identity Solutions
Civic: Decentralized identity verification that allows users to create reusable verified identities. Reduces repeated KYC friction for users operating across multiple platforms.
Polygon ID: Zero-knowledge proof-based identity system that allows users to prove their identity status without revealing underlying personal data. Emerging technology with potential to transform KYC for DeFi.
Cost Analysis for KYC Operations
| Component | Cost Range | Notes |
|---|---|---|
| Identity verification (per check) | $1-8 | Varies by provider, volume, and modules |
| Address verification | $0.50-3 | Often bundled with identity verification |
| PEP/sanctions screening | $0.10-1 | Per screening; ongoing monitoring extra |
| Biometric liveness detection | $0.50-3 | Critical for remote onboarding |
| Business verification (KYB) | $10-50 | Per entity; includes registry checks |
| Ongoing monitoring (per customer/year) | $1-5 | AML screening and profile updates |
| Manual review (per case) | $5-25 | For failed automated verification |
Compliance Metrics
VASPs should track the following KYC operational metrics:
- Verification pass rate: Industry benchmark 85-95% for automated verification. Rates below 80% suggest overly restrictive rules or document coverage gaps.
- Average verification time: Target under 2 minutes for automated, under 24 hours for manual review.
- False rejection rate: Target below 5%. Higher rates create customer friction without compliance benefit.
- Re-verification completion rate: Target above 90% for periodic re-verification campaigns.
- EDD trigger rate: Typically 5-15% of customers require enhanced due diligence.
- Onboarding abandonment rate: Industry average 30-40%. High rates may indicate excessive friction in the verification process.
Regulatory Examination Expectations
Examiners reviewing KYC compliance will typically assess:
- CIP program adequacy: Are all required data elements collected? Is verification performed using acceptable methods?
- Risk rating methodology: Is the customer risk rating methodology documented, consistent, and appropriate for the firm’s risk profile?
- EDD procedures: Are high-risk customers identified and subject to appropriate enhanced due diligence?
- Beneficial ownership: For entity accounts, are all beneficial owners identified and verified?
- Ongoing monitoring: Is customer information kept current? Are periodic reviews conducted based on risk rating?
- Record retention: Are KYC records retained for the required period (typically 5 years after the end of the business relationship)?
- Technology validation: Has the identity verification technology been validated for accuracy and reliability?
- Sample file review: Examiners will pull a sample of customer files to verify compliance in practice, not just in policy.
Compliance teams should maintain examination-ready customer files and conduct periodic quality assurance reviews of a random sample of onboarding files to identify and remediate any deficiencies before an examination occurs.
For KYC platform options, see the Sumsub profile and Sumsub vs Jumio comparison. For the KYC glossary entry, see What is KYC Verification?. For beneficial ownership requirements, see What is Beneficial Ownership?. For the AML program framework, see the AML program guide. For official guidance, see FATF customer due diligence guidance and FinCEN CDD requirements.