The Dyme Ultimate Guide to DeFi KYC

Depending on the jurisdiction, Know Your Customer (often abbreviated as “KYC”) regulations are relevant to almost all institutions dealing with money, meaning virtually any business needs to know their customers’ identities. KYC isn’t only for DAOs, and it isn’t just for decentralized finance. It isn’t even just for finance. But in finance, which includes DeFi, KYC is a very big deal.

How do cryptocurrencies work in the regulated world of finance?

The big deal sometimes gets lost in the sea of acronyms that surround the DeFi industry and the sometimes overlapping acronyms embedded in traditional financial institutions. The world of fraud and financial crimes is filled with abbreviations.

It isn’t just KYC. Anti-money laundering (AML) and countering the funding of terrorism (CFT) are sometimes merged into AML/CFT. Another acronym used often is FATF – for the Financial Action Task Force, the global money laundering and terrorist financing watchdog.

The jargon can get pretty dense with acronyms, so we’ll try to provide definitions and context as we explore the fascinating world of decentralized finance and identity verification.

Financial crime desperately needs a Jack Klugman-like character and a TV show. If it worked back in 1976 for what Quincy, M.E. called “the fascinating sphere of police work, the world of forensic medicine,” it should work for financial crimes, right?

Such a show hasn’t yet been written, so we’ve compiled a guide to DeFi KYC. This Dyme Piece provides insight into how Dyme manages KYC and its importance to the DeFi industry.

What is KYC?

The acronym KYC means Know Your Customer. Since KYC also involves the identity of corporations and other legal entities, it is sometimes expanded to Know Your Client.

A KYC check is the process of collecting and verifying identity information from a customer or client such that they are known by the entity doing the check. The term covers more than verifying the customer’s identity: to pass KYC means to have confidence the customers are not bad actors.

The Bank Secrecy Act (BSA) and KYC in the United States

There is no one global standard. Dyme adopted the most stringent posture we could find.

KYC and anti-money laundering (AML) are often used interchangeably in the decentralized finance community. In the United States, the Bank Secrecy Act (BSA) and related regulations impose obligations on banking institutions to assist U.S. government agencies in detecting and preventing money laundering.

A DeFi service’s claim that it is or plans to be “fully decentralized” does not impact its status as a financial institution under the BSA. A DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized or decentralized, will be required to comply with BSA obligations, including AML/CFT obligations. The BSA imposes such commitments on a wide range of financial entities. Whether an entity, including a DeFi platform, is a covered financial institution will depend on the specific facts and circumstances surrounding its financial activities.

FATF: The Global Money Laundering and Terrorist Financing Watchdog

Under the standards set by the Financial Action Task Force (FATF), the global standard-setting body for AML/CFT, DeFi services that lack an entity with sufficient control or influence over the service may not be explicitly subject to AML/CFT obligations, which could lead to potential gaps for DeFi services in jurisdictions like the United States.

This means that different jurisdictions tackle anti-money laundering in different ways. For example, the United States Department of the Treasury recently released an assessment of the risk of illicit financial transactions using DeFi protocols. In the evaluation, Treasury described how going beyond the FATF standard and enabling stricter KYC processes for DeFi platforms made sense. While DeFi industry leaders endorsed KYC solutions, Treasury’s construct of going beyond the standards for traditional finance was met with skepticism.

In some cases, it was met with outrage. Regardless, money laundering is universally a bad thing, whether it happens in decentralized finance or at a local bank branch.

What are the three components of KYC?

Customer Identification Program

Following the money that comes into your crypto is essential to AML.

The first step in the KYC process is establishing that the customer is who they claim to be. This requires any customer – both individual and corporate – to have their identity verified. The verification process is called a Customer Identification Program (CIP).

Certain information and identity documents are collected for individuals, including the identified ultimate beneficial owners (UBOs) of corporate entities. AML regulations generally call for name, date of birth, nationality, country of residence, physical address, and a tax ID or national ID number.

The identity documents help to confirm the information provided in the KYC compliance process. For instance, proof of address, like a utility bill, can validate a physical address. Proof of identity, like a passport, can validate the date of birth, name, and nationality. Depending on the country, other documents may fill in the information gaps.

This is one area where DeFi KYC is important, as most institutional investors who have bought into DeFi protocol token sales are corporate entities. Their KYC process is similar, though the documentation is understandably different. Corporate customers, or entities, have their own set of KYC measures to follow.

The documents and questions tend to include corporate name, location and articles of incorporation, partnership agreements, business licenses, and financial statements. A table of investors is also needed to determine the UBOs mentioned earlier.

The various levels of CDD start with checks against sanctions lists and PEP lists. Thus, they all improve identity verification.

A DeFi platform is uniquely positioned to take advantage of technology tools readily available to engage in smart compliance. Verification beyond documents and questions can be used. For example, the location of the IP address of the device submitting the application can support or inform the customer’s residency.

By implementing a robust CIP as part of their KYC program, financial institutions can meet their regulatory obligations and demonstrate their commitment to preventing financial crimes and protecting their customers and the broader financial system.

Customer Due Diligence

By this point in the article, you probably expect Customer Due Diligence to be shortened to CDD. You’re right. CDD establishes a customer’s risk level and how much they can be trusted.

There are three levels of CDD: Basic, Simplified, and Enhanced. And shockingly, they’re called BDD, SDD, and EDD. Basic is done on everyone and typically includes a check against sanctions lists and lists of Politically Exposed Persons (a PEP list).

Simplified and Enhanced Due Diligence are conducted as needed to gather more detailed information about a customer, particularly those considered higher-risk, such as politically exposed persons (PEPs) or customers from high-risk jurisdictions.

The purpose of EDD is to obtain a deeper understanding of a customer’s activities, sources of wealth, and potential risk factors to ensure they are not engaged in money laundering, terrorist financing, or other illegal activities.

EDD can involve collecting additional information beyond what is typically obtained during standard KYC due diligence, and extensive EDD may be required, including external data sources and further verification checks.

Regulators specify the need to carry out EDD but do not detail the exact steps to be taken. Thus, it is up to DeFi platforms to establish the appropriate risk level and build suitable KYC solutions to meet those requirements.

CDD is an ongoing process, not just carried out when onboarding a new customer. CDD continues during the life of the customer’s relationship because their activity and risk profile can change over time. Periodic CDD monitoring is the standard, with frequency varying based on the customer’s risk profile. Audit of CDD is both an internal process and something to expect from regulators, so full CDD and EDD records must be kept.

Ongoing Monitoring

KYC is not just about checking new customers during onboarding. This is important, of course, and will establish the identity and initial risk level of the customer. Still, financial institutions must also have a program in place for ongoing KYC checks and monitoring.

Ongoing monitoring will identify changes in customer activity that may warrant an adjustment in risk profile or further investigation. The level and frequency of monitoring will depend on the customer’s perceived risk and the institution’s strategy.

Monitoring should look at factors including:

  • Customer transaction types, frequency, and amounts
  • Changes in customer or transaction locations
  • Inclusion on Politically Exposed Persons (PEP) or sanction lists
  • Adverse media coverage

Who Needs KYC?

Reasonably, all DeFi platforms should have KYC in place. DeFi projects which hold the “unregulated DeFi” position are typically sued by regulators and subject to scrutiny by law enforcement agencies.

Taking the KYC measures of traditional finance and making them work with decentralized financial transactions is often a good first step.

Implementing KYC at Dyme

Dyme’s CIP blends TradFi checks with technology solutions.

Dyme evaluated a half dozen third-party providers to support our know your customer (KYC) process and risk management program. Internally, we used the term “decentralized compliance” to describe the ideal state of automated risk management and secure access to the collected information.

We will keep working toward that ideal state. It’s a long road.

Dyme’s CIP

Dyme’s KYC measures begin with CIP. From our mobile-first web app, Dyme collects information and documents for verification. We also use technology to identify the use of VPNs, which might indicate an intent to bypass our processes.

We use third-party APIs to identify the device’s location during the customer application. Dyme requires location information during sign-up and sign-in, amplifying the importance of location information.

Thus, Dyme combines technology and information collection to inform our CIP.

Dyme’s CDD

This is the central piece of Dyme’s compliance program. Using third-party services, Dyme performs biometric analysis on users and compares that to the images on their documents, checks documents and written responses against more than 10,000 data sources to confirm or inform risk level, and evaluates the accuracy of submitted documents against more than 4,000 types of identity documents.

Dyme uses technical means of data collection for tasks as varied as informing location and revealing the use of VPN technology. Dyme’s web app requires users to allow geo-information sharing as a condition of use, which aligns with the best practices described earlier in this Dyme Piece.

Dyme’s third-party service provider consolidates the evaluation into a numeric score using a series of weighted factors. The consolidation allows Dyme to manage the due diligence process programmatically. This supports Dyme’s efforts to move toward decentralized compliance.

Dyme’s Ongoing Monitoring

Dyme uses a third-party service to monitor PEP list inclusion, sanction list inclusion, and adverse media for our users. The frequency of the monitoring depends on the risk level of the user’s CDD.

We also identify each customer’s location at the start of each application session using third-party technology APIs.

Closing

Keeping bad actors from infecting DeFi platforms is a collective effort. Unfortunately, regulatory regimes don’t provide clear guidance on how to comply, focusing on end goals and forcing businesses to implement different solutions in their own way.

Fortunately, DeFi applications can work together toward bringing KYC into decentralized finance (DeFi), and they can examine the work of existing financial services firms to understand how they manage risk and perform KYC.
