Crypto Know Your Customer (KYC) is the identity-verification process that a crypto exchange, wallet, or Virtual Asset Service Provider (VASP) applies to every user it onboards, under Anti-Money Laundering (AML) law. At its core, crypto KYC is the same as banking KYC: collect identity, verify it, screen it, and monitor behaviour after. The difference is that crypto lives on public ledgers, moves across borders in seconds, and started life with a strong anti-identity culture that regulators have since pushed back against.
This guide takes the global picture seriously, then does something most crypto KYC articles skip: it covers India, which since March 2023 has been one of the most consequential crypto AML jurisdictions in the world.
What is Crypto KYC?
Crypto KYC is the set of identity and due diligence checks a VASP or crypto platform runs to confirm who its users are, screen them for sanctions and financial-crime risk, and monitor their activity over time. It exists because financial regulators classify most crypto services as obligated entities under AML law, which means the same rules that apply to banks apply to exchanges.
Definition and Scope
At a practical level, crypto KYC covers identity capture at sign-up, verification of ID documents, liveness and biometric checks, sanctions and Politically Exposed Person (PEP) screening, risk scoring, and ongoing transaction monitoring. It is not a one-time gate. It is a lifecycle. A strong baseline KYC programme for a crypto platform maps closely to the same baseline a bank runs; our general KYC compliance guide covers those fundamentals.
Why Crypto Needs KYC: Privacy vs Compliance
Crypto started with a strong philosophical preference for pseudonymity. Regulators, looking at the same property, saw a laundering and sanctions-evasion risk. That tension has not gone away, but the regulatory side has largely won in centralised crypto. The United States, the European Union, the United Kingdom, Singapore, the UAE, and India have all mandated KYC for regulated intermediaries. Our breakdown of money laundering risks in cryptocurrency captures why regulators intervened. Privacy is still a live concern, but the privacy fight is now about how KYC data is handled, not whether KYC should exist.
That settles the “what and why.” The more practical question is: who actually has to do this?
Who Must Do Crypto KYC?
The short answer is: anyone that falls within a regulator’s definition of a VASP, a Money Service Business (MSB), or a Virtual Digital Asset (VDA) service provider. That covers more of the crypto ecosystem than many operators initially expected.
Centralised Exchanges (CEXs)
Every centralised crypto exchange operating in a FATF-aligned jurisdiction must run KYC. That is true whether the exchange offers fiat on-ramps, crypto-only trading, or derivative products. Many exchanges have tried limiting KYC to withdrawal or large-trade thresholds, and most have been pushed by regulators to KYC at sign-up instead.
Custodial Wallets
If a wallet provider holds private keys on behalf of the user, it is custodial. Custody triggers VASP classification in most jurisdictions. That means custodial wallets carry the same KYC obligations as exchanges, regardless of how they are branded.
Decentralised Exchanges (DEXs): The Grey Zone
A true DEX where users retain full self-custody and the protocol only facilitates peer-to-peer swaps is the grey zone. FATF guidance has been pushing to extend obligations to anyone who controls or has sufficient influence over a protocol, but national implementation varies widely. Expect this zone to narrow over the next two to three years.
VDA Service Providers in India
India moved decisively in March 2023. Every entity that falls within the definition of a VDA service provider, whether Indian or foreign, must now register with FIU-IND as a reporting entity and run a full KYC/AML programme. The practical effect is captured well in Medianama’s coverage of FIU-IND enforcement against offshore crypto platforms: “Since March 2023, VDA service providers operating in India, whether domestic or foreign, are required to register with FIU-IND as reporting entities under the AML/CFT framework.” No offshore carve-outs apply.
The perimeter is set. The next question is what the programme has to look like inside that perimeter.
The 3 Components of Crypto KYC
A crypto KYC programme rests on three interlocking components. They mirror the structure of any AML programme, adapted for crypto-specific risks.
Customer Identification Program (CIP)
CIP is the identity gate. It captures government-issued ID, address proof, a selfie, and device and session signals. Indian VDA platforms typically collect PAN and Aadhaar at this step, with strong liveness and selfie-match checks layered in. The output of CIP is a unique, verified identity record that downstream systems can query.
Customer Due Diligence (CDD / EDD)
CDD builds the risk profile. The platform captures declared activity, source of funds, and in some cases source of wealth. High-risk users (PEPs, users from high-risk jurisdictions, or accounts with unusual funding patterns) trigger Enhanced Due Diligence. EDD adds deeper source-of-funds checks and senior-approval steps before the relationship proceeds. See our AML compliance overview for how CDD fits into the broader AML chain.
Ongoing Transaction Monitoring
Monitoring is what makes the programme continuous. On crypto, this means both traditional behavioural monitoring (structuring, sudden spikes, rapid in-and-out) and wallet-level blockchain analytics to check for counterparties linked to sanctioned addresses, mixers, or known fraud clusters. Our guide to AML transaction monitoring covers the mechanics at the AML layer.
With the components defined, the practical onboarding flow follows predictably.
The Crypto KYC Process Step by Step
The typical crypto KYC flow runs five steps, usually completed in a single sitting, sometimes with a manual review for complex cases.
Step 1: ID and Document Collection
The user uploads a government-issued photo ID (passport, national ID, or in India, Aadhaar with PAN). Platforms often request proof of address for higher tiers. Document capture should be done via camera, not via upload of stored files, to block recycled or edited documents. See our PAN KYC verification guide for the India-specific layer.
Step 2: Biometric and Liveness Checks
A selfie is captured and matched against the photo on the ID. Liveness detection confirms that the person on screen is live and present, not a photo, screen replay, or deepfake. This step has become the most important defence against synthetic-identity attacks on crypto platforms.
Step 3: AML and Sanctions Screening
The verified identity is screened against sanctions lists (UN, OFAC, EU, MHA India), PEP databases, and adverse-media sources. In crypto, the screen also extends to any declared external wallet addresses. Our sanctions screening explainer covers the full screening stack.
Step 4: Risk Scoring and Tier Assignment
Each verified user is scored low, medium, or high risk based on identity, geography, declared activity, and initial signals. The score maps to a tier: basic, intermediate, or enhanced KYC. Platforms often use tiers to gate features such as deposit and withdrawal caps, fiat on-ramp access, and derivatives trading.
Step 5: Ongoing Monitoring
After onboarding, behavioural monitoring runs continuously. Triggers like a large first-time deposit, a counterparty flagged by blockchain analytics, or a change in declared details kick off a review. Periodic re-KYC refreshes the identity record on a cadence set by policy, usually 1 to 3 years depending on the risk tier.
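The behavioural signals named under Ongoing Transaction Monitoring and the review triggers in Step 5 can be expressed as simple rules over a transaction history. The sketch below is an added example, not code from this guide or from any vendor's product; the `Tx` fields, trigger names, thresholds, and addresses are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000        # hypothetical; every value here is an assumption
NEAR_BAND = 0.9                  # "just under" = 90-100% of the threshold
STRUCTURING_COUNT = 3            # near-threshold deposits per window
WINDOW = timedelta(hours=24)
RAPID_OUT = timedelta(hours=1)   # withdrawal this soon after a deposit
FIRST_DEPOSIT_LIMIT = 5_000      # "large" first-time deposit

@dataclass
class Tx:
    user: str
    ts: datetime
    direction: str       # "in" (deposit) or "out" (withdrawal)
    amount: float
    counterparty: str    # external wallet address

def review_triggers(txs, flagged_addresses):
    """Return {user: sorted trigger names} for users needing a review."""
    by_user = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        by_user.setdefault(tx.user, []).append(tx)
    alerts = {}
    for user, history in by_user.items():
        hits = set()
        deposits = [t for t in history if t.direction == "in"]
        if deposits and deposits[0].amount >= FIRST_DEPOSIT_LIMIT:
            hits.add("large_first_deposit")
        if any(t.counterparty in flagged_addresses for t in history):
            hits.add("flagged_counterparty")
        # Structuring: several deposits just under the threshold in one window.
        near = [t for t in deposits
                if NEAR_BAND * REPORT_THRESHOLD <= t.amount < REPORT_THRESHOLD]
        for i, first in enumerate(near):
            if sum(t.ts - first.ts <= WINDOW for t in near[i:]) >= STRUCTURING_COUNT:
                hits.add("structuring")
                break
        # Rapid in-and-out: most of a deposit leaves again within RAPID_OUT.
        for d in deposits:
            if any(o.direction == "out" and o.amount >= NEAR_BAND * d.amount
                   and timedelta(0) <= o.ts - d.ts <= RAPID_OUT for o in history):
                hits.add("rapid_in_and_out")
                break
        if hits:
            alerts[user] = sorted(hits)
    return alerts

def sample_transactions():  # constructed sample data; users and addresses are made up
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        Tx("alice", t0, "in", 9_500, "addr_a"),
        Tx("alice", t0 + timedelta(hours=3), "in", 9_700, "addr_a"),
        Tx("alice", t0 + timedelta(hours=6), "in", 9_900, "addr_a"),
        Tx("bob", t0, "in", 2_000, "addr_b"),
        Tx("bob", t0 + timedelta(minutes=20), "out", 1_950, "addr_flagged_1"),
        Tx("carol", t0, "in", 300, "addr_c"),
    ]

SAMPLE_FLAGGED = {"addr_flagged_1"}  # stand-in for a blockchain-analytics list
```

Each trigger opens a review rather than deciding an outcome; a production rule set would be tuned per risk tier and jurisdiction.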
The operational flow is shaped by the regulators that sit behind it. The global picture sets the floor.
The Global Regulatory Framework
Crypto KYC lives under a layered set of global and regional frameworks. They are not identical, but they rhyme.
FATF Guidance and the Travel Rule
The Financial Action Task Force recommended in 2019 that its Travel Rule be extended to Virtual Assets and VASPs. The Travel Rule requires originator and beneficiary information to accompany transactions above a specified monetary amount. See Notabene’s overview of the Crypto Travel Rule for a clean primer: “The Crypto Travel Rule requires virtual asset service providers (VASPs) to identify and share the origins and destinations of crypto transactions above a specific threshold.” KYC is the prerequisite. Without verified identity data, the Travel Rule is impossible to enforce.
United States (BSA, FinCEN, MSB Classification)
In the United States, most VASPs are classified as Money Service Businesses (MSBs) under the Bank Secrecy Act. That brings them inside FinCEN’s jurisdiction, with obligations to register, run a written AML programme, file CTRs and SARs, and comply with the US Travel Rule threshold.
European Union (MiCA and AMLR)
The EU Markets in Crypto-Assets regulation (MiCA) applies a consistent licensing regime to crypto-asset service providers across member states. Alongside it, the new EU Anti-Money Laundering Regulation and the Anti-Money Laundering Authority (AMLA) give the bloc a single AML supervisor for the highest-risk entities. The combination pushes every EU-facing VASP toward a unified compliance floor.
United Kingdom (FCA Crypto-Asset Registration)
UK crypto-asset firms must register with the Financial Conduct Authority under the Money Laundering Regulations. Registration is contingent on a credible KYC/AML programme. A separate Financial Promotions regime governs how firms can market to UK consumers. Both regimes sit on top of KYC, not in place of it.
Global is the floor. India is where the operational reality for most regional platforms plays out.
Crypto KYC in India (FIU-IND and PMLA)
India’s crypto AML framework came together quickly. Between March and May 2023, the Ministry of Finance brought Virtual Digital Asset services under the Prevention of Money Laundering Act, the Ministry of Electronics and Information Technology took a parallel position on online gaming intermediaries, and FIU-IND began registering domestic and offshore exchanges as reporting entities. For a good legal primer on how the PMLA route works for digital-first operators, see law.asia’s PMLA explainer, which captures the section 2(wa) reporting-entity classification now extended to VDAs. Our broader overview of cryptocurrency law and regulations around the world provides the global comparator.
PMLA Extension to Virtual Digital Assets (2023)
The March 2023 notification brought a defined set of VDA activities (exchange, transfer, safekeeping, administration, and financial service participation) squarely within the PMLA. Any entity performing those activities in or toward the Indian market is a reporting entity, subject to KYC, monitoring, reporting, and recordkeeping duties.
FIU-IND Registration Requirements
Every VDA service provider must register with FIU-IND, designate a Principal Officer and Designated Director, and begin filing STRs, CTRs, and CCRs through the FINGate portal. Registration is not optional, and failure to register is itself a violation. This is the single most consequential compliance step for anyone running crypto services in India. Our guide to the anonymous crypto wallet risk landscape captures why regulators moved so firmly on registration.
Offshore Exchange Registrations
The 2023 framework applies whether the exchange is based in India or not. Several offshore exchanges responded by registering with FIU-IND in order to continue serving Indian users; others withdrew from the market. Medianama’s coverage notes that multiple global platforms have registered with FIU-IND and resumed services on that basis. Operators considering the Indian market should plan registration as a condition of entry, not a later-stage compliance cleanup.
Aadhaar eKYC and Video KYC for Crypto Platforms
India’s digital identity stack is what makes compliant onboarding at scale viable. Aadhaar eKYC gives instant identity verification; Video KYC provides the regulated remote alternative for higher-assurance onboarding. Our overview of Aadhaar eKYC benefits and the RBI Video KYC guidelines explainer set out how both work. For sector-specific detail, our crypto verification solution page shows the full stack tuned for VDA providers, and our cryptocurrency AML guide goes deeper on the AML layer.
PAN Linkage and Tax Intersection
Since 2022, crypto transactions in India attract a 1% Tax Deducted at Source (TDS) under section 194S of the Income Tax Act. The practical implication for KYC is that PAN is a necessary identifier for both tax and AML compliance. For entity users, Know Your Business (KYB) processes have to accommodate that. Our KYB for crypto explainer covers the entity-side.
The framework is demanding. The attack surface is evolving just as fast.
Crypto KYC Challenges
A mature crypto KYC programme has to contend with a set of problems that banking programmes rarely meet at the same intensity.
Privacy Concerns
Users entering crypto often value privacy, and regulators require identity. Platforms square this circle through data minimisation, clear retention policies, encryption at rest, and audited third-party processors. Treat privacy as a design constraint, not an afterthought.
Global Variability and Regulatory Arbitrage
A crypto exchange that operates across ten jurisdictions is complying with ten overlapping rulebooks. Inconsistent Travel Rule thresholds, differing sanctions expectations, and uneven enforcement create structural pressure to pick the easiest jurisdiction. That pressure is real, but it is narrowing as FATF tightens mutual evaluations.
Deepfake and Synthetic Identity Attacks
Crypto KYC is the most deepfake-targeted identity channel today. Attackers use face-swap models and liveness-spoof attacks at scale, looking for accounts they can use to cash out stolen crypto. The defensive response is multi-signal liveness, device integrity checks, and continuous monitoring that links multiple accounts by shared behaviour.
DEX and DeFi KYC Tension
Fully decentralised protocols do not have a natural customer-relationship point at which to run KYC. Regulators are responding by targeting the builders, the front ends, and any governance entity with enough influence. Over time, expect DeFi applications to separate into compliant front ends and truly permissionless smart contracts.
Challenges shape design. Tiering is how most platforms convert design into a user-visible policy.
KYC Tiers on Crypto Exchanges
Most exchanges present KYC as tiered access. Users start low and can verify up.
No-KYC / Limited Access Tier
This tier, where it still exists, typically gives a view-only experience or tightly capped trading. It is vanishing from regulated exchanges and persists mainly at the edges of the market.
Basic KYC
Basic KYC collects ID and a selfie, unlocks standard trading, and enables moderate deposit and withdrawal limits. It is the most common tier for casual users.
Full / Enhanced KYC
Full KYC adds proof of address, source-of-funds declarations, and sometimes a video verification. It unlocks fiat on- and off-ramps, higher limits, and access to derivatives products. For institutional customers, this tier shades into Know Your Business.
Tiering is also a compliance signal. Platforms that permit meaningful activity without KYC attract regulatory attention fast.
Consequences of Poor Crypto KYC
Weak crypto KYC produces outcomes that rarely stay internal. They show up in fines, lost banking relationships, and public enforcement.
Regulatory Fines and Deregistration
Regulators can fine, suspend, or deregister non-compliant VASPs. In India, FIU-IND has the statutory power to restrict non-compliant VDA service providers, and has used it. In the United States, FinCEN penalties for Bank Secrecy Act violations can run into tens of millions of dollars. Licence or registration loss is effectively market exit.
Banking and Payment-Rail Risk
Exchanges that lose a fiat banking partner or a card acquirer lose customer access in one of the most damaging ways possible. Banks and processors are watching enforcement closely. Even a warning letter can prompt a de-risking decision upstream.
The costs are heavy enough that “minimally compliant” is not a safe place to sit. The rational platform invests in KYC ahead of the regulator’s arrival.
Crypto platforms in India now operate inside a live, enforced compliance regime. A thin KYC stack is no longer an option. HyperVerge gives VDA service providers Aadhaar eKYC, Video KYC, PAN verification, sanctions and PEP screening, and blockchain-aware monitoring under a single platform.
FAQs
What is KYC in crypto and why is it required?
KYC in crypto is the identity verification process that exchanges, wallets, and other Virtual Asset Service Providers run on every user. It is required because AML laws classify most crypto services as obligated entities, which means identity, screening, and monitoring are legally mandated.
Do all crypto exchanges require KYC?
Every centralised crypto exchange operating in a FATF-aligned jurisdiction requires KYC. A small number of unregulated or offshore platforms still operate without it, but they are increasingly cut off from fiat banking and payment networks.
What happens if a crypto exchange does not do KYC?
An exchange that skips KYC risks fines, deregistration, criminal action against officers, and withdrawal of banking and payment-rail support. In India, FIU-IND has blocked and issued takedown actions against non-registered offshore VDA platforms.
What is the Travel Rule in crypto?
The FATF Travel Rule requires VASPs to share originator and beneficiary information for crypto transactions above a specified threshold. It complements KYC: the Travel Rule uses the verified identity data that KYC produces.
Can you use crypto without KYC?
Users can hold self-custodied crypto in their own wallets without KYC. But every time they touch a regulated intermediary (an exchange, a custodial wallet, a fiat on-ramp), KYC becomes required.
What documents are needed for crypto KYC?
Typically a government-issued photo ID, a selfie for biometric match, and proof of address. In India, PAN and Aadhaar are commonly required. Higher tiers add source-of-funds documentation.
What is a VASP?
A Virtual Asset Service Provider is any entity that exchanges, transfers, custodies, or administers virtual assets as a business. FATF introduced the term, and national regulators have localised it, for example as VDA service providers under Indian law.
Is crypto KYC safe?
Responsible platforms protect KYC data with encryption, strict access controls, and data minimisation. Risk comes less from KYC itself and more from platforms with poor security hygiene. Users should look for transparent data handling and regulatory registration.



