What is KYC and why do crypto exchanges require it?
Know Your Customer (KYC) is the process by which a financial service verifies the identity of its users. In traditional banking it means presenting a passport and a utility bill. In crypto, it means uploading government-issued ID, taking a selfie, and — on some platforms — proving the source of funds for larger deposits. KYC is not optional for regulated exchanges: it is a legal requirement under anti-money-laundering laws in every major jurisdiction.
The reason regulators require KYC in crypto is the same reason they require it in banking: to prevent the financial system from being used to launder the proceeds of crime or finance terrorism. Blockchain transactions are pseudonymous, not anonymous — but without KYC, connecting on-chain addresses to real-world identities requires forensic investigation. KYC short-circuits that by requiring identity verification before funds can be deposited or withdrawn.
What documents are typically required for crypto KYC?
- Government-issued photo ID — passport, national ID card, or driver's licence. Must be valid and clearly readable.
- Proof of address — utility bill, bank statement, or government letter dated within the last three months. Some platforms accept digital bank statements.
- Selfie or liveness check — a photo of you holding your ID, or a short video clip, to confirm the document belongs to you.
- Source of funds declaration — required for high-volume users or when depositing large sums. You may need to show bank statements, payslips, or business accounts.
- Source of wealth declaration — for high-net-worth users or large crypto positions. Explains how you accumulated the assets, not just the specific funds being deposited.
Tier-based KYC is common. On exchanges like Binance and Coinbase, basic email verification allows small withdrawals. Full KYC (ID + selfie) unlocks higher limits. Enhanced due diligence (source of funds) applies to very large accounts.
What is AML and how does it work in crypto?
Anti-Money-Laundering (AML) refers to the broader set of controls that financial institutions use to detect, prevent, and report money laundering. KYC is one component of AML. Other components include transaction monitoring, sanctions screening, Suspicious Activity Reports (SARs), and — specific to crypto — blockchain analytics.
Exchanges use blockchain analytics tools (Chainalysis, Elliptic, TRM Labs) to score incoming deposits based on their transaction history. Funds that have passed through addresses associated with darknet markets, ransomware wallets, or sanctioned entities will trigger enhanced review or automatic rejection. This is why a deposit from a freshly generated address is generally low-risk, while a deposit from a mixer or a hacked exchange address may be blocked.
The three stages of money laundering that AML targets
- Placement — Introducing illicit funds into the financial system. In crypto, this often means converting cash to crypto through peer-to-peer trades, Bitcoin ATMs, or unregulated exchanges.
- Layering — Disguising the trail through multiple transactions, mixing services, chain-hopping, or privacy coins.
- Integration — Making the funds appear legitimate, often by converting back to fiat through exchanges, OTC desks, or real-estate purchases.
Regulated exchanges are required to have controls at each stage. KYC prevents anonymous placement. Transaction monitoring and blockchain analytics detect layering. Enhanced due diligence on large withdrawals disrupts integration.
How blockchain analytics tools work
Blockchain analytics firms build databases linking wallet addresses to real-world entities — exchanges, darknet markets, mixers, sanctions targets — by analysing on-chain clustering patterns, tracing funds through multiple hops, and combining on-chain data with off-chain intelligence (law enforcement data, breach disclosures, open-source information).
When you deposit crypto to a regulated exchange, the exchange's AML tool queries the origin address's risk score. A clean address from a long-held personal wallet scores low risk. An address that received funds from a known ransomware wallet scores high risk and may trigger a freeze and a SAR filing with the relevant financial intelligence unit.
Sanctions screening in crypto: what it means for users
OFAC (the US Office of Foreign Assets Control) maintains a list of sanctioned individuals, entities, and wallet addresses. US exchanges — and any exchange that processes USD or wants access to US correspondent banking — must screen all users and transactions against OFAC's SDN list. Similar lists exist in the UK, EU, and other jurisdictions.
If your wallet address appears on a sanctions list (because it was involved in illicit activity, or in rare cases, by mistake), your funds at regulated exchanges may be frozen. Getting off a sanctions list requires a formal petition to the relevant authority — a slow and expensive process. This is why using mixing services or privacy protocols that obscure transaction history creates compliance risk even for users with legitimate funds.
What triggers enhanced due diligence (EDD)?
- Deposits or withdrawals above $10,000 (US) or equivalent thresholds in other jurisdictions.
- Politically Exposed Persons (PEPs) — senior politicians, executives of state-owned enterprises, and their family members.
- Customers in high-risk jurisdictions as designated by FATF or national regulators.
- Unusual transaction patterns — deposits from multiple sources followed by rapid withdrawal to a new address.
- Inconsistency between stated occupation and transaction volumes.
- Funds linked to high-risk addresses by blockchain analytics.
Decentralised exchanges and KYC: the grey zone
Decentralised exchanges (DEXs) like Uniswap and dYdX operate via smart contracts and do not have a central operator who could collect KYC. Regulators are aware of this and are exploring two approaches: requiring KYC at the fiat on-ramp and off-ramp level (so that funds entering and leaving the crypto ecosystem are verified, even if DEX activity is unverified), and potentially requiring DEX front-end operators to implement identity checks.
The EU's MiCA regulation does not directly apply to fully decentralised protocols with no identifiable issuer or provider. However, the question of whether a DAO governance token constitutes a security, and whether governance participants have legal obligations, remains unsettled in 2026.
How to stay KYC/AML compliant as a crypto user
- Complete KYC honestly and fully on every regulated platform you use. Providing false information is fraud.
- Keep records of your transaction history, including the source of funds for large deposits.
- Avoid mixing services, privacy coins for large amounts, or protocols that have been flagged by OFAC.
- If you receive funds from unknown sources (unsolicited airdrops, potential dusting attacks), research the source before moving them.
- If you are flagged by an exchange's AML system, cooperate with their compliance team and provide documentation explaining the source of funds.
This article is for informational purposes only and does not constitute legal or financial advice. AML/KYC requirements vary by jurisdiction. Consult a compliance professional for guidance specific to your situation.




