KYC/AML Pipeline Architecture
TL;DR
- KYC (Know Your Customer) is the identity verification pipeline that every user passes through before they can trade or withdraw — it combines document verification, biometric liveness checks, and sanctions/PEP screening into a single onboarding flow
- The pipeline is tiered: Simplified Due Diligence (SDD) for low-risk users, standard Customer Due Diligence (CDD) for most retail, and Enhanced Due Diligence (EDD) for PEPs, high-risk jurisdictions, and large-volume accounts — each tier adds verification steps and ongoing monitoring intensity
- Document verification extracts data from government-issued IDs (passport, driver's license, national ID) using OCR, then cross-checks security features (holograms, microprints, MRZ codes) against a database of 14,000+ document templates — NFC chip reading is becoming mandatory in some jurisdictions for tamper-proof verification
- Liveness detection prevents fraudsters from using photos, masks, or deepfakes to pass biometric checks — modern systems build a 3D facial map in under a second and detect injection attacks where synthetic video is fed directly into the camera pipeline, bypassing the physical camera entirely
- Sanctions screening runs customer data against OFAC's SDN list, EU consolidated sanctions, UN sanctions, and jurisdiction-specific lists — this happens at onboarding and continuously as lists are updated, because OFAC enforces on a strict liability basis (ignorance is not a defense)
- PEP screening identifies Politically Exposed Persons and their close associates, automatically triggering Enhanced Due Diligence — PEP status alone does not block onboarding but requires senior management approval and enhanced ongoing monitoring
- Ongoing transaction monitoring (KYT — Know Your Transaction) uses blockchain analytics to score every deposit and withdrawal in real time, flagging funds that have touched sanctioned wallets, darknet markets, mixers, ransomware addresses, or other high-risk categories
- Risk scoring is a composite number derived from identity risk (document quality, liveness confidence), geographic risk (jurisdiction, IP geolocation), behavioral risk (transaction patterns, velocity), and blockchain exposure risk (Chainalysis/Elliptic scores) — this score determines monitoring intensity and can trigger re-verification
- Major vendors: Sumsub and Jumio for identity verification and liveness, Chainalysis KYT and Elliptic for blockchain analytics, with Onfido (now Entrust IDV) as an alternative — vendor selection depends on jurisdiction coverage, document database breadth, and API latency requirements
- Regulatory drivers: BSA (US), MiCA and 6AMLD (EU), FATF Recommendations (global) — MiCA became fully enforceable December 30, 2024, with over 50 crypto firms losing licenses by February 2025 for failing KYC/AML requirements
- The cost of getting it wrong: Binance paid $4.3 billion in November 2023 for systematic AML/KYC failures, the largest settlement in crypto history — Coinbase was fined $100 million in 2023 — these are not theoretical risks
1. Why KYC/AML Exists in Crypto
Crypto exchanges are classified as Money Services Businesses (MSBs) in the US under the Bank Secrecy Act and as Virtual Asset Service Providers (VASPs) under FATF terminology. This classification carries the same KYC/AML obligations as traditional financial institutions: verify who your customers are, screen them against sanctions and watchlists, monitor their transactions for suspicious activity, and file Suspicious Activity Reports (SARs) when something looks wrong.
The regulatory logic is straightforward. Pseudonymous blockchain addresses make crypto an attractive channel for money laundering, sanctions evasion, and terrorist financing. KYC/AML requirements force exchanges to be the checkpoint — the point where pseudonymous on-chain activity connects to a verified real-world identity.
Three regulatory frameworks drive most of the requirements:
Bank Secrecy Act (BSA) — United States
Requires MSBs to implement a written AML program, perform Customer Identification Program (CIP) checks, file SARs for suspicious transactions above $5,000, and file Currency Transaction Reports (CTRs) for transactions above $10,000. FinCEN is the primary enforcer.
Markets in Crypto-Assets (MiCA) — European Union
Became fully enforceable December 30, 2024. Requires CASPs (Crypto-Asset Service Providers) to implement KYC/AML procedures equivalent to those required of traditional financial institutions. Mandates the Travel Rule with no transition period. More than 50 crypto firms had licenses revoked by February 2025 for non-compliance.
FATF Recommendations — Global
The Financial Action Task Force sets the global standard. Recommendation 10 requires CDD. Recommendation 16 requires the Travel Rule. Recommendation 20 requires SAR filing. Countries that don't implement FATF standards risk being placed on the FATF "grey list," which restricts their financial institutions' access to the global banking system.
2. The End-to-End KYC Pipeline
A user's journey from signup to fully verified account passes through multiple verification stages. Each stage can pass, fail, or escalate to manual review.
User Signup
|
v
+-------------------+
| 1. Data Collection | Name, DOB, address, nationality,
| (Self-declared) | tax ID, source of funds
+-------------------+
|
v
+-------------------+
| 2. Document | Upload government ID (passport,
| Verification | driver's license, national ID)
| | OCR extraction + template matching
| | + NFC chip read (if supported)
+-------------------+
|
v
+-------------------+
| 3. Liveness Check | Selfie capture with passive liveness
| + Face Match | 3D face map vs. document photo
| | Injection attack detection
+-------------------+
|
v
+-------------------+
| 4. Sanctions & | OFAC SDN, EU sanctions, UN sanctions
| PEP Screening | PEP databases, adverse media
| | Fuzzy name matching
+-------------------+
|
v
+-------------------+
| 5. Risk Scoring | Composite score from identity,
| | geography, behavior signals
| | Determines CDD tier
+-------------------+
|
+---> Low risk: SDD --> Approved (basic limits)
|
+---> Medium risk: CDD --> Approved (standard limits)
|
+---> High risk: EDD --> Manual review queue
| Senior management approval
| Source of funds documentation
|
+---> Rejected --> Account blocked / SAR filed
The entire automated pipeline — from document upload to approval — typically completes in 30-90 seconds for standard CDD. EDD cases requiring manual review can take 24-72 hours.
3. Document Verification
Document verification is the foundation of the KYC pipeline. The system must confirm that the document is genuine, unaltered, and belongs to the person presenting it.
How It Works
When a user uploads a government-issued ID, the verification system performs several checks in sequence:
Step 1: Document Classification
The system identifies the document type (passport, driver's license, national ID, residence permit) and the issuing country. This determines which template to match against.
Step 2: Data Extraction (OCR)
Optical Character Recognition extracts all text fields — name, date of birth, document number, expiration date, nationality. For passports and many national IDs, the Machine Readable Zone (MRZ) provides a structured, checksummed data source that is more reliable than visual text OCR.
Step 3: Template Matching
The extracted document is compared against a database of known document templates. Sumsub's database contains over 14,000 document templates. The system checks:
- Font consistency (correct typeface for the issuing country/document version)
- Hologram and watermark placement
- Microprint patterns
- Color profile and background patterns
- Security feature positions (e.g., UV-reactive elements in scanned documents)
- Document dimensions and layout
Step 4: Forgery Detection
AI models look for signs of tampering:
- Pixel-level inconsistencies around text fields (suggesting text was digitally altered)
- Mismatched fonts or font sizes within the same field
- Incorrect security feature patterns
- Photo substitution artifacts (edges, lighting mismatches around the portrait)
- Metadata anomalies in the uploaded image file (EXIF data, compression artifacts)
Step 5: NFC Chip Verification (When Available)
Modern passports and some national IDs contain NFC chips that store the holder's data and photo, digitally signed by the issuing government. Reading this chip provides the strongest verification signal because:
- The data is cryptographically signed — any alteration is detectable
- The chip photo can be compared to both the document photo and the liveness selfie
- It proves the physical document exists (you cannot NFC-read a photoshopped image)
NFC verification is now mandatory for KYC in Turkey, Thailand, and Vietnam, and is increasingly requested by regulators elsewhere.
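Step 2 above relies on the MRZ being checksummed. The following Python example is added here to show what that check actually involves; it is not code from this document or from any vendor's SDK. It parses a two-line TD3 passport MRZ and verifies all five check digits with the ICAO Doc 9303 weighted 7-3-1 scheme. The sample MRZ is constructed from the ICAO specimen passport data, and the tampered variant (one birth-date digit changed) is constructed to show how a misread or altered field surfaces as failed check digits, which in a pipeline should route the capture to a retry or manual review rather than being trusted.

```python
"""Parse a TD3 (passport) Machine Readable Zone and verify its check digits.

Field positions and the 7-3-1 check-digit scheme follow ICAO Doc 9303.
Illustrative implementation, not any vendor's product code.
"""
import re

WEIGHTS = (7, 3, 1)
MRZ_LINE = re.compile(r"[A-Z0-9<]{44}")


def mrz_char_value(ch: str) -> int:
    """Value of one MRZ character for check-digit arithmetic."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10  # A=10 ... Z=35
    if ch == "<":
        return 0  # filler counts as zero
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum of the field with weights 7,3,1 repeating, modulo 10."""
    return sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _digit(ch: str) -> int:
    """Read a check-digit position; '<' is permitted when the optional field is empty."""
    return 0 if ch == "<" else int(ch)


def parse_td3(line1: str, line2: str) -> dict:
    """Split a two-line TD3 MRZ into fields and verify all five check digits.

    Returns the extracted fields plus a 'checks' map and an overall 'valid'
    flag. A failed check digit means the MRZ was misread by OCR or altered;
    either way the extracted data must not be trusted without a retry or
    manual review.
    """
    if not (MRZ_LINE.fullmatch(line1) and MRZ_LINE.fullmatch(line2)):
        raise ValueError("TD3 MRZ lines must be 44 characters of A-Z, 0-9 or '<'")

    surname, _, given = line1[5:].partition("<<")
    number, nationality = line2[0:9], line2[10:13]
    birth, sex, expiry = line2[13:19], line2[20], line2[21:27]
    personal = line2[28:42]
    # The composite check digit covers line-2 positions 1-10, 14-20 and 22-43
    # (1-based), i.e. everything except nationality, sex and itself.
    composite_input = line2[0:10] + line2[13:20] + line2[21:43]

    checks = {
        "number": check_digit(number) == _digit(line2[9]),
        "birth_date": check_digit(birth) == _digit(line2[19]),
        "expiry_date": check_digit(expiry) == _digit(line2[27]),
        "personal_number": check_digit(personal) == _digit(line2[42]),
        "composite": check_digit(composite_input) == _digit(line2[43]),
    }
    return {
        "document_type": line1[0:2].replace("<", ""),
        "issuer": line1[2:5].replace("<", ""),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": number.replace("<", ""),
        "nationality": nationality,
        "birth_date": birth,
        "sex": sex,
        "expiry_date": expiry,
        "personal_number": personal.replace("<", ""),
        "checks": checks,
        "valid": all(checks.values()),
    }


# Constructed sample: the ICAO Doc 9303 specimen passport ("ERIKSSON, ANNA MARIA", issuer UTO).
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed: same MRZ with one birth-date digit changed (simulated OCR misread or tampering).
TAMPERED_LINE2 = SPECIMEN_LINE2[:13] + "740813" + SPECIMEN_LINE2[19:]

if __name__ == "__main__":
    for label, l2 in (("specimen", SPECIMEN_LINE2), ("tampered", TAMPERED_LINE2)):
        result = parse_td3(SPECIMEN_LINE1, l2)
        failed = [name for name, ok in result["checks"].items() if not ok]
        print(f"{label}: valid={result['valid']} failed_checks={failed}")
```

The tampered line fails both the birth-date digit and the composite digit while the other three still pass, which is the normal signature of a single-field OCR error; a forged MRZ that was recomputed to pass all five digits is exactly why MRZ validation is one signal among several and not a substitute for template matching or the NFC chip signature.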
Document Verification Results
| Result | Meaning | Next Step |
|---|---|---|
| APPROVED | Document is genuine, data extracted | Proceed to liveness |
| REJECTED | Document is fraudulent or unreadable | User asked to retry or account blocked |
| NEEDS_REVIEW | Ambiguous result (poor image quality, unusual document) | Manual review queue |
| EXPIRED | Document is past its expiration date | User asked to provide valid document |
Failure Modes
The most common document verification failures are not fraud — they are user errors:
- Glare on the document — reflective surfaces catch light, obscuring security features
- Blurry images — motion blur or focus issues make OCR unreliable
- Cropped or partial captures — edges of the document cut off
- Expired documents — legitimate but no longer valid
- Unsupported document types — the specific document version is not in the template database
Genuine fraud (forged documents, digitally altered IDs) accounts for a smaller but more consequential portion of failures. The rise of AI-generated document images is an emerging threat, though current template-matching systems catch most synthetic documents because they fail on security feature details.
4. Liveness Detection and Biometric Matching
Liveness detection answers a deceptively simple question: is the person in front of the camera a real, live human being? This matters because without it, a fraudster could pass document verification with a stolen ID and then hold a printed photo or play a video of the ID holder to pass the selfie check.
The Threat Landscape
The attack surface for biometric verification has expanded dramatically:
Attack Sophistication (low to high):
Level 1: Printed photo held in front of camera
Detection: Trivial (2D, no depth, no micro-movements)
Level 2: Video replay on a screen
Detection: Moderate (screen edges, moire patterns, refresh rate)
Level 3: 3D-printed or silicone mask
Detection: Hard (realistic depth, some texture)
Level 4: Real-time deepfake (face swap software)
Detection: Very hard (realistic movement, expression)
Level 5: Injection attack (synthetic feed replaces camera)
Detection: Requires device-level integrity checks
Trend: 783% increase in 2024 (iProov data)
In February 2024, a finance worker in Hong Kong wired $25 million after a video call where every participant — the "CFO" and several "colleagues" — was a deepfake. This was a social engineering attack, not a KYC bypass, but it demonstrated the quality of current deepfake technology.
How Modern Liveness Detection Works
Passive Liveness (Friction-Light)
The user takes a single selfie. The system analyzes the image for signs of life without requiring the user to perform any action. AI models examine:
- Skin texture and pore detail (photos and screens lack micro-texture)
- Light reflection patterns in the eyes (3D objects reflect differently than 2D surfaces)
- Depth estimation from monocular cues
- Sub-pixel analysis for screen artifacts (moire patterns, pixel grids)
Passive liveness is preferred for user experience — it adds no friction. Most modern providers (Sumsub, Jumio) use passive liveness as the default.
Active Liveness (Challenge-Response)
The user is asked to perform an action: turn their head, blink, smile, or read a phrase aloud. The system verifies the action was performed naturally. This is harder to defeat with static images or pre-recorded video but adds friction and can fail for users with disabilities.
Active liveness is typically reserved as a fallback when passive liveness confidence is low.
Injection Attack Detection (IAD)
The newest and most critical layer. An injection attack bypasses the camera entirely — the attacker feeds a synthetic video stream directly into the application's camera pipeline at the software level. The camera never sees a real face because the camera is never used.
Detection methods include:
- Device integrity checks (is the camera feed coming from the actual hardware camera?)
- Frame metadata analysis (synthetic frames have different timing and encoding characteristics)
- Environmental consistency checks (lighting, background noise)
The European technical specification CEN/TS 18099 now defines Injection-Attack Detection requirements, and the forthcoming ISO 25456 standard will establish global testing procedures.
Face Match
After liveness is confirmed, the system compares the live selfie to the document photo. This is a standard face-matching operation: the AI extracts facial feature vectors from both images and computes a similarity score. A match above the threshold (typically 85-95% similarity, depending on the provider's configuration) passes.
Face match failures often result from:
- Significant aging between the document photo and the selfie
- Different lighting conditions
- Glasses, hats, or facial hair changes
- Low-quality document photos (older IDs with grainy prints)
5. Sanctions and PEP Screening
Sanctions screening is non-negotiable. OFAC enforces on a strict liability basis — an exchange can face civil penalties even if it had no knowledge it was transacting with a sanctioned party. There is no "we didn't know" defense.
Sanctions Lists
Exchanges must screen against multiple overlapping lists:
| List | Maintained By | Scope | Update Frequency |
|---|---|---|---|
| SDN List (Specially Designated Nationals) | OFAC (US Treasury) | Individuals, entities, vessels, crypto addresses | Multiple times per month |
| Consolidated Sanctions List | EU | Individuals and entities subject to EU restrictive measures | As needed |
| UN Security Council Sanctions | United Nations | Global sanctions for terrorism, proliferation | As resolutions pass |
| HMT Sanctions List | UK Treasury | UK-specific sanctions | As needed |
| SECO Sanctions | Switzerland | Swiss-specific sanctions | As needed |
| Jurisdiction-specific lists | Various | Country-level sanctions and designations | Varies |
Since November 2018, OFAC has added cryptocurrency wallet addresses directly to the SDN list. This means exchanges must screen not only customer names and identification data but also deposit and withdrawal addresses against known sanctioned wallets.
The Fuzzy Matching Problem
Sanctions screening is not a simple database lookup. Names are transliterated across alphabets (Arabic to Latin, Cyrillic to Latin), misspelled, abbreviated, or intentionally varied. A screening system must handle:
- Transliteration variants: Muhammad / Mohammed / Mohamed / Mohamad
- Name order differences: First-Last vs. Last-First
- Missing diacritics: Müller vs. Mueller vs. Muller
- Partial matches: screening "Ali Hassan" should flag "Ali Hassan al-Majid"
- Phonetic similarity: names that sound alike but are spelled differently
This is why sanctions screening uses fuzzy matching algorithms (Levenshtein distance, Jaro-Winkler, phonetic encoding) rather than exact string matching. The tradeoff is false positives — the fuzzier the matching, the more legitimate customers get flagged for manual review.
A typical crypto exchange running sanctions screening on all customers will see a false positive rate of 2-5%, depending on their customer base demographics and matching threshold configuration. Each false positive requires manual review by a compliance analyst, creating significant operational overhead.
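The following Python example is added here to make the fuzzy-matching tradeoff concrete; it is not code from this document or from any screening vendor. It normalizes names (diacritics stripped, punctuation removed, case folded), scores them with a per-token Jaro-Winkler similarity averaged over the shorter name so that name order and partial matches are handled, and screens constructed customers against a constructed, fictitious watchlist at two thresholds. The scoring design and the 0.85/0.80 thresholds are assumptions chosen for illustration; "Mohammed Rahimi" is a constructed legitimate customer who clears at 0.85 but becomes a false positive at 0.80, which is the operational cost the paragraph above describes.

```python
"""Sanctions/PEP name screening with normalisation and fuzzy matching.

Illustrative only: the watchlist entries and customer names are constructed,
and the scoring (per-token Jaro-Winkler averaged over the shorter name) is
one reasonable design, not a vendor's algorithm.
"""
import re
import unicodedata


def normalize(name: str) -> list[str]:
    """Lower-case, strip diacritics (Müller -> muller) and split into tokens.

    Commas and hyphens become token boundaries, so 'Müller, Hans-Peter' and
    'Hans Peter Mueller' yield comparable token lists.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", stripped.casefold()).split()


def jaro(s1: str, s2: str) -> float:
    """Jaro similarity: characters matched within a window, penalised for transpositions."""
    if s1 == s2:
        return 1.0
    if not s1 or not s2:
        return 0.0
    window = max(max(len(s1), len(s2)) // 2 - 1, 0)
    m1, m2 = [False] * len(s1), [False] * len(s2)
    matches = 0
    for i, c in enumerate(s1):
        for j in range(max(0, i - window), min(i + window + 1, len(s2))):
            if not m2[j] and s2[j] == c:
                m1[i] = m2[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    transpositions, k = 0, 0
    for i, c in enumerate(s1):
        if not m1[i]:
            continue
        while not m2[k]:
            k += 1
        if c != s2[k]:
            transpositions += 1
        k += 1
    t = transpositions // 2
    return (matches / len(s1) + matches / len(s2) + (matches - t) / matches) / 3


def jaro_winkler(s1: str, s2: str, scale: float = 0.1) -> float:
    """Jaro similarity boosted for a shared prefix of up to four characters."""
    j = jaro(s1, s2)
    prefix = 0
    for a, b in zip(s1[:4], s2[:4]):
        if a != b:
            break
        prefix += 1
    return j + prefix * scale * (1 - j)


def name_similarity(candidate: str, listed: str) -> float:
    """Order-independent similarity of two names in [0, 1].

    Each token of the shorter name is matched to its best counterpart in the
    longer one, so 'Ahmed Karim' scores 1.0 against 'Ahmed Karim al-Saleh'
    (partial match) and first/last ordering does not matter.
    """
    a, b = normalize(candidate), normalize(listed)
    if not a or not b:
        return 0.0
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return sum(max(jaro_winkler(t, u) for u in long_) for t in short) / len(short)


def screen(customer: str, watchlist: list[str], threshold: float) -> list[tuple[str, float]]:
    """Return (entry, score) for watchlist entries at or above the threshold, best first."""
    scored = [(entry, name_similarity(customer, entry)) for entry in watchlist]
    hits = [(entry, round(score, 3)) for entry, score in scored if score >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed watchlist: fictitious names, not real designations.
WATCHLIST = ["Muhammad Abd al-Rahman", "Müller, Hans-Peter", "Ahmed Karim al-Saleh"]

if __name__ == "__main__":
    customers = ["Mohammed Abdul Rahman", "Hans Peter Mueller", "Ahmed Karim",
                 "Mohammed Rahimi", "Jane Smith"]
    for threshold in (0.85, 0.80):
        print(f"threshold {threshold}:")
        for customer in customers:
            print(f"  {customer:24} -> {screen(customer, WATCHLIST, threshold)}")
```

Lowering the threshold from 0.85 to 0.80 adds the constructed "Mohammed Rahimi" to the review queue without adding any true hit; in production the threshold is tuned per list and per customer demographic against exactly this kind of labelled sample, and every hit still goes to an analyst.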
PEP Screening
Politically Exposed Persons — heads of state, senior government officials, military leaders, senior judiciary members, and their immediate family and close associates — are screened separately because they represent elevated corruption and bribery risk.
PEP status does not automatically disqualify someone from using an exchange. But it triggers Enhanced Due Diligence:
- Senior management must approve the account opening
- Source of wealth and source of funds must be documented
- Transaction monitoring thresholds are lowered (more transactions flagged for review)
- Periodic re-screening is required (PEP status can change)
PEP databases are maintained by commercial providers (Dow Jones, Refinitiv, ComplyAdvantage) and typically cover:
- Current and former PEPs (many jurisdictions require screening for years after leaving office)
- Relatives and Close Associates (RCAs)
- State-Owned Enterprise (SOE) senior officials
Adverse Media Screening
Beyond sanctions and PEP lists, many exchanges screen against adverse media — news articles linking individuals to financial crime, fraud, corruption, or other criminal activity. This is typically done through commercial databases that aggregate and categorize news articles with natural language processing.
Adverse media hits do not automatically trigger account restrictions but contribute to the risk score and may trigger EDD.
6. Risk Scoring
Risk scoring synthesizes all available signals into a single composite score that determines the customer's due diligence tier and ongoing monitoring intensity.
Risk Dimensions
+------------------------------------------------------------------+
| COMPOSITE RISK SCORE |
+------------------------------------------------------------------+
| |
| Identity Risk Geographic Risk Behavioral Risk |
| +--------------+ +--------------+ +--------------+ |
| | Doc quality | | Country of | | Transaction | |
| | Liveness | | residence | | velocity | |
| | confidence | | Nationality | | Deposit/ | |
| | Face match | | IP geoloc | | withdraw | |
| | score | | VPN/proxy | | patterns | |
| | Data | | detection | | Peer group | |
| | consistency| | FATF grey/ | | deviation | |
| | | | blacklist | | | |
| +--------------+ +--------------+ +--------------+ |
| |
| Blockchain Exposure Risk Screening Risk |
| +------------------------+ +------------------+ |
| | Chainalysis/Elliptic | | Sanctions match | |
| | risk score | | PEP status | |
| | Exposure to mixers, | | Adverse media | |
| | darknet, sanctioned | | Watchlist hits | |
| | wallets | | | |
| | Direct vs. indirect | | | |
| | exposure | | | |
| +------------------------+ +------------------+ |
+------------------------------------------------------------------+
Risk Tiers and Due Diligence Levels
| Risk Tier | Score Range | Due Diligence | Verification Requirements | Limits |
|---|---|---|---|---|
| Low | 0-30 | SDD (Simplified) | Basic ID + selfie, automated screening | Standard |
| Medium | 31-60 | CDD (Standard) | Full document verification + liveness, automated screening | Standard |
| High | 61-80 | EDD (Enhanced) | Full verification + proof of address + source of funds documentation + manual review | Reduced until cleared |
| Critical | 81-100 | EDD + Senior Review | Everything above + senior management approval + ongoing enhanced monitoring | Blocked until cleared |
Geographic Risk Weighting
Geographic risk is one of the heaviest factors. Customers from FATF grey-listed or blacklisted jurisdictions automatically receive elevated risk scores:
FATF Black List (High-Risk Jurisdictions Subject to a Call for Action)
As of 2025: North Korea, Iran, Myanmar. Accounts from these jurisdictions are typically blocked outright.
FATF Grey List (Jurisdictions Under Increased Monitoring)
As of early 2025 includes countries like South Sudan, Syria, Yemen, and others with identified strategic deficiencies. Accounts from grey-listed countries receive elevated risk scores and typically require EDD.
Sanctioned Jurisdictions
Beyond FATF lists, jurisdiction-level sanctions (e.g., comprehensive US sanctions on Cuba, Iran, North Korea, Syria, and the Crimea/Donetsk/Luhansk regions of Ukraine) may require outright blocking rather than enhanced due diligence.
Dynamic Re-Scoring
Risk scores are not static. They are recalculated when:
- Sanctions lists are updated (customer data is re-screened)
- Transaction patterns change (velocity spikes, unusual destinations)
- Blockchain analytics flag new exposure (a previously clean wallet receives funds from a sanctioned address)
- Adverse media hits appear
- A SAR is filed on the customer
- The customer's jurisdiction changes regulatory status
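The following Python example is added here to tie the risk dimensions, the tier table and the re-scoring triggers above together in running code; it is not code from this document or from any vendor. The tier boundaries (0-30, 31-60, 61-80, 81-100) and the FATF jurisdictions are taken from this section; the dimension weights, the sub-score formulas, the hard-block rule for black-listed or comprehensively sanctioned jurisdictions, the PEP floor to EDD, and the sample customers are constructed assumptions. The design point it shows is that hard rules and the PEP floor sit outside the weighted sum, so a weighted average can never dilute them.

```python
"""Composite risk scoring with tier mapping and event-driven re-scoring.

Illustrative example, not any vendor's model. Weights, sub-score formulas and
signal values are constructed assumptions; tier boundaries and FATF lists
follow the surrounding document.
"""
from dataclasses import dataclass, replace

FATF_BLACK_LIST = {"KP", "IR", "MM"}                  # North Korea, Iran, Myanmar (2025)
FATF_GREY_LIST = {"SS", "SY", "YE"}                   # South Sudan, Syria, Yemen (subset, early 2025)
COMPREHENSIVELY_SANCTIONED = {"CU", "IR", "KP", "SY"}  # US comprehensive sanctions (regions omitted)

# Assumed weights; they must sum to 1 so the composite stays on a 0-100 scale.
WEIGHTS = {"identity": 0.20, "geographic": 0.25, "behavioral": 0.20, "blockchain": 0.20, "screening": 0.15}
TIERS = [(30, "Low", "SDD"), (60, "Medium", "CDD"), (80, "High", "EDD"), (100, "Critical", "EDD + Senior Review")]


@dataclass(frozen=True)
class Signals:
    residence: str              # declared country of residence (ISO code)
    ip_country: str             # country from IP geolocation
    vpn_detected: bool
    doc_quality: float          # 0-1 confidence from document verification
    liveness_confidence: float  # 0-1
    face_match: float           # 0-1 similarity selfie vs. document photo
    velocity_percentile: float  # 0-100 transaction velocity vs. peer group
    chain_exposure: int         # 0-100 risk score from blockchain analytics
    sanctions_match: bool       # confirmed (analyst-cleared) sanctions hit, not a fuzzy candidate
    pep: bool
    adverse_media_hits: int


def clamp(value: float) -> float:
    return max(0.0, min(100.0, value))


def dimension_scores(s: Signals) -> dict:
    """Express each dimension as 0 (no risk) to 100 (maximum risk)."""
    identity = clamp(100 * (1 - (s.doc_quality + s.liveness_confidence + s.face_match) / 3))
    geographic = 90 if s.residence in FATF_BLACK_LIST else 60 if s.residence in FATF_GREY_LIST else 10
    geographic += 20 if s.ip_country != s.residence else 0  # observed location contradicts declaration
    geographic += 20 if s.vpn_detected else 0
    screening = 100 if s.sanctions_match else 70 if s.pep else 15 * s.adverse_media_hits
    return {
        "identity": identity,
        "geographic": clamp(geographic),
        "behavioral": clamp(s.velocity_percentile),
        "blockchain": clamp(s.chain_exposure),
        "screening": clamp(screening),
    }


def tier_for(score: float) -> tuple[str, str]:
    for upper, tier, due_diligence in TIERS:
        if score <= upper:
            return tier, due_diligence
    return TIERS[-1][1], TIERS[-1][2]


def assess(s: Signals) -> dict:
    """Hard rules first, then the weighted composite, then the PEP floor."""
    if s.sanctions_match or s.residence in FATF_BLACK_LIST or s.residence in COMPREHENSIVELY_SANCTIONED:
        return {"decision": "blocked", "score": 100, "tier": "Critical", "due_diligence": "n/a"}
    dims = dimension_scores(s)
    score = sum(WEIGHTS[k] * v for k, v in dims.items())
    tier, due_diligence = tier_for(score)
    if s.pep and tier in ("Low", "Medium"):
        tier, due_diligence = "High", "EDD"  # PEP status requires EDD regardless of the composite
    decision = "manual review" if tier in ("High", "Critical") else "approved"
    return {"decision": decision, "score": round(score, 1), "tier": tier,
            "due_diligence": due_diligence, "dimensions": dims}


def rescore(current: Signals, **event) -> dict:
    """Recalculate after a monitoring event (new chain exposure, velocity spike, list update)."""
    return assess(replace(current, **event))


# Constructed customers
LOW_RISK = Signals("DE", "DE", False, 0.95, 0.97, 0.93, 20, 5, False, False, 0)
PEP_CUSTOMER = replace(LOW_RISK, pep=True)
BLOCKED_JURISDICTION = replace(LOW_RISK, residence="KP", ip_country="KP")

if __name__ == "__main__":
    print("onboarding:", assess(LOW_RISK))
    print("PEP:", assess(PEP_CUSTOMER))
    print("black-listed:", assess(BLOCKED_JURISDICTION))
    # Re-score when blockchain analytics flag new exposure and velocity spikes
    print("after event:", rescore(LOW_RISK, chain_exposure=95, velocity_percentile=90))
```

The same customer moves from Low/SDD at onboarding to Medium/CDD after the exposure event, which is the re-scoring path the list above describes; the PEP case lands in EDD with a composite that on its own would be Low, and the black-listed residence never reaches the weighted sum at all.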
7. Ongoing Transaction Monitoring (KYT)
KYC verifies identity at onboarding. KYT (Know Your Transaction) monitors activity continuously after that. This is where blockchain analytics providers — Chainalysis, Elliptic, TRM Labs — earn their keep.
How Blockchain Analytics Works
When a customer deposits crypto to the exchange, the analytics system traces the fund origin:
Deposit arrives at exchange
|
v
+---------------------------+
| Blockchain Analytics |
| (Chainalysis KYT / |
| Elliptic Navigator) |
+---------------------------+
|
| Traces fund flow backward through the blockchain
|
v
+---------------------------+
| Risk Classification |
| |
| SEVERE: Sanctioned wallet,|
| terrorist financing |
| --> Block + SAR |
| |
| HIGH: Darknet market, |
| ransomware, mixer |
| (direct exposure) |
| --> Hold + investigate |
| |
| MEDIUM: Indirect exposure |
| (2-3 hops from high- |
| risk source), gambling |
| --> Flag + monitor |
| |
| LOW: Clean fund origin, |
| known exchanges, |
| verified entities |
| --> Process normally |
+---------------------------+
|
v
Alert generated (if applicable)
|
v
Compliance team reviews
|
+---> Clear: transaction proceeds
+---> Suspicious: SAR filed, account restricted
+---> Sanctioned: funds frozen, regulatory report
Direct vs. Indirect Exposure
A critical distinction in blockchain analytics is between direct and indirect exposure:
Direct exposure: The funds came directly from a flagged address. A deposit directly from a known darknet market wallet is direct exposure. This almost always triggers a hold and investigation.
Indirect exposure: The funds passed through one or more intermediate addresses before reaching the exchange. A deposit that is three hops removed from a mixer has indirect exposure. The risk diminishes with each hop, but sophisticated laundering chains are designed to create this exact distance.
Chainalysis KYT and Elliptic both assess both direct and indirect exposure, with configurable thresholds for how many hops to trace and what percentage of indirect exposure triggers an alert.
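The following Python example is added here to show how direct and indirect exposure fall out of a backward trace; it is not Chainalysis, Elliptic or TRM code, which works from attributed on-chain data and proprietary heuristics. The ledger (each address listing the inputs that funded it) and the labels are constructed; exposure is attributed to origins in proportion to input value, hop 1 is the sender itself (direct exposure) and anything further back is indirect. The classification mirrors the SEVERE/HIGH/MEDIUM/LOW ladder in the diagram above, and the hop limit is configurable so the example can show a chain built to sit just beyond it.

```python
"""Trace a deposit's fund origin through a constructed transaction graph and
classify direct vs. indirect exposure.

Illustrative example, not a vendor's analytics engine. Each address lists the
inputs that funded it; exposure is attributed proportionally to input value;
'hops' counts transfers between the exchange deposit address and an origin.
"""

# Constructed ledger: address -> [(funding_address, amount), ...]
LEDGER = {
    "dep_A": [("s1", 1.0), ("s2", 3.0)],   # 4.0 deposited from two senders
    "s1": [("mixer_1", 1.0)],              # s1 was itself funded by a mixer (hop 2)
    "s2": [("exch_X", 3.0)],               # s2 was funded by a known exchange
    "dep_B": [("darknet_1", 2.0)],         # sent directly from a darknet market (hop 1)
    "dep_C": [("c1", 5.0)],                # layering chain: c1 <- c2 <- c3 <- sanctioned wallet
    "c1": [("c2", 5.0)],
    "c2": [("c3", 5.0)],
    "c3": [("sanct_1", 5.0)],
}

# Constructed attribution labels: address -> (category, severity)
LABELS = {
    "mixer_1": ("mixer", "HIGH"),
    "darknet_1": ("darknet_market", "HIGH"),
    "sanct_1": ("sanctioned_wallet", "SEVERE"),
    "exch_X": ("known_exchange", "LOW"),
}
UNKNOWN = ("unknown", "UNKNOWN")


def trace_sources(address, max_hops, _hop=0, _path=frozenset()):
    """Attribute the funds at `address` to labelled origins.

    Returns [(label, share, hops)]: share is the fraction of the funds traced
    to that origin, hops the number of transfers back to it. Tracing stops at
    a labelled address, at max_hops, at an address with no known inputs, or
    on a cycle; whatever is unresolved is reported as UNKNOWN.
    """
    if _hop > 0 and address in LABELS:
        return [(LABELS[address], 1.0, _hop)]
    inputs = LEDGER.get(address, [])
    if _hop >= max_hops or not inputs or address in _path:
        return [(UNKNOWN, 1.0, _hop)]
    total = sum(amount for _, amount in inputs)
    out = []
    for source, amount in inputs:
        for label, share, hops in trace_sources(source, max_hops, _hop + 1, _path | {address}):
            out.append((label, share * amount / total, hops))
    return out


def classify_deposit(address, max_hops=3, indirect_threshold=0.10):
    """Map traced exposure onto SEVERE / HIGH / MEDIUM / LOW with the matching action."""
    exposures = trace_sources(address, max_hops)
    severe = sum(s for (_, sev), s, _ in exposures if sev == "SEVERE")
    direct_high = sum(s for (_, sev), s, h in exposures if sev == "HIGH" and h == 1)
    indirect_high = sum(s for (_, sev), s, h in exposures if sev == "HIGH" and h > 1)
    if severe > 0:
        return "SEVERE", "block deposit and file SAR"      # any sanctioned exposure, direct or not
    if direct_high > 0:
        return "HIGH", "hold and investigate"              # sender is a flagged address
    if indirect_high >= indirect_threshold:
        return "MEDIUM", "flag and monitor"                # flagged source a few hops back
    return "LOW", "process normally"


if __name__ == "__main__":
    for deposit in ("dep_A", "dep_B", "dep_C"):
        print(deposit, classify_deposit(deposit, max_hops=3))
    # The same chain traced one hop deeper reaches the sanctioned origin
    print("dep_C with max_hops=5:", classify_deposit("dep_C", max_hops=5))
```

With a three-hop limit, dep_C comes back LOW because the sanctioned wallet sits four transfers back; raising max_hops to 5 turns it SEVERE. That gap is the configurable tradeoff the paragraph above describes: deeper tracing catches layering chains but also attributes more legitimate deposits to distant, diluted exposure, so the hop limit and the indirect-exposure threshold are tuned together.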
Withdrawal Screening
Withdrawal screening is the mirror of deposit screening. Before funds leave the exchange, the destination address is checked:
- Is the address on the OFAC SDN list?
- Has the address been flagged by blockchain analytics as high-risk?
- Is the address associated with a sanctioned entity, darknet market, or other illicit service?
If the destination address is flagged, the withdrawal is held for review. This is separate from the Travel Rule compliance flow (covered in the Travel Rule doc) — withdrawal screening happens even in jurisdictions where the Travel Rule doesn't apply.
SAR Filing
When transaction monitoring identifies suspicious activity, the exchange must file a Suspicious Activity Report with FinCEN (in the US) or the equivalent Financial Intelligence Unit in other jurisdictions.
Key SAR requirements:
- Must be filed within 30 calendar days of detecting suspicious activity
- If no suspect is identified at detection, the exchange has an additional 30 days (60 days total)
- The $5,000 threshold applies — transactions below this can still be reported but are not required
- SARs are confidential — the exchange cannot inform the customer that a SAR has been filed
- Continuing activity does not require a separate investigation for each SAR; risk-based monitoring is sufficient (per October 2025 FinCEN guidance)
8. KYC Vendor Landscape
The KYC/AML technology stack typically involves two categories of vendors: identity verification providers (document + biometric) and blockchain analytics providers (transaction monitoring + address screening).
Identity Verification Providers
| | Sumsub | Jumio | Onfido (Entrust IDV) |
|---|---|---|---|
| Headquarters | Europe | Palo Alto, CA | London (acquired by Entrust 2024) |
| Document database | 14,000+ templates | 5,000+ templates | 4,500+ templates |
| Liveness | Passive + active, injection detection | AI/ML-driven passive, active fallback | Atlas AI, passive liveness |
| NFC verification | Supported | Supported | Supported |
| Crypto focus | Strong — built for crypto/fintech | Broader financial services | Broader financial services |
| AML screening | Built-in sanctions/PEP/adverse media | Separate AML product (Jumio Screening) | Separate (Entrust infrastructure) |
| Travel Rule | Built-in Travel Rule compliance | Not integrated | Not integrated |
| Pricing model | Flexible, packages for smaller companies | Premium, enterprise-focused | Premium, enterprise-focused |
| Notable crypto clients | Binance, Bybit, OKX, Backpack | Coinbase (historically) | Various fintech |
| Key strength | End-to-end KYC/KYB/AML + Travel Rule in one platform | Accuracy and fraud detection | Clean UX, low manual review rates |
Sumsub dominates the crypto exchange market because it offers the full compliance stack in one platform: document verification, liveness, sanctions screening, PEP checks, adverse media, Travel Rule compliance, and transaction monitoring. For exchanges operating in multiple jurisdictions, this consolidation reduces integration complexity significantly.
Jumio is stronger in traditional financial services and where maximum fraud detection accuracy is the priority. Its AI/ML models have been training for over a decade and have processed billions of verifications.
Onfido (now Entrust IDV after the 2024 acquisition) was historically popular for its developer-friendly API and low manual review rates. The Entrust acquisition added enterprise security infrastructure but shifted the product somewhat away from the crypto-native market.
Blockchain Analytics Providers
| | Chainalysis | Elliptic | TRM Labs |
|---|---|---|---|
| Product | KYT (Know Your Transaction) | Navigator, Lens | TRM Forensics, TRM Transaction Monitoring |
| Risk categories | LOW, MEDIUM, HIGH, SEVERE | Configurable risk scores | Configurable risk scores |
| Chain coverage | 40+ blockchains | 40+ blockchains | 30+ blockchains |
| Government relationships | Primary vendor for US federal agencies (FBI, IRS-CI, DEA) | UK NCA, Europol | US government contracts |
| Address attribution | Largest attribution database | Strong, particularly cross-chain | Growing database |
| Key strength | Market-dominant, deepest attribution data, government intelligence sharing | Cross-chain tracing, sanctions screening depth | Modern API, competitive pricing |
| Typical clients | Coinbase, Kraken, Binance | PayPal, Revolut | Circle, FTX (historically) |
| Alert latency | Seconds (real-time API) | Seconds (real-time API) | Seconds (real-time API) |
Chainalysis is the de facto standard. Its dominance stems from a flywheel effect: government agencies use Chainalysis for investigations, which feeds intelligence back into the attribution database, which makes the product more accurate, which attracts more exchange clients, which provides more transaction data for attribution. The company has processed intelligence from nearly a decade of blockchain forensics.
Elliptic differentiates on cross-chain tracing. As funds increasingly move between chains (e.g., Bitcoin to Ethereum via bridges), the ability to trace across chain boundaries is critical. Elliptic's Navigator platform is particularly strong here.
TRM Labs is a newer entrant that competes on modern API design and competitive pricing. It has grown rapidly, particularly among mid-tier exchanges and compliance teams that find Chainalysis pricing prohibitive.
9. The Verification Flow in Practice
Here is what a typical crypto exchange KYC flow looks like from the user's perspective, and what happens behind the scenes at each step.
Step 1: Account Creation (No KYC Required)
Most exchanges allow account creation with just an email address. At this stage, the user can browse markets and see prices but cannot deposit, trade, or withdraw. This is intentional — it allows users to explore the platform before committing to verification.
Step 2: Basic Verification (Tier 1)
The user provides:
- Full legal name
- Date of birth
- Country of residence
- (Sometimes) phone number
Behind the scenes:
- Name + DOB + country are screened against sanctions lists and PEP databases
- IP geolocation is checked against the declared country of residence
- If the user's IP is from a sanctioned jurisdiction or uses a known VPN/proxy, the flow may be blocked or flagged
This tier typically unlocks small deposit limits (e.g., $10,000-$50,000 cumulative).
Step 3: Full Verification (Tier 2)
The user provides:
- Government-issued photo ID (uploaded or camera capture)
- Selfie with liveness check
- (In some jurisdictions) proof of address (utility bill, bank statement)
Behind the scenes:
- Document verification pipeline runs (classification, OCR, template matching, forgery detection)
- Liveness check confirms the selfie is from a live person
- Face match compares the selfie to the document photo
- All extracted data is screened against sanctions, PEP, and adverse media databases
- Risk score is calculated
- If CDD tier: approved automatically
- If EDD tier: routed to manual review queue
This tier unlocks standard trading limits and full withdrawal access.
Step 4: Enhanced Verification (Tier 3 — When Triggered)
Triggered by high risk scores, PEP status, or high-volume activity. The user provides:
- Source of funds documentation (bank statements, employment letters, tax returns)
- Source of wealth explanation
- Additional address verification
- Business documentation (for corporate accounts)
Behind the scenes:
- Manual compliance review by a trained analyst
- Senior management approval for PEP accounts
- Enhanced monitoring rules are configured for the account
- Re-verification may be scheduled (e.g., annual review)
Step 5: Ongoing Monitoring (Continuous)
After onboarding, every transaction is monitored:
- Deposits: blockchain analytics check fund origins
- Withdrawals: destination address screening + Travel Rule compliance (where applicable)
- Trading patterns: velocity, volume, and behavior anomalies
- Periodic re-screening: customer data checked against updated sanctions/PEP lists
Ongoing Monitoring Triggers:
+------------------+ +------------------+ +------------------+
| Transaction | | List Updates | | Behavioral |
| Monitoring | | | | Analytics |
| | | | | |
| Every deposit/ | | Daily sanctions | | Weekly/monthly |
| withdrawal | | list refresh | | pattern analysis |
| screened in | | re-screens all | | peer group |
| real time | | active customers | | comparison |
+--------+---------+ +--------+---------+ +--------+---------+
| | |
v v v
+--------------------------------------------------------------+
| ALERT MANAGEMENT |
| |
| Auto-clear (low risk) | Queue for review | Auto-block |
+--------------------------------------------------------------+
| | |
v v v
No action Analyst review Freeze account
| | File SAR
v v
Clear Escalate
File SAR
10. Failure Modes and Lessons from Enforcement Actions
Binance — $4.3 Billion Settlement (November 2023)
The largest KYC/AML enforcement action in crypto history. Binance settled with FinCEN, OFAC, and IRS Criminal Investigation for systematic failures:
- No meaningful KYC for years: Binance deliberately avoided implementing KYC screening for large segments of its user base, particularly users who signed up before KYC was eventually implemented
- No transaction monitoring: Failed to report over 100,000 suspicious transactions linked to money laundering, ransomware, terrorist financing, and child exploitation
- Sanctions evasion: Processed transactions involving sanctioned jurisdictions (Iran, Cuba, Syria) without adequate controls
- Internal culture: Internal communications showed senior employees discussing how to help users circumvent KYC requirements
CEO Changpeng Zhao resigned and personally pleaded guilty, paying a $50 million fine. The company was placed under a five-year monitorship.
The lesson: KYC/AML is not optional, and retroactive compliance does not erase past violations. Binance's current compliance program is one of the most rigorous in the industry — but only after a $4.3 billion lesson.
Coinbase — $100 Million Fine (January 2023)
The New York State Department of Financial Services (NYDFS) fined Coinbase $100 million — $50 million in penalties and $50 million required investment in compliance. The specific failures:
- Inadequate transaction monitoring systems
- Backlog of unreviewed alerts (over 100,000 alerts in the queue at one point)
- SAR filing delays
- Insufficient KYC for some high-risk customers
Coinbase's case illustrates a different failure mode than Binance: not deliberate evasion but operational overwhelm. The compliance team could not keep pace with growth, alerts piled up, and review quality deteriorated.
Lessons for Pipeline Design
| Failure Mode | Root Cause | Design Mitigation |
|---|---|---|
| No KYC at all | Business decision to prioritize growth | Regulatory requirement — not negotiable |
| KYC without ongoing monitoring | Treat KYC as one-time onboarding | Continuous monitoring is a separate, equally important pipeline |
| Alert backlog | Monitoring generates more alerts than team can review | Tune thresholds, implement auto-clearing for low-risk alerts, hire proportionally |
| SAR filing delays | No SLA tracking on alert-to-SAR pipeline | Automated SLA alerts, escalation procedures |
| Sanctions list staleness | Lists updated but not re-screened against existing customers | Daily automated re-screening of full customer base |
| Single-vendor dependency | One analytics provider misses a categorization | Multi-vendor approach (e.g., Chainalysis + Elliptic) for critical screening |
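As an added worked example (not the project's own code; the customer names, risk scores, the auto-clear threshold and the 72-hour SLA are constructed assumptions), the following Python sketches three of the mitigations in the table as they sit in the ongoing-monitoring flow above: daily re-screening of the full customer base after a sanctions list refresh, auto-clear / queue / auto-block triage of alerts, and SLA tracking on the alert-to-SAR queue.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (invented names); a real screener also applies fuzzy and transliteration matching.
SANCTIONS_LIST = {"acme trading ltd", "ivan example"}
CUSTOMERS = {
    "c-001": {"name": "Ivan Example", "risk_score": 20},
    "c-002": {"name": "Jane Doe", "risk_score": 15},
    "c-003": {"name": "Acme Trading Ltd", "risk_score": 40},
}

@dataclass
class Alert:
    customer_id: str
    source: str        # "transaction", "list_update" or "behavioral"
    risk_score: int    # 0-100 from KYT or behavioral analytics
    list_hit: bool     # True when the subject matched a sanctions entry
    created_at: datetime

def normalize(name: str) -> str:
    return " ".join(name.lower().split())

def rescreen_all(customers: dict, sanctions: set, now: datetime) -> list:
    """Daily job: re-screen every active customer against the refreshed list."""
    return [Alert(cid, "list_update", c["risk_score"], True, now)
            for cid, c in customers.items() if normalize(c["name"]) in sanctions]

def triage(alert: Alert, auto_clear_below: int = 25) -> str:
    """Route an alert: a sanctions hit is strict liability and always blocks; only low-risk non-hits auto-clear."""
    if alert.list_hit:
        return "auto-block"   # freeze account, file SAR
    if alert.risk_score < auto_clear_below:
        return "auto-clear"   # no action, but the decision is logged
    return "queue"            # analyst review

def overdue(alerts: list, now: datetime, sla_hours: int = 72) -> list:
    """SLA tracking for the alert-to-SAR pipeline: alerts older than the SLA window."""
    return [a for a in alerts if now - a.created_at > timedelta(hours=sla_hours)]

def demo() -> dict:
    """One daily cycle over the constructed data."""
    now = datetime(2025, 1, 2, 9, 0)
    hits = rescreen_all(CUSTOMERS, SANCTIONS_LIST, now)
    incoming = [Alert("c-002", "behavioral", 60, False, now - timedelta(hours=80)),
                Alert("c-002", "transaction", 15, False, now - timedelta(hours=1))]
    return {"list_hits": sorted(a.customer_id for a in hits),
            "hit_actions": sorted({triage(a) for a in hits}),
            "incoming_actions": [triage(a) for a in incoming],
            "overdue": [f"{a.customer_id}:{a.source}" for a in overdue(incoming, now)]}
```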
11. Emerging Challenges
Deepfakes and AI-Generated Identities
Deepfake attacks on KYC systems grew over 2,000% in the three years leading to 2025 and now represent roughly one in fifteen identity fraud attempts. The cost of generating a convincing deepfake face has dropped below $20. Injection attacks — which feed synthetic video directly into the camera pipeline — increased 783% in 2024 alone (iProov data) and 88% year-over-year in 2025 (Jumio data).
The defense is multi-layered: passive liveness, injection attack detection, device integrity verification, and document forensics working in combination. No single layer is sufficient. The European CEN/TS 18099 standard and the forthcoming ISO 25456 standard are formalizing requirements for injection-resistant verification systems.
Cross-Chain Fund Tracing
As DeFi bridges, cross-chain swaps, and chain-hopping become more common, tracing the origin of funds across chain boundaries becomes harder. A user can swap BTC for ETH via a cross-chain bridge, then swap ETH for USDC on a DEX, then deposit USDC to an exchange. Tracing the original BTC source through these hops requires analytics that span multiple blockchains and protocols.
Elliptic and Chainalysis both offer cross-chain tracing, but coverage is not universal. Newer chains and bridges often have limited analytics coverage, creating blind spots.
Privacy Coins and Mixers
Monero, Zcash (shielded transactions), and mixing services like Tornado Cash intentionally obscure fund origins. For exchanges that list privacy coins, deposit screening is inherently limited — the analytics provider may be unable to determine the fund source at all.
Many exchanges have delisted Monero and other privacy coins specifically because of compliance challenges. Others accept privacy coin deposits but require Enhanced Due Diligence for any user who deposits them.
Regulatory Fragmentation
There is no single global KYC/AML standard: BSA requirements in the US, MiCA in the EU, FSA requirements in Japan, and VARA requirements in Dubai all differ. An exchange operating globally must implement jurisdiction-specific verification flows, screening thresholds, and monitoring rules. This creates significant engineering and operational complexity.
The Travel Rule adds another layer: different jurisdictions have different thresholds, different data requirements, and different verification provider networks (see the Travel Rule doc for details on how jurisdiction routing works).
Key Takeaways
KYC is a pipeline, not a checkpoint. Document verification, liveness, sanctions screening, and risk scoring are sequential stages that must all pass. Ongoing monitoring after onboarding is equally important.
Tiered due diligence is the standard. Not every customer needs the same level of verification. Risk scoring determines whether a customer gets SDD, CDD, or EDD, and the score changes over time.
Sanctions screening is strict liability. OFAC does not care whether you knew the customer was sanctioned. If you processed the transaction, you are liable. This makes real-time screening and daily list re-screening non-negotiable.
Blockchain analytics closes the gap that identity verification cannot. KYC tells you who the customer claims to be. KYT tells you where their money comes from and goes. Both are required for a complete compliance picture.
Deepfakes and injection attacks are the new frontier. The verification industry is in an arms race with AI-generated fraud. Multi-layered detection (passive liveness + injection detection + device integrity) is the minimum viable defense.
The cost of non-compliance is existential. Binance's $4.3 billion fine and Coinbase's $100 million fine are not outliers — they are the precedent. Regulators have demonstrated willingness to impose penalties that threaten a company's viability.
Related Docs
- Travel Rule — jurisdiction-based Travel Rule compliance for deposits and withdrawals (Sumsub for EU/UAE, Sygna for Japan)
- Withdrawal Delay — how withdrawal delays interact with compliance holds
- Market Surveillance — post-trade surveillance for manipulation detection
- Custody & Key Management — how assets are secured after compliance clears