When a crypto exchange asks you to submit a government ID, a selfie, and sometimes proof of address, it doesn't feel optional — because it isn't. This requirement comes from financial regulation, not from exchange design. KYC, or Know Your Customer, is the legal obligation at the intersection of traditional financial compliance and the on-ramp to crypto markets.
The confusion is understandable. Crypto transactions at the base protocol level require no identity whatsoever — Bitcoin doesn't know or care who sent it. So why do exchanges insist on it? The short answer: exchanges that handle fiat currency (dollars, euros, pounds) are classified as financial institutions in most jurisdictions, and financial institutions operate under specific anti-money laundering obligations that require them to verify who their customers are.
The Regulatory Framework Behind KYC
KYC isn't a crypto-specific invention. It's a standard requirement across banking, brokerage, and most financial services.
The foundational layer is the Bank Secrecy Act (BSA), passed in the United States in 1970. The BSA requires financial institutions to maintain records of customer identities, report transactions over certain thresholds, and flag suspicious activity. When the US government determined that crypto exchanges handling fiat fall under this framework, exchanges became subject to the same rules.
In practice, this means US-based exchanges must register as Money Services Businesses (MSBs) with FinCEN — the Financial Crimes Enforcement Network, the Treasury bureau that administers the BSA. MSB status comes with mandatory compliance obligations, including a Customer Identification Program (CIP). The CIP is the mechanism behind the ID verification process: exchanges must collect name, date of birth, address, and an identifying document number for every customer, then verify this information through independent means.
At the international level, the Financial Action Task Force (FATF) — an intergovernmental body — sets AML standards that over 200 jurisdictions have adopted. FATF classifies exchanges as Virtual Asset Service Providers (VASPs) and subjects them to the same anti-money laundering and customer due diligence requirements as banks. When a country adopts FATF's 40 Recommendations, KYC for exchanges becomes a domestic legal requirement, not a voluntary policy.
The regulatory chain runs: FATF recommends → national governments implement → exchanges comply or lose operating licenses and banking relationships.
Where the Constraints Actually Live
The binding constraint for most exchanges isn't ethics or even business strategy — it's access to banking. Banks process fiat deposits and withdrawals. Banks are themselves subject to heavy AML regulation and conduct due diligence on their own customers, which includes the businesses they bank. An exchange that doesn't implement adequate KYC will find it difficult or impossible to maintain banking relationships, which means it can't accept or return fiat currency to users.
This is a hard constraint. Without fiat on-ramps and off-ramps, an exchange is only useful to people who already hold crypto — a much smaller market.
A secondary constraint is licensing. Most major jurisdictions now require explicit operating licenses — the EU's MiCA framework, the UK's FCA registration, US state-by-state money transmitter licenses in addition to FinCEN registration. Licenses require demonstrated AML compliance.
Beyond those, there's OFAC compliance: exchanges operating in US-linked markets must screen customers against the Treasury's Specially Designated Nationals (SDN) list to avoid facilitating transactions with sanctioned individuals or entities.
The Travel Rule
One element worth understanding in more depth: the FATF Travel Rule (Recommendation 16) extends KYC obligations beyond customer onboarding into the transaction itself. It requires VASPs to collect and transmit originator and beneficiary information — name, account, and identifying details — for crypto transfers above certain thresholds. In the US, that threshold is $3,000. FATF's international guidance sets it at $1,000 / €1,000.
This mirrors longstanding wire transfer rules for traditional banks. The practical challenge for crypto is that blockchains don't natively carry this information — the base protocol has no identity layer. VASPs must implement additional messaging infrastructure to exchange Travel Rule data with counterparty exchanges. The systems for this (TRISA, TRP, OpenVASP) are still being standardized across jurisdictions, which is why enforcement has been uneven.
What's Changing
Travel Rule enforcement is tightening. More jurisdictions are moving from "adopted" to "actively enforced," and the gaps that allowed some exchanges to avoid compliance are closing. This creates pressure on exchanges operating across jurisdictions with different standards.
MiCA (Markets in Crypto-Assets Regulation), in full effect in the EU as of 2024, creates a harmonized licensing framework across EU member states. EU-based exchanges — and non-EU exchanges serving EU customers — face a more uniform KYC and AML compliance structure than existed before.
Broker reporting rules in the US, established via the 2021 Infrastructure Investment and Jobs Act, require crypto brokers to report customer transaction data to the IRS. Implementation has been phased, but the direction is toward greater tax reporting — and more robust identity verification to make that reporting accurate.
The non-custodial question is unresolved. Decentralized exchanges (DEXes) like Uniswap operate without holding customer funds or controlling private keys. Whether they qualify as MSBs or VASPs under current law is contested. The CFTC filed suit against Uniswap Labs in 2024. FinCEN has proposed expanding rules to cover non-custodial protocols. This is live legal and political territory — not settled law.
What Would Confirm This Direction
Travel Rule infrastructure becoming standardized across major jurisdictions, with enforcement actions against non-compliant exchanges. Additional countries adopting MiCA-equivalent licensing frameworks. US courts or regulators explicitly classifying certain DEX operators as financial intermediaries subject to BSA/MSB obligations.
What Would Invalidate or Change It
Court rulings establishing that non-custodial software operators don't qualify as financial intermediaries would limit KYC obligations to custodial venues. A formal regulatory exemption for peer-to-peer software would reduce the scope of required compliance. Alternatively, a political shift reversing US crypto reporting requirements could soften domestic enforcement — though it wouldn't eliminate FATF-driven obligations in other jurisdictions.
Timing
Now: KYC is mandatory for regulated custodial exchanges in every major market. This isn't changing. If an exchange allows fiat on-ramps without identity verification, it's operating outside major regulatory jurisdictions or outside the law.
Next: Travel Rule infrastructure standardizing across jurisdictions (12–24 months). Continued regulatory pressure on non-custodial and offshore venues.
Later: The DEX / non-custodial compliance question will eventually be resolved by court decisions or legislation — but the timeline is multi-year and highly jurisdiction-dependent.
What This Does Not Mean
KYC requirements attach to exchanges acting as financial intermediaries. They don't extend to software, self-custody wallets, or the base-layer blockchain protocols themselves. Sending crypto from a personal wallet to another address requires no identity verification — the blockchain has no mechanism for it. The identity requirement attaches to the regulated entities that bridge fiat and crypto, not to the underlying network.
That's the mechanism. Whether any particular exchange's compliance implementation is adequate, fair, or well-designed is a separate question.
