
KYC & AML in Crypto

Why exchanges ask for your ID, and how anti-money-laundering rules apply.

Know Your Customer (KYC) is the process by which a financial service verifies the real-world identity of its users, while Anti-Money Laundering (AML) is the broader set of laws and procedures designed to prevent illegally obtained funds from being disguised as legitimate wealth. Together, KYC and AML explain why a crypto exchange asks for your passport before you can withdraw funds — and why that request comes from regulators, not just corporate policy.

Cryptocurrency’s ability to move value across borders quickly made it attractive to bad actors early on. Regulators responded by extending the same rules that apply to banks and brokerages to crypto businesses. Understanding how these rules work helps you navigate exchanges more confidently and think clearly about the trade-offs between privacy and compliance.

Why KYC Exists

The foundation is a simple problem: financial institutions can be — intentionally or not — used as conduits for dirty money. A criminal who earns money through illegal activity needs to make it appear legitimate before spending it openly. Passing it through a financial system that asks no questions is one way to do that.

KYC emerged in traditional banking as a first line of defense. Before opening an account, banks are legally required to confirm that a customer is who they claim to be. This creates an audit trail: if illicit funds move through the system, investigators can follow the paper trail back to real people.

When crypto exchanges grew large enough to handle billions in daily volume, financial regulators classified them as money service businesses (MSBs) or virtual asset service providers (VASPs) — depending on the jurisdiction. That classification brought the same KYC obligations that apply to a bank or currency exchange desk.

What KYC Actually Requires

A typical KYC process at a centralized exchange proceeds in tiers. Light verification — email and password — might allow you to buy small amounts. As your activity grows, the exchange asks for more:

| Verification tier | Typical requirements | Common limits |
|---|---|---|
| Basic | Email, country of residence | Small purchases, no withdrawals |
| Standard | Government-issued photo ID, date of birth | Moderate buy limits |
| Enhanced | Proof of address (utility bill, bank statement) | Higher limits |
| Institutional / VIP | Source of funds documentation, company records | Custom or unlimited |

The ID check usually involves uploading a scan of a passport or driver’s license, then a live selfie or short video to confirm you are the document’s owner. This step — called liveness detection — guards against someone using a stolen ID image.

Some jurisdictions also require you to declare the source of significant funds. If you deposit a large sum, you may be asked to explain where it came from: salary, investment proceeds, an inheritance, and so on.

How AML Works in Practice

KYC is the identity layer. AML is the ongoing monitoring layer. Even after you have passed identity checks, exchanges are required to watch for patterns that suggest money laundering or terrorism financing. Common red flags include:

  • Sudden large deposits followed by immediate withdrawals to new addresses
  • Many small transactions that together exceed reporting thresholds (a tactic called “structuring” or “smurfing”)
  • Transactions to or from addresses flagged by blockchain analytics firms as linked to scams, darknet markets, or sanctioned entities
  • Account activity inconsistent with a user’s stated occupation or income

When a flagged pattern is detected, the compliance team may freeze a withdrawal, request additional documentation, or in serious cases file a Suspicious Activity Report (SAR) with the relevant financial intelligence unit. In the United States, for example, exchanges registered with FinCEN are required to file SARs for transactions that look suspicious and exceed certain thresholds.
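
As an added illustration (not code from the original page or from any exchange), here is how two of the red flags above, structuring and a large deposit followed by an immediate withdrawal to a new address, can be expressed as monitoring rules. The thresholds, field names, rule names and sample transactions are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; real thresholds are set per jurisdiction and exchange.
REPORT_THRESHOLD = 10_000            # reporting threshold, currency units
STRUCT_WINDOW = timedelta(hours=24)  # window for summing small deposits
MIN_STRUCT_DEPOSITS = 3
LARGE_DEPOSIT = 5_000
PASS_THROUGH_WINDOW = timedelta(hours=1)

def flag_accounts(txs):
    """Return {account: set of rule names} for a list of transaction dicts."""
    by_account = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t["time"]):
        by_account[tx["account"]].append(tx)
    flags = defaultdict(set)
    for account, history in by_account.items():
        # Structuring: sub-threshold deposits that sum past the threshold in one window.
        window, total = [], 0
        for tx in history:
            if tx["kind"] != "deposit" or tx["amount"] >= REPORT_THRESHOLD:
                continue
            window.append(tx)
            total += tx["amount"]
            while tx["time"] - window[0]["time"] > STRUCT_WINDOW:
                total -= window.pop(0)["amount"]
            if len(window) >= MIN_STRUCT_DEPOSITS and total >= REPORT_THRESHOLD:
                flags[account].add("structuring")
        # Pass-through: large deposit, then a quick withdrawal to a never-used address.
        seen, last_large = set(), None
        for tx in history:
            if tx["kind"] == "deposit" and tx["amount"] >= LARGE_DEPOSIT:
                last_large = tx["time"]
            elif tx["kind"] == "withdrawal":
                recent = last_large is not None and tx["time"] - last_large <= PASS_THROUGH_WINDOW
                if recent and tx["address"] not in seen:
                    flags[account].add("rapid_pass_through")
                seen.add(tx["address"])
    return dict(flags)

def sample_tx(account, kind, amount, minutes, address=None):
    when = datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)
    return {"account": account, "kind": kind, "amount": amount, "time": when, "address": address}
SAMPLE = [  # constructed data, not real account activity
    sample_tx("A", "deposit", 3_400, 0), sample_tx("A", "deposit", 3_400, 120),
    sample_tx("A", "deposit", 3_400, 300), sample_tx("B", "deposit", 8_000, 0),
    sample_tx("B", "withdrawal", 7_900, 10, "addr-new"),
    sample_tx("C", "deposit", 200, 0), sample_tx("C", "withdrawal", 150, 4_320, "addr-c"),
]
```

Calling `flag_accounts(SAMPLE)` flags account A for structuring and account B for rapid pass-through, and leaves account C unflagged. A flag here is only a trigger for compliance review, as the paragraph above describes.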

The Role of Blockchain Analytics

One tool unique to crypto compliance is on-chain tracing. Because most blockchains are public ledgers (see how blockchain works), every transaction is permanently recorded. Firms like Chainalysis and Elliptic build databases that link wallet addresses to known entities — exchanges, mixers, darknet markets, ransomware groups — and assign risk scores.

When you withdraw crypto from an exchange, the exchange may check whether your destination address has any known association with illicit activity. Similarly, when you deposit crypto, the exchange may screen the coins’ recent transaction history. This is sometimes called “travel rule” compliance: just as wire transfers must carry sender and recipient information, crypto transfers above certain amounts are increasingly required to carry identifying metadata when moving between regulated platforms.

Centralized vs. Decentralized Exchanges

KYC and AML obligations apply to businesses, not to software. A centralized exchange has employees, a legal entity, and a physical presence in at least one jurisdiction — so it can be regulated and held accountable. A truly decentralized protocol running as smart contracts on a blockchain is harder to regulate because there is no central operator to serve with a legal obligation.

This is one reason regulators have focused attention on the front-end interfaces and developers of decentralized protocols, even when the underlying contracts are autonomous. The legal picture is still evolving, and different countries have reached different conclusions about where the compliance obligation sits.

Worth knowing: “Unhosted wallets” — self-custody wallets that you control directly — are not currently subject to KYC requirements in most jurisdictions. The obligation sits with the regulated service, not with you personally holding your own keys.

Global Patchwork of Rules

AML standards are set internationally by the Financial Action Task Force (FATF), an intergovernmental body that issues guidance which member countries are expected to implement. But implementation varies:

  • The European Union has rolled out successive Anti-Money Laundering Directives (AMLD) that explicitly cover crypto asset service providers.
  • The United States requires crypto exchanges to register with FinCEN and comply with the Bank Secrecy Act, which mandates record-keeping and reporting.
  • Some jurisdictions have lighter-touch regimes, which is why certain exchanges have historically incorporated in places like the Cayman Islands or Seychelles — though regulators in larger markets still assert jurisdiction if those platforms serve their residents.

For a broader look at the legal landscape, see crypto regulation overview.

Privacy Considerations

KYC sits in direct tension with one of the values many early crypto users held dear: financial privacy. When you hand over your ID to an exchange, you are creating a link between your government identity and your on-chain activity. If that exchange is hacked — and several have been — your personal data may be exposed. If regulations change, that data could be shared more broadly.

This tension has driven interest in privacy-preserving technologies and in decentralized alternatives. Neither path is a perfect solution: privacy coins attract regulatory scrutiny of their own, and truly decentralized exchanges trade convenience and liquidity for anonymity.

Key Takeaways

  • KYC verifies who you are; AML monitors how you use financial services — both are legal requirements for regulated crypto businesses in most jurisdictions.
  • Centralized exchanges are classified similarly to banks and currency exchanges, which is why they ask for government-issued ID.
  • AML goes beyond identity checks: ongoing transaction monitoring and blockchain analytics are used to flag suspicious patterns.
  • The FATF sets international AML standards, but each country implements rules differently, creating a global patchwork.
  • Decentralized protocols do not currently face the same KYC obligations as centralized businesses, though this is an active area of regulatory debate.
  • Passing KYC creates a link between your identity and your on-chain activity — a genuine privacy trade-off worth understanding before you sign up.
