Chapter 01 · 7 min read
What KYC Actually Is
Stripping away the regulatory jargon. KYC is three concrete questions: Is this a real human? Is this the human they claim to be? Are they a person we're allowed to do business with?
"KYC" stands for Know Your Customer. The phrase comes out of US banking regulation in the 1970s, when Congress was trying to make it harder to launder cash. The compliance industry has spent fifty years inventing acronyms on top of it.
Underneath all the documentation, KYC reduces to three concrete questions:
- Is this a real human? (Liveness — they're not a deepfake or a photograph held up to a webcam.)
- Is this the human they claim to be? (Identity — the document they presented is real and matches the face.)
- Are they a human we're allowed to do business with? (Screening — they're not on a sanctions list, not a politically exposed person, not in the news for the wrong reasons.)
Why KYC exists
The official answer: anti-money-laundering law (AML), counter-terrorism financing (CTF), and a stack of consumer protection regulations.
The practical answer: when you accept money from strangers on the internet, some of those strangers will be using you to launder funds, evade sanctions, or commit fraud. KYC is the audit trail you produce when a regulator asks how you tried to stop it.
Who needs to do it
If you accept payments, lend money, hold deposits, transmit value, or facilitate transactions between strangers — you almost certainly need KYC. The threshold varies by jurisdiction:
- US: Required by FinCEN for all "money services businesses" (MSBs). State licensing layers add more.
- EU: 6th Anti-Money Laundering Directive (6AMLD) — applies to almost any financial service.
- UK: FCA-regulated firms must perform Customer Due Diligence (CDD), with Enhanced Due Diligence for high-risk customers.
- Singapore, Hong Kong, Australia: Each has their own framework, all conceptually similar.
The three flavors
Within KYC, you'll usually pick one of three depths:
| Flavor | Checks | When to use |
|---|---|---|
| Lite | Document only | Low-risk products, prepaid wallets under regulatory thresholds |
| Standard | Document + liveness | Most consumer financial products |
| Enhanced | Document + liveness + sanctions/PEP/adverse media | High-value accounts, lending, crypto on/off-ramps |
Things you'll get wrong
- Treating KYC as a one-time event. Identities change. People move countries, change names, end up on lists. Re-screening is a compliance requirement in most jurisdictions.
- Storing documents forever. You're required to retain proof of KYC for 5–7 years in most regimes. After that, you're required to delete it. Both halves matter.
- Letting customers self-identify their country. Use IP, SIM country, document country — and reconcile.
- Skipping KYC for "trial users." If they can move money or value through your product, KYC applies.
The honest summary
KYC is not a checkbox. It is a continuous process of building, maintaining, and demonstrating reasonable confidence that the people transacting on your platform are who they say they are. The regulators don't care if you got it right — they care if you tried.
The cost of getting it right is paying for verification at the gate. The cost of getting it wrong is a fine measured in percentages of revenue, plus the criminal liability of your compliance officer.
Choose to pay at the gate.