Know Your Customer (KYC) - The Foundation
Learning Objectives
- Describe Customer Identification Program (CIP) requirements, including what information must be collected and why
- Compare identity verification methods, including documentary, non-documentary, biometric, and digital approaches
- Explain beneficial ownership requirements and why they matter for institutional and business accounts
- Apply risk-based due diligence principles, understanding when standard, enhanced, or simplified due diligence applies
- Evaluate cryptocurrency exchange KYC practices by comparing approaches across jurisdictions and identifying best practices
Before a bank processes your wire transfer, before an exchange executes your trade, before any regulated financial service touches your transaction—someone verified that you are who you claim to be. This verification happened when you opened your account, and for higher-risk situations, it continues throughout your relationship.
This is KYC: the process of knowing your customer.
It sounds simple. In practice, it's extraordinarily complex:
- What documents prove identity? (Varies by country, changes over time)
- How do you verify someone you've never met in person? (Digital onboarding)
- What if your customer is a company? Who's the real owner? (Beneficial ownership)
- How do you serve customers with limited documentation? (Financial inclusion vs. compliance)
- When do you need more information? (Risk-based approach)
- Global customer base, local regulations
- Pseudonymous technology, identification requirements
- User friction vs. compliance thoroughness
- Speed vs. verification depth
Why this matters for XRP investors:
- Exchange KYC quality indicates operational risk. Better KYC = lower regulatory risk = higher exchange reliability.
- KYC costs affect adoption economics. Every $10 spent on compliance is $10 not spent on features or fee reduction.
- Personal KYC understanding prevents problems. Knowing what's required prevents account freezes, withdrawal delays, and compliance headaches.
- ODL corridor viability requires KYC at both ends. Institutional participants need institutional-grade KYC on counterparties.
Let's examine how this actually works.
Every regulated financial institution must maintain a Customer Identification Program with four core elements:
CIP REQUIREMENTS FRAMEWORK
- Information Collection
- Identity Verification
- Recordkeeping
- Comparison with Government Lists
Different customer types require different information:
Individual customers:
INDIVIDUAL CIP REQUIREMENTS
- Full legal name
- Date of birth
- Residential address (not P.O. Box for verification)
- Identification number:
- Place of birth
- Nationality
- Phone number
- Email address
- Occupation/source of income
- High-risk country residence
- Politically Exposed Person status
- High-value accounts
- Cash-intensive businesses
Business/Entity customers:
ENTITY CIP REQUIREMENTS
- Legal name
- Business registration number
- Principal place of business
- Formation jurisdiction and date
- Legal form (corporation, LLC, partnership, etc.)
- Individuals with authority to transact
- Their individual CIP information
- Authorization documentation
- Individuals owning 25%+ (most jurisdictions)
- Individuals with significant control
- Complete ownership chain if complex structure
- Certificate of incorporation/formation
- Business license
- Articles of incorporation/operating agreement
- Board resolution authorizing account
- Good standing certificate
KYC TIMING REQUIREMENTS
- CIP information collected before account activation
- Verification can occur within "reasonable time" (usually 30 days)
- Interim limitations on account activity common
- Risk-based refresh schedules:
- Triggered by changes (address, beneficial ownership)
- Material change in customer circumstances
- Suspicious activity detected
- High-value transaction
- Regulatory request
- Existing customers grandfathered for some requirements
- But must update upon trigger events
- New requirements may require mass refresh
The traditional approach: examine government-issued identification documents.
DOCUMENTARY VERIFICATION
- Government-issued photo ID:
- Utility bills (address confirmation)
- Bank statements (address, financial history)
- Tax documents (identity, address)
- Employment verification
- Authenticity indicators (security features)
- Photo matching to customer
- Expiration date validity
- Consistency across documents
- Physical presence traditionally required
- Document fraud sophisticated
- International document recognition complex
- Cost of trained examiners
Verifying identity without physical document examination:
NON-DOCUMENTARY VERIFICATION
- Credit bureau data (Experian, Equifax, TransUnion)
- Government databases (where accessible)
- Public records databases
- Utility connection records
- Bank account verification
1. Customer provides information
2. Information compared against databases
3. Match confidence score generated
4. Pass/fail threshold applied
- Questions derived from credit/public records
- "Which of these addresses have you lived at?"
- "What was your previous car loan lender?"
- Increasingly deprecated due to data breaches
- Phone number ownership verification
- Carrier records check
- Two-factor authentication
- Email domain validation
- Account age/activity signals
- Two-factor authentication
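The four-step database flow above (customer provides information, comparison against databases, match confidence score, pass/fail threshold) is easier to reason about in code. The block below is an added illustration for this lesson, not code from any credit bureau or verification vendor: the reference records, the per-field weights, the 80-point pass mark and the 0.6 address-overlap cut-off are all constructed assumptions standing in for a provider's data and an institution's documented risk methodology.

```python
"""Non-documentary verification: score customer-supplied identity fields
against reference records and apply a pass/fail threshold (added example)."""
import re
import unicodedata

# Constructed sample of what a bureau or public-records lookup might return.
REFERENCE_RECORDS = [
    {"name": "María-José Ortega", "dob": "1988-04-12",
     "address": "14 Elm Street, Apt 3B, Springfield", "phone": "+1 555 0100"},
    {"name": "Jane Doe", "dob": "1975-09-30",
     "address": "9 High Street, London", "phone": "+44 20 7946 0000"},
]

# Assumed evidentiary weights per field; name and date of birth carry the most.
FIELD_WEIGHTS = {"name": 35, "dob": 35, "address": 20, "phone": 10}
PASS_THRESHOLD = 80          # assumed pass mark (weights sum to 100)
ADDRESS_MIN_OVERLAP = 0.6    # assumed token overlap needed for an address match


def normalize_text(value):
    """Fold accents, case and punctuation so cosmetic differences don't fail a match."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", " ", folded.lower()).strip()


def names_match(a, b):
    # Same tokens in any order: "Ortega Maria Jose" still matches the record.
    return sorted(normalize_text(a).split()) == sorted(normalize_text(b).split())


def addresses_match(a, b):
    # Jaccard overlap of address tokens tolerates "St" vs "Street" and dropped units.
    ta, tb = set(normalize_text(a).split()), set(normalize_text(b).split())
    if not ta or not tb:
        return False
    return len(ta & tb) / len(ta | tb) >= ADDRESS_MIN_OVERLAP


def phones_match(a, b):
    # Compare digits only; allow one side to omit the country code.
    da, db = re.sub(r"\D", "", a), re.sub(r"\D", "", b)
    return bool(da) and bool(db) and (da.endswith(db) or db.endswith(da))


MATCHERS = {
    "name": names_match,
    # ISO dates: exact match only; a transposed day/month is a real mismatch.
    "dob": lambda a, b: bool(a.strip()) and a.strip() == b.strip(),
    "address": addresses_match,
    "phone": phones_match,
}


def score_against(submitted, record):
    """Return (score, per-field results) for one reference record."""
    results, score = {}, 0
    for field, weight in FIELD_WEIGHTS.items():
        matched = MATCHERS[field](submitted.get(field, ""), record.get(field, ""))
        results[field] = matched
        if matched:
            score += weight
    return score, results


def verify(submitted, records=REFERENCE_RECORDS, threshold=PASS_THRESHOLD):
    """Pick the best-matching record and apply the pass/fail threshold."""
    score, fields = max((score_against(submitted, r) for r in records),
                        key=lambda pair: pair[0])
    return {"score": score, "passed": score >= threshold, "fields": fields}


if __name__ == "__main__":
    print(verify({"name": "Maria Jose Ortega", "dob": "1988-04-12",
                  "address": "14 Elm St, Apt 3B, Springfield", "phone": "555-0100"}))
```

The per-field results are returned alongside the score so an analyst can see which element failed; with these assumed weights a name-and-address match alone (55 points) does not pass, which is the intended behaviour, since name and address are the two fields most easily obtained from a data breach.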
Increasingly common, especially for remote onboarding:
BIOMETRIC VERIFICATION METHODS
- Compare selfie to ID photo
- Liveness detection (prevent photo spoofing)
- 3D mapping for higher assurance
- AI-powered matching algorithms
1. Customer uploads/scans ID document
2. System extracts photo from document
3. Customer takes selfie
4. System compares ID photo to selfie
5. Liveness check confirms real person
- Less common for remote onboarding
- Used for in-person and ongoing authentication
- Mobile device integration growing
- Used primarily for ongoing authentication
- Customer service applications
- Less common for initial verification
- False acceptance rates: <0.1% for quality systems
- False rejection rates: 1-5% (legitimate customers rejected)
- Demographic bias concerns (historical accuracy variations)
- Privacy implications of biometric data storage
- Regulatory frameworks emerging (BIPA in Illinois, GDPR)
Emerging approaches to streamline verification:
DIGITAL IDENTITY LANDSCAPE
- EU: eIDAS-compliant national eIDs
- Estonia: Digital ID fully integrated
- India: Aadhaar (1.3B+ enrolled)
- Singapore: SingPass
- US: Mobile driver's licenses (emerging)
- Bank-verified identity sharing
- Telecom-verified identity
- Shared KYC utilities (consortium approach)
- SSI (Self-Sovereign Identity) - emerging
- Jumio, Onfido, Veriff (document + biometric)
- Experian, LexisNexis (database verification)
- Plaid (bank account verification)
- Persona, Alloy (orchestration platforms)
- Basic document verification: $1-5 per check
- Document + biometric: $2-8 per check
- Database verification: $0.50-2 per check
- Full orchestration: $5-15 per customer
- Most use verification-as-a-service
- Quality varies significantly
- Cost pressure vs. compliance thoroughness
- Tiered verification common (limits by level)
---
Shell companies and complex structures can hide who actually controls an account:
THE BENEFICIAL OWNERSHIP PROBLEM
Example scenario:
- "Sunrise Trading LLC" opens an account at an exchange
- Documents show the company exists, registered in Delaware
- Principal is "Jane Doe" - but who actually owns Sunrise?

Possible structure:

```text
Sunrise Trading LLC (US)
└─ Owned by Offshore Holdings Ltd (Cayman)
   └─ Owned by ABC Trust (BVI)
      └─ Beneficiary: Unknown
```
- Sanctioned individuals could transact
- Corrupt officials could hide wealth
- Criminals could layer through entities
- AML monitoring ineffective
- Must identify 25%+ owners (or similar threshold)
- Must identify controlling individuals
- Must trace through multi-layer structures
- Creates accountability
BENEFICIAL OWNERSHIP RULES BY JURISDICTION
- Customer Due Diligence Rule (2018)
- 25% ownership threshold
- Must identify one controlling individual
- Corporate Transparency Act (2024):
- 4th and 5th AML Directives
- 25% ownership threshold (10% for high-risk)
- National beneficial ownership registries
- Public access (varies by country)
- Recent ECJ ruling affected public access
- Persons with Significant Control (PSC) register
- 25% threshold
- Public register maintained at Companies House
- Must update within 14 days of change
- Register of Registrable Controllers
- 25% threshold
- Not publicly accessible (regulatory access)
- 25% ownership threshold standard
- Controlling individual identification
- Registry reporting requirements (growing)
- Ongoing update obligations
BENEFICIAL OWNERSHIP VERIFICATION CHALLENGES
- Offshore jurisdictions may not require disclosure
- Complex trust structures obscure ownership
- Bearer shares still exist in some jurisdictions
- Customer may not know full ownership chain
- Customer declarations (self-certification)
- Corporate documents (may not show ultimate owner)
- Registry searches (incomplete globally)
- Commercial databases (Dun & Bradstreet, etc.)
- Investigative research (high-risk cases)
- Collect customer declaration
- Verify against available registries
- Request supporting documentation
- Assess plausibility
- Document resolution of discrepancies
- Monitor for changes
- Unwillingness to provide ownership information
- Overly complex structures for stated business
- Nominee arrangements
- Ownership changes not reported
- Inconsistent information across sources
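Tracing a structure like the Sunrise example above (and the LLC in practice question 3 below) is a graph walk: at each layer, check owners against the threshold, record individuals, follow entities one layer down, and stop with a red flag when a chain dead-ends at an undisclosed beneficiary or loops back on itself. The block below is an added illustration for this lesson, not code from any registry, vendor or project. It follows the lesson's layer-by-layer reading of the 25% rule and also reports the multiplied-through "effective" interest for each person, because how indirect interests are computed varies by jurisdiction; the threshold, the ownership graph, the names and the significant-control list are all constructed assumptions.

```python
"""Tracing beneficial ownership through layered entities (added example)."""
OWNERSHIP_THRESHOLD = 25.0   # percent; assumed, matches the lesson's examples

# Constructed ownership graph: entity -> [(owner, percent), ...].
# Any owner that is also a key is an entity; everything else is an individual.
OWNERSHIP = {
    "Sunrise Trading LLC": [("John Smith", 50.0), ("ABC Holdings", 30.0), ("Jane Doe", 20.0)],
    "ABC Holdings": [("Offshore Holdings Ltd", 60.0), ("Carlos Rivera", 40.0)],
    "Offshore Holdings Ltd": [("XYZ Trust", 100.0)],
    "XYZ Trust": [],   # beneficiary not disclosed: the chain dead-ends here
}

# Constructed: individuals with significant control (e.g. managing member) per entity.
CONTROLLERS = {"Sunrise Trading LLC": ["Priya Nair"]}


def trace_beneficial_owners(entity, ownership=OWNERSHIP, controllers=CONTROLLERS,
                            threshold=OWNERSHIP_THRESHOLD):
    """Return identified owners (with chain and effective interest) plus any
    chain that could not be resolved to a natural person."""
    owners = {}        # name -> {"chain": [...], "effective_pct": float, "basis": str}
    unresolved = []    # chains ending at an undisclosed holder or in a loop

    def walk(current, path, pct_so_far, visited):
        if current in visited:
            unresolved.append({"chain": path, "reason": "circular ownership"})
            return
        holders = ownership.get(current, [])
        if not holders:
            unresolved.append({"chain": path, "reason": "no disclosed holders"})
            return
        for owner, pct in holders:
            if pct < threshold:
                continue   # below threshold at this layer; not traced further
            effective = pct_so_far * pct / 100.0
            if owner in ownership:
                walk(owner, path + [owner], effective, visited | {current})
            else:
                owners[owner] = {"chain": path + [owner],
                                 "effective_pct": round(effective, 2),
                                 "basis": "ownership"}

    walk(entity, [entity], 100.0, frozenset())

    # Control test: identified regardless of percentage held.
    for person in controllers.get(entity, []):
        owners.setdefault(person, {"chain": [entity, person], "effective_pct": 0.0,
                                   "basis": "significant control"})

    red_flags = [f"unresolved chain: {' -> '.join(u['chain'])} ({u['reason']})"
                 for u in unresolved]
    return {"beneficial_owners": owners, "unresolved": unresolved, "red_flags": red_flags}


if __name__ == "__main__":
    result = trace_beneficial_owners("Sunrise Trading LLC")
    for name, info in result["beneficial_owners"].items():
        print(name, info["basis"], info["effective_pct"], " -> ".join(info["chain"]))
    for flag in result["red_flags"]:
        print("RED FLAG:", flag)
```

On the constructed graph this identifies John Smith (50% direct), Carlos Rivera (40% of ABC Holdings, which holds 30%) and Priya Nair (control), skips Jane Doe at 20%, and flags the chain through Offshore Holdings Ltd to XYZ Trust as unresolved, which is exactly the "Beneficiary: Unknown" situation in the scenario above and the point at which an analyst would request supporting documentation rather than onboard.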
Not all customers are equal risk. Compliance resources should focus on higher-risk situations:
RISK-BASED APPROACH PRINCIPLES
- Limited compliance resources
- Not all customers equally risky
- Proportionate response to risk level
- Regulatory expectation: documented risk methodology
Three levels of due diligence:
Simplified Due Diligence (SDD):
- Lower-risk customers
- Reduced verification requirements
- Example: Low-value prepaid cards, regulated counterparties
- Not available in all jurisdictions
Standard Due Diligence (CDD):
- Default level for most customers
- Full CIP requirements
- Standard verification
- Baseline monitoring
Enhanced Due Diligence (EDD):
- High-risk customers/situations
- Additional verification steps
- More information required
- Increased monitoring
- Senior management approval often required
CUSTOMER RISK FACTORS
- Countries on FATF grey/black list
- Known tax havens
- Jurisdictions with weak AML frameworks
- Sanctioned countries
- Conflict zones
- Politically Exposed Persons (PEPs)
- Correspondent banks (nested relationships)
- Money service businesses
- Cash-intensive businesses
- Charities (terrorism financing risk)
- Virtual asset service providers
- Arms dealers, precious metals dealers
- Private banking (high wealth, confidentiality)
- Anonymous products
- International wire transfers
- Non-face-to-face relationships
- Cryptocurrency (still elevated in most frameworks)
- Large cash transactions
- Unusual transaction patterns
- Rapid movement of funds
- Inconsistent with known profile
ENHANCED DUE DILIGENCE REQUIREMENTS
- Source of wealth (how customer acquired assets)
- Source of funds (specific funds for account)
- Purpose of account/relationship
- Expected transaction patterns
- Enhanced identity verification
- Third-party research
- Media searches (adverse news)
- Site visits (business customers)
- Reference checks
- Enhanced document requirements
- Senior management approval required
- Documented risk acceptance
- Specific review schedule
- Higher monitoring thresholds
- More frequent reviews (annual vs. 3-year)
- Lower transaction monitoring thresholds
- Regular adverse news screening
- Periodic source of funds confirmation
Special category requiring universal enhanced due diligence:
POLITICALLY EXPOSED PERSONS
- Heads of state/government
- Senior politicians
- Senior military officials
- Judiciary leadership
- Senior state-owned enterprise executives
- Senior party officials
- Family members of PEPs
- Close associates of PEPs
- These "by association" categories are challenging to identify
- Position enables corruption
- May have immunity from prosecution
- Often wealthy without legitimate explanation
- Historically associated with money laundering
- Commercial PEP databases (World-Check, LexisNexis)
- Coverage varies significantly
- False positives common (similar names)
- Ongoing monitoring required (positions change)
- Mandatory EDD
- Senior management approval
- Source of wealth verification
- Enhanced monitoring
- Cannot decline solely for PEP status (discrimination concerns)
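A documented risk methodology, which regulators expect under the risk-based approach, is ultimately a scoring rule that maps the customer, geographic and product factors listed above to SDD, CDD or EDD, with PEP status as a mandatory EDD trigger that escalates rather than declines. The block below is an added illustration covering both the risk-based approach and the PEP section; it is not code from any regulator, vendor or project. The factor weights, the score cut-off, the country lists (stand-ins for the current FATF and sanctions publications) and the sample customers are all constructed assumptions.

```python
"""Assign a due-diligence level (SDD / CDD / EDD) from customer risk factors (added example)."""

# Constructed stand-ins for list data that must come from current publications.
FATF_BLACK_LIST = {"KP", "IR", "MM"}       # "call for action" jurisdictions (sample only)
FATF_GREY_LIST = {"ZA", "VN"}               # "increased monitoring" jurisdictions (sample only)
SANCTIONED_COUNTRIES = {"KP", "IR"}         # comprehensive sanctions programs (sample only)
TAX_HAVENS = {"KY", "VG", "PA"}             # sample only

HIGH_RISK_CUSTOMER_TYPES = {"msb", "charity", "vasp", "arms_dealer", "precious_metals",
                            "cash_intensive", "private_banking", "correspondent_bank"}
HIGH_RISK_PRODUCTS = {"international_wire": 2, "crypto": 2, "non_face_to_face": 1,
                      "anonymous_product": 3, "large_cash": 2}   # assumed weights
SDD_ELIGIBLE_TYPES = {"regulated_counterparty"}
SDD_ELIGIBLE_PRODUCTS = {"low_value_prepaid"}
EDD_SCORE = 5   # assumed cut-off; a real methodology documents and justifies this

# Obligations per level, taken from the lesson's lists.
OBLIGATIONS = {
    "SDD": ["reduced verification", "baseline monitoring"],
    "CDD": ["full CIP information", "standard verification", "baseline monitoring",
            "periodic review (3-year cycle)"],
    "EDD": ["source of wealth", "source of funds", "purpose of relationship",
            "expected transaction patterns", "adverse media search",
            "senior management approval with documented risk acceptance",
            "lower monitoring thresholds", "annual review"],
}

# Constructed sample customers.
SAMPLE_CUSTOMERS = {
    "charity_high_risk": {"residence_country": "MM", "operating_countries": ["GB", "US"],
                          "customer_type": "charity", "products": ["international_wire"]},
    "retail_crypto": {"residence_country": "DE", "customer_type": "individual",
                      "products": ["crypto"]},
    "pep_retail": {"residence_country": "DE", "customer_type": "individual",
                   "products": ["crypto"], "is_pep": True},
    "regulated_bank": {"residence_country": "DE", "customer_type": "regulated_counterparty",
                       "products": [], "sdd_allowed": True},
}


def assess_customer(customer):
    """Return the due-diligence level, the scored reasons and the resulting obligations."""
    score, reasons, mandatory = 0, [], []
    countries = {customer.get("residence_country"),
                 *customer.get("operating_countries", [])} - {None}

    # Geographic factors
    if countries & SANCTIONED_COUNTRIES:
        mandatory.append("sanctioned-country nexus: sanctions review before onboarding")
    if countries & FATF_BLACK_LIST:
        mandatory.append("FATF call-for-action jurisdiction")
    if countries & FATF_GREY_LIST:
        score += 2; reasons.append("FATF increased-monitoring jurisdiction (+2)")
    if countries & TAX_HAVENS:
        score += 2; reasons.append("tax-haven jurisdiction (+2)")
    if len(countries) > 1:
        score += 1; reasons.append("cross-border operations (+1)")

    # Customer-type factors; PEP status escalates to EDD, never an automatic decline
    if customer.get("is_pep") or customer.get("pep_associate"):
        mandatory.append("politically exposed person, family member or close associate")
    ctype = customer.get("customer_type", "individual")
    if ctype in HIGH_RISK_CUSTOMER_TYPES:
        score += 3; reasons.append(f"high-risk customer type: {ctype} (+3)")

    # Product and channel factors
    products = customer.get("products", [])
    for product in products:
        weight = HIGH_RISK_PRODUCTS.get(product, 0)
        if weight:
            score += weight; reasons.append(f"higher-risk product: {product} (+{weight})")

    if mandatory or score >= EDD_SCORE:
        level = "EDD"
    elif (score == 0 and customer.get("sdd_allowed", False)
          and (ctype in SDD_ELIGIBLE_TYPES
               or (products and set(products) <= SDD_ELIGIBLE_PRODUCTS))):
        level = "SDD"
    else:
        level = "CDD"
    return {"level": level, "score": score, "reasons": reasons,
            "mandatory_triggers": mandatory, "obligations": OBLIGATIONS[level],
            "senior_approval_required": level == "EDD"}


if __name__ == "__main__":
    for label, customer in SAMPLE_CUSTOMERS.items():
        outcome = assess_customer(customer)
        print(label, outcome["level"], outcome["score"], outcome["mandatory_triggers"])
```

The charity sample reproduces practice question 4 (high-risk country, international flows, charity: EDD), the PEP sample lands in EDD on the mandatory trigger alone with a score that would otherwise be CDD, and the regulated counterparty only qualifies for SDD when the `sdd_allowed` flag says the jurisdiction permits it. Returning the reasons list matters as much as the level: it is the record of the methodology being applied that an examiner will ask for.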
---
KYC COST BREAKDOWN
- Basic verification (database): $0.50-2.00
- Document verification: $1.00-5.00
- Document + biometric: $2.00-8.00
- Enhanced due diligence: $50-200+
- Full institutional onboarding: $500-2,000+
- Periodic refresh: $2-10 per customer per year
- Continuous monitoring: $0.50-2 per customer per month
- PEP/sanctions screening: $0.10-0.50 per screen
- KYC analysts: $50,000-80,000 salary (varies by location)
- Compliance officers: $100,000-250,000
- Training and certification: $5,000-15,000 per person
- Verification platform licenses
- Database access subscriptions
- Case management systems
- Integration development
- Small exchange: $500K-2M annually
- Medium exchange: $5M-20M annually
- Large exchange: $50M-200M+ annually
KYC's IMPACT ON CRYPTO ECONOMICS
- KYC requirement eliminates some users (documentation lacking)
- Creates friction that reduces conversion rates
- Disproportionately affects:
- Compliance costs reflected in fees
- Either explicit (withdrawal fees) or implicit (spreads)
- Estimated: $5-50 per customer annually in compliance costs
- Institutional customers: Much higher
- Compliance costs have fixed components
- Larger exchanges: Lower per-customer cost
- Creates barriers to entry for new exchanges
- Industry consolidation driver
- ODL requires compliant corridors
- Compliance cost is real but manageable at scale
- Benefits of compliance (banking relationships) outweigh costs
- "Compliance premium" worth paying for sustainability
✅ KYC requirements are universal in regulated finance. Every licensed exchange, bank, and money transmitter must implement CIP. This is not optional or variable—it's table stakes.
✅ Verification technology has dramatically improved. Document + biometric verification achieves >99% accuracy for identity confirmation. Remote onboarding is now feasible and common.
✅ Risk-based approach is the standard. Regulators expect proportionate response to risk. Not every customer needs enhanced due diligence. Documentation of risk methodology is essential.
✅ Beneficial ownership identification is increasingly mandatory. Post-2018 (US CDD rule) and similar global requirements mean entity customers must disclose ownership. Corporate registries expanding.
⚠️ Optimal KYC stringency. How much verification is "enough"? More KYC catches more fraud but creates more friction. The balance point is debated and evolving.
⚠️ Digital identity future. Will government-issued digital IDs become universal? Will self-sovereign identity gain traction? The verification landscape is in transition.
⚠️ Cross-border KYC harmonization. Will global standards emerge beyond FATF principles? Currently, significant variation creates compliance complexity.
⚠️ Privacy-preserving compliance. Can zero-knowledge proofs or similar technology enable compliance without data collection? Technically possible, not yet accepted by regulators.
🔴 "KYC is optional for crypto." No licensed exchange can operate without KYC. Exchanges that claim otherwise are either unlicensed (risky) or serving jurisdictions without requirements (also risky).
🔴 "All KYC is equally rigorous." Quality varies enormously. Tier 1 basic verification is not equivalent to full CIP. Exchange licensing jurisdiction matters for KYC quality.
🔴 "KYC protects customers." KYC protects the financial system from abuse. It incidentally protects customers by excluding bad actors, but the primary purpose is institutional, not consumer, protection.
🔴 "Once KYC'd, always KYC'd." Requirements include ongoing monitoring and periodic refresh. Initial verification is just the beginning.
KYC is the price of entry to the regulated financial system. It's expensive, creates friction, and has legitimate privacy concerns. It's also non-negotiable for any institution that wants banking relationships, regulatory licenses, and long-term viability. For XRP, this means ODL and institutional adoption depend on robust KYC infrastructure at partner institutions. Understanding KYC operations helps evaluate which exchanges and corridors are sustainable versus which are regulatory accidents waiting to happen.
Assignment: Create a comparative matrix analyzing KYC requirements across three major XRP exchanges from different jurisdictions (one US, one EU, one Asian), identifying gaps, best practices, and implications for users.
Requirements:
Part 1: Exchange Selection and Basic Information (100 words)
- One US-based (e.g., Coinbase, Kraken)
- One EU-based (e.g., Bitstamp, Kraken EU)
- One Asian (e.g., bitFlyer, Binance Japan, SBI VC Trade)
- Name and headquarters location
- Licensing jurisdiction(s)
- Year established
Part 2: KYC Requirements Comparison Matrix (Table)
Create a matrix comparing:
| Requirement | Exchange 1 | Exchange 2 | Exchange 3 |
|---|---|---|---|
| Tier 1 information required | | | |
| Tier 2 information required | | | |
| Documents accepted | | | |
| Verification method | | | |
| Withdrawal limits by tier | | | |
| Source of funds threshold | | | |
| PEP/EDD triggers | | | |
| Beneficial ownership (entities) | | | |
Part 3: Analysis (200-250 words)
- Which is most stringent? Why?
- Which provides best user experience?
- What explains the differences (regulatory environment)?
- Which would you consider "best practice"?
Part 4: Implications (100-150 words)
- XRP holders choosing an exchange
- ODL corridor viability
- Institutional adoption
Submission requirements:
- Maximum 2 pages
- Include source links for each exchange's KYC requirements
- Professional comparison format
Grading:
- Research accuracy (30%): Are requirements correctly documented?
- Comparison quality (25%): Is the matrix complete and clear?
- Analysis depth (25%): Are differences meaningfully explained?
- Practical implications (20%): Are conclusions actionable?
Time investment: 2 hours
Value: Develops practical skill in evaluating exchange compliance quality
1. CIP Components Question (Tests Knowledge):
Which of the following is NOT one of the four core elements of a Customer Identification Program (CIP)?
A) Collection of customer identifying information
B) Verification of identity through documentary or non-documentary means
C) Comparison with government sanctions lists
D) Disclosure of customer information to other financial institutions
Correct Answer: D
Explanation: CIP requires: (1) information collection, (2) verification, (3) recordkeeping, and (4) sanctions screening. Disclosure to other institutions is not a CIP element—in fact, customer information generally cannot be shared without consent or legal requirement. The Travel Rule (covered in later lessons) requires information sharing with counterparty institutions for transfers, but this is separate from CIP requirements.
2. Verification Methods Question (Tests Understanding):
A crypto exchange uses facial recognition to match a customer's selfie to their uploaded passport photo. What type of verification is this?
A) Documentary verification only
B) Non-documentary verification only
C) Biometric verification combined with documentary verification
D) Risk-based verification
Correct Answer: C
Explanation: This process combines documentary verification (passport examination) with biometric verification (facial recognition matching selfie to passport photo). This combination approach is standard for remote digital onboarding because it verifies both that the document is valid AND that the person presenting it is the person in the document. Non-documentary alone would use database matching without documents.
3. Beneficial Ownership Question (Tests Application):
A limited liability company wants to open an exchange account. The LLC is owned 50% by John Smith, 30% by ABC Holdings (a Cayman company), and 20% by Jane Doe. Which individuals must be identified as beneficial owners?
A) Only John Smith (largest shareholder)
B) John Smith and Jane Doe (individuals only)
C) John Smith, Jane Doe, and the beneficial owners of ABC Holdings who own 25%+ of ABC
D) No beneficial ownership required for LLCs
Correct Answer: C
Explanation: The 25% threshold requires identifying John Smith (50% owner). Jane Doe's 20% doesn't meet threshold. But ABC Holdings' 30% interest must be traced—who owns ABC Holdings? If ABC has any 25%+ owners, they become beneficial owners of the LLC. Additionally, individuals with significant control must be identified regardless of ownership percentage. Option D is wrong—LLCs absolutely require beneficial ownership identification.
4. Risk-Based Approach Question (Tests Critical Thinking):
An exchange customer is a charity operating in a high-risk country, with donations from multiple countries. What level of due diligence is appropriate?
A) Simplified due diligence—charities are low risk
B) Standard due diligence—same as any customer
C) Enhanced due diligence—multiple risk factors present
D) Rejection—too high risk to onboard
Correct Answer: C
Explanation: Multiple risk factors warrant EDD: (1) charities are inherently higher risk for terrorism financing, (2) high-risk country operations, (3) international fund flows. EDD would include source of funds investigation, enhanced identity verification of principals, and increased monitoring. SDD is wrong—charities are explicitly high-risk in most frameworks. Rejection isn't automatic—EDD allows risk to be managed. The risk-based approach means proportionate response, not blanket rejections.
5. Exchange Evaluation Question (Tests Practical Application):
You're evaluating two exchanges for XRP custody. Exchange A requires only email verification and offers immediate trading. Exchange B requires government ID, facial verification, and source of funds documentation for large accounts. Which exchange poses lower long-term operational risk?
A) Exchange A—lower friction means better user experience and likely more users
B) Exchange B—comprehensive KYC indicates regulatory compliance and sustainable banking relationships
C) They're equivalent—KYC doesn't affect operational risk
D) Cannot determine without more information
Correct Answer: B
Explanation: Exchange A's minimal KYC suggests either: (1) unlicensed operation, (2) jurisdiction with minimal requirements, or (3) non-compliance with requirements. All create elevated risk of regulatory action, banking relationship loss, or exchange failure. Exchange B's comprehensive KYC indicates regulatory compliance, sustainable banking relationships, and lower probability of forced closure. User friction is a trade-off, but long-term operational sustainability is more important for custody.
- FinCEN, "Customer Identification Programs for Banks" (31 CFR 1020.220)
- EU 4th and 5th Anti-Money Laundering Directives
- FATF, "Guidance on Customer Due Diligence" (2014, updated 2020)
- FinCEN, "Customer Due Diligence Requirements for Financial Institutions" (2018)
- Wolfsberg Group, "Wolfsberg Anti-Money Laundering Principles"
- ACAMS, "KYC Best Practices"
- Joint Money Laundering Steering Group (UK), "Guidance for the UK Financial Sector"
- Jumio, Onfido, Veriff - Document and biometric verification
- LexisNexis, World-Check - PEP and sanctions screening
- Chainalysis, Elliptic - Blockchain analytics
- Basel Committee on Banking Supervision, "Sound Management of Risks Related to Money Laundering and Financing of Terrorism"
- Various law firm client alerts on beneficial ownership requirements
For Next Lesson:
Lesson 3 examines transaction monitoring—how financial institutions analyze customer behavior to detect suspicious patterns. We'll explore rule-based detection, behavioral analytics, the false positive challenge, and how blockchain analytics integrates with traditional monitoring. This is where KYC knowledge gets applied: knowing your customer enables understanding whether their transactions make sense.
End of Lesson 2
Total words: ~5,600
Estimated completion time: 55 minutes reading + 2 hours for deliverable
Key Takeaways
CIP requires four elements: information collection, verification, recordkeeping, and sanctions screening.
Missing any element creates compliance deficiency. This framework applies to all regulated financial institutions including crypto exchanges.
Verification methods have evolved from documentary to biometric to digital.
Modern KYC combines document scanning, facial recognition, database verification, and increasingly, digital identity solutions. Quality and cost vary significantly.
Beneficial ownership requirements create transparency in entity customers.
The 25% ownership threshold and control tests aim to identify who actually benefits from entity accounts. Corporate registries are expanding globally.
Risk-based due diligence focuses resources on higher-risk situations.
Not everyone needs EDD. But PEPs, high-risk geographies, and cash-intensive businesses require additional scrutiny. Documentation of risk methodology is essential.
Exchange KYC quality indicates operational sustainability.
Better KYC = better regulatory relationships = better banking relationships = lower failure risk. Evaluating exchange KYC is part of due diligence.