26th March 2025
KYC (Know Your Customer) measures form the backbone of anti-money laundering (AML) and counter-terrorist financing (CTF) regimes worldwide. By requiring financial institutions (and increasingly, other businesses such as crypto exchanges and crowdfunding platforms) to verify the identity of their clients, KYC processes aim to detect suspicious activity early, mitigate fraud, and prevent misuse of the financial system.
Since its mandatory introduction through the Patriot Act after 9/11, KYC has become embedded in society and grown into a multi-billion-dollar industry. Given how critical a role it plays in the compliance industry, with the sole purpose of preventing financial crime, it would be a shame if this measure were largely ineffective at stopping financial crime whilst actively harming users.
KYC in practice
In theory, KYC deters financial criminals because they must submit their own documents, which authorities could then trace back to them. However, it’s very easy for criminals to circumvent KYC in a number of ways. There is a big marketplace for KYC’d accounts for any service you could possibly be interested in, which is probably the easiest way to undermine the system, but there are many more. Money mules, dedicated individuals who perform KYC on behalf of criminals, are prevalent and extremely hard to counter from a compliance perspective, as they are often also used to maintain accounts and provide additional information if required. More recently, synthetic identities have become a real threat to standard compliance systems. Fake documents were originally made simply with Photoshop, but the rise of generative AI has made this a whole lot easier; already there are generative AI platforms dedicated specifically to creating fake KYC documents. In other words, sophisticated criminals seldom expose themselves directly; they leverage obvious weaknesses in the system to slip through compliance checks.
Consequently, the very deterrent meant to stop illicit behavior turns into a minor speed bump for criminal networks, if even that. Meanwhile, regular people bear the brunt of KYC’s burdens. Every time you hand over your personal documents, you trust that platform to protect your sensitive data. Yet, as we’ve seen from the Celsius and FTX failures (and others before them), personal information held by financial institutions can become a prime target for hackers—or can be misused if the organization itself is badly managed. When such breaches happen, user data is up for grabs on the dark web, potentially leading to identity theft and other forms of fraud.
These platforms that demand so much personal data act as honeypots—storing troves of sensitive information that attract malicious actors. When breaches occur, the potential harm to everyday users can be enormous: not only do they risk losing funds tied up in a compromised platform, but they also face long-term identity risks if their documents are circulated illegally.
KYC was introduced with the laudable goal of deterring financial crime, yet as it stands, it disproportionately burdens ordinary users while failing to stop bad actors. KYC is simply a box-ticking exercise, and if regulators are serious about stopping financial crime, they need to work together with technology providers to bolster both the security and efficiency of new compliance technologies.