KYC/AML compliance for wallets and exchanges might be easier than you think!

Thijs Maas
Jan 26, 2021

Sure, Know-Your-Customer (KYC) and Anti-Money Laundering (AML) laws aren’t very popular in crypto-land. However, they are a necessary evil, and wallets and exchanges should ensure they are legally compliant. And KYC/AML compliance is easier than you might think.

This guide is a blog-article, and should not be relied upon, or otherwise construed/taken as legal advice. Consult your own lawyer!

KYC and AML laws exist to combat money laundering and financing of terrorism. On a global level, these laws are quite similar across jurisdictions as they are inspired by the same FATF recommendations.

In this article, I’ll specifically cover the implementation of these recommendations in the European Union and the United States. I will do so by first looking at KYC/AML for wallets, and then KYC/AML for exchanges.

The goal here is not to go too in-depth into the law or its definitions. I won’t get into the details of registration/licensing schemes or effective design of compliance processes once subjected to KYC/AML laws.

Instead, this article will explain how wallets and exchanges can try to ensure they don’t fall under the scope of KYC/AML laws.

KYC/AML for wallets

For wallet developers, having to implement KYC/AML would be more than annoying. It goes against the very principles of why users would own crypto.

Compliance for wallets (EU law)

In the EU, KYC/AML laws are based on the 5th AML Directive. Introduced in 2019, the Directive for the first time specifically covers virtual currencies. In a nutshell, European KYC/AML laws are only applicable to ‘obliged entities’.

Wallet providers in the EU are only considered obliged entities when they take custody of the user’s private keys (which is a no-no anyways for crypto-fanatics). Because of this, anyone that offers non-custodian wallets in the EU does not need to worry about KYC/AML compliance.

Compliance for wallets (U.S. law)

In the U.S., KYC/AML laws are regulated by FinCEN. Its KYC/AML laws are applicable to Money Services Businesses (MSB). So-called ‘money transmitters’ are seen as MSBs. In other words, if you are a money transmitter, extensive compliance obligations are applicable to you.

In its 2019 Guidance on Convertible Virtual Currencies (CVCs), FinCEN made the same distinction as the EU. The regulator clarified that custodian wallet providers are money transmitters, while non-custodian wallets are not.

In other words, if a wallet operator does not hold the private keys of the user, KYC/AML laws are not applicable.

Wallets with fiat gateways

In short, wallet operators have to ensure they do not hold the private keys of their users to make sure they aren’t caught by KYC/AML law.

But there’s more to it.

As mentioned, the EU’s KYC/AML regime applies to ‘obliged entities’. Aside from custodian wallet providers, another category of obliged entities are ‘providers engaged in exchange services between virtual currencies and fiat currencies’ (Art. 2(1)(3)(g)).

For wallet providers, a fiat onramp can provide a much-needed source of revenue. However, as soon as a wallet allows for the exchange of fiat currencies (EUR, USD, etc.) to cryptocurrencies, it would classify as an obliged entity in the EU, and an MSB in the U.S.

To get around this problem, wallet providers can integrate fiat gateways of third-parties. There are many third-party fiat gateways (with widgets and/or APIs that can be implemented by others), who take the compliance burden upon themselves.

However, third-party fiat-to-crypto gateways specialize in certain regions. To provide local payment methods and get global coverage, developers have to integrate multiple gateways to provide a good fiat-to-crypto onramp. This is a lot of work: they have to go through each provider’s KYC, negotiation and contracting processes, and then integrate their APIs.

Instead, integrating a fiat-to-crypto gateway aggregator like Onramper is the easiest option.

KYC/AML for exchanges

KYC/AML for exchanges is similar to that for wallets. Again, let’s briefly go over applicable EU and U.S. law.

KYC/AML for exchanges in the EU

As mentioned, any party which allows for the exchange between fiat currencies (USD, EUR, etc.) and cryptocurrencies is an obliged entity. Interestingly, crypto-crypto exchanges are not caught by this definition. As such, crypto-crypto exchanges are not subject to the various registration schemes, compliance requirements, and reporting obligations in the EU’s member states.

Again, to enable users to buy crypto with fiat, it is therefore wise to outsource the fiat<>crypto conversion to a third-party fiat-crypto gateway (see comparison of gateways).

KYC/AML for exchanges in the U.S.

The applicability of the U.S. KYC/AML regime for exchanges is a bit stricter than in the EU. In its 2013 VC Guidance, FinCEN makes clear that an:

“exchanger of convertible virtual currencies that accepts and transmits a convertible virtual currency, or buys or sells convertible virtual currency in exchange for currency of legal tender or another convertible virtual currency for any reason is a money transmitter under FinCEN’s regulations, unless a limitation to or exemption from the definition applies to the person”

In other words, both fiat-crypto and crypto-crypto exchanges are subject to the Bank Secrecy Act’s KYC/AML regime.

In the U.S., the only way exchanges can be designed so as not to be deemed an MSB is by being fully decentralized. If a platform only provides for the communication between parties, and the parties themselves settle any matched transactions through their own wallets, the trading platform does not qualify as a money transmitter.

Of course, exchange operators should still be careful of listing securities, something the founders of EtherDelta (once the most-used DEX) had to learn the hard way.

To onramp users from the fiat world, outsourcing to fiat gateways that have obtained licenses on both the federal and state-level is the way forward.

Conclusion

First of all, do your own research and hire a lawyer. Second of all, don’t take custody of your users’ funds if you don’t want to fall under KYC/AML regulations. Give them control of their private keys. Third, don’t do conversions between fiat currencies and cryptocurrencies yourself, unless you want to get licensed/registered with the regulators of all jurisdictions where you operate actively. Instead, integrate a third-party fiat gateway.

About the author: Thijs Maas has been active as a legal consultant in the crypto-space since 2017, and is the author of ‘Understanding Token Offerings’ (Cambridge University Press, forthcoming) and co-founder of Onramper, a fiat gateway aggregator.

Thijs Maas

Interested in the challenges between blockchains and the law — founder of www.onramper.com and editor of www.lawandblockchain.eu