
What is KYC/AML?

KYC and AML are the compliance regimes that require financial services to verify who their customers are and monitor suspicious activity.

Last updated Nov 1, 2025, 12:00 PM UTC

KYC stands for Know Your Customer. AML stands for Anti-Money Laundering. Together they are the compliance regime that every regulated financial service — including every major crypto exchange, custodian, and fiat on-ramp — operates under. They shape what data a service collects about you, what transactions it will and will not support, and what it does when a transaction looks unusual. For crypto, they are the point where the pseudonymous on-chain world meets the identified off-chain one.

What KYC requires

When you open an account at Coinbase, Binance, Kraken, or any fiat-connected crypto service, the onboarding flow asks for government ID, address, sometimes a selfie, occasionally a source-of-funds declaration. The service is legally required to verify these. Depending on jurisdiction, the specifics vary — the US Bank Secrecy Act and FinCEN rules, the EU's AML directives and MiCA, the UK's FCA framework — but the basic shape is the same: before letting you move material amounts of money, the service needs to know who you are.

Tiered KYC is common. Low-volume users may only need basic identification. Higher-volume users, or users attempting withdrawals above a threshold, get asked for more documentation: proof of address, source-of-funds explanation, sometimes a video call. Very high-volume users may be subjected to Enhanced Due Diligence, which is a fancy term for a compliance team actually reading the file.

The practical consequence is that there is a bright line between pseudonymous crypto (self-custody, DEXs) and identified crypto (centralized exchanges, custodians). When you move funds from one side to the other, the identified side records who you are and where the funds came from.

What AML requires

AML is broader than KYC. It is the ongoing obligation to monitor transactions for patterns consistent with money laundering, terrorist financing, or sanctions evasion. Exchanges employ transaction-monitoring systems (Chainalysis, TRM, Elliptic) that flag activity of interest: deposits from known illicit addresses, structured withdrawals (many small ones to avoid reporting thresholds), unusual jumps in volume, interactions with mixers.
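Two of the flags named above, deposits from listed addresses and structured withdrawals, written out as simple rule-based detection logic. This is an added example, not code from the original page or from any exchange or monitoring vendor; the threshold, window, minimum count, account names and address list are all constructed assumptions, not regulatory figures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are assumptions for illustration, not regulatory figures.
REPORT_THRESHOLD = 10_000             # hypothetical per-transaction reporting threshold
WINDOW = timedelta(hours=24)          # hypothetical look-back window
MIN_COUNT = 3                         # hypothetical minimum number of small withdrawals
FLAGGED_SOURCES = {"addr_flagged_1"}  # constructed stand-in for a vendor risk list

def flag_activity(events):
    """Return sorted (account, reason) pairs for events matching either rule.

    events: dicts with keys account, kind ('deposit' or 'withdrawal'),
    amount, time (datetime) and counterparty.
    """
    alerts = set()
    withdrawals = defaultdict(list)  # per-account sub-threshold withdrawals in window
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["kind"] == "deposit" and e["counterparty"] in FLAGGED_SOURCES:
            alerts.add((e["account"], "deposit_from_flagged_source"))
        elif e["kind"] == "withdrawal" and e["amount"] < REPORT_THRESHOLD:
            recent = withdrawals[e["account"]]
            recent.append(e)
            # Drop withdrawals that have aged out of the look-back window.
            while e["time"] - recent[0]["time"] > WINDOW:
                recent.pop(0)
            total = sum(w["amount"] for w in recent)
            # Each withdrawal is under the threshold, but together they reach it.
            if len(recent) >= MIN_COUNT and total >= REPORT_THRESHOLD:
                alerts.add((e["account"], "possible_structuring"))
    return sorted(alerts)

def sample_events():
    """Constructed sample data; no real accounts or addresses."""
    t0 = datetime(2025, 1, 1, 9, 0)
    def ev(acct, kind, amount, hours, counterparty):
        return {"account": acct, "kind": kind, "amount": amount,
                "time": t0 + timedelta(hours=hours), "counterparty": counterparty}
    return [
        ev("acct_a", "withdrawal", 4_000, 0, "addr_x"),
        ev("acct_a", "withdrawal", 3_500, 2, "addr_x"),
        ev("acct_a", "withdrawal", 3_000, 5, "addr_y"),   # 10,500 total within 5 hours
        ev("acct_b", "withdrawal", 200, 0, "addr_z"),     # ordinary small activity
        ev("acct_b", "withdrawal", 300, 3, "addr_z"),
        ev("acct_c", "deposit", 500, 1, "addr_flagged_1"),
        ev("acct_d", "withdrawal", 25_000, 1, "addr_w"),  # single large transfer, not structuring
    ]

if __name__ == "__main__":
    for account, reason in flag_activity(sample_events()):
        print(account, reason)
```

Production monitoring systems combine many more signals than these two rules; an alert here corresponds to the "flagged" state, after which the exchange decides how to respond.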

When a transaction gets flagged, the exchange may require additional documentation before releasing funds, may freeze the account, may file a Suspicious Activity Report (SAR) with the relevant financial intelligence unit, and in some cases will file a report and freeze the account simultaneously.

The SAR itself is confidential — the customer is not told it has been filed. Whether the report ever leads to anything depends on the regulator, but the data is accumulated and cross-referenced with law enforcement databases.

The travel rule

An increasingly important piece of AML is the "travel rule," which requires that identifying information about the sender and recipient "travel" with transfers above a threshold between regulated entities. Originally a banking rule, it has been extended to crypto by FATF (Financial Action Task Force) recommendations and is being implemented in various ways across jurisdictions.

Practically, this means that when Coinbase sends your funds to Kraken, both exchanges are required to exchange data about who is sending and receiving. Services like Notabene and Sumsub provide the infrastructure for this exchange. For transfers to self-custody wallets, the rules are less uniform — in some jurisdictions, the exchange must verify the ownership of the destination wallet; in others, a simpler attestation suffices.

The tension with pseudonymous crypto

Crypto's original appeal, at least in early Bitcoin culture, was pseudonymous peer-to-peer payments. KYC/AML is structurally at odds with that: its entire purpose is to identify counterparties. The tension plays out across every regulatory cycle.

Centralized exchanges largely ceded the ground: they accept KYC as the price of operating legally. Decentralized protocols have tried harder to resist, with mixed success. Tornado Cash, a mixer used to anonymize Ethereum transactions, was sanctioned by the US Treasury's OFAC in 2022 — an unprecedented step of sanctioning a smart contract rather than a person. Several developers were arrested. The legal contours are still being fought over.

On the other end of the spectrum, sophisticated protocols now offer selective-disclosure schemes where users can prove compliance (e.g., "I am not on a sanctions list") without revealing full identity. Aztec, Railgun, and other privacy-oriented systems have experimented with this. The regulatory acceptance remains uncertain.

For the individual user

Most ordinary crypto users experience KYC as a minor inconvenience during onboarding and occasionally during unusual withdrawals. A few practical points matter.

First, once you KYC with an exchange, your identity is linked to any on-chain addresses you withdraw to. Chain analysis tools can see that wallet 0xabc... withdrew from a KYC'd Coinbase account belonging to Jane Doe. If you care about privacy, you should understand that the moment fiat moves through an identified service, your future activity from that address is identified too.

Second, moving funds from sanctioned or illicit addresses through a KYC'd service will, sooner or later, lead to account freezes and investigations. Receiving funds that were themselves tainted — even several hops back — can also cause trouble. Using block explorers and chain-analysis tools to check the provenance of received funds is prudent.

Third, KYC data is itself a target. Exchange hacks that leak customer KYC data have happened multiple times (Ledger 2020, Coinsquare, BlockFi). A leaked KYC database is dangerous because it links real identities to crypto holdings — information useful to phishers, extortionists, and physical attackers. Using minimum necessary KYC and unique email addresses per exchange is sensible hygiene.

Why it matters

KYC/AML is not going away. Every integration between crypto and traditional finance — ETFs, stablecoin issuance, institutional custody, payment rails — passes through some form of it. Understanding what the rules require, what data services collect, and how on-chain activity ties back to identified accounts is essential for anyone moving real money in and out of crypto. Pretending the compliance layer does not exist is the fastest way to get frozen mid-withdrawal with a support ticket that cannot be resolved.
