Know Your Peer: The Good & Bad About KYC and the Way Out of This

Intro

First things first, this isn’t an article where I’ll try to convince you that Know-Your-Customer (KYC) is actually a good and positive practice and the only way we are going to get wider adoption of crypto, nor will I take the stance that the crypto industry has won and KYC is a thing of the past.

Instead, I want to lay some ground for reason and pragmatism, looking into why we are still bothered with KYC: where it can harm legitimate attempts to create a new financial paradigm and where we can embrace it. Why focus on “finance”? Because that’s mostly where the KYC compliance requirements come from.

I’m also certain I haven’t come close to exhausting the examples of projects tackling the “Know Your Peer” challenges. This is a prompt to the reader: please share the article and comment with the interesting solutions I’ve left out of the spotlight.

The whole article is written from my perspective, as Josef, the founder of PWN.

Now finally, let's dive into history a bit.

Where Did This KYC Thing Come From?

Note: If you get bored easily reading bland facts, I suggest you skip this section.

1. Bank Secrecy Act of 1970

The U.S. was one of the first countries to introduce regulations aimed at combating financial crimes. The Bank Secrecy Act required financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000, and ensure that banks were not used for money laundering[1]. Although the term KYC was not specifically mentioned in the initial Bank Secrecy Act itself, it laid the groundwork for what would later fall under the KYC umbrella.

Note that these regulations predate popular cryptographic protocols such as Diffie-Hellman (1976) and the RSA algorithm (1977).

2. Financial Action Task Force (FATF)

KYC became a critical part of Anti-Money Laundering (AML) initiatives in the 1970s and 1980s. FATF, established in 1989 by the G7, played a significant role in setting international standards for AML efforts, including KYC procedures. The FATF issued 40 Recommendations that serve as a global framework for combating financial crime[2]. It established the term "customer due diligence" (CDD), which is often used interchangeably with KYC in FATF recommendations, urging institutions to:

  • Identify and verify the identity of customers

  • Identify beneficial owners of corporate entities and trusts

  • Monitor and report suspicious transactions

3. USA PATRIOT Act of 2001

After the September 11 attacks, the USA PATRIOT Act expanded KYC requirements significantly[3]. This act is one of the first major regulations to explicitly mandate KYC procedures in the U.S. It required financial institutions to develop and implement a Customer Identification Program (CIP) as part of their broader anti-money laundering (AML) efforts. CIP regulations outlined four basic requirements of KYC:

  • Obtain identifying information (name, date of birth, address, and identification number)

  • Verify the identity of the customer (using documents or non-documentary methods)

  • Maintain records of the information

  • Screen customers against government lists of known or suspected terrorists

4. European Union - The Regulatory Endgame

The EU followed the Patriot Act shortly after with its own AML directives, hardening the rules for CDD/KYC in other sectors as well[4].

  • 3rd EU AML Directive (2005):

    • Required financial institutions to verify clients' identities before establishing business relationships.

    • Defined high-risk clients (politically exposed) and included the same requirements for lawyers, accountants, and casinos.

  • 4th EU AML Directive (2015) further expanded on the compliance requirements, covering a wider spectrum of entities with low thresholds for triggering KYC checks.

  • 5th EU AML Directive (2018)[5]:

    • Expanded KYC to cover cryptocurrency exchanges and wallet providers.

    • Enhanced transparency for prepaid cards and anonymous payment methods.

  • 6th EU AML Directive (2021):

    • Extended the definition of money laundering offenses.

    • Introduced criminal liability for entities failing to comply with KYC regulations.

There you go. Of course, the world isn't just the US & EU, but these have definitely influenced the setup in other countries as well.

Different Perspectives

The statist side of the argument will claim that KYC is a rational requirement to ensure enforceability of AML, and if businesses want to operate within a regulated market with all of its protections, they have to enforce some sort of tracking on the transaction or customer level. They won't be wrong.

The anarchists or libertarians will likely claim that KYC is just stupid surveillance bureaucracy, which pushes the burden of law enforcement onto businesses—effectively showing that the state is incompetent to even come up with enforceable laws. And it doesn’t stop actual bad actors. They won't be wrong either.

The average Joe will likely feel like he is going through a security check at the airport, letting others breach his privacy as if he were a terrorist, only so he can achieve a goal like traveling or using a service (i.e., collecting his paycheck) every time he faces yet another ID scan and selfie.

Oof, that was exhausting. Well, luckily for now, individuals who engage in private transactions that don’t reach "professional scale" (whatever that means) are generally not required to conduct these identity checks on their counterparties themselves. Peer-to-peer means freedom, hurrah! Kind of, as some jurisdictions have started banning cash transactions above certain amounts, effectively pushing people back into the KYC'd zone.

Increasingly, countries are starting to enforce tighter rules around cryptocurrency transactions as well, essentially trying to identify people on the loose ends (KYC on exchanges) and likely keeping an eye on the flow of transactions happening from these ends. So, DYOR, be vigilant, and don’t take this write-up as an excuse for breaking the law.

Why Is KYC Good for Crypto?

Let’s not get into the "if you have nothing to hide, you have nothing to lose" argument—that’s obviously not true, but more on that later. How can crypto benefit from KYC?

Increased Trust & Legitimacy (for an Average Joe)

If one of the problems of our industry is distrust and lack of legitimacy in the general public, then using gateways where people feel "comfortable" is a way they can be onboarded—even if it's through custodial means. Centralized exchanges are usually the place where people get their first crypto, and given how many shady exchanges have disappeared with people’s money or have been hacked, having centralized crypto exchanges regulated (and AML compliant) is likely a net benefit for crypto. Similarly, other custodial solutions that offer to manage "your" crypto for you—reaching even solutions such as Ledger's or Sygnum's web3 recovery—can foster trust.

Increased Exposure to the Rest of the Economy

Let’s face it, crypto can’t be indefinitely perpetuated by the steam evaporating from deflationary memes. Crypto can be the 'real world' if and only if it also solves 'real world' issues. Many of these issues are bound to physical objects (even if just physical papers)—yeah, we don’t live in a fully digitized utopia yet, and we may never. One of the use cases of blockchain is a simple track record. It’s a ledger, and it can, should, and will be used as a ledger for things like tokenized assets, RWAs, and records of rights, duties, and contracts. Like it or not, many of these objects have their own respective regulations that don’t even touch financial institutions, and many future use cases will benefit from having solid KYC solutions that can associate addresses with individuals in the real world.

What's Bad About KYC for Crypto?

How Can You Regulate Something You Don't Understand?

Firstly, crypto has proven that the free financial system is not only hard to capture, it’s even hard to understand for the average policymaker. I don’t mean to shame the forty-something white-collar boomers in Central Bank offices, nah, no no no. I’m shaming us, the crypto industry. Understanding the full scope of what we have built here is damn hard. Even for ourselves—plus we do a lousy job explaining it. Also, we are in uncharted territory, building things that never existed before in a necessarily globalized internet era. Most of the successful apps on-chain are simply experiments that played out well.

Not Everyone Is a Terrorist or a Business!

Not everyone on-chain is running a business, so why should they be constrained by disclosing their identity when they don’t want to handle large transactions? I don’t have comprehensive data about this, but my hunch is that we are still talking about bringing institutions on-chain as a major milestone, so that makes me think that the majority of users are still individuals transacting among each other.

Everybody Knows Your Customer

KYC compliance is also achieved by suboptimal means; oftentimes intermediaries perform the process just to tick a checkbox for a potential audit. Compliance means storing some personal information indefinitely, and as we are periodically reminded, these personal data honeypots get hacked all the time [6][7][8].

KYC requirements, as we know them, are simply not doing the job. What we see is literally a 20th-century compliance framework being applied to 21st-century technology. It can’t keep up with technological progress, and in its current form it mostly constrains people who still care about compliance, while those who don’t care simply ignore it. While its primary goal is to reduce financial crime and, later, make funding terrorism impossible, it does so at the cost of exposing retail to data theft.

Source: https://x.com/DarkWebInformer/status/1841606471605244320

Know Your Peer

Disclaimer: What follows certainly isn’t legal advice but rather an opinion about what the ideal, optimistic situation could look like. We won’t know whether these solutions would indeed be acceptable to regulators, but the point is that we can spearhead attempts to mitigate transacting with bad actors ourselves today.

Now we know how we ended up in the current situation: We perform the KYC ritual so Kim can’t buy more rockets and ISIS more purses. We also know that it’s, in fact, the regulator who is interested in all of the KYC details rather than the businesses themselves (to some extent). Arguably, businesses in crypto, like exchanges, wouldn’t be interested in validating your ID unless it was required by the regulator. Very likely, they are not interested in the additional exposure of keeping your records and potentially getting fined and sued for data leaks. They could be interested in some of your private data for marketing, but would they require your ID and photo? I don’t think so.

Let’s focus on DeFi as an emerging industry example. In true DeFi, there are no banks as transactional intermediaries; actually, in true DeFi, there shouldn’t be any transactional intermediary but the tech/code, which acts as the blindfolded, unbiased Lady Justice.

If there is no intermediary who could potentially engage in money laundering, whose responsibility is it to comply? Of course, we won't truly know until there is social consensus and perhaps rulings, but for the sake of this article, let’s optimistically assume the following: It’s not the medium that carries responsibility but the people and entities on both sides using that medium.

Just as neither cash itself nor the issuer of cash is responsible for whatever the two counterparties do with it, I’d argue that responsibility lies with the counterparties engaging via blockchain-deployed code. In an ideal world, this should be the case for true DeFi protocols where there is really no custodian operating between the two counterparties.

So it’s you, dear “peer.”

If you engage in a transaction with a counterparty that could trigger compliance tests (especially when you are a business), IMHO it’s you who should be worried about KYC compliance, and not the platform/protocol you are using. In the end, it’s your books.

What Can We Do to Self-Regulate Today?

I think it’s safe to assume that we don’t want to be supporting bad guys, and if we could choose not to engage with them in trading/exchanging, we wouldn’t.

So what can we do?

Let’s start with the ugly.

Protocol Censorship (Blacklists)

In pooled DeFi, there is not much one can do as an individual. The pools act like black boxes, and unless the protocols implement a form of censorship (like an address blacklist), you are kind of transacting with everyone in the system, including the bad guys. The protocols would have to specifically blacklist the bad addresses, but there is an issue—the bad guys can always spin up a new address that isn’t on the blacklist and be back in the game in no time. So, that’s not a very clever solution.

Whitelisting

An alternative approach is to constrain protocol usage to the “good guys” only, meaning that only a specific set of addresses can use a protocol. Multiple tokenized “fintech” protocols have chosen this pathway. Even AAVE has experimented with a similar approach in the past with Project Arc.

Now that we’ve included intermediary arbiters maintaining a white-/blacklist, a fair question comes to mind in both cases: Is this still even DeFi? I’d argue that it is not.

What’s the Downside Here?

Unless the transactional systems enable the creation of isolated markets using some form of opt-in whitelist, or they are based on the p2p premise already (like intent/orderbook-based DEXes and lending protocols), you can’t do much with the existing DeFi stack of pooled liquidity (both AMM DEXes and pool-based lending protocols such as AAVE or Compound) and stay 100% compliant with existing regulatory requirements (if you care about them).

The pooled capital smart contract protocols are great. They deal with a lot of capital inefficiencies and leverage the fact that smart contracts enable the minimization of trust for deploying capital into the same basket with others while not letting someone else run away with your money. But they do a terrible job in situations where your worries aren’t just market participation but also compliance with existing frameworks. For that, there is pure peer-to-peer.

Note: Before we do that, I’d like to mention yet another disclaimer. I’m not an anti-KYC or anti-state maximalist, but rather a surveillance & nation-state minimalist. I dislike both to a large extent, but I’m all for pragmatism and reducing inefficiencies. I’m also very much pro-freedom, and I think that individuals should be able to choose to comply with regulations without having to return their cryptonative and cypherpunk badge.

Know Your Peer

Finally, let’s talk about selective disclosure and self-regulation. I’d say that’s the optimal pathway to enabling closer entanglement of DeFi with the legacy accounting system today.

Selective Disclosure:

Very likely, you as an individual won’t be required to identify the counterparty directly unless you want to ensure you are not transacting with someone on a sanctioned list. If you are a regulated business, however, you might have to go one step further and require the full KYC data set from the party you are transacting with—including copies of documents—or simply get validation of someone’s age without full disclosure.

As a business, you can either:

  • Simply create your own list of identified addresses, together with your own data-storage procedure.

  • Use a 3rd party service such as the infamous Fractal ID (sorry, not sorry) or Privado (you can use these also to just ensure age checks).

As an individual, you can get a bit more creative. Let’s say you only care about not transacting with sanctioned countries or people below a certain age, but you want to preserve privacy in your operation, avoid potential data leaks, or ensure there is a real single human involved in the transaction. Luckily today, there are means to achieve that, such as:

  • zkPassport: Enables you to get a ZK validation of someone’s country of origin or possession of a passport.

  • Privado.ID: Provides a slightly more comprehensive toolset to prove more about a particular address.

  • WorldID: Enables you to ensure a single real human is on the other side, for example when limiting how much you transact with any one individual.

In all cases here, identity theft is still possible, but that’s also possible and happens in TradFi, so it’s not an argument for dismissing the solutions. It is also worth noting that there is no real precedent for ZK solutions being accepted as sufficient by regulators, but I don’t think that should stop us from turning them into a standard either.

General Self-Regulation:

Most blockchains have the double-edged sword issue in the form of transparency. Thanks to companies like Chainalysis, the crypto industry has sobered up from claiming that cryptocurrencies are generally private. Thankfully, there are still projects like ZCash, Railgun, and many others fighting for “privacy by default.” That, however, also means an opportunity—an opportunity for creating “credit scores” that can help you identify trustworthy peers based on provable behavior.

Why bother with just a number associated with an unidentified address? Plenty of reasons:

  • You can filter counterparties you want to engage with—whether community members, builders, or people passing a certain expertise level.

  • You may only want to engage with those that fit your value set.

  • You may adjust rates for counterparties more likely to repay loans on time (and vice versa).

Generally speaking, credit scores were invented to manage counterparty risks and lend capital efficiently. Today, we can also use them to encourage good/intended behavior. If you now think that’s the “Chinese social credit scoring,” think much smaller—community-level scoring.

There are many projects attempting to build a comprehensive scoring framework. Here are a few examples:

While these tools are imperfect until we achieve a comprehensive and standardized “Decentralized Identity” (DID) functional across ecosystems, they can be sufficient for many cases.

Utilizing such reputation systems in combination with tools like zkPassport allows you to programmatically ensure compliance and manage risks.
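To make the difference between the mechanisms above concrete (protocol blacklists, opt-in whitelists, and a Know-Your-Peer check that combines selectively disclosed claims with a reputation score), here is an added Python model. It is example code, not from the original article or from any of the projects named; issuer names, addresses, claims and scores are constructed, and the ZK proof behind a claim is abstracted to an issuer/attribute pair.

```python
from dataclasses import dataclass

# Constructed model of the counterparty policies discussed in the article:
# a protocol blacklist, an opt-in allowlist, and a Know-Your-Peer check built
# from selectively disclosed claims plus a community reputation score.

@dataclass(frozen=True)
class Claim:
    """A selectively disclosed attribute (e.g. age_over_18, not_sanctioned)
    vouched for by an issuer; the ZK proof itself is abstracted away."""
    issuer: str
    attribute: str

@dataclass(frozen=True)
class Peer:
    address: str
    claims: frozenset = frozenset()
    reputation: int = 0  # community-level score, e.g. on-time repayments

class BlacklistPolicy:
    """Protocol censorship: reject addresses already known to be bad."""
    def __init__(self, bad_addresses):
        self.bad = set(bad_addresses)
    def allows(self, peer):
        return peer.address not in self.bad

class AllowlistPolicy:
    """Opt-in isolated market: only pre-identified addresses may trade."""
    def __init__(self, identified_addresses):
        self.good = set(identified_addresses)
    def allows(self, peer):
        return peer.address in self.good

class KnowYourPeerPolicy:
    """Selective disclosure plus reputation: every required attribute must
    come from an issuer you trust, and the score must clear a floor."""
    def __init__(self, trusted_issuers, required_attributes, min_reputation=0):
        self.trusted = set(trusted_issuers)
        self.required = set(required_attributes)
        self.min_reputation = min_reputation
    def allows(self, peer):
        presented = {c.attribute for c in peer.claims if c.issuer in self.trusted}
        return self.required <= presented and peer.reputation >= self.min_reputation

def screen(policy, peers):
    """Return {address: allowed} for each candidate counterparty."""
    return {p.address: policy.allows(p) for p in peers}

# Constructed sample: one known-bad address, the same actor on a fresh
# address (the blacklist bypass), and an honest peer with a trusted claim.
KNOWN_BAD = Peer("0xbad1")
FRESH_BAD = Peer("0xbad2")
HONEST = Peer("0xgood", frozenset({Claim("zk-issuer", "age_over_18")}), reputation=7)
PEERS = [KNOWN_BAD, FRESH_BAD, HONEST]

blacklist = BlacklistPolicy(["0xbad1"])   # lets 0xbad2 straight through
allowlist = AllowlistPolicy(["0xgood"])   # but is no longer permissionless
kyp = KnowYourPeerPolicy({"zk-issuer"}, {"age_over_18"}, min_reputation=5)

if __name__ == "__main__":
    for name, policy in [("blacklist", blacklist), ("allowlist", allowlist), ("kyp", kyp)]:
        print(name, screen(policy, PEERS))
```

The Know-Your-Peer policy rejects the fresh address not because it is listed anywhere, but because it cannot present the required claim from a trusted issuer, which is the property the blacklist lacks.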

Closing Words

If you were hoping to hear that KYC is a thing of the past, I’m sorry to say, but the AML bureaucracy is very likely here to stay. Sure, you can bury your head in the sand and act like it’s not affecting you. And of course, as a sovereign being, you can escape to apps where KYC is a curse word. If you’re an individual occasionally transacting, that might work in plenty of cases. If you’re a business or a professional in a highly regulated industry, however, that might backfire. But there’s another perspective as well: it’s not only about compliance and legality, it’s also about personal values and minimizing the instances where your actions help or support a bad cause or outcome.

Optimistically integrating privacy-preserving ways to Know Your Peer and self-regulating ourselves to avoid bad actors is a better scenario than facing irrational KYC requirements on DeFi usage due to a few bad apples. I’m also not saying we should stop fighting for privacy rights, quite the contrary: my appeal is that we should implement them before they are necessary and educate policymakers to prove that a privacy-preserving approach to KYC measures is the only way.

Key takeaways:

  1. Today, we have tools to automate much of the KYC bureaucracy, and hopefully some regulators will acknowledge that this is the best of both worlds from an AML and a GDPR perspective.

  2. We can make an effort to avoid doing things we’d objectively say we don’t want to do, like trading against kids or lending money to the bad guys, even without laws requiring it.

Sources:

[1] Bank Secrecy Act: https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act

[2] Financial Action Task Force (FATF), FATF Recommendations: https://www.fatf-gafi.org/recommendations.html

[3] USA PATRIOT Act: https://www.fincen.gov/resources/statutes-regulations/usa-patriot-act

[4] European Commission AML/CFT policy: https://finance.ec.europa.eu/financial-crime/anti-money-laundering-and-counter-terrorist-financing_en

[5] 5th EU AML Directive (AMLD5): https://eur-lex.europa.eu/ (Search “AMLD5”)

[6] FractalID hack: https://x.com/Fractal_ID/status/1813628886514823589

[7] Celsius: https://cryptoslate.com/horrendous-kyc-risks-on-show-as-website-detailing-celsius-users-losses-goes-live/

[8] Binance hack: https://thehackernews.com/2019/08/binance-kyc-data-leak.html
