KYC and AML: subtleties of the functioning of procedures

Verification on the exchange
Exchange verification is a big problem for technology companies, financial institutions and government agencies today. This task is no less urgent for the crypto industry: on the one hand, it is necessary to maintain the necessary privacy and protect user data from hacking and “third parties”, on the other hand, something must be done about the growth of fraud with cryptocurrency.

KYC / AML rules, offering a solution to the problem of identification, ensure the acceptance of cryptocurrencies in society, but at the same time, they cause conflict between users and regulators. Let's look at what this contradiction is, what the rules themselves are, how to pass verification on the exchange and comply with all KYC/AML rules.

What is verification on the exchange
Regulation of the crypto industry and the role of GDPR
What is KYC and ALM What is KYC
What is AML

What data needs to be disclosed

How to get verified on the exchange

Pros and cons of verification on the exchange

What is verification on the exchange

Verification on the exchange
Verification on the exchange

is the process of verifying the data of a user of a cryptocurrency exchange in order to confirm his identity. The client must provide his data, such as copies of his passport, TIN, bank account statements to confirm his registration, and consent to the processing and verification of information by representatives of the cryptocurrency exchange.

For financial regulators and governments, KYC and AML are critical as a way to prevent crimes related to money laundering, theft and other illegal activities. The use of these policies legalizes the crypto industry. That's why they are important.

☝️

When verification on the exchange is a mandatory element, regulators are confident in the legality of the transaction.

Thus, the user confirms that he is a law-abiding citizen, and the state has no grounds for claims against him.

So, verification on the exchange provides:

Customer safety, as they increase the reliability of the project/team and all participants in operations;
Compliance by cryptocurrency exchange exchanges with international norms that promote mass adoption of cryptocurrencies;
Protecting projects, partially proving that the projects are not a scam;
Investment security - no one wants to take part in financing criminals or money launderers.

Speaking about the benefits of digital identity, it should be noted that thanks to it, billions of people have access to financial systems. Another thing is developing countries, where more than 1.2 billion do not have such an opportunity precisely because of the lack of customer identification and transaction authentication.

The combination of KYC and AML puts the individual at the center of the financial services industry and controls their personal data.

Verification system in Unihost

When a fraudster contacts us, there are two scenarios:

Nice option. We request documents from the fraudster and determine that his card is stolen (or the person simply refuses to undergo verification or does not respond to our letter). We make refunds as quickly as possible - this saves us from a potential complaint from the bank, and, accordingly, from chargebacks.
A pleasant and unacceptable option. We request documents from the fraudster, incorrectly determine their authenticity and provide a service (ours or our partners’). The bank sends a request for a refund, we do it and lose the funds. Sometimes we lose another $20 if the bank did not waste time on an official request and made a chargeback. The situation plays out according to the scenario with Stepan at the beginning of the article - the seller is left with only losses.

To reduce risks as much as possible, we first verify the transaction, then the client, and then his order. The first protects us from already known scammers, the second from new ones, and the third from abuses.

Transaction verification

With a new order from an unverified client, we:

We check it using the FraudRecord module. This is an international database of unreliable clients, scammers and other bad guys.
We check the number of unsuccessful payment attempts. If there are less than two, everything is OK. If there are more of them, we proceed to client verification and put the “suspicious” label.
We check whether the client's IP is unique. Often clients who have already been blocked due to fraud create new accounts under different names.
We check the correspondence of the geo-IP with the billing country. Many scammers pay with cards from Europe and the USA, but are themselves located in the CIS or China.

For repeat orders and renewals, the client only needs to go through step 2.

Client verification

Identity verification is needed to ensure that the client is a living person and to make sure that the payment method really belongs to him. To do this, we request documents from the client confirming his identity.

Only government-issued documents from the following list are accepted:

Passport;
An identification card (Identity Card, also known as ID) is an analogue of a passport in many countries;
Driving License with photo;
Temporary Resident Card
Certificate of temporary/permanent residence permit (Residence permit)

We carefully check all documents for compliance with state standards. Although often a fake is identified at first glance. So, one of the clients sent a passport with the date of birth “December 30, 1792”.

To verify the payment method, we require a photo of the bank card (with the front side visible, but the CVV closed) or a screenshot of the payment from PayPal, which shows that the payment was made on our website. This point is already familiar to many.

Project verification

We ask you to describe the project when ordering a server or VPS. Moreover, we send back a simple “website for us” with a request to tell in more detail: what the client/company does, what will be posted on the site. After all, the client could be a child porn site, and this is already a problem.

If a project plans to send letters, we require proof that the recipient database was collected by the client himself, and that the recipients themselves have passed double opt-in verification.

List of projects that we do not accept:

DDoS attacks on other resources;
port scanners;
sites calling for terrorist activities, cruelty, violence, etc.;
child porn, bestiality and other smut;
outgoing spam;
phishing sites.

Regulation of the crypto industry and the role of GDPR

The legality of verification on the exchange
There is no global regulation of the crypto industry. Each country develops its own set of laws and regulations. At the same time, the G-20 Financial Stability Board, the International Monetary Fund, the US Securities and Exchange Commission (SEC) and many other regulators are seeking consensus to bring uniformity in regulatory oversight across the cryptocurrency ecosystem.

One such example is the General Data Protection Regulation (GDPR), which is aimed at unifying user data protection standards across the European Union (EU). The GDPR came into force recently - on May 25, 2020. Thus, according to the regulation, users and organizations must comply with KYC/AML (know your customer/money laundering) norms designed to ensure the security of customer data.

☝️

Currently, the US, UK and many other countries have also made KYC and AML regulations an integral part of their cryptocurrency regulatory frameworks.

However, KYC and AML regulations are also the main obstacle to crypto protection, since they contradict one of the fundamental ideas of the blockchain - anonymity. In other words, cryptocurrency transactions must be anonymous and untraceable. But since regulators are concerned about the problem of cybercrime, it is precisely anonymity that gives them an intolerable migraine. That is why the need to undergo verification on cryptocurrency exchanges is now becoming more and more common.

What are KYC and ALM

Digital Identity KYC and ALM
With billions of fiat currencies becoming digital and vice versa every day, governments and financial institutions feel the urgent need to track this movement.

☝️

They believe that the absence of such control is fraught with catastrophic consequences for the financial and territorial security of states.

In fact, this is the real reason why authorities are seeking to restrict the cryptocurrency market and introduce mandatory verification on cryptocurrency exchanges.

Despite different approaches, for any government, eliminating anonymity is task No. 1. Accordingly, anonymous accounts are increasingly prohibited. Thus, in South Korea, the authorities have banned all anonymous crypto accounts.

What is KYC

KYC as an element of verification on the exchange
KYC or “know your customer” norm refers to the process of identifying customers and verifying their identity. Essentially, KYC is used by a company whenever someone tries to open an account on an exchange or conduct a financial transaction. The KYC process usually includes:

Identity verification and proof of citizenship;
Checking the user for participation in illegal activities;
Studying the source of funds and destination;
Finding suspicious transactions or assessing too large transaction volumes.

The purpose of KYC is mainly to weed out those who, for whatever reason, are not eligible to use the service. For example, minors, undocumented immigrants, or people with criminal records. Moreover, information from the collected database should be provided to law enforcement agencies to investigate crimes.

What is AML

AML is similar to KYC, but focuses on “anti-money laundering”, where illegally obtained proceeds are attempted to be converted into “clean” and “legitimate” assets. The AML process includes:

Monitoring transactions worth over $10 thousand;
Requiring reporting of certain types of transactions;
Control of the movement of coins both abroad and within the country;
Obtaining KYC information to confirm a person's identity and check whether they were involved in illegal activities.

These steps are designed to help recognize and seize illicit funds and prevent crime.

Risks associated with fraud

As you already understand, fraud is bad. Let's now specify this “bad” and highlight the list of risks that it carries for any company, as well as Unihost, as a hosting provider.

Direct losses on commissions for chargebacks

All financial risks for the transaction are borne by the seller, as the recipient of the funds. This means that he must take measures to combat fraud. And if these measures are insufficient and the seller made an illegal payment, then when returning the funds, the bank will punish the seller with a fine of $20.

I advise you to introduce a Customer Due Diligence procedure for all orders.

Abuses

Customers who use the services for illegal purposes (selling stolen credit cards, phishing, DDoS attacks, etc.) are subject to abuse. Abuses are official requests to stop illegal activities.

Naturally, such unreliable clients need to be blocked and the funds paid should be returned to them. Naturally, this negatively affects our reputation with payment processing.

Reputation with payment processing

The presence of chargebacks and refunds reflects poorly on the reputation of the payment processor. In addition, any processing has restrictions on the volume of refunds as a percentage of monthly turnover and the frequency of refunds. Exceeding the limits may result in penalties from the payment processor, up to and including complete refusal to cooperate. I advise you to check the client once again rather than lose your partner - the payment processor.

Legal risks

Legal risks are associated with anti-money laundering (AML) policies and non-compliance with any law or regulation. It can include anything: from fines to criminal cases.

In the modern legal environment of the CIS, this risk is minimal. But it’s still worth taking it into account. To minimize risks, implement a CDD client verification system.

What data needs to be disclosed

Data for verification on the exchange
☝️

The main focus of KYC/AML procedures is identity verification and proof of residence.

The user is required to provide accurate information, otherwise they will be classified as suspicious and will be subject to a strict fraud investigation process.

To be verified on the exchange, the user will need to provide a passport, driver's license, or other government ID.

A form of identification using a credit card, social network profile, or student ID is unacceptable if the identification document does not have a photograph or its expiration date has expired.

In the case of investors, a check is also made on the net worth (if a person declares, for example, $1 million). The user will be required to confirm the presence of assets.

It is important to comply with the period for providing information about yourself, otherwise the verification will be disqualified. Processing time may take up to 4 weeks

, starting from the completion of the KYC application process.

Where does fraud come from?

If the card itself had been stolen, everything would be clear. But how can you steal the details of the card that Stepan constantly carries in his wallet?

Here are the main ways:

Stepan enters his card details on a site with a low level of security (for example, without an SSL certificate) and it is intercepted by a fraudster.
Stepan follows the link and logs into his PayPal wallet, but does not notice that the domain address is pavpai.com. Thanks to the fake page, the fraudster gains access to Stepan’s wallet and can dispose of it at his own discretion. These fake sites are called phishing.
Stepan inserted his card into the ATM, which is equipped with a skimming device. The device read his card details and now the fraudster has full access.
Stepan did not take care of the security of his wallet and set his date of birth as the password for Internet banking. Since Stepan is a public person and information about his date of birth is publicly available, it was not difficult for the fraudster to guess the password.
Tens of thousands of stolen card and PayPal account data are sold absolutely freely on the Internet. And this is on an open network. Dark Net has already started this business long ago.

How to get verified on the exchange

The process of passing verification on the exchange
How to pass verification on the exchange:

Find the appropriate section for verification on the exchange website.
Enter correct
personal information.
Attach scanned documents to confirm your identity and registration.
In most cases, take a selfie.
Click on the “Submit for Verification” button.
Wait for verification on the exchange.

Below we will look at the verification process on the exchange step by step.

To register a new account - for example, on the Binance exchange - the user must complete the following steps:

In the top menu of the website, find the “Registration” button and click on it;

Binance exchange page

Fraud in practice

Let's look at a practical example of Fraud:

Stepan is an ordinary person. Trusting, a little naive. Offers to increase income by 10 centimeters per month hit Stepan where it hurts, and he pays for a course to increase income. But he did not take into account that the site on which he made the payment was unsafe, and his bank card data was intercepted by a fraudster.
The fraudster is looking for ways to drain the money received, finds a seller and buys a product from him for $100 using a stolen card. Tip 1: it is always good to have an anti-fraud system that will identify the Fraudster and will not allow him to even make a payment on the site.
The seller is still a newbie, so any sale for him means champagne and applause. He doesn't believe in Fraud yet, so he goes to his supplier and buys a product for $80, which he later sells to the scammer, having no idea that he is actually a scammer and the money is stolen. At first glance, the seller made $20 and everything is fine. Alas, not for long. Tip 2: You cannot pay your partners without carefully checking your payment.
A month has passed and Stepan is not happy - his income has not increased, but on the contrary - money is actively disappearing from his bank card. Stepan nervously looks at his account statement and tries to understand where his hard-earned money goes: “So, this is $100 for a course to increase income, this is $20 for dinner at a restaurant... And what is this for $100? I was sleeping at that time, I couldn’t make this payment, and I didn’t order sneakers on Amazon!”
Stepan runs to his bank in a panic and tearfully asks for the money back.
The bank satisfies the request - there is unauthorized activity from their client’s bank card. The bank requests a forced refund (chargeback) from the seller's account ($100), and also charges a $20 commission for the chargeback to occur. Tip 3: it is the seller’s responsibility to check the payment for fraud, and if there is fraud, the bank will charge a fine. The bank almost always satisfies the client's request (chargeback).

Summary of the story:

Stepan is happy because he got his money back and can find a new course to increase his income.
The bank fulfilled the client’s request, increased its reputation in his eyes and complied with the requirements of AML/KYC/CIF policies (see below).
The payment processor has made a note to itself that the merchant it serves is making fraudulent payments and may itself be involved in fraud. After N similar cases, the payment processing will simply refuse to provide services to this seller.
The supplier made money on the seller's order, he is not obliged to make a return. Fraud protection is the seller's problem.
The fraudster got the opportunity to get the product for free (that is, for someone else’s money).
Well, the seller suffers a $200 loss ($80 to the supplier, $100 returned to Stepan and $20 as a bank fine). Overall, the seller in this story looks something like this: