KYC, AML, PEPs, ETC (And other TLAs)

Iain Robertson — Advisor, Chainium

So before I start please note — I’m not an expert! I’m simply sharing what I’ve learnt whilst putting together a token sale with the fantastic team at Chainium. If you want to add, comment or correct me — please join the conversation below…….

What’s the problem?

If you are going to accept money pseudo-anonymously over the internet, it’s probably wise to check who that money is coming from. Why?

Well firstly, because that person might not be the kind of person you want to do business with. Either for ethical reasons or for your own personal security. Secondly, you almost certainly have some legal or regulatory obligation to find out who they are. And thirdly, purely from a practical perspective, you may find it very hard to do anything with the money you raise if you can’t provide details of where it came from. Most banks, for example, have minimum requirements before accepting funds.

So Know Your Customer (KYC) is the answer?

KYC is part of the answer. If you follow token sales you will have seen that, as with any new trend, there are many variations of KYC being implemented. Some teams require KYC for all token purchases, some for purchases over a particular value, some do AML too, some do KYC only for fiat, and some still don’t do KYC at all.

So how can you know what you “should” be doing? Well the short answer is — it depends. We are talking about managing risk here — there are few binary answers. But lets start with untangling some of the basics.


KYC is the process of recording and verifying the identity of your customers (whether a person or a company). This might simply mean manually recording a customers name and address and crosschecking those details with a national ID document.

In the modern world, of course, this process is done online. So you need a method to scan and upload ID documents, you need an automated method to read and cross check the ID details, you need to consider how long are you going to store your customer’s (very personal) data for, and how you keep it secure. You also need to think about what countries your customers are coming from and which ID docs are valid in each.

As you might imagine there are many service providers out there who will do this for you and integrate within your own website, typically through an API, dynamically generated link or embedded iframe.

The clever stuff that these providers offer are validation checks to ensure that the ID documents uploaded are legit, and not fakes. Different ID documents do this differently through the use of special fonts, layouts, backgrounds, holograms and other security measures.

One of the most commonly used KYC providers in the crypto space is Jumio’s Netverify service. Jumio has provided KYC for a number of high profile token sales and a lot of the big exchanges, including Coinbase.

What’s special about Jumio’s service? Well, consider this. What if I simply stole somebody else’s ID and uploaded that for my KYC? It’s not mine, but the KYC process will complete without a problem, as the ID is real.

Jumio counters this problem by getting customers to upload a selfie with their photo ID. They then run a pattern-matching algorithm to check that the person on the selfie is the person in the picture on the ID document. Clever stuff.

Anti Money Laundering (AML)

However clever it is, KYC only deals with identify verification. It doesn’t tell you whether that person is somebody you want to do business with. AML complements KYC by checking a customer’s verified identity against one or more lists of “bad guys”.

Now of course the definition of a “bad guy” is a very subjective call. But it typically depends on 1) your organization’s risk appetite and 2) where in the world you are.

Politically Exposed Persons (PEPS) & Sanctions

As a minimum, AML processes will check that potential customers are not on one or more national Sanctions and Politically Exposed Persons lists. Simplistically these lists are made up of people like Kim Yong-Un and his pals, guys you definitely don’t want to do business with.

But bear in mind regulators in different countries maintain different lists. If you are a US company there are Russian PEPs you would be required to exclude, but if you are a Russian company the opposite may be true.

Those other three letter acronyms (TLAs)?

As well as PEPs and Sanctions there are other proprietary lists you can use to further filter out the customers you don’t want. Relatives and Close Associates of PEPS (RCAs), Special Interest Persons and Entities (SIPs / SIEs) and the catchy titled Other Official Lists (OOLs).

Then add on checks to weed out customers that score highly under adverse media tests, customers with criminal convictions, civil convictions, bankruptcy proceedings or who are just under suspicion by law enforcement agencies. There are also technical checks available such as databases of BTC and ETH addresses that have been linked with prior known scams.

Helpfully all these lists and checks can be provided by one of four major providers:

· Experian

· Equifax Watchlist

· Thomson Reuters World Check

· RDC Grid from

Prices are influenced by the type of checks you want, the volume of checks and whether you want manual help to deal with potential “false positives”. False positives occur when somebody gets flagged on a list but further manual investigation shows they are not the banned person. Remember some unfortunate souls shares their name with Kim Jung-Un!


Sounds complicated? Well it can be, and as such there are also third party providers who will build a bespoke “risk management” solution for you, basically helping you design and implement KYC and AML processes that are fit for your specific circumstances. Blockhaus and Passfort are both worth checking out.

So what KYC/AML should I expect to see in a legit token sale?

Firstly — no KYC or AML should be a big red flag. I’m not pretending to be an expert but a token sale that hasn’t even thought about this would worry me, and it should worry you to.

Second the specifics don’t necessarily matter. What you should be looking for is a well-articulated risk-based approach. This should take into account decisions such as the token sale legal framework (utility, software license or security), the KYC/AML requirements in the country the company is incorporated and the nationalities that are excluded from the sale.

You should expect to see that the approach has been reviewed and accepted by the team’s legal counsel, banking/finance partner and regulator.

I hope this helps lay out the basics. If you are want to add to the conversation please comment below.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.