Crypto KYC Requirements 2026 — CASP Operational Compliance Guide
Crypto KYC requirements are operationally one of the more demanding aspects of MiCA CASP compliance. Customer due diligence, enhanced due diligence for high-risk customers, ongoing monitoring, beneficial ownership verification, and PEP/sanctions screening all combine into a compliance build that runs EUR 200-500k in the first year, with ongoing operational cost of EUR 100-300k per year.
Crypto KYC requirements are the customer identification, verification, and ongoing monitoring obligations applied to crypto-asset service providers under MiCA Regulation (EU) 2023/1114, AMLR Regulation 2024/1624, and national AML implementing legislation. The framework requires substantive identification of customers, verification of identity through reliable sources, beneficial ownership transparency for corporate customers, and ongoing monitoring of customer activity throughout the relationship.
Quick facts
| Parameter | Value |
|---|---|
| Primary EU framework | MiCA + AMLR (Regulation 2024/1624) + 6AMLD national implementations |
| Customer identification | Name, date of birth, address, nationality, identification document number |
| Identity verification | Through reliable independent sources — typically document verification + biometric face match + liveness check |
| Beneficial ownership | 25%+ ownership/control threshold; alternative criteria where threshold not met |
| PEP screening | Politically Exposed Persons screening at onboarding and ongoing |
| Sanctions screening | EU consolidated sanctions list + national lists + UN + OFAC + UK + others depending on customer base |
| EDD triggers | High-risk jurisdictions, high transaction values, PEP status, unusual patterns, supervisor-identified factors |
| Ongoing monitoring | Transaction monitoring throughout relationship; periodic CDD refresh based on risk profile |
What crypto KYC actually involves
Crypto KYC (Know Your Customer) is the customer identification, verification, and ongoing monitoring framework that CASPs must operate. The compliance build has six operational components:
- Customer identification — collecting name, date of birth, address, nationality, identification document number
- Identity verification — through reliable independent sources, typically document + biometric verification
- Beneficial ownership verification — for corporate customers, identifying ultimate beneficial owners (25%+ threshold typically)
- PEP and sanctions screening — politically exposed persons + EU consolidated sanctions list + national lists
- Customer risk assessment — risk-rating each customer to determine due-diligence intensity
- Ongoing monitoring — transaction monitoring, periodic refresh, behavioural analytics
Each component has detailed operational requirements under MiCA, AMLR, and national AML implementing legislation. The compliance build is more demanding than the pre-MiCA VASP registration framework required.
Customer identification framework
Customer identification is the entry point of KYC. The operator collects:
Individual customers:
- Full legal name
- Date of birth
- Nationality
- Residential address (verified through proof-of-address documentation)
- Identification document type and number
- Tax identification number where applicable
Corporate customers:
- Legal entity name
- Registration number
- Jurisdiction of incorporation
- Registered office address
- Business activity description
- Senior management identification
- Beneficial ownership identification
The information collection happens at onboarding and must be refreshed periodically based on customer risk profile.
Identity verification — beyond self-attestation
AMLR and MiCA require identity verification through reliable independent sources. Customer self-attestation alone does not satisfy the requirement.
Document verification. Customer submits government-issued photo identification (passport, national ID, driver licence in some jurisdictions). The document is verified through:
- Document authentication checking — security feature validation, MRZ data extraction, document database checks
- Cross-reference with customer-provided information
- Tamper detection
Biometric verification. Customer captures live face image:
- Liveness detection — confirming live customer rather than photo of photo
- Biometric face match — comparing live image to document photo
- Quality assessment — image quality sufficient for reliable match
Address verification. Customer submits proof-of-address documentation:
- Utility bill, bank statement, or government correspondence within 3 months
- Name and address match customer-provided information
- Document authenticity assessment
Technology providers handle the verification workflow — Sumsub, Onfido, Jumio, IDnow, Veriff, and similar providers operate identity verification infrastructure that CASPs integrate.
Beneficial ownership verification
Corporate customers require beneficial ownership transparency. The framework applies:
25%+ ownership threshold. Persons holding 25% or more of ownership/control are beneficial owners. Multiple beneficial owners may exist for a single corporate entity.
Alternative criteria. Where no person holds 25%+, alternative criteria apply — control through other means, control via family/agreement, senior management as fallback.
Verification requirements. Beneficial owners must be identified, verified through reliable sources, screened against PEP and sanctions lists, and risk-assessed.
Registry verification. EU AMLR expects registry verification where available. UK Persons of Significant Control register, EU Ultimate Beneficial Ownership registers (UBO), and similar national frameworks provide verification sources.
Complex structures. Layered ownership through holding companies, trusts, foundations, or other structures requires careful beneficial-ownership identification. Operators face the question of who the ultimate natural-person beneficial owner is.
PEP and sanctions screening
Politically Exposed Persons (PEPs) and sanctions screening operate continuously:
PEP categories:
- Foreign PEPs — heads of state, senior politicians, senior judicial/military, senior executives of state-owned enterprises
- Domestic PEPs — same categories within the operator’s home jurisdiction
- International organisation PEPs — senior officials of international organisations
Family members and close associates of PEPs are also subject to enhanced scrutiny.
Sanctions lists:
- EU consolidated sanctions list
- UN Security Council sanctions lists
- US OFAC SDN list (mandatory for any US-touching activity)
- UK sanctions list
- National sanctions lists (Switzerland SECO, Singapore MAS, Japan FSA, etc.)
- Industry-specific lists (Russia/Belarus comprehensive sanctions, etc.)
Screening at onboarding — initial screening against all applicable lists.
Ongoing screening — daily or near-daily re-screening to catch new designations and status changes. Manual or technology-based depending on operator scale.
Alert handling — investigation workflow for screening alerts. False-positive disposition. Confirmed-match escalation to compliance and regulatory reporting.
Enhanced due diligence triggers
Standard customer due diligence applies to typical customers. Enhanced due diligence (EDD) applies to higher-risk customers:
Geographic risk. Customers from high-risk jurisdictions identified by FATF, EU, or operator-specific risk assessment.
Customer-type risk. PEPs, family members, and close associates. Non-resident customers in some operator frameworks. Complex corporate structures.
Transaction-value risk. High-value transactions or unusual transaction patterns relative to customer profile.
Product-risk. Privacy-coin transactions, mixer/tumbler activity, decentralised exchange interaction, high-velocity trading patterns.
EDD requirements:
- Additional information collection — source of funds, source of wealth, business activity context
- Senior management approval for onboarding
- Enhanced ongoing monitoring with shorter refresh cycles
- Larger transaction-monitoring thresholds with closer review
EDD applies for the duration of the customer relationship, not just at onboarding.
Ongoing monitoring framework
KYC is not a one-time exercise. Ongoing monitoring covers:
Transaction monitoring. Real-time or near-real-time analysis of customer transaction patterns. Rule-based detection of unusual patterns. Machine-learning behavioural analytics. Alert escalation framework.
Periodic CDD refresh. Customer information refreshed periodically — typically annually for standard customers, quarterly or more frequent for EDD-flagged customers, on material change events (PEP status change, sanctions designation, jurisdiction change).
Behavioural analytics. Pattern-detection across customer activity — transaction frequency, value distribution, counterparty patterns, geographic activity. Deviations from customer baseline trigger investigation.
Suspicious activity reporting. Where activity warrants investigation and the result is reportable suspicion, the operator files Suspicious Activity Reports (SARs) with the national FIU (Financial Intelligence Unit). The SAR framework operates under national AML legislation.
Customer file maintenance. All customer interactions, CDD updates, screening alerts, monitoring outputs, and SAR filings maintained in customer file. Audit-ready data structure for supervisor and law-enforcement requests.
Cost and operational profile
First-year crypto KYC compliance build for a mid-tier EU CASP runs EUR 200-500k typically. Components:
- KYC technology integration (identity verification provider, transaction monitoring, sanctions screening): EUR 50-150k
- AML and compliance team build (MLRO + compliance officers + AML analysts): EUR 100-250k
- Procedure documentation and operational framework: EUR 25-50k
- Training and certification: EUR 10-25k
- Pre-authorisation supervisor engagement on KYC framework: EUR 15-30k
Ongoing operational cost runs EUR 100-300k per year for a mid-tier CASP. Larger operators with substantial customer volumes scale up significantly.
The compliance build is one of the more demanding aspects of MiCA CASP operations. Operators that underbudget or under-resource the KYC build face material supervisor risk and enforcement exposure.
Practical takeaways
Crypto KYC compliance in 2026 is operationally demanding and produces real cost. Three principles for CASPs:
Build verification through reliable independent sources, not self-attestation. Document verification + biometric face match + liveness detection is the operational standard. Customer-provided information without independent verification fails MiCA/AMLR requirements.
Build for ongoing monitoring, not just onboarding. Transaction monitoring, periodic CDD refresh, and behavioural analytics are core requirements. Onboarding-only KYC builds fail supervisor expectations.
Plan PEP and sanctions screening as continuous operations. Daily re-screening, alert handling workflow, and confirmed-match escalation are operational realities. Screening at onboarding only is not compliant.
Pitfalls and nuances
1. Treating customer-provided information as verified
AMLR requires verification through reliable independent sources, not customer self-attestation. Operators that rely on customer-provided information without document verification, biometric face match, or other independent verification face supervisor refusal at authorisation review and enforcement post-authorisation.
2. Inadequate beneficial ownership verification for corporate customers
Corporate customers require beneficial ownership transparency. Operators that accept customer-provided ownership claims without registry verification face material compliance gaps. The EU AMLR framework expects substantive verification including registry checks where available.
3. Filing without ongoing monitoring infrastructure
KYC is not a one-time onboarding exercise. Ongoing transaction monitoring, periodic customer due-diligence refresh, and behavioural analytics for unusual patterns are core requirements. Operators that build onboarding without ongoing monitoring infrastructure face material compliance gaps.
4. PEP and sanctions screening at onboarding only
PEP and sanctions status changes over time. New designations, status changes, and risk-profile changes happen throughout the customer relationship. Screening at onboarding only fails ongoing compliance — daily re-screening against updated lists is the operational expectation.
Frequently asked questions
What are crypto KYC requirements?
Customer identification, identity verification, beneficial ownership verification (corporate), PEP and sanctions screening, ongoing customer due diligence refresh, transaction monitoring, and suspicious activity reporting under MiCA and AMLR for EU CASPs and equivalent frameworks elsewhere.
What documents are required for crypto KYC?
Government-issued photo ID (passport, national ID, driver licence), proof of address (utility bill, bank statement, government correspondence within 3 months), and for corporate customers articles of association plus beneficial ownership documentation.
What is enhanced due diligence (EDD)?
EDD applies to higher-risk customers — high-risk jurisdiction residents, PEPs and family/close associates, large transaction values, complex ownership structures. EDD requires additional information, senior management approval, and enhanced ongoing monitoring throughout the relationship.
Can crypto exchanges skip KYC for small transactions?
Not under EU MiCA. The EU framework applies KYC requirements to all CASP customer onboarding regardless of transaction value. The pre-MiCA exemptions for low-value transactions have been removed under the post-MiCA framework.
How long must CASPs retain KYC records?
Five years from end of customer relationship under EU AMLR (extendable on supervisor request). Some jurisdictions impose longer retention — UK MLR 2017 requires five years generally with extensions on request.
Sources cited
- Regulation (EU) 2023/1114 (MiCA) — regulation
- Regulation (EU) 2024/1624 (AMLR) — regulation
- EBA — Crypto-asset AML/CFT guidance — regulator