What every major exchange asks for
The major US and EU exchanges converged on a tiered KYC model. The first tier opens the account and lets the user trade up to modest limits. Higher tiers unlock larger limits and add documentation. The standard tier 1 stack:
- Government photo ID. Passport, driver's license, or national identity card. Image upload front and back where applicable. Live capture is preferred to file upload because it lets the IDV provider check liveness during capture.
- Selfie liveness check. A short video of the user following on-screen prompts (turn head, blink, hold a randomly generated token to the camera). Matches the selfie to the ID portrait and confirms the user is present.
- Proof of address. Utility bill, bank statement, or government letter within the last 90 days. Required at tier 1 in EU jurisdictions and at higher tiers in the US.
- Identity questions. Name, date of birth, residential address, nationality, SSN or tax ID for US users, similar national identifier in other jurisdictions.
Tier 2 and above add source-of-funds documentation (employer letter, recent pay stubs, business registration if self-employed), enhanced sanctions and PEP screening, and in some cases a live video call with a compliance officer. Limits at tier 2 typically run into six figures of monthly trading.
The regulatory stack: FATF, FinCEN, MiCA
Three regimes shape what an exchange must do.
- FATF Recommendation 16 (Travel Rule). Virtual Asset Service Providers (VASPs) must collect and share originator and beneficiary information on crypto transfers above USD/EUR 1,000. Implementation runs through messaging protocols (IVMS 101 standard, TRP, OpenVASP, Sygna). The travel rule lives on top of the KYC layer.
- FinCEN MSB registration (US). Crypto exchanges operating in the US register as Money Services Businesses with FinCEN, file BSA-compliant suspicious activity reports (SARs) and currency transaction reports (CTRs), and run the Customer Due Diligence rule covered in our KYC primer and BOI guide. State-level money transmitter licenses add a separate layer.
- MiCA (EU). Markets in Crypto-Assets regulation. Crypto-Asset Service Providers (CASPs) obtain authorization from their national competent authority, meet capital and governance rules, and run AML/KYC at AMLD level. MiCA applies in stages through 2024 and 2025; full applicability across the EU is in effect by 2026.
- National regimes. UK FCA registration for cryptoasset firms, Singapore MAS Payment Services Act, Japan FSA registration, Hong Kong SFC licensing, similar regimes elsewhere. Each adds country-specific KYC and reporting on top of FATF baseline.
What crypto KYC adds on top: blockchain analytics
Standard KYC tells the exchange who its customer is. Blockchain analytics tells the exchange where the customer's money came from. The 2026 analytics layer combines:
- Address risk scoring. Chainalysis, Elliptic, TRM Labs, Crystal: each maintains a graph of clusters labeled by activity (exchange, mixer, sanctioned address, darknet market, ransomware payment, scam). Incoming deposits get scored by the cluster they originated from.
- Transaction tracing. Multi-hop tracing of funds from the original on-chain source to the exchange deposit. Funds passing through known mixers (Tornado Cash, historically ChipMixer) trigger enhanced review even without direct sanctioned-address taint.
- Sanctions screening. OFAC-sanctioned addresses (the Specially Designated Nationals list extends to wallet addresses) trigger automatic blocks at major exchanges.
- Behavioral analytics. Velocity, transaction count, deposit-and-withdraw patterns. Patterns inconsistent with the stated user profile trigger review.
The analytics layer is what differentiates crypto compliance from traditional financial-services compliance. A bank knows who its customer is from KYC; a crypto exchange knows who the customer is AND can trace the on-chain provenance of funds in a way that has no analog in traditional banking.
Identity verification tells the exchange who you are. Blockchain analytics tells the exchange where your money came from. Crypto compliance needs both.
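The multi-hop tracing and sanctions-screening rules above can be sketched as a backward walk over a transfer graph. This is an added example, not code from the original page or from any analytics vendor; the addresses, labels, graph, hop limit and the rule of stopping at another exchange's cluster are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: placeholder names, not real addresses or vendor labels.
LABELS = {"addr_sanctioned": "sanctioned", "addr_mixer": "mixer",
          "addr_exchange_hot": "exchange"}

# Constructed transfer graph: receiving address -> addresses that funded it.
FUNDED_BY = {
    "deposit_A": ["wallet_1"], "wallet_1": ["addr_exchange_hot"],
    "deposit_B": ["wallet_2"], "wallet_2": ["wallet_3"], "wallet_3": ["addr_mixer"],
    "deposit_C": ["wallet_4", "wallet_1"], "wallet_4": ["addr_sanctioned"],
    "deposit_D": ["wallet_5"], "wallet_5": ["deposit_D"],  # cycle
}

def trace_deposit(deposit, funded_by=FUNDED_BY, labels=LABELS, max_hops=5):
    """Walk backwards from a deposit address, breadth-first, up to max_hops.

    Returns (decision, hits); hits is a list of (address, label, hops).
    """
    seen = {deposit}
    queue = deque([(deposit, 0)])
    hits = []
    while queue:
        addr, hops = queue.popleft()
        label = labels.get(addr)
        if label in ("sanctioned", "mixer"):
            hits.append((addr, label, hops))
            continue  # flagged cluster reached; no need to look behind it
        if label == "exchange" or hops == max_hops:
            # Assumption: tracing stops at another service's cluster, where
            # funds are commingled, and at the hop limit.
            continue
        for src in funded_by.get(addr, []):
            if src not in seen:  # guards against cycles in the graph
                seen.add(src)
                queue.append((src, hops + 1))
    found = {label for _, label, _ in hits}
    if "sanctioned" in found:
        return "block", hits            # sanctioned source: automatic block
    if "mixer" in found:
        return "enhanced_review", hits  # mixer exposure without sanctioned taint
    return "allow", hits

if __name__ == "__main__":
    for dep in ("deposit_A", "deposit_B", "deposit_C", "deposit_D"):
        print(dep, trace_deposit(dep))
```

Lowering `max_hops` shortens the lookback: with `max_hops=2` the mixer three hops behind `deposit_B` is no longer seen, which is why the hop limit is a risk-appetite setting rather than a performance detail.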
The fraud patterns the IDV layer catches
Identity fraud is the densest crypto onboarding problem. The 2026 patterns:
- Photoshopped IDs. Real ID with edited name, DOB, or photo. Error level analysis (ELA) on the edited fields plus a mismatch against the AAMVA barcode payload catches them.
- AI-generated portraits. GAN or diffusion-model face pasted onto a real ID template. GAN fingerprint detection on the portrait region catches them.
- Deepfake injection on liveness. A pre-recorded or live-rendered deepfake video presented to the IDV liveness check. Modern liveness providers use random prompts and behavioral signals to defeat this; the threat continues to evolve.
- Identity loans and synthetic identities. A real person's ID used by an attacker (with or without the real person's consent), or a fabricated identity composed of real and fake elements. Catching these requires pattern analysis across the broader account population.
- Document substitution attacks. A valid ID at upload, swapped for a deepfake during liveness, swapped back after onboarding. Continuous re-verification mitigates this.
Forensic AI on the ID at upload reliably catches the first two categories (photoshopped IDs and AI-generated portraits). Major IDV providers (Onfido, Persona, Veriff, Jumio) add liveness and behavioral checks. The 2026 stack runs both layers in series.
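The AAMVA barcode payload mismatch check mentioned for photoshopped IDs can be illustrated as a cross-check between the fields read from the front of the card and the elements encoded in the barcode. This is an added example, not code from the original page or from any IDV provider; it assumes the PDF417 barcode is already decoded to its element lines, US-style `MMDDCCYY` dates, and OCR output with ISO dates, and the sample values are constructed.

```python
from datetime import date

# Constructed sample: element lines of an already-decoded AAMVA DL subfile.
# Assumption: US-style dates (MMDDCCYY); PDF417 decoding and header parsing
# happen upstream and are not shown.
SAMPLE_PAYLOAD = "DAQD1234567\nDCSSAMPLE\nDACALEX\nDBB01151990\nDBA01152030\n"

# AAMVA element IDs mapped to the field names used in this example.
ELEMENTS = {"DAQ": "id_number", "DCS": "family_name", "DAC": "given_name",
            "DBB": "date_of_birth", "DBA": "expiry"}
DATE_FIELDS = {"date_of_birth", "expiry"}

def parse_elements(payload):
    """Return {field: raw value} for the element IDs listed in ELEMENTS."""
    out = {}
    for line in payload.splitlines():
        key, value = line[:3], line[3:].strip()
        if key in ELEMENTS and value:
            out[ELEMENTS[key]] = value
    return out

def barcode_date_to_iso(mmddccyy):
    """MMDDCCYY -> YYYY-MM-DD; raises ValueError on malformed input."""
    return date(int(mmddccyy[4:8]), int(mmddccyy[:2]), int(mmddccyy[2:4])).isoformat()

def normalise(text):
    """Case- and whitespace-insensitive form for comparison."""
    return " ".join(text.upper().split())

def cross_check(printed_fields, payload):
    """Compare OCR'd front-of-card fields (dates as YYYY-MM-DD) with the barcode.

    Returns a list of (field, printed, encoded) mismatches; empty means consistent.
    """
    encoded = parse_elements(payload)
    mismatches = []
    for field in ELEMENTS.values():
        printed, enc = printed_fields.get(field), encoded.get(field)
        if enc is not None and field in DATE_FIELDS:
            try:
                enc = barcode_date_to_iso(enc)
            except ValueError:
                enc = None  # unparseable barcode date counts as a mismatch
        if printed is None or enc is None or normalise(printed) != normalise(enc):
            mismatches.append((field, printed, enc))
    return mismatches
```

A non-empty result is a signal for manual review rather than proof of tampering, since OCR errors and worn barcodes also produce mismatches.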
The FATF Travel Rule in practice
The Travel Rule is the most operationally distinctive crypto-compliance burden. When a VASP-to-VASP transfer above the threshold occurs (USD/EUR 1,000 in most jurisdictions), the originating VASP must send the recipient VASP:
- Originator name, account number (wallet address or internal ID), and physical address.
- Beneficiary name and account number.
- In some jurisdictions, originator date of birth or government ID number.
The data exchange runs over interoperability protocols built on the IVMS 101 data standard: TRP (Travel Rule Protocol), Sygna Bridge, OpenVASP, Notabene, Sumsub. The sunrise problem (one side has Travel Rule infrastructure, the counterparty does not) is being solved gradually. Self-hosted-wallet transfers (where there is no counterparty VASP) are subject to specific rules that vary by jurisdiction.
Frequently asked questions
Can I open a crypto account without KYC?
At a regulated US or EU exchange, no. Trading limits typically require KYC tier 1 at minimum. Unregulated offshore exchanges may operate without KYC but expose the user to legal and operational risk, including loss of funds, sanctions exposure, and the inability to off-ramp to fiat at regulated institutions.
What if my ID is rejected at KYC?
Common causes: image quality (poor lighting, glare, crop), expired ID, name mismatch between application and ID, address proof too old, or forensic-AI flag on the document. Resolve by re-uploading a fresh image, updating the address proof, or contacting support. If the rejection is forensic-AI based and the ID is genuine, the appeal path is usually documented.
Do DEXs collect KYC?
Pure smart-contract protocols generally do not, but front-end interfaces and fiat on-ramps increasingly do. Major DEX aggregators in 2026 have added KYC to fiat on-ramps and high-value swaps. The regulatory pressure is increasing; the operational implementation is uneven.
How do I prove source of funds for a large deposit?
For salary income, recent pay stubs plus employer verification (see our employment-letter guide). For business income, business registration plus tax returns (see our tax verification guide). For inheritance or asset sale, supporting documentation. Crypto-funded deposits require Chainalysis-style provenance analysis.
Is MiCA the same as FATF Travel Rule?
No, but MiCA incorporates Travel Rule requirements via the EU Transfer of Funds Regulation. MiCA is the broader EU crypto regulatory framework (authorization, prudential, market integrity, consumer protection). Travel Rule is a specific AML requirement within MiCA's AML chapter.