Know Your Customer (KYC) policies seek to mitigate crime, but they actually exacerbate it. They may have been useful in the days before the internet, hackers, artificial intelligence, and Bitcoin, but today they're an outdated and dangerous regulation.
KYC policies began to take shape in the United States with the passage of the Bank Secrecy Act (BSA) in 1970. At that time, bank record-keeping and transaction reporting for transactions over USD 10,000 were introduced to combat money laundering. KYC was in its infancy: basic customer identification such as name and address, with no formal standards.
In 1989, the Financial Action Task Force (FATF) was established, an intergovernmental body that established global standards to combat money laundering. Thus, KYC policies were formalized as a standard for banks and other financial institutions to verify the identity of their customers, understand the nature of their activities, and assess risks.
The terrorist attacks of September 11, 2001, in the United States prompted a tightening of financial regulations globally. This marked an expansion of KYC beyond money laundering, including the prevention of terrorist financing.
Over the years, KYC requirements and anti-money laundering policies have become more stringent, requesting more information; lowering monetary thresholds (from over USD 10,000 to just over USD 1,000 for cryptocurrency transactions under the Travel Rule, and that's after 50 years of inflation); expanding to include non-financial businesses like lawyers and accountants. In short, with each passing year, surveillance becomes more stringent. Its purpose has been distorted, and now every business must become an agent of the state.
Furthermore, these policies were born at a time when remote access to customer data was practically impossible. With digitalization, every institution that complies with KYC policies becomes a honeypot too sweet for hackers to ignore. From 2005 to 2024, the number of data breaches in the United States grew by 1941%, with over 1.35 billion people affected.
The rate of data breaches is growing exponentially. Source: Statista.
KYC policies seek to deter and discourage certain types of actions, considered criminal, by preventing the use of the proceeds of those actions. It doesn't matter if that money is used to buy vegetables at the local market; what matters is that the person considered a criminal is execrated from the financial system to deter them from committing further crimes, even if these policies haven't prevented the crime(s) they already committed.
Like the prohibition of alcohol in the United States in the 1920s, or any price control policy, seeking a supposed good, these policies end up incentivizing evil.
Monitoring the financial activities of clients of financial institutions, in addition to being a violation of the human right to privacy, presupposes that all clients are potential drug traffickers or terrorists, and therefore must be monitored.
The requirement for every company providing financial services to comply with KYC policies not only imposes extremely high costs on businesses, creating oligopolies due to the high monetary costs of compliance (in 2023, US companies invested $61 billion in compliance). It also creates a multitude of attack points that, instead of reducing crime, increase its proliferation. To comply with the government, they must put their customers at risk.
Any database can be hacked. If you check your email on the Have I Been Pwned? service, you'll likely find a leak where your data was exposed. If you use the same passwords across multiple platforms, you may need to be concerned. But in the case of financial platforms, and specifically cryptocurrency platforms, the risk is greater.
Unlike a social network, on an exchange like Coinbase or a hardware wallet company like Ledger, if the leak doesn't reveal how much cryptocurrency you own, at least it would show you have enough to purchase a specialized storage device. This, in addition to your physical address.
Following the leak of nearly 300,000 physical addresses of Ledger users, many began receiving extortion threats. With the Coinbase hack, many users are allegedly being contacted and scammed. As recorded by developer Jameson Lopp, the number of physical attacks on cryptocurrency users has been steadily increasing. And the fact that their location can be acquired online increases their vulnerability and danger.
Why does a cryptocurrency platform need to know the location of each of its users? If there's a legal issue with one of them, the authorities already have that information, in case a dispute needs to be resolved. Distributing personal information across multiple services unnecessarily increases people's vulnerability.
After investigating FinCEN, FATF, and other organizations that combat financial crime, no reports were found detailing how many alleged criminals have been caught thanks to KYC policies. Instead, leaks like the FinCEN Files revealed that banking giants like JPMorgan, Bank of America, and Deutsche Bank facilitated the laundering of USD 2 trillion between 1999 and 2017. But the worst part is that they reported these suspicious transactions to the authorities, and nothing was done about it.
All of this suggests that KYC raises costs for companies enormously. This not only increases money that could be invested in more beneficial causes, but also undermines free competition. It also puts people's privacy and physical and financial integrity at risk. And, to top it all off, when suspicious transactions are reported, the authorities fail to act accordingly.
Bitcoin was the solution to this serious problem imposed on financial intermediaries, and thanks to it, we have an alternative to use our money directly among peers, without having to share our data for our exchanges. And around Bitcoin technology, peer-to-peer markets without the need for KYC have also been created, which have proven unstoppable. Since this technology is open source, efforts to censor it will only encourage the emergence of new versions.
Satoshi Nakamoto, as mentioned in the epigraph, solved the problem of the reversibility of digital transactions. In Bitcoin, transactions are final once they are confirmed. This makes it similar to cash. Once a merchant receives a bill as payment for a drink, they don't need your data because they don't need to trust: they already have their payment. And in more complex transactions like the purchase of real estate, rather than KYC, a contract is required. Either way, in that scenario, a Bitcoin payment would still be final. In this context, Bitcoin makes KYC unnecessary for everyday transactions. There's no longer any justification for asking for all your information, even when buying a pair of shoes.
Historically, every prohibition has found an alternative market. Criminals continue to launder money, and terrorism continues to be funded. KYC only redirects crime toward ordinary people. The best thing to do to avoid risks is to minimize exposure to services requiring KYC, but this also brings risks of trading with people disliked by the state. Furthermore, the crimes for which KYC exists remain a social problem. So what should be done? Reform the current KYC system to a system that protects personal security and privacy.
Services like Chainalysis, which, although we may not like them, are a reality, already analyze the risk of addresses with which one intends to interact. Thanks to these technologies, the focus of money laundering prevention can be placed directly on the address (on the money itself), rather than on the individuals, and thus companies can evaluate and decide whether to do business with such users.
Whatever the form, KYC currently represents a danger that should not be tolerated. Given the nature of cash and Bitcoin as the evolution of money, KYC is likely to be limited to high-value transactions, such as property purchases, or, at best, die a slow death. Until then, the best thing you can do is protect yourself and your bitcoins by increasing your privacy and carefully evaluating whether you really need a KYC-enabled platform.
