KYC For CryptoGuide


Identity verification is one of the first experiences your clients go through when using your product. That’s why it’s critical to build the KYC process efficiently to make a good impression from the start. However, it’s no less important to comply with all relevant regulations in the crypto sphere.

Today, crypto companies have two challenges: the first is compliance with all applicable laws and regulations; the second is building the KYC process to onboard users quickly while maintaining a high level of fraud resistance. That’s why our team prepared this guide on verification essentials to help you build compliant, high-conversion KYC.

Contents

1. Which crypto companies are regulated and why it’s important to be compliant
2. What are the regulatory specifics across different countries?
3. How to stay compliant without losing clients when performing KYC
4. Building verification flows for crypto with Sumsub: best practices
5. Success stories: verification results achieved with Sumsub
6. A final word: reach the highest possible pass rates worldwide

1. Which crypto companies are regulated and why it’s important to be compliant

In the past, regulations affected only a few companies and cases in the crypto industry. Today, regulators are eyeing the industry as a whole, implementing laws and rules that impact a much wider spectrum of companies.

Which companies are now regulated in the crypto field?

In 2018, the 5th AML Directive brought European crypto businesses (exchanges between virtual currencies and fiat currencies and custodial wallets) into the regulatory scope, subjecting them to the same AML rules as financial institutions. The same year, the Financial Action Task Force (FATF) updated Recommendation 15 to include crypto businesses under the scope of AML regulations. This prompted both European and non-European members of the FATF to require certain types of crypto businesses to meet AML requirements. Therefore, all crypto businesses (known as Virtual Asset Service Providers (VASPs)) located in countries that have transposed FATF requirements are obliged to follow AML regulations.

Over time, the approach to regulating services related to virtual currencies has evolved and, at this moment, Virtual Asset Service Providers include any natural or legal person that engages in any of the following activities:

- cryptocurrency exchange (including exchanges between multiple virtual currencies and crypto to fiat);
- transfer of cryptocurrencies;
- safekeeping and/or administration of crypto assets or instruments enabling control over crypto assets;
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Notably, the FATF states that other activities related to virtual assets may also fall into the VASP definitions under certain circumstances (e.g. DApps (DeFi), brokerage services, order-book exchange services, etc.). Moreover, the FATF adheres to the functional approach to defining VAs and VASPs, based on the basic characteristics of the asset and underlying financial services, not the entity’s operational model, technological tools, ledger design, or any other operating feature.

What are the main regulatory requirements?

VASPs must introduce measures for detecting money laundering, terrorist financing, and other financial crimes. This mainly includes:

- creating and implementing internal AML policies;
- performing risk assessment;
- conducting customer due diligence (CDD), including KYC, transaction monitoring, ongoing monitoring, etc.;
- conducting enhanced due diligence (EDD) (where applicable);
- sanctions screening;
- reporting suspicious transactions;
- keeping records;
- appointing a compliance officer;
- educating personnel.

In addition, since 2019, the Travel Rule (the common name for FATF Recommendation 16 on combating money laundering) extends to VASPs, obliging them to conduct identification, collect personal data on participants and transfer it when transactions exceed 1,000 USD/EUR. At this moment, more and more countries are implementing this requirement in their national legislation.

In other words, the Travel Rule requires the originator's VASP to immediately and securely obtain, hold, and transmit required information (see the table below) to the beneficiary’s institution on participants in a transaction when conducting transfers.

Sender data:
- Name
- Account number
- Physical address, or unique ID number (national identity number, etc.), or customer identification number that uniquely identifies the originator, or date and place of birth

Recipient data:
- Name
- Account number (can be a wallet address)

The above data must accompany relevant transactions performed between VASPs. Plus, the FATF provides specific requirements in relation to accuracy of the data for all participants and control suspicions, including by conducting sanctions screening for beneficiary information by the originator's VASP.

Why is FATF compliance important?

The crypto field is attractive to criminals due to greater anonymity and the ease of money transfers. FATF requirements are aimed at combating financial crimes related to money laundering and terrorist financing. Crypto businesses that fail to comply may face local regulatory sanctions, including fines and even jail time.

Compliance with FATF requirements allows crypto companies to do the following:

- Prevent money laundering and terrorist financing using crypto assets
- Avoid sanctions for non-compliance
- Detect suspicious activities
- Cooperate successfully with law enforcement in cryptocurrency markets

FATF compliance helps conduct smooth FIU investigations and observe due diligence in respect of counterparty VASPs (which usually includes questions concerning KYC/KYT procedures as well as Travel Rule compliance).

In addition, compliance may be necessary even for those companies that are not yet
regulated—for example, non-custodial wallets or crypto staking platforms, as they often
work with high-risk users who exchange crypto to fiat and then withdraw fiat.

2. What are the regulatory specifics across different countries?

Regulation differs from jurisdiction to jurisdiction. VASPs should be aware of this if they plan to work in particular jurisdictions.

Below are several examples of AML/CFT regulation in relation to VASP activities:

Country: USA
Travel Rule threshold: $3,000 (proposal to lower to $250)
AML/CFT regulation:

Regulated entities: businesses engaged in virtual asset-related activity can be considered Money Service Businesses (money transmitters) or in some cases broker-dealers. This includes, inter alia, exchanges, hosted wallets, ATMs and some other activities in line with the FinCEN Guidance.

Supervision requirements: Regulated entities must be registered with the relevant competent authority.

AML/CFT requirements: Regulated entities must comply with Bank Secrecy Act (BSA) requirements and FinCEN regulations, including Travel Rule requirements.

The main requirements include:

- Customer Acceptance Policy (CAP)
- Customer Identification Program (CIP)
- Ongoing monitoring of transactions
- Risk management procedures
- Suspicious activity reporting
- Filing Currency Transaction Reports (CTR) for transactions in excess of $10,000.

Country: EU
Travel Rule threshold: Depends on national law
AML/CFT regulation:

Regulated entities: In line with AMLD5, obligated entities include providers engaged in custodian wallet provision and exchange services between virtual currencies and fiat currencies.

All EU countries were obliged to implement such provisions into their national law before the January 10th, 2020 deadline. Some member states have gone further and implemented the FATF approach (regulating 5 activities mentioned in Section 1).

Supervision requirement: As a rule, VASPs have to be registered/authorised or licensed (depending on particular requirements in their jurisdiction) with their national supervisory authorities.

AML/CFT requirements: VASPs must comply with AML/CFT requirements of AMLD 4 and 5, as well as with national laws and regulations. Examples of the main AML/CFT requirements, including CDD, are indicated in Section 1 of this guide.

Some EU countries have also established Travel Rule requirements in their national regulations.

* In the EU, amendments to the regulation on information accompanying transfers of funds and certain crypto-assets are being developed. Under the proposed amendments, all transfers of crypto-assets will have to include information on the source of the asset and its beneficiary. This information is to be made available to the competent authorities. The rules would also cover transactions from so-called unhosted wallets (a crypto-asset wallet address that is in the custody of a private user). The removal of the de minimis threshold is also proposed.

Country: UK
Travel Rule threshold: Proposal to estimate* 1000 GBP
AML/CFT regulation:

Regulated entities: In line with the national AML/CFT law (MLR 2017 as amended by MLR 2019), virtual assets exchange providers and custodian wallet providers are regulated entities.

Supervision requirements: Regulated entities must be registered with the supervisory authority.

AML/CFT requirements: Regulated entities must comply with AML/CFT requirements set out by national law, including CDD and other requirements specified in Section 1 of this guide.

* Travel Rule requirements are still not accepted, but the draft is under discussion.

Country: Switzerland
Travel Rule threshold: 1000 CHF/USD
AML/CFT regulation:

Regulated entities: Companies engaged in virtual assets activities are, as a rule, considered financial intermediaries within the AML Act. This can include custodian wallet providers, both centralized and decentralized trading platforms (under certain circumstances), crypto funds, currency exchange offices and some other activities.

As a rule, companies must be members of self-regulated organisations (SRO).

Supervision requirements: Certain activity related to virtual assets requires relevant licenses.

AML/CFT requirements: Regulated entities must comply with AML/CFT rules specified by national AML law and Travel Rule requirements.

Country: Canada
Travel Rule threshold: $1000*
AML/CFT regulation:

Regulated entities: According to national AML law (PCMLTFA), natural or legal persons dealing in virtual currencies are considered Money Services Businesses (MSBs) or Foreign MSBs (FMSBs). MSBs and FMSBs can include both virtual currency exchanges and virtual currency transfer services.

Supervision requirements: MSBs or FMSBs have to be registered with the supervisory authority.

AML/CFT requirements: Regulated entities must comply with AML/CFT requirements specified in national law and supervisory authority regulations.

In Canada, Travel Rule requirements are also established in relation to persons dealing in virtual currencies.

In addition, there are requirements for MSBs to report transactions over $10,000 (the 24-hour rule may apply) with full identification information to FINTRAC.

* Throughout FINTRAC guidance, references to dollar amounts are in Canadian dollars (CAD) unless otherwise specified.

3. How to stay compliant without losing clients when performing KYC

AML regulations require crypto companies to perform KYC procedures. However, extensive CDD requirements often make the KYC verification process complicated. This leads to increased user verification time and, ultimately, losing applicants during onboarding.

If you’re obliged to perform multiple user checks in your verification flow, it’s important to make them as efficient as possible to keep pass rates high.

So, how can you verify clients properly without losing them in the process?

First, automate your verification flows as much as possible. This means paying special attention to the countries and document types your verification provider processes automatically. This allows you to speed up verification, so your clients don’t go to competitors because of long wait times.

Second, tailor verification flows to different customer segments, based on their risk profiles or other criteria. Consider making the onboarding process complex for high-risk clients only, while passing lower-risk clients through the minimum number of mandatory checks.

Third, consider dividing verification into levels. Perform only the necessary checks at the right time. This way, users can get started with your service after passing the very basic checks (e.g. phone or email verification), and then complete extra checks only when they need to unlock the next level at your service (e.g. when depositing money or completing a transaction).

By following the best practices above, crypto companies can reduce drop-offs significantly. In the following chapters,
we will take a closer look at how to properly implement level-based verification, as this is the main method of building
verification flows for crypto companies.

Building effective KYC flows using verification levels

There are two categories of levels to keep in mind when building your verification flow. The first category is basic, which is enough for initial identity verification. The second is ongoing, which keeps you compliant with regulations on a continuous basis. See which checks fall into each category in the table below.

Basic levels

Legal background for the check: FATF Rec. 10, 16/Travel Rule
Check: Identification + Verification
- PoI + PoA
- PoI + reliable source check (database)
Why it’s important: AML-regulated VASPs shall write AML policies and perform standard CDD requirements for all users during onboarding or before the first transactions, including:
- identification (including UBO)
- verification
- record-keeping
- transaction monitoring
- reporting suspicious activity (where applicable)

Legal background for the check: FATF Rec. 10
Check: Liveness (Face authentication)
Why it’s important: Non-regulated VASPs shall identify users making transactions over the estimated threshold in order to comply with Travel Rule obligations. The second reason is to follow the same KYC procedures as their regulated partners do.

Legal background for the check: FATF Rec. 13 (BO)
Check: Questionnaire
Why it’s important: AML-regulated VASPs/Non-regulated VASPs need to identify the transaction amount, as well as define the beneficiary in case the user is acting on someone’s behalf. The questionnaire may also be used to collect additional information such as their experience in crypto.

Legal background for the check: FATF Rec. 12 (PEP)
Check: AML Screening
Why it’s important: AML-regulated VASPs must perform AML screening to identify politically exposed persons (PEPs), heads of international organizations (HIOs), and other designated persons. It’s necessary to apply additional due diligence (DD) or Enhanced Due Diligence (EDD) measures to them.

Legal background for the check: Suspicious activity detection
Check: Crypto screening
Why it’s important: AML-regulated VASPs must prohibit transactions with designated persons/entities and identify suspicious transactions.

Legal background for the check: Reporting requirements, when applicable
Check: SoF/SoW
Why it’s important: AML-regulated VASPs are required to carry out Enhanced Due Diligence (EDD) for high-risk and/or large transactions and PEPs. Sometimes AML/KYC policies require even higher-than-medium risk customers to provide SoF/SoW information.

Ongoing levels

Legal background for the check: Frequency shall be determined in line with the AML Policy requirements
Check: Ongoing document monitoring
Why it’s important: AML-regulated VASPs must perform ongoing due diligence (DD). Non-regulated VASPs should monitor documents collected during KYC procedures.

Legal background for the check: FATF
Check: Ongoing AML Screening
Why it’s important: AML-regulated VASPs/Non-regulated VASPs need to detect and prohibit transactions with designated persons and entities.

Verification levels during customer lifecycle

A level-based verification flow can identify applicants without verification at the signup stage (usually, this is limited to collecting a name, phone number and email). The verification stage is usually launched once users initiate financial actions (e.g. buying/selling tokens or money withdrawals) and may include a combination of identity checks. This is when checks like face authentication may be added for extra security, verifying users prior to transactions to make sure their accounts aren’t compromised.

Dividing the verification flow into levels will allow you to significantly reduce drop-offs during onboarding and secure your transactions.

[Figure: This is an example of an optimal, level-based verification flow. Labels: Onboarding; Simple identification (without verification); Buying, Selling tokens; Identification + verification (PoI + PoA, Liveness + Face match, AML Screening); Withdrawal; Face authentication; Crypto-crypto exchange, Receiving payments; less than Travel Rule threshold (without verification).]

4. Building verification flows for crypto with Sumsub: best practices

Sumsub’s expertise is built on years of close work with crypto businesses. We know the needs of crypto clients, which is why our product enables you to easily build and customize your verification flows. To build verification levels with Sumsub, you can choose from a wide number of checks that can be mixed & matched. To build your desired flow, you can set up necessary triggers and conditions.

For example, if you want to customize flows for different customer segments, you can set up triggers based on risk profiles, countries, transaction limits, and more.

Now, let’s see how you can divide user verification into several levels based on customer actions. Below, you can see the list of checks and the main levels of the verification process you can use them for.

Pre-screening:
- Email verification
- Phone verification

Verification:
- ID verification
- AML screening
- Liveness & Face match
- Address verification
- Questionnaire

Payment method added:
- Bank card verification

Transaction requested:
- Face authentication
- Crypto screening

Let’s take a closer look at each of the checks in order to build your flows properly.

1. Pre-screening

The user can identify themselves at registration by providing name and country of residence (or nationality) without submitting any documents. This is a simple setting allowing for fast registration.

Pre-screening may include email and phone verification. You can add one of these checks (or both) as a required first step while customizing your verification process.

2. The verification stage

ID verification: Proof of Identity

After the applicant uploads a photo of their ID, it is verified in three general steps:

- checking the image for authenticity;
- checking the integrity of the images;
- document data validation.

Sumsub also validates ID documents through reliable sources. This means that we use external databases to double-check that the document in question is authentic.

This option is not available everywhere, but there are many countries covered.

Liveness (in-house face authentication technology) + Face match

Sumsub’s Liveness technology ensures that the applicant is a real person (not a paper mask, photo, doll or something similar). After checking if the applicant is a real person, liveness ensures they're the true document holder by matching their face with the face on the document. This process can also ensure that applicants aren't making duplicate accounts.

There are two ways you can embed liveness into your verification flow: 1) during onboarding and 2) for account access (face authentication).

Combined with face match technology, liveness checks ensure that the true account holder is present during onboarding.

To keep existing accounts safe, face authentication solutions prevent account takeovers and reduce multiaccounting.

Address verification: Proof of Address

Proof of address verification is required by the FATF and the 4th and 5th AMLDs.

By default, Sumsub accepts PoA documents that have been issued within the last 3 months. These are cross-validated against the provided proof of identity.

Sumsub’s average PoA verification time is 59 seconds.

AML screening

AML screening notifies Sumsub’s customers whether their applicants (both natural persons and legal entities) are on any of the various sanctions lists and watchlists across the globe.

Sumsub offers ongoing AML monitoring to help its customers stay up to date with changes to global sanctions lists and watchlists. We update our data as soon as changes are made to the lists that we monitor.

Note: AML checks happen in the background; as a client, you don’t need to do anything.

Questionnaires

Sumsub lets you add questionnaires right to your verification flow. Questionnaires can be used to collect additional information about users, saving you time and effort on sending out separate surveys.

Questionnaires are mostly used for collecting KYC data and requesting more details and supporting documents (e.g. source of funds) from clients.

Sumsub questionnaires are easy to customize. You can create questionnaires for new users (applicants) as well as for verified ones and then assign a user action (trigger) that activates them.

3. The transaction stage

Bank card verification

Bank cards are checked for security and compliance purposes. This type of verification can be a part of the onboarding procedure, or set up as a separate check triggered by a user action (depending on your verification settings).

Face authentication

When a user adds bank cards or requests money withdrawals, they’re asked to upload a selfie with their card or pass a face authentication (liveness) check. This helps to ensure the true account holder performs a financial action.

Crypto transactions screening

This screens crypto addresses so you can estimate the risk associated with a crypto transaction, set up the corresponding alerts and manually review suspicious transfers. These checks are available for BTC, BCH, USDT, LTC, ETH, ERC20.

Sumsub offers industry-leading customization, allowing you to build any verification flow you need. Choose from a wide range of checks and divide them into levels to keep your user flow as smooth as possible.

All the above procedures may be carried out (as a part of CDD) for beneficial owners, directors or representatives of the legal entities to be onboarded.

Sumsub provides Know-your-business (KYB) verification solutions for different types of legal entities, such as companies, corporations, sole traders, trusts, etc.

The KYB check includes deep analysis by compliance officers of the provided corporate documents, establishment of full corporate structure, validation via relevant sources (such as company registries), and AML screening. All the information is summarized in a structured report. The criteria for acceptable documents may be established in accordance with the business’s internal requirements or, as an alternative, our in-house AML and legal experts may suggest our own regulations.

5. Case studies: verification results achieved with Sumsub

Flexibility, in-house technology and a strong legal background are what enable Sumsub to reach the highest verification results worldwide.

Bybit fights fraud and quickly onboards users
- Up to 99% forgery detected
- 1 minute average onboarding time
- 78% average pass rate for 1st-level verification (ID + Liveness)

Paybis effectively manages user verification flows
- Up to 80% first check approval rate
- 85% final conversion rate
- Up to 150K monthly checks

YouHodler switches to Sumsub to speed up onboarding time by 700%
- 92% average pass rate
- 1.2 minutes verification time
- Up to 50% decrease in support and user verification costs

6. A final word: reach the best possible pass rates worldwide

Finding the perfect balance between compliance and pass rates is not an easy thing, but Sumsub can help you achieve the highest real-world figures.

With Sumsub, you can easily go to any market in the world, backed up by an in-house team of 20+ legal experts.

Reach the highest possible pass rates worldwide with our all-in-one solution.

See Sumsub’s global pass rates →

Want to know more about how to stay compliant and keep conversions high?


Get a free demo
