Summary: Bad actors have weaponized KYC against their customers.
What is KYC?
Know Your Customer (KYC) procedures are a cornerstone of financial institution AML programs. Federal law and regulations require financial institutions to collect information from customers in order to establish and verify identity, understand the nature of the customer’s business, and assess the customer’s money laundering risks.
What data is collected for KYC?
Information typically collected as part of the KYC process includes a variety of Personal Identifiable Information (PII): name, address, social security or other identification number, photo ID, etc. This data is usually gathered at account opening but in other instances, a financial institution may request more or updated information.
What is Weaponized KYC?
Weaponized KYC is when organizations collect KYC information from customers and then use that information (or the KYC process itself) to inflict harm on customers. The organization may be a financial institution or an entity pretending to be a financial institution in order to acquire KYC data.
How is KYC Weaponized?
Bad actors have weaponized KYC in at least three ways:
1) KYC as a pretext for not releasing customer funds
There has long been rumors that crypto companies use KYC as a pretext for not releasing customer funds. My analysis of CFPB consumer complaints identified that 20% of complaints against crypto-centric firms was for Money Not Available When Promised.
CFPB complaint narratives describe customer withdrawal requests met with demands for ID or other documentation, delayed or denied disbursements, and the inability to reach customer service.
Here’s a few examples of CFPB complaint narratives involving Money Not Available When Promised:
Certainly, some consumer complaints about Money Not Available When Promised are due to valid KYC concerns by crypto exchanges coupled with documentation, verification or technology issues, and a lack of customer service.
DOJ Alleges KYC was Pretext to Obstruct or Delay Withdrawals
However, a recent DOJ indictment shows that at least one crypto firm allegedly used KYC as a pretext for not releasing customer funds. The DOJ announced on 11/21/22 an indictment against two Estonians for an alleged crypto mining and ICO scam that took in over $550 million dollars.
The indictment states:
On July 19, 2018, HashFlare imposed so-called Know-Your-Customer (“KYC”) requirements upon customers, which mandated that users submit identification and other information before they could continue using the platform or make withdrawals. In fact, POTAPENKO and TUROGIN, and others, used the KYC requirement as a pretext to obstruct and delay customers’ abilities to make withdrawals from their accounts.”
The DOJ alleged that the pair used the fraud proceeds to purchase real estate and luxury cars.
2) Collect KYC info with no intention of offering a financial product
The criminals have various options for the KYC data once collected:
- Resell the KYC data. Ironically, legitimate KYC requirements have created a black-market for stolen KYC data.
- Use the KYC data to open accounts at other institutions. These accounts are used to cash out frauds, hacks, or other illicit schemes.
- Take out loans taken out in the name of the KYC’d customer
3) Collect KYC info, then use it to “dox” your customers
A crypto token platform employee is alleged to have intentionally doxed 4,500 customers’ KYC data. Coindesk reported that a Tokensoft community manager published an excel spreadsheet of “bad actors” on Discord with the customer’s personal details. The Tokensoft community manager allegedly posted the KYC data claiming that the users “gamed” an airdrop. The data included full name, wallet address, and physical and IP address.
Impacts of Weaponized KYC
Weaponized KYC impacts victimized consumers and legitimate financial institutions. As noted above, the victimized consumers may have their identity is stolen and used to take out loans or open accounts at other financial institutions. Legitimate financial institutions are challenged with uncovering fake accounts using real KYC data, and with consumers reluctant to provide KYC data, worried that their information will fall into the wrong hands.