If you're building or running a crypto exchange in 2026, KYC is no longer optional in any meaningful sense. It hasn't been for a while. But the regulatory landscape has gotten materially more complex in the past two years, and the enforcement environment has shifted from "theoretical risk" to "exchanges are getting fined hundreds of millions of dollars."
This is a practical guide to what KYC actually requires for crypto exchanges, broken down by what you need to collect, how verification works, and what's changed recently that you need to be aware of.
What KYC Requires You to Collect
At its core, KYC is about establishing that your users are who they say they are and that they aren't on a sanctions list. For a crypto exchange, the standard information collected at onboarding typically includes:
Identity information
Full legal name
Date of birth
Residential address
Government-issued ID (passport, driver's license, national ID card)
Verification
Liveness check or selfie to confirm the person submitting the documents is physically present
Proof of address for higher-risk profiles or larger transaction thresholds
Ongoing obligations
Sanctions and watchlist screening against lists including OFAC, EU, UN, and HM Treasury
Transaction monitoring for suspicious activity
Risk-tiered access (lower limits for unverified or lower-tier users, higher limits after enhanced verification)
The depth of verification required scales with risk. A user depositing small amounts from a low-risk jurisdiction needs less scrutiny than someone moving large volumes from a high-risk country. Risk-based approaches are not just acceptable under most frameworks — they're expected.
The Regulatory Landscape in 2026
The rules vary by jurisdiction, but the trend globally is consistent: stricter requirements, broader scope, and more active enforcement.
United States
US-based exchanges operate as Money Services Businesses (MSBs) and are subject to the Bank Secrecy Act (BSA), with FinCEN as the primary regulator. KYC and AML programs are mandatory. The SEC has stepped back from some enforcement actions in 2025, but FinCEN and the DOJ have not. In late 2025, OKX was fined over $500 million for AML failures including weak KYC practices and suspicious transaction volumes. Paxful received a $3.5 million FinCEN penalty for BSA violations around the same time.
A notable addition in 2026: US exchanges are now required to issue Form 1099-DA, reporting capital gains and losses to users and the IRS. To do that, you need to know who your users are. KYC is now a tax compliance requirement as much as a financial crime one.
European Union
MiCA (Markets in Crypto-Assets Regulation) is now the governing framework for crypto exchanges operating in the EU. All Crypto-Asset Service Providers (CASPs) must be licensed, and KYC and AML obligations under MiCA are extensive. The Travel Rule applies to any transfer above 1,000 euros: you must collect and transmit sender and recipient identity data to the counterparty exchange. Operating without a MiCA license in the EU is not a grey area.
United Kingdom
The FCA regulates crypto businesses under its AML framework, and crypto asset businesses must be registered. KYC obligations broadly mirror the EU approach.
UAE
The UAE has emerged as a serious crypto hub with serious compliance expectations. VARA, ADGM, and DFSA all enforce mandatory KYC for Virtual Asset Service Providers. Guidance issued in 2025 requires firms to avoid anonymous counterparties entirely.
Global baseline: FATF
The Financial Action Task Force sets the international standard that most of these jurisdictions are translating into local law. Under FATF recommendations, any Virtual Asset Service Provider (VASP) must implement KYC, AML, and the Travel Rule. The Travel Rule specifically requires VASPs to collect and pass along originator and beneficiary information for crypto transfers, similar to how wire transfers work in traditional banking.
What's Changed Recently
A few developments are worth calling out specifically for 2026:
Enforcement has teeth now. The era of enforcement warnings without consequences is over. The OKX and Paxful penalties are the clearest examples, but they follow a pattern of regulators demonstrating willingness to act against exchanges of any size.
1099-DA reporting in the US creates a new KYC imperative. If your exchange needs to issue tax forms, you need verified identity data. This is pulling in centralized exchanges that may have previously operated with lighter-touch verification.
The Travel Rule is expanding. More jurisdictions are implementing Travel Rule requirements, and the threshold for triggering it varies. Building this into your compliance stack now is significantly easier than retrofitting it later.
Biometric verification is becoming standard. Liveness detection is increasingly expected rather than optional, particularly for higher-tier verification. Static selfies are giving way to active liveness checks as the baseline for identity assurance.
Where Exchanges Commonly Get This Wrong
A few patterns come up repeatedly in enforcement actions and compliance failures:
Treating KYC as a one-time event. Verification at onboarding isn't enough. Ongoing monitoring is a regulatory requirement, and users whose risk profile changes need to be caught by that monitoring. A user who was low-risk at signup may not be low-risk two years later.
Inconsistent sanctions screening. Screening against OFAC is not the same as screening against the full set of relevant lists. Depending on where your users are located, you may also need EU sanctions, UN consolidated lists, HM Treasury, and others. Relying on a single list creates gaps.
No risk-tiered approach. Applying the same level of scrutiny to every user is both operationally inefficient and not actually what regulators want. A risk-based approach that applies enhanced due diligence to higher-risk users while streamlining lower-risk onboarding is both compliant and better for conversion.
Slow verification times hurting conversion. This isn't a compliance failure, but it's a business one. Verification times that drag into hours or days create drop-off at exactly the point where you've done the hard work of acquiring a user. Modern identity verification should complete in seconds, not days.
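To make the risk-tiered access and multi-list screening points above concrete, here is an added illustration (not code from the original post or from any product): a decision function that screens a name against several watchlists at once, enforces per-tier limits, escalates high-risk jurisdictions to enhanced due diligence, and flags the EU Travel Rule threshold. The list contents, tier limits and country codes are constructed placeholders, not real sanctions data or regulatory numbers.

```python
# Added example, not part of the original post. All list entries, tier limits
# and country codes below are constructed placeholders.
from dataclasses import dataclass
import unicodedata

# Constructed sample watchlists keyed by source. A real program ingests the
# OFAC, EU, UN and HM Treasury feeds; names here are fictitious.
WATCHLISTS = {
    "OFAC": {"ivan petrov"},
    "EU": {"ivan petrov", "maria rossi"},
    "UN": set(),
    "HMT": {"john smythe"},
}

# Constructed daily withdrawal caps (USD) per verification tier; None = no cap.
TIER_LIMITS = {0: 0, 1: 1_000, 2: 25_000, 3: None}

# Constructed high-risk jurisdiction codes; real programs use FATF/internal ratings.
HIGH_RISK_COUNTRIES = {"XX", "YY"}

def normalize(name):
    # Strip accents, case and surrounding whitespace so variants compare equal.
    nfkd = unicodedata.normalize("NFKD", name)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).casefold().strip()

def screen(name, lists=WATCHLISTS):
    """Return the set of list names on which `name` appears (exact match after
    normalisation; production screening adds fuzzy matching on top)."""
    n = normalize(name)
    return {src for src, entries in lists.items() if n in entries}

def requires_travel_rule(amount_eur, threshold_eur=1000):
    # The post's EU figure: transfers above 1,000 euros carry originator/beneficiary data.
    return amount_eur > threshold_eur

@dataclass
class User:
    name: str
    country: str
    tier: int
    withdrawn_today: float = 0.0

def decide(user, amount):
    """Return 'block' (watchlist hit), 'edd' (enhanced due diligence) or 'allow'."""
    if screen(user.name):
        return "block"
    limit = TIER_LIMITS.get(user.tier, 0)
    if limit is not None and user.withdrawn_today + amount > limit:
        return "edd"
    if user.country in HIGH_RISK_COUNTRIES and user.tier < 3:
        return "edd"
    return "allow"
```

Screening `"Maria Rossi"` against the OFAC entry alone returns no hit while the full set does, which is the single-list gap the post describes.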
The Operational Reality
For a crypto exchange, building a compliant KYC program means making decisions about several things at once: what you collect, how you verify it, how you screen against sanctions data, how you monitor ongoing activity, and how you handle escalations and record-keeping.
Doing all of this in-house is possible but expensive and slow. Most exchanges integrate a KYC API that handles identity document capture, liveness verification, and initial sanctions screening, then layer in transaction monitoring and ongoing AML tooling on top.
The things to evaluate when choosing a KYC provider: coverage across the document types and countries your users come from, verification speed (conversion depends on it), audit record quality for regulators, and how data is handled (particularly relevant for GDPR if you're serving European users).
If you're evaluating KYC infrastructure for your exchange and want to see how Mallient handles verification across 200+ countries with sub-2-second results, I'm happy to walk through it.
Book a demo or reach out directly.
Michael is the founder of Mallient, a developer-first identity verification API built for crypto exchanges and fintechs.