The Dark Business of KYC Badges in the Crypto World
KYC, or “know your customer,” measures and procedures are a set of guidelines that financial institutions must abide by to verify the identity of their customers, whether they are a person or a corporate entity. This procedure is currently a requirement for crypto service providers that want to offer their services in certain nations, like Australia, the US, and the UK, among others.
The cryptocurrency industry is expanding more quickly than ever before, and new decentralized products are being released every day, suggesting that in order to protect common customers, national and international financial regulators must compel these providers to follow the same regulations as traditional banks.
The KYC procedure is not only intended to ensure that the team members behind a DeFi product are who they claim to be; it is also intended to ensure that the users of a specific financial product are who they claim to be. In the crypto space, however, this is most common with the users of centralized crypto exchanges or platforms.
Generally speaking, this KYC process serves the following purposes in both the crypto world and the traditional financial system:
- To recognize individuals suspected of criminal activity.
- To specify which jurisdiction’s international sanctions companies or individuals are subject to.
- To provide information on organizations or people suspected of participating in bribery, money laundering, human trafficking, or financing terrorism.
- To identify those who are politically exposed.
However, while the General Data Protection Regulation (GDPR), which governs the protection of personal data both inside and outside the EU, is strictly followed in the traditional financial system, this doesn’t seem to be the case in the cryptocurrency space.
The primary objective of KYC for cryptocurrency exchanges and platforms is to prevent the illegal use of cryptocurrencies that their decentralized nature makes possible. However, while this measure seeks to protect against the illegal use of crypto tokens, it leaves the door open for certain players to use people’s identities illegally, as there is no standardized mechanism in place for this purpose.
The main market for the KYC badge originates from the crypto or NFT launchpad sector. The launchpads encourage projects that host pre-sales, special sales, private sales, fair launches, etc. to buy KYC badges in order to receive various levels of visibility and “certification.” Every launchpad has realized that by focusing on preventing fraud, it can sell the KYC badge to crypto project owners in order to certify them in front of customers. But the launchpads don’t take into consideration the risks to which they expose project owners.
The Risky Crypto KYC Badge Market
The crypto market currently has a plethora of KYC badge providers, but “a vast majority” of them do not adhere to the EU principle that requires that the processing of personal data and documents be carried out by a certified manager who is identifiable and visibly present on the provider’s website.
In addition, it is necessary to specify the company or other legal entity in charge of the processing, as well as the precise location and manner of storage and use. In fact, in many states, a privacy manager actually needs to complete specialized training, have the competency, get certified, and disclose this information to the public.
Many prominent companies in the sector fail to accurately disclose how, where, and with what security protocol personal data is managed in their privacy policies and KYC services. And if any of these are not sufficiently stated, it amounts to the abuse and trafficking of illegally obtained identity documents, as well as a grave disregard for the GDPR’s guidelines.
Unfortunately, a lot of crypto platform developers do not care to ponder this critical matter before handing over their private identification information to “completely unknown” so-called KYC badge providers who might use it for nefarious practices.
One of the requirements of the GDPR is that:
By using appropriate technical and organizational measures, personal data shall be processed in a manner to ensure the appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
However, the majority of crypto KYC badge providers demand that users send their IDs via email or Dropbox to an unidentified recipient, who may then handle a private person’s sensitive data and videos without ever revealing their own identity to the public. The risk of the user ID being used fraudulently is extremely high, and this practice falls outside of any legal means of managing sensitive data. It is not enough for a company (the KYC badge issuer) to be well known to guarantee data security; we must also make sure that all procedures are carried out legitimately.
Although KYC measures are necessary for improving the security of crypto investors, they also have the potential to endanger the lives of crypto service providers and programmers because only a small percentage of KYC providers follow GDPR principles and provide transparent methods for managing people’s data.
On the other hand, we all need to be aware that anonymous individuals are in charge of maintaining these data, and with that information in hand, they could open foreign companies, prepaid cards, and bank accounts, and commit fraud by using third-party data.
Therefore, why and how should a group of “unknown” individuals confirm the identities of others without having their own identities confirmed by any legal authority or even a governmental institution?
It therefore makes perfect sense to require that anybody or any company wishing to confirm the identities of others and retain their sensitive data be a known, preferably well-known, entity. That way, if the information is ever leaked, even unintentionally, or used illegally, the world will be able to identify who is responsible.
Closing Thoughts
This isn’t an effort to get rid of KYC requirements in the crypto world; rather, it’s a way to understand the risks and shadowy world of KYC badges while also identifying more effective, security-conscious procedures that the current providers could adopt outright.
Finally, this serves as a serious invitation to cryptocurrency projects, service providers, exchanges, businesses, and general users to pay close attention to this issue and to send their sensitive documents only to verified, transparent individuals who provide all the necessary specific safeguards for data processing in accordance with international regulations, especially the General Data Protection Regulation (GDPR). This is because the potential harm that crypto-related KYC badges pose is almost equal to the benefit they provide.