Built for crypto exchanges, wallets, and on-ramps

KYC for Crypto That Doesn't Turn Your Exchange Into a Target

Most KYC for crypto looks the same: collect a passport, a selfie, an address proof, then sit on that pile of PII for the next seven years. Every exchange that's been breached this cycle was breached the same way. Zyphe runs the verification (passport, liveness, sanctions, address) and then offloads the personal data into a user-owned, sharded vault. You stay compliant. You stop being the data target. And when the same user signs up to your next product, they're cleared in one click.

Used by crypto exchanges, wallets, and on-ramps to verify users in 190+ countries without storing the documents.
  • GDPR
  • CCPA
  • MiCA-aligned
  • FATF Travel Rule-ready
  • Zero stored PII

Why is KYC for crypto so painful right now?

Three reasons, in this order. The regulators got specific (MiCA, the FATF Travel Rule, FCA crypto registration, MAS, the SEC’s recent guidance on token issuance), the breaches got expensive (a centralized KYC vendor was the root cause of four public incidents in the last twelve months and the average cost of a data breach hit USD 4.88M in 2024), and the users got tired of uploading their passport for the fifth time this year. Customer due diligence, sanctions screening, PEP checks, source of funds — every founder we talk to has the same problem written differently.

For background reading from the team, see crypto KYC compliance, VASP KYC compliance, and the Sumsub security breach lessons.

What we hear on calls

  • “We’ve been working on the onboarding for five months, and we’re still not going through.” — Compliance lead at a Latin American bank moving into crypto
  • “We’re very jealous of the information in the group. If a third party gets access to our data lake, it’s impossible to work with us.” — Same call
  • “We launched on testnet without KYC. Going to production is October. We’re not making it.” — Founder, crypto AML infrastructure platform
  • “Volume is hard to estimate, this is a one-of-a-kind service.” — Product lead, decentralized identity wallet

The pattern is always the same. Compliance isn’t the part anyone wants to spend time on. They want it done, defensible, and out of the way.


How does Zyphe do KYC for crypto without holding the documents?

We verify the customer the same way any compliant vendor would: government-issued ID with NFC chip reading where supported, document OCR, biometric liveness with deepfake detection, sanctions and PEP screening, adverse media, proof of address. The difference is what happens next. Instead of storing the result on a server we own, we shard it across 60,000+ decentralized nodes and hand the user the key. The exchange keeps the audit hash. We keep nothing reconstructable. The user keeps their PII.

For the architecture, see Decentralized PII Storage and Decentralized KYC.
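A minimal model of the split described above, added here as an illustration and not Zyphe's implementation. It assumes an n-of-n XOR split in which the user's key is one share and the nodes hold the rest, and a salted HMAC-SHA-256 as the exchange's audit hash; all function names and the sample record are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample record; not real data and not Zyphe's record format.
RECORD = b'{"doc":"passport","country":"GB","dob":"1990-01-01","result":"clear"}'


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split(record: bytes, n: int) -> list[bytes]:
    """n-of-n XOR split: each share on its own is uniformly random bytes."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(record)) for _ in range(n - 1)]
    last = record
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def combine(shares: list[bytes]) -> bytes:
    """XOR every share together; missing any one share yields noise."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = _xor(out, share)
    return out


def audit_hash(record: bytes, salt: bytes) -> str:
    """Keyed commitment the exchange stores in place of the record."""
    return hmac.new(salt, record, hashlib.sha256).hexdigest()


def verify(record: bytes, salt: bytes, stored: str) -> bool:
    """Constant-time check that a disclosed record matches the stored hash."""
    return hmac.compare_digest(audit_hash(record, salt), stored)


def guess_unsalted(digest: str, candidates: list[bytes]) -> bytes | None:
    """Why the salt matters: a bare SHA-256 of low-entropy PII can be
    matched by enumerating plausible records."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == digest:
            return candidate
    return None


def demo() -> dict:
    salt = secrets.token_bytes(32)             # assumption: held by the user
    shares = split(RECORD, 5)
    user_key, node_fragments = shares[0], shares[1:]
    stored = audit_hash(RECORD, salt)          # assumption: held by the exchange
    return {
        "nodes_alone_recover": combine(node_fragments) == RECORD,
        "user_plus_nodes_recover": combine([user_key] + node_fragments) == RECORD,
        "audit_ok": verify(combine(shares), salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

The audit hash is only as private as its salt: an exchange that stored an unsalted digest of a structured record would still hold something an attacker could test guesses against.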

What that means in practice for an exchange

| Stage of the flow | Centralized KYC vendor | Zyphe |
|---|---|---|
| User uploads passport + selfie | Stored on vendor cloud, retained 5–7 years | Sharded, geo-locked, user holds the key |
| Subject access request (GDPR) | Days to weeks, vendor + DPO loop | Seconds, user resolves it themselves |
| Vendor breach scenario | Full database leaked | Each node holds a fragment that decrypts to nothing |
| Same user joins your next product | Re-verifies from scratch | One click + passkey, instant approval |
| Audit by FCA / FinCEN / MiCA NCA | Pull data from vendor, hope it's intact | Threshold-encrypted audit trail, regulator + user co-sign |

This is the part that lands on every call. We had a Latin American bank tell us, in plain English, that the only reason they’d consider a KYC vendor is if the vendor cannot see the data. That’s the architecture.


How does reusable KYC change the economics of crypto onboarding?

Once a user has cleared KYC with Zyphe one time, they hold a KYC Passport: a signed, portable credential they own. Next time they sign up to any platform on the Zyphe network, they re-verify with a passkey. No re-uploads, no waiting for review. We see completion rates lift by up to 70% on returning-user flows compared with cold-start KYC.

That changes the math two ways. Acquisition cost drops because fewer users abandon at the document upload step — which is where most crypto onboarding flows lose them. And cross-product onboarding gets cheap: if you run an exchange and a wallet and an OTC desk, the same user clears once and is good for all three.

For onboarding-specific tactics, see reduce KYC onboarding drop-off and the KYC onboarding process: ultimate guide.


Can a crypto platform make money on KYC instead of paying for it?

Yes, and several of our customers do. The mechanic is straightforward: you charge your end-user a fixed fee for the verification (most platforms in our network charge between $1.50 and $3), Zyphe charges you less, and the spread sits on your P&L instead of someone else’s. For a platform onboarding 50,000 users a quarter, that’s a six-figure revenue line that used to be a cost line.

The setup is on a starter plan with a fixed monthly minimum and a pay-as-you-go rate above it. You configure your preset policy from the dashboard (we ship policies pre-built for Europe, the US, Asia, and several emerging crypto jurisdictions) and start collecting. See pricing for current tiers.

“It’s super easy to set it up from your dashboard. You can do it on your own, collect the payment, and get revenue from it.” — Michelangelo Frigo, Zyphe (transcribed from product call)


What about KYB? Crypto exchanges onboard businesses too.

Most crypto teams don’t separate the two cleanly, so neither do we. KYC verifies the individual. KYB verifies the entity: registration, ultimate beneficial owners (UBOs), directors, shareholders, group structure, financials, plus AML checks at the company level. Inside KYB, the UBOs themselves get KYC’d, with EDD (enhanced due diligence) triggered for higher-risk profiles. So a crypto exchange onboarding a market-maker entity, an OTC counterparty, or a corporate VASP runs one workflow, not two procurement processes.

One thing worth flagging: KYB cost varies wildly by jurisdiction. If a counterparty is registered in the British Virgin Islands, the Cayman Islands, or the Marshall Islands, the entity check is a manual process with a local agent and the unit cost is meaningfully higher than for a UK Companies House or Delaware lookup. Build it into your pricing model. For the full breakdown, see our KYC vs KYB differences post.

For business onboarding, the dedicated product is KYB software. For ongoing AML monitoring on the exchange itself, pair it with AML software.


Which crypto businesses use Zyphe for KYC?

The fit is sharpest for any crypto product that’s already at scale, already regulated, and already nervous about its data exposure. We see it most often with teams running tens of thousands of verifications a quarter who’ve felt the cost of a data breach, a long onboarding flow, or a vendor that won’t move on price. In practice that’s:

  • Centralized exchanges: onboarding retail and institutional users across multiple jurisdictions, MiCA-aligned in Europe, MSB-registered in the US.
  • Crypto wallets and on/off-ramps: where conversion economics live and die on the document-upload screen.
  • DeFi front-ends with a regulated layer: verifying users without breaking the non-custodial UX. See how DeFi platforms ensure KYC compliance.
  • AML and compliance infrastructure: platforms whose own customers are crypto-native and need KYC-as-a-feature embedded.
  • Token issuance and TGE platforms: where the legal exposure on a botched investor check is existential.
  • RWA and tokenized asset platforms: KYC plus accreditation plus jurisdictional gating.
  • Crypto-native banks and neobanks: where the data-jealousy of a regulated entity meets the speed expectations of a crypto user.

If you’ve shipped a Web3 product that has a fiat ramp, you probably need this. See also the challenges facing KYC in a Web3 world.


How does Zyphe compare to Sumsub, Onfido, Jumio, and Persona for crypto?

The honest answer is that the feature lists overlap most of the way. Document checks, biometric liveness, sanctions screening, PEP, adverse media — every serious vendor has them. The differences that matter for crypto are about what happens to the data after the verification, how the same user gets onboarded twice, and what the regulator finds when they audit you.

| What you actually care about | Sumsub / Onfido / Jumio / Persona | Zyphe |
|---|---|---|
| Where customer PII lives after onboarding | Vendor cloud, 5–7 year retention | Sharded, user-controlled, vendor cannot reconstruct |
| Vendor's track record on breaches (2024–2026) | Multiple public incidents | None — there's nothing to steal |
| Reusable verification across your products | Vendor-locked or unsupported | KYC Passport, one-click re-verification |
| Time to ship in production | 2 to 6 weeks | 15 minutes (no-code link) or 1–2 days (API) |
| Reseller / margin model on verifications | Not standard | Built in — fixed minimum + PAYG, you set the user-facing price |
| Custom policies per jurisdiction | Engineering effort | Preset policies for EU, US, Asia, configurable in dashboard |
| MiCA-aligned audit trail | Manual, vendor-dependent | Threshold-encrypted, regulator + user co-sign |

Read the head-to-head in Zyphe vs. Sumsub, the Persona / Discord incident, and the identity breach epidemic 2026 analysis.


What does an integration look like for a crypto team?

Most exchanges go live in two weeks end-to-end. Most wallets and front-ends go live in 15 minutes — that’s the no-code link. The flow is the same either way: pick a preset policy, configure your branding, drop the link or call the API, get a webhook back when the verification clears. We cross-check the document against the issuing government’s database where one’s available, run liveness, run sanctions and PEP, and return a decision.

```bash
curl -X POST https://api.zyphe.com/v1/verifications \
  -H "Authorization: Bearer $ZYPHE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "customer_reference": "user_42",
    "country": "GB",
    "policy": "crypto-eu-mica",
    "checks": ["document", "liveness", "sanctions", "pep", "address"],
    "redirect_url": "https://yourapp.com/kyc/complete"
  }'
```

For the technical walkthrough, see how it works. For pricing and volumes, pricing.


What’s the best KYC software for crypto exchanges?

For crypto exchanges that need MiCA-aligned KYC without inheriting a PII liability, Zyphe is the best option because it verifies users globally and stores zero documents.


Stop holding your users' passports.

If you're running KYC for a crypto product right now, you already know what's wrong with it. The verification works. The data hangover doesn't. Book a 30-minute walkthrough and we'll run a real verification through the platform, show you the audit trail, and price it against your current vendor's bill.

Frequently asked questions


Identity verification (government ID + biometric liveness), sanctions and PEP screening, address verification in most jurisdictions, source-of-funds checks for higher-risk tiers, and ongoing monitoring. Under MiCA in the EU, expect tightened CDD obligations and a Travel Rule layer for transfers above the threshold.

Yes — and the key word is "actually." MiCA, the FATF Travel Rule, GDPR, and eIDAS 2 don't require a single vendor to hold the data; they require the verification, the audit trail, and lawful access. Zyphe handles all three. The user-held vault model satisfies data-residency rules automatically.

KYC verifies an individual. KYB verifies a company (registration, UBOs, directors, shareholders, financials), with KYC done on the UBOs as part of the KYB process. Crypto exchanges onboarding institutional or market-maker counterparties need both. KYB cost varies sharply by jurisdiction; offshore registrations cost more.

Yes. Zyphe runs on a fixed monthly minimum plus pay-as-you-go above it. Many of our crypto partners charge their end-users $1.50 to $3 per verification and keep the spread. For a platform onboarding tens of thousands of users per quarter, that turns KYC from a cost line into a revenue line.

Zyphe's KYC creates the verified counterparty record that Travel Rule messaging tools reference. We integrate with the major Travel Rule networks rather than reinventing the wire — your counterparty data is verified once and re-used across providers. AML transaction monitoring lives in [Zyphe AML software](/product/aml-software).

Most teams hit production in two weeks. The fastest path, a no-code verification link with one of our preset crypto policies, takes about 15 minutes to configure. Full API + webhook integrations with custom branding typically take one to two engineering days.