Customer due diligence for crypto firms: what differs from traditional CDD

The Money Laundering Regulations 2017 apply to cryptoasset businesses registered with the FCA in the same way they apply to banks, payment firms and investment businesses. The obligation to conduct customer due diligence, enhanced due diligence for higher-risk relationships, and ongoing monitoring of transactions is the same in law. In practice, however, the implementation of CDD at a cryptoasset firm looks substantially different from CDD at a traditional financial institution — and the differences create specific operational and compliance challenges that MLROs at crypto firms navigate in ways their counterparts in conventional finance do not.

This article sets out where the practical differences lie and what they mean for the design of a crypto firm’s CDD framework.

Wallet verification instead of account verification

Traditional CDD establishes that the person opening an account is who they say they are, and that the account belongs to them. In the crypto context, the equivalent process involves verifying both the identity of the customer and their ownership or control of the wallet addresses they are transacting from or to. These are not the same thing.

A customer can pass identity verification while transacting through wallet addresses they do not beneficially own — using wallets controlled by third parties, custodial wallets with split control arrangements, or multi-signature wallets where the customer is one of several signatories. Equally, a verified customer can transact to external wallets whose ownership the firm has no direct visibility over. Standard account-based CDD frameworks do not encounter this problem in the same way — when a bank transfers funds to another account at the customer’s instruction, the account has an identifiable owner at the receiving institution.

CDD frameworks at crypto firms need to address wallet ownership verification as a distinct step — not just identity verification of the customer, but verification of the relationship between the customer and the wallets involved in their transactions.

The Travel Rule

The UK Travel Rule for cryptoasset transfers came into force on 1 September 2023. It requires cryptoasset businesses (Virtual Asset Service Providers, or VASPs, in FATF’s terminology) to collect, verify and transmit originator and beneficiary information alongside a transfer, with the amount of information required depending on the transfer value: the counterpart of the payer and payee information that has long accompanied a wire transfer under the funds transfer rules. This is a significant departure from how crypto transfers have historically worked, and the implementation challenges are considerably more complex than in traditional finance.

In a traditional wire transfer, the sending and receiving institutions are both regulated financial entities with established correspondent due diligence and a standardised messaging network (SWIFT). In crypto, the counterparty VASP may be in a jurisdiction with minimal regulatory oversight, may not have implemented the Travel Rule at all or may use a messaging protocol incompatible with the firm’s own, and, in the case of transfers to unhosted wallets, there is no counterparty VASP at all. The MLRO at a UK-registered crypto firm needs a clear policy for how Travel Rule information is collected, transmitted and received, and what the firm does when it cannot obtain complete Travel Rule information for a transfer: whether the transfer is held pending the missing information, returned or rejected, and whether a repeated failure to obtain it is itself treated as a suspicion indicator.

Blockchain analytics as a CDD tool

The most significant operational difference between crypto CDD and traditional CDD is the role of blockchain analytics. Every transaction, address and amount on a public blockchain is visible to anyone with access to the chain data. Analytics providers such as Chainalysis, Elliptic and TRM Labs layer on top of that a probabilistic attribution of addresses to entities (exchanges, mixing services, darknet markets, sanctioned parties) derived from clustering heuristics and off-chain intelligence. That attribution is an assessment, not a fact recorded on the chain, and it changes as new intelligence arrives. Together, the public ledger and the attribution layer create an obligation and an opportunity that have no equivalent in traditional CDD.

The obligation: a crypto firm that does not use blockchain analytics to screen wallet addresses and transaction histories has an obviously incomplete CDD framework. The fact that on-chain data is publicly available means the firm cannot credibly claim it was unable to identify the risk signals that the data would have disclosed. The FCA’s expectation — consistent with its registered firm requirements and its broader financial crime guidance — is that crypto firms use analytics tools proportionate to their risk profile.

The opportunity: blockchain analytics can surface risk signals that traditional CDD simply cannot generate. A transaction to or from a wallet cluster associated with a sanctioned entity, a mixing service, a darknet marketplace or a known ransomware address is identifiable through analytics. For an outbound transfer the destination can be screened before the transaction is broadcast; an inbound deposit is already on the chain when the firm sees it, so screening happens at the point the funds are credited to the customer and before they can be moved on. This gives the MLRO a qualitatively different set of suspicious transaction indicators to work with compared to traditional finance, where transaction monitoring depends on pattern analysis rather than direct linkage.
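To make the screening step concrete, here is an added example (not the article’s text and not any vendor’s code) of the core computation behind an exposure screen: a breadth-first traversal of a transaction graph from the address under review to find the nearest counterparties attributed to risky categories, followed by a policy that maps category and hop distance to a decision. The transfers, the cluster attribution and the risk policy are all constructed for the example; in practice the attribution comes from a provider such as those named above, and the hop limits and severities are the firm’s own risk-appetite choices. The function names `build_graph`, `exposures` and `screen` are likewise chosen for the example.

```python
"""Address exposure screening over a transaction graph: an added example.
Transfers, cluster attribution and the risk policy below are all constructed;
a real deployment takes attribution from an analytics provider's API."""
from collections import deque

# Constructed attribution: address -> cluster (None = unattributed), cluster -> category
CLUSTER_OF = {
    "addr_cust_1": "customer_A",
    "addr_exch_1": "exchange_X", "addr_exch_2": "exchange_X",
    "addr_mix_1": "mixer_M",
    "addr_dnm_1": "darknet_D",
    "addr_pool_1": "mining_pool_P",
    "addr_unknown_1": None,
}
CATEGORY_OF = {
    "customer_A": "customer", "exchange_X": "exchange", "mixer_M": "mixing_service",
    "darknet_D": "darknet_market", "mining_pool_P": "mining_pool",
}
# Firm's policy (a risk-appetite choice): category -> (action, max hops that still count)
RISK_POLICY = {
    "sanctioned": ("block", 3),
    "darknet_market": ("block", 2),
    "mixing_service": ("edd", 2),
    "exchange": ("none", 0),
    "mining_pool": ("none", 0),
    "customer": ("none", 0),
}
# Constructed transfers: (sender, receiver, amount)
TRANSFERS = [
    ("addr_pool_1", "addr_exch_1", 5.0),
    ("addr_dnm_1", "addr_unknown_1", 1.0),
    ("addr_unknown_1", "addr_mix_1", 0.9),
    ("addr_mix_1", "addr_cust_1", 0.8),
    ("addr_exch_2", "addr_cust_1", 2.0),
]
_RANK = {"none": 0, "edd": 1, "block": 2}


def build_graph(transfers, direction="in"):
    """Adjacency list. 'in' follows funds backwards (receiver -> senders) to screen
    where a deposit came from; 'out' follows them forwards to screen a destination."""
    adj = {}
    for src, dst, _amount in transfers:
        a, b = (dst, src) if direction == "in" else (src, dst)
        adj.setdefault(a, []).append(b)
    return adj


def exposures(address, transfers, max_hops=3, direction="in"):
    """BFS from the address; returns {category: hops to its nearest occurrence}.
    Unattributed addresses are traversed, since pass-through wallets are often
    exactly the unattributed hops between a customer and a flagged cluster."""
    adj = build_graph(transfers, direction)
    seen, queue, found = {address}, deque([(address, 0)]), {}
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt in adj.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            category = CATEGORY_OF.get(CLUSTER_OF.get(nxt))
            if category and category not in found:  # BFS order => first hit is nearest
                found[category] = hops + 1
            queue.append((nxt, hops + 1))
    return found


def screen(address, transfers, policy=RISK_POLICY, direction="in"):
    """Apply the policy; returns ('none' | 'edd' | 'block', [reasons]).
    Exposure beyond a category's hop limit is ignored, so the limits must be set
    deliberately: too short and one layering hop hides a flagged source."""
    decision, reasons = "none", []
    for category, hops in exposures(address, transfers, direction=direction).items():
        action, limit = policy.get(category, ("edd", 1))  # unknown category -> review
        if hops > limit or action == "none":
            continue
        reasons.append(f"{category} at {hops} hop(s)")
        if _RANK[action] > _RANK[decision]:
            decision = action
    return decision, sorted(reasons)
```

The hop limit is the caveat worth noticing. In the constructed data the customer’s address is three hops from the darknet market (through an unattributed wallet and a mixer), but the policy only counts darknet exposure within two hops, so the decision is driven by the direct mixer exposure and comes out as enhanced due diligence rather than a block. Where a firm sets those limits, and how it treats unattributed intermediary addresses, is the “proportionate to its risk profile” judgement the FCA expects to see documented. Re-running `screen` over a customer’s known addresses against refreshed attribution data is the periodic rescreening that the ongoing-monitoring section below calls for.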

Unhosted wallets and the enhanced due diligence question

The FCA and FATF have been explicit that transactions involving unhosted wallets — wallets not held at a regulated VASP, typically self-custodied by the wallet holder — carry higher inherent risk and require enhanced due diligence in higher-risk cases. The practical challenge is that the unhosted wallet is by definition outside the regulated perimeter. The firm cannot verify the owner through the Travel Rule, cannot rely on a counterparty VASP’s CDD, and must depend on its own analysis of on-chain data and the customer’s representations about the wallet’s purpose.

MLRO policy on unhosted wallets needs to address: what information the firm requires from customers transacting to or from unhosted wallets, what blockchain analytics screening applies to those wallet addresses, what the threshold is for enhanced due diligence, and what the firm does when the customer cannot or will not provide satisfactory information about the destination of their funds. This is an area where the regulatory expectation has been clear but the operational implementation varies significantly across registered firms.

Source of funds and source of wealth for crypto customers

Source of funds verification for a customer whose assets are denominated in cryptoassets presents specific challenges. A customer stating that their Bitcoin derives from mining activity in 2013, or from an early investment in a now-defunct exchange, or from proceeds of DeFi liquidity provision, is describing a source of funds that is difficult to verify through the documentary routes that work for conventional source of funds enquiries. Payslips, bank statements and solicitor completion letters do not help here.

On-chain data can partially substitute — the transaction history of a wallet may be consistent or inconsistent with the claimed source of funds, and analytics tools can identify whether the wallet has received funds from mining pools, exchanges, or higher-risk sources. But the MLRO’s framework needs to be clear about what constitutes adequate source of funds verification for crypto-origin assets, and what level of on-chain evidence is required before the firm accepts the customer’s account of the origin of their wealth.

Ongoing monitoring: on-platform and off-platform activity

Ongoing monitoring of customer activity in traditional finance relies primarily on transaction monitoring systems that flag unusual patterns in account activity. In crypto, the equivalent obligation covers both the transactions processed through the firm’s platform and, where relevant, the activity outside the platform that the customer’s on-chain wallet history discloses. A customer whose on-chain history shows recent interaction with a high-risk wallet cluster, even in a transaction not processed through the firm, is a customer whose risk profile has changed.

This does not mean that firms are obliged to perform continuous blockchain surveillance of all their customers’ non-firm wallets. It does mean that the ongoing monitoring framework should incorporate periodic rescreening of known customer wallet addresses through analytics tools, not just monitoring of transactions processed through the firm’s own systems. Rescreening matters because attribution data changes: an address that screened clean at onboarding can later be linked to a newly labelled cluster, and the customer’s risk rating should move with it.

FD Capital places MLROs and compliance professionals in FCA-registered cryptoasset businesses and in regulated firms with cryptoasset exposure. The specific technical knowledge required to design and oversee a CDD framework in this context is distinct from conventional compliance expertise, and we understand the difference.

Written by

Adrian Lawrence FCA

Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383

FD Capital is an ICAEW-Registered Practice specialising in senior finance and compliance recruitment for FCA-regulated firms.

Need an MLRO with cryptoasset CDD expertise?

FD Capital places MLROs and compliance professionals in FCA-registered cryptoasset businesses and regulated firms with digital asset exposure — including candidates with blockchain analytics experience.

Call 020 3287 9501 or visit our MLRO Recruitment and Financial Crime Recruitment pages.
