BLOCKCHAIN AND THE POSSIBLE TRINITY: GDPR, AML AND CTF – bringing cryptocurrency exchanges under the umbrella

A recent study carried out by Mitek Systems, which surveyed the KYC practices of 25 cryptocurrency exchanges and wallet providers in the US and Europe, found that only 32% of those entities carry out full KYC. The majority have no KYC procedure in place at all. Needless to say, this makes the crypto sphere a locus of illicit and criminal activity. It is argued that many ICOs, for example, which reached a peak of more than $800 million in 2017, are being used for money laundering.

KYC requirements differ among exchanges in terms of the identification asked for, the forms to be signed and the time needed to process the application. While most documents are scanned and uploaded directly to the platform, so that they are handled automatically, on many occasions this has to be done manually as well. At the peak of the crypto euphoria in 2017 and early 2018, onboarding a new customer took months. For investors who wish to spread their risk, uploading their documents several times across several exchanges is a daunting and time-consuming process.

The effect of regulations such as the General Data Protection Regulation (GDPR), AML and CTF has started to be felt in the cryptocurrency world. In an article published on, IDEX is heading to full compliance with KYC and AML directives. Although this is a big step for a decentralised exchange to take, it goes directly against the crux of blockchain philosophy: anonymity.

Experts argue that newly introduced regulations such as GDPR and AMLD have created tension between individuals' right to privacy and financial institutions' obligations to comply with AML and CTF regulations. Jurisdictions such as the EU, US, UK, Taiwan, India, Vietnam and many others have made KYC, AML and CTF rules an integral part of the regulatory framework for cryptocurrency exchanges. These regulations require financial institutions to collect information and identification from customers as part of the due diligence process, in order to determine the type of activity to expect within a customer's account.


GDPR places emphasis on the individual's right to privacy. The EU has linked the right to data protection with other fundamental rights such as the right to life and the right to security. Personal data under GDPR includes name, identification number, location data and cultural or social identity, among others, while sensitive personal data includes, for example, race and political opinion. The US, on the other hand, treats personal data as the property of the entity holding it. This makes it challenging to find a new mechanism under which data transfers between the EU and the US are lawful.

GDPR places requirements on the collection, transfer and storage of personally identifiable information. The customer should be informed of how their information will be processed and stored, and for what purposes it is requested. Further, GDPR requires enterprises and financial institutions to limit the data collected to what is necessary and to store it only for as long as necessary. The customer should give explicit and unambiguous consent to the processing and transfer of their information.


According to a Eurobarometer survey, eight out of 10 people feel they do not have complete control of their personal data; six out of 10 say they do not trust online businesses; more than 90% of Europeans say they want the same data protection rights across all EU countries. Therefore, GDPR is considered an opportunity for enterprises to restore trust with their clients.

In the absence of statistics on the cost of KYC and due diligence at cryptocurrency exchanges, one can take a lead from other financial institutions' spending on KYC. According to Forbes, the average annual spend on KYC alone, including labour and third-party costs, is $48 million.

Although many applaud the above regulations as a boost to customer confidence and to the adoption of cryptocurrencies in mainstream markets, the regulations impose financial burdens on these exchanges. The cost and technical knowledge required to implement and maintain adequate compliance with AML and CTF requirements can be challenging. This can give larger exchanges an advantage in gaining a bigger market share. Overall, the adoption of these regulations will legitimise the industry and bring millions of dollars of investment to a market that is gradually shrinking.

Blockchain can provide an optimal solution to all the thorny issues mentioned above. The financial sector is very interested in, and is investing in, blockchain technology. The unique characteristics of the technology, such as the distributed ledger, which makes it resilient to cyberattacks, the immutable and time-stamped records, the provenance of transactions, and the capability to scale to thousands or millions of transactions per second, are well suited to releasing the tension between GDPR on the one hand and AML and CTF on the other.

Cryptocurrency exchanges can form a blockchain-based consortium, consisting of exchanges only or of a combination of banks and exchanges. As the participants in the network are competitors, the governance can be designed in a way that guarantees the concealment of the information each party holds about its own customers by creating blind spots. As a rule of thumb, customers' information will be encrypted and shown only in encrypted form, ensuring that no personally identifiable data is displayed.

As with self-sovereign identity, customers would have full control over their information. They can reveal to an exchange or a bank only as much information as is adequate to conduct onboarding, KYC and due diligence.

Although some crypto exchanges pride themselves on storing cryptos in several locations, customers' data is still stored centrally. This represents a single point of failure, which may cost the exchange dearly under GDPR. In a blockchain-based consortium, data is stored in a distributed manner. In these scenarios, data is usually fragmented, cloned and then stored across several nodes. Fragmentation matters because if an attacker compromises one personal data store, the data obtained will be incomplete. Cloning, in turn, ensures that the data will not go missing if a node disappears or stops functioning.

Establishing a blockchain-based consortium can guarantee uniformity in the documents required and the procedures followed during customer onboarding. It will lead to effective compliance, as all stakeholders within the consortium are encouraged to follow the same best practices. A group-wide consortium based on blockchain can seamlessly integrate policies and procedures into the stakeholders' modus operandi, which should include the rules relating to the EU's approach to data protection and highlight the requirements for sharing information within the consortium for AML and CTF purposes.


Such a consortium would reduce the time and cost needed to verify customers' identity and conduct KYC, and eliminate duplicate verifications and the manual verification and handling of sensitive data. For the customer, it would also save the time needed to upload the same documents to several platforms, and sometimes several times to the same platform. The customer will be kept informed about why their data is being collected, who is collecting or reading it, whether it will be transferred across borders or between entities, and for how long it will be stored. The customer would have full control over their data through a private key, biometric data or a combination of both.

Once a customer is onboarded by their bank or an exchange, their details will be verified once, hashed or encrypted, and then kept on the blockchain. Of course, the right to be forgotten is enshrined in GDPR. If the customer wishes to register with another exchange, they can do so without needing to resubmit the same documents or go through the same process. If they update their data, the update would be propagated across the blockchain.
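As an added illustration of the flow in this paragraph (not the article's design or any real consortium's code): a first exchange verifies a customer once and publishes only a salted commitment to a shared ledger, a second exchange checks what the customer presents against that ledger instead of re-verifying, an update is appended as a new version, and erasure deletes the off-chain salt and data. The ledger class, exchange names and KYC fields are constructed placeholders.

```python
import hashlib
import hmac
import json
import os

def commitment(kyc: dict, salt: bytes) -> str:
    """HMAC-SHA256 over canonical JSON of the KYC record, keyed with a random salt.
    Only this digest goes on the ledger; name, address and document numbers never do."""
    canonical = json.dumps(kyc, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, canonical, hashlib.sha256).hexdigest()

class Ledger:
    """Append-only stand-in for the consortium chain; entries carry no PII."""
    def __init__(self):
        self.entries = []
    def append(self, customer_id: str, verified_by: str, digest: str) -> None:
        self.entries.append({"customer_id": customer_id, "verified_by": verified_by,
                             "commitment": digest, "version": len(self.entries)})
    def latest(self, customer_id: str):
        hits = [e for e in self.entries if e["customer_id"] == customer_id]
        return hits[-1] if hits else None

class Customer:
    """Plaintext KYC data and the salt stay off-chain, under the customer's control."""
    def __init__(self, customer_id: str, kyc: dict):
        self.customer_id, self.kyc, self.salt = customer_id, kyc, os.urandom(32)
    def forget(self) -> None:
        # Right to be forgotten: once the salt is gone the on-chain digest is unlinkable.
        self.kyc, self.salt = None, None

def onboard(ledger: Ledger, exchange: str, customer: Customer) -> None:
    """The first exchange does full KYC once, then publishes only the commitment."""
    ledger.append(customer.customer_id, exchange, commitment(customer.kyc, customer.salt))

def accept_existing(ledger: Ledger, customer: Customer) -> bool:
    """A second exchange checks what the customer presents against the ledger
    instead of asking for the documents again."""
    entry = ledger.latest(customer.customer_id)
    if entry is None or customer.kyc is None:
        return False
    return hmac.compare_digest(entry["commitment"], commitment(customer.kyc, customer.salt))

def update(ledger: Ledger, exchange: str, customer: Customer, new_kyc: dict) -> None:
    """An update is a fresh verification appended as a new version; the latest wins."""
    customer.kyc, customer.salt = new_kyc, os.urandom(32)
    onboard(ledger, exchange, customer)
```

A plain hash of low-entropy fields such as a name and date of birth could be brute-forced from the ledger, so the random 32-byte salt held off-chain is what keeps the on-chain digest unlinkable after erasure. A production design would still need a policy for what is allowed to remain on an immutable chain at all.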

At enterprise level, this would reduce the time associated with customer onboarding and the cost of KYC, increase efficiencies and redirect financial and human resources to more productive and profitable areas of the enterprise’s operations.

Although this solution may benefit smaller exchanges more, as the cost of deploying new technology and building the capabilities to ensure compliance with new regulations would be high for them, it has a far-reaching impact on the industry as a whole. Blockchain would allow the tracking of suspicious or illicit transactions on exchanges as well as deposits to or withdrawals from wallets. Sensitive information about suspicious accounts from third countries can be shared instantaneously. Cryptos can be stored on multiple nodes, lowering the risk of hacks. It would provide a standardised reporting platform between all stakeholders. Most importantly, blockchain promotes transparency, as it represents the ultimate record of truth, an aspect badly needed in the crypto sphere.

From a regulatory point of view, this may lead to crypto exchanges being viewed as trusted partners on a par with banks, facilitating partnership opportunities between the two. Adherence by crypto exchanges to these regulations and directives can legitimise their operations in the many countries that view them with suspicion. It demonstrates a serious commitment by exchanges to work closely with regulators to solve thorny issues.

Ultimately, establishing a blockchain-based consortium within a regulatory framework that ensures compliance with GDPR, AML and CTF is expected to increase mass adoption of cryptocurrencies, stabilising prices and bringing in much-needed funds from mainstream financial institutions and investors.