KYC Customer Onboarding
The KYC (Know Your Customer) module provides a complete customer onboarding and lifecycle management system built for crypto-native businesses. It combines identity verification, document collection, sanctions screening, PEP checks, and adverse media analysis into a single, automated pipeline — with risk-based decisioning that reduces manual review workload while maintaining regulatory compliance.
Overview
Onboarding customers in the crypto industry requires balancing speed (customers expect near-instant access) with thoroughness (regulators expect robust identity verification and risk assessment). The KYC module addresses both:
- Automated pipeline — Customers complete onboarding through a hosted or embedded flow, and the platform handles identity verification, sanctions screening, and risk scoring automatically.
- Risk-based approach — Low-risk customers can be auto-approved in minutes. High-risk customers are flagged for manual review with all relevant data pre-assembled.
- Regulatory coverage — The module is designed to meet the requirements of MiCA (EU), AMLA (EU), FATF Recommendations, 5AMLD/6AMLD, and jurisdiction-specific AML regulations.
The KYC module is designed for customer onboarding and ongoing due diligence. For blockchain address-level compliance (screening wallets, monitoring transactions), see Wallet Screening and Transaction Monitoring.
Customer Creation
Creating a Customer Record
Customers can be created through the dashboard or the API.
Via Dashboard
Navigate to Customers
Go to Dashboard > Customers > New Customer.
Enter Customer Information
Fill in the customer profile:
- Customer Type: Individual or Business
- First Name / Last Name (individuals)
- Legal Entity Name (businesses)
- Email Address
- Date of Birth (individuals)
- Nationality / Country of Incorporation
- Tax ID / Registration Number (optional, for businesses)
Assign Risk Category
Optionally assign an initial risk category based on your internal risk assessment criteria. If left blank, the platform will assign a risk category automatically based on the KYC checks pipeline results.
Save and Initiate KYC
Click Create & Start KYC to save the customer record and automatically begin the KYC checks pipeline.
Via API
POST /api/v1/customers
{
  "type": "individual",
  "first_name": "Maria",
  "last_name": "Garcia",
  "email": "maria.garcia@example.com",
  "date_of_birth": "1990-05-15",
  "nationality": "ES",
  "external_id": "your_internal_id_123"
}
Document Collection and Verification
The KYC module supports collecting and verifying identity documents as part of the onboarding flow.
Supported Document Types
| Document Type | Accepted For | Verification Method |
|---|---|---|
| Passport | Identity verification | OCR + database check |
| National ID Card | Identity verification | OCR + database check |
| Driver's License | Identity verification | OCR + database check |
| Proof of Address | Address verification | OCR + date validation |
| Utility Bill | Address verification (within 3 months) | OCR + date validation |
| Bank Statement | Address verification, source of funds | OCR + date validation |
| Certificate of Incorporation | Business verification | Manual review |
| Articles of Association | Business verification (UBO identification) | Manual review |
| Shareholder Register | UBO verification | Manual review |
Document Upload Flow
Customers can upload documents through:
- Hosted KYC page — A white-labeled page hosted by BlockchainAnalysis.io that you link to from your onboarding flow
- Embedded widget — A JavaScript widget you embed directly in your application
- API upload — Direct file upload via the API for custom integrations
Verification Checks
Uploaded documents undergo the following checks:
- Authenticity — Is the document genuine? Checks for tampering, editing artifacts, and known forgery patterns
- Data extraction — OCR extracts name, date of birth, document number, expiry date, and address
- Cross-reference — Extracted data is compared against the customer profile for consistency
- Expiry validation — Expired documents are flagged (configurable: reject or accept with warning)
- Liveness detection — For selfie-based verification, confirms the image is of a live person (not a photo of a photo)
Document verification provides a strong layer of identity assurance, but no automated system is infallible. High-risk customers or flagged documents should always receive manual review from your compliance team.
Risk-Based Approach
The KYC module uses a four-tier risk classification system:
Risk Categories
| Category | Description | Due Diligence Level | Review Frequency |
|---|---|---|---|
| Low | Customer from low-risk jurisdiction, standard activity profile, no adverse signals | Simplified Due Diligence (SDD) | Annual |
| Medium | Some risk factors present but manageable (e.g., moderate-risk jurisdiction, moderate transaction volume) | Customer Due Diligence (CDD) | Semi-annual |
| High | Significant risk factors (PEP, high-risk jurisdiction, complex ownership, high-value transactions) | Enhanced Due Diligence (EDD) | Quarterly |
| Prohibited | Customer matches sanctions list, located in comprehensively sanctioned jurisdiction, or falls outside risk appetite | Reject / Exit | N/A |
Risk Factor Assessment
The platform evaluates the following factors when determining a customer's risk category:
Customer Factors
- Country of residence / incorporation
- Nationality (for individuals) or jurisdiction of registration (for businesses)
- PEP status (current or former)
- Industry / occupation
- Source of wealth / source of funds
Product/Service Factors
- Transaction volume (expected vs. actual)
- Product types used (spot trading, derivatives, OTC, etc.)
- Use of privacy-enhancing features
Geographic Factors
- FATF grey list / black list status
- EU high-risk third country list
- Transparency International CPI score
- Country-specific sanctions programs
Behavioral Factors
- Transaction patterns (velocity, volume, counterparty diversity)
- Structuring patterns (transactions just below reporting thresholds)
- Rapid movement of funds through the platform
Auto-Decision Engine
The auto-decision engine evaluates the results of all KYC checks and makes an automated disposition decision based on your configured rules.
Decision Outcomes
| Decision | Criteria | Result |
|---|---|---|
| AUTO_APPROVE | All checks pass, low risk score, no adverse signals | Customer is onboarded immediately |
| MANUAL_REVIEW | One or more checks require human judgment (potential PEP, fuzzy sanctions match, adverse media hit) | Customer is queued for compliance review |
| AUTO_REJECT | Direct sanctions match, prohibited jurisdiction, confirmed fraud | Customer is rejected automatically |
| PENDING_DOCUMENTS | Identity checks pass but required documents are missing or expired | Customer is prompted to provide additional documents |
Configuring Auto-Decision Rules
You can customize the auto-decision engine in Settings > KYC Configuration > Decision Rules:
- Sanctions match handling — Choose between auto-reject on exact match only, or also on fuzzy matches above a confidence threshold
- PEP handling — Auto-approve PEPs with enhanced monitoring, or route all PEPs to manual review
- Adverse media handling — Set the severity threshold that triggers manual review
- Risk score thresholds — Define the score boundaries between auto-approve, manual review, and auto-reject
The auto-decision engine is designed to handle the majority of onboarding decisions automatically, freeing your compliance team to focus on genuinely complex cases. Most platforms see 70-85% auto-approval rates with properly configured rules.
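The decision outcomes and the four configurable rules above can be read as an ordered evaluation. The sketch below is an added example, not the platform's own code: the field names, the score scales, the threshold values and the precedence order (hard rejects first, then manual review, then missing documents) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class DecisionRules:
    # Illustrative values (assumptions), not the platform's defaults.
    fuzzy_reject_at: Optional[float] = 0.95  # None = auto-reject exact matches only
    pep_manual_review: bool = True           # False = approve PEPs with enhanced monitoring
    media_review_at: int = 2                 # adverse media severity, assumed 0-3 scale
    approve_below: int = 30                  # risk score, assumed 0-100 scale
    reject_at: int = 85

@dataclass(frozen=True)
class Checks:
    sanctions_confidence: float  # 0.0 = clear, 1.0 = exact match (assumed scale)
    prohibited_jurisdiction: bool
    confirmed_fraud: bool
    is_pep: bool
    media_severity: int
    risk_score: int
    documents_complete: bool

def decide(c: Checks, rules: DecisionRules) -> Tuple[str, bool]:
    """Return (decision, enhanced_monitoring) for one set of check results."""
    # 1. Hard stops are evaluated first so no later branch can approve past them.
    exact = c.sanctions_confidence >= 1.0
    fuzzy = (rules.fuzzy_reject_at is not None
             and c.sanctions_confidence >= rules.fuzzy_reject_at)
    if (exact or fuzzy or c.prohibited_jurisdiction or c.confirmed_fraud
            or c.risk_score >= rules.reject_at):
        return "AUTO_REJECT", False
    # 2. Any signal that needs human judgment goes to the review queue.
    if (c.sanctions_confidence > 0.0
            or (c.is_pep and rules.pep_manual_review)
            or c.media_severity >= rules.media_review_at
            or c.risk_score >= rules.approve_below):
        return "MANUAL_REVIEW", c.is_pep
    # 3. Clean checks but incomplete paperwork.
    if not c.documents_complete:
        return "PENDING_DOCUMENTS", c.is_pep
    # 4. Only a result that survived every branch above is approved.
    return "AUTO_APPROVE", c.is_pep
```

Because the reject branch runs before the document check, a customer with confirmed fraud and missing documents is rejected rather than prompted for more paperwork.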
KYC Checks Pipeline
When a customer record is created and KYC is initiated, the platform runs the following checks in sequence:
1. Identity Verification
Confirms the customer's identity using the submitted documents and personal information.
- Document OCR and data extraction
- Facial comparison (selfie vs. document photo)
- Liveness detection
- Document authenticity checks
2. Sanctions Screening
Screens the customer's name, aliases, and date of birth against all integrated sanctions databases.
- OFAC SDN, EU Consolidated, UN Security Council, and 26+ additional lists
- Fuzzy matching with confidence scoring
- Alias and transliteration support
- See Name & Entity Screening for database details
3. PEP Screening
Checks whether the customer is a Politically Exposed Person:
- Current PEPs — Individuals currently holding a prominent public function
- Former PEPs — Individuals who held a prominent public function within the last 12-24 months (configurable)
- PEP Associates — Close family members and known associates of PEPs
- RCA (Relative or Close Associate) — Individuals with close business or personal relationships with PEPs
4. Adverse Media Screening
Searches global media sources for negative news associated with the customer:
- Financial crime (fraud, embezzlement, corruption)
- Money laundering
- Terrorism
- Drug trafficking
- Tax evasion
- Regulatory enforcement actions
- Other criminal activity
Results are categorized by severity and recency. See Adverse Media Screening for details.
5. Risk Scoring
All check results are aggregated into a composite risk score and risk category assignment. The risk score considers:
- Sanctions screening results (matches, potential matches, clear)
- PEP status and level
- Adverse media findings and severity
- Geographic risk factors
- Customer profile risk factors
6. Decision
The auto-decision engine evaluates the composite results and renders a decision (AUTO_APPROVE, MANUAL_REVIEW, AUTO_REJECT, or PENDING_DOCUMENTS).
Customer Status Lifecycle
Every customer moves through a defined status lifecycle:
CREATED → PENDING_KYC → IN_REVIEW → APPROVED / REJECTED / SUSPENDED
↓
UNDER_REVIEW (periodic re-KYC)
↓
RE_APPROVED / EXITED
Status Definitions
| Status | Description |
|---|---|
| CREATED | Customer record created, KYC not yet initiated |
| PENDING_KYC | KYC checks pipeline is running |
| IN_REVIEW | Auto-decision engine routed to manual review; awaiting compliance officer decision |
| APPROVED | KYC passed; customer is active and can use the platform |
| REJECTED | KYC failed; customer cannot be onboarded |
| SUSPENDED | Previously approved customer suspended due to new risk information |
| UNDER_REVIEW | Periodic re-KYC triggered; customer may continue operating while under review |
| RE_APPROVED | Periodic re-KYC passed; customer continues as active |
| EXITED | Customer relationship terminated (voluntary or compliance-driven) |
A SUSPENDED status should be applied immediately when new information suggests the customer may pose an unacceptable risk — for example, a sanctions listing, law enforcement inquiry, or confirmed fraud. Suspended customers should have their transaction capabilities frozen pending investigation.
Status Transitions
Status transitions are logged in the audit trail with the following metadata:
- Timestamp
- User who initiated the transition (or "SYSTEM" for automated transitions)
- Reason for the transition
- Supporting evidence (linked screening results, documents, notes)
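If you mirror customer status in your own system, the lifecycle and audit metadata above can be enforced together. This is an added sketch, not the platform's code: the `ALLOWED` table is an assumption read off the lifecycle diagram and status definitions, and `Customer`, `change_status` and the entry field names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed transition table, read off the lifecycle diagram and status definitions.
ALLOWED = {
    "CREATED": {"PENDING_KYC"},
    "PENDING_KYC": {"IN_REVIEW", "APPROVED", "REJECTED"},
    "IN_REVIEW": {"APPROVED", "REJECTED"},
    "APPROVED": {"UNDER_REVIEW", "SUSPENDED", "EXITED"},
    "UNDER_REVIEW": {"RE_APPROVED", "SUSPENDED", "EXITED"},
    "RE_APPROVED": {"UNDER_REVIEW", "SUSPENDED", "EXITED"},
    "SUSPENDED": {"APPROVED", "EXITED"},
    "REJECTED": set(),  # terminal
    "EXITED": set(),    # terminal
}

class TransitionError(ValueError):
    """Raised when a status change is not permitted or not auditable."""

@dataclass
class Customer:
    customer_id: str
    status: str = "CREATED"
    audit_trail: list = field(default_factory=list)

def change_status(customer, new_status, actor, reason, evidence_ids=()):
    """Apply one transition and append its audit entry; actor is a user id or "SYSTEM"."""
    if new_status not in ALLOWED.get(customer.status, set()):
        raise TransitionError(f"{customer.status} -> {new_status} is not allowed")
    if not actor or not reason.strip():
        raise TransitionError("actor and reason are mandatory audit fields")
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "from": customer.status,
        "to": new_status,
        "reason": reason.strip(),
        "evidence_ids": list(evidence_ids),
    }
    # Record and state change happen together, so no transition goes unlogged.
    customer.audit_trail.append(entry)
    customer.status = new_status
    return entry
```

Treating REJECTED and EXITED as terminal means a rejected customer cannot be moved straight to APPROVED; re-onboarding would need a new record and a fresh KYC run.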
Ongoing Due Diligence
KYC is not a one-time event. Regulatory frameworks require ongoing monitoring of customer risk:
Periodic Re-KYC
The platform automatically triggers re-KYC reviews based on the customer's risk category:
| Risk Category | Re-KYC Frequency | Scope |
|---|---|---|
| Low | Every 36 months | Sanctions re-screen, PEP re-check |
| Medium | Every 12 months | Full re-screen including adverse media |
| High | Every 6 months | Full re-screen + manual review |
Event-Driven Reviews
Re-KYC can also be triggered by specific events:
- Customer's transaction volume exceeds expected patterns
- Customer's address country changes
- New sanctions listing matches a customer name
- Adverse media alert triggers for a customer
- Law enforcement or regulatory inquiry received
- Manual trigger by compliance officer
Regulatory Compliance
The KYC module is designed to meet the requirements of the following regulatory frameworks:
MiCA (Markets in Crypto-Assets Regulation)
- Article 68 — Record-keeping requirements for customer identification data
- Article 79 — CDD requirements for CASPs, including identity verification and ongoing monitoring
AMLA (Anti-Money Laundering Authority Regulation)
- Centralized EU AML supervision standards
- Harmonized CDD requirements across EU member states
- Beneficial ownership transparency requirements
FATF Recommendations
- Recommendation 10 — Customer due diligence
- Recommendation 12 — Politically Exposed Persons
- Recommendation 19 — Higher-risk countries
- Recommendation 20 — Suspicious transaction reporting
5AMLD / 6AMLD
- Expanded definition of obliged entities to include VASPs
- Enhanced CDD for high-risk third countries
- Beneficial ownership register requirements
- Whistleblower protection provisions
Regulatory compliance is a shared responsibility. The KYC module provides the technical infrastructure and automated checks, but your compliance team is responsible for defining risk appetite, reviewing flagged cases, and ensuring that the configuration aligns with your specific regulatory obligations and jurisdiction.
API Reference
Create Customer
POST /api/v1/customers
Get Customer
GET /api/v1/customers/{customer_id}
Update Customer
PATCH /api/v1/customers/{customer_id}
List Customers
GET /api/v1/customers?status=APPROVED&risk_category=HIGH&page=1&limit=50
Initiate KYC
POST /api/v1/customers/{customer_id}/kyc
Get KYC Status
GET /api/v1/customers/{customer_id}/kyc/status
Upload Document
POST /api/v1/customers/{customer_id}/documents
Content-Type: multipart/form-data
Change Customer Status
POST /api/v1/customers/{customer_id}/status
{
  "status": "SUSPENDED",
  "reason": "New sanctions listing match detected",
  "evidence_ids": ["ns_abc123", "ft_def456"]
}
For full API documentation including request/response schemas, see the API Reference.
Best Practices
- Configure auto-decision rules before going live — The default rules are conservative. Review and adjust the thresholds to match your risk appetite and regulatory requirements before onboarding real customers.
- Set up re-KYC schedules — Ongoing monitoring is a regulatory requirement, not optional. Ensure periodic re-KYC is configured for all risk categories.
- Train your compliance team on manual review — The platform assembles all relevant data for manual review cases, but your team needs to understand how to interpret sanctions matches, PEP classifications, and adverse media results.
- Document your risk-based approach — Regulators expect a documented methodology for how you classify customer risk. Use the risk category definitions as a starting point and customize for your business.
- Link wallet screening to customer records — Associate blockchain addresses screened through Wallet Screening with the corresponding customer record to build a complete compliance profile.
- Archive rejected and exited customers — Maintain records of rejected and exited customers for the retention period required by your jurisdiction (typically 5 years after the relationship ends).