Someone downloads your app, funds an account in their head, and starts the sign-up. They enter their name, address and date of birth. Your crypto KYC check runs against credit reference data, finds nothing it trusts, and stops them. They were genuine and eligible. They were ready to deposit. Thirty seconds later they have closed the app, and the exchange they try next gets the deposit you lost.
Crypto sign-up flows are fragile in a way few other sectors are. The user is often young, recently arrived in the country, or simply not visible in credit data. The check reads that absence as a fail. At the same time, the Financial Conduct Authority treats crypto as a higher-risk sector, so the temptation is to make checks heavier rather than smarter. Making checks heavier tends to lose more genuine users than it catches bad actors. The lost user is a measurable line of revenue, and recovering them does not mean loosening a single control.
Genuine crypto users fail because first-pass checks usually rely on credit reference data, and crypto attracts the exact people that data misses. Younger users, recent arrivals to the UK, and people who use little formal credit have thin files or no footprint at all. The check finds no match and returns a fail, even when the person is real and eligible to onboard.
Thin-file users are not a fringe. The Financial Conduct Authority and gov.uk estimate around 7.1 million UK adults, roughly one in seven, are financially excluded. Not all of them use crypto, and not all are invisible to every data source. The point holds: a real population of eligible adults will not match cleanly against credit records, and a credit-only check treats that silence as a failure.
UK cryptoasset businesses must register with the Financial Conduct Authority under the Money Laundering Regulations for anti-money-laundering supervision, a requirement in force since January 2020. Registration commits a firm to customer due diligence, including identity verification against a reliable, independent source. The rules set a standard of assurance without mandating any single data source.
That distinction is where the conversion opportunity sits. A firm that verifies a user against bank, mobile network or public sector data meets the same obligation as one relying on a credit reference check, and reaches more genuine users while doing it. The UK Travel Rule, in force since September 2023, adds a separate duty to collect and pass on originator and beneficiary information with cryptoasset transfers. That is a transaction-data obligation and sits alongside identity verification rather than replacing it.
A new regime is coming. It will raise the bar on top of the current rules, which stay in place. HM Treasury is bringing cryptoasset activities inside the Financial Services and Markets Act framework. The FCA has set out an authorisation gateway expected to open on 30 September 2026 and close on 28 February 2027, with the regime expected in force around 25 October 2027. Firms that build credible, explainable KYC now will move into authorisation from a stronger position. The MLR registration and Travel Rule duties stay in force in the meantime.
The EU’s Markets in Crypto-Assets regulation sits outside this. MiCA applies to crypto-asset service providers established in the EU and does not bind UK firms. It matters only as cross-border context: a UK firm serving EU users, or planning to, will meet EU expectations on top of the UK regime, not instead of it.
The Money Laundering Regulations 2017 require firms to verify identity against a source that is reliable and independent of the customer (Regulation 28). In practice, electronic verification meets this through the industry “2+2” convention: matching at least two identity attributes against at least two independent, reliable data sources. The phrase “2+2” appears nowhere in statute. JMLSG and HMRC guidance is the benchmark for what counts as reliable.
The convention itself is fine. The weakness is in how most firms source the two matches. If both sources are credit reference agencies, a user with no credit footprint fails twice for the same reason. HMRC guidance is explicit that a single-source electronic check is not normally enough on its own (HMRC ECSH33357), which is why firms reach for more than one source. The opening is to widen what those sources are.
In practice, you run a second pass over only the records that failed the first check, against independent data sources beyond the credit reference agencies. The assurance bar stays exactly where the regulator set it, while the pool of data used to clear it widens, so genuine users who were invisible to credit data get matched and onboarded.
The reason a genuine user failed the first time is usually absence of data in one place, not a real risk signal. Bank-held records, mobile network data, insurance policy and claims data, public sector records and finance application data each cover people that credit files miss. Match the identity attributes across those, and the user who abandoned at the ID check clears in the same session, with no document upload and no selfie.
The first check still does most of the work, because the second pass applies only by exception to the users who failed a credit reference check. That keeps cost and friction off the majority who pass cleanly and concentrates effort where the recovery sits. For the user, none of this is visible. They tap through, the additional check runs in the background, and they reach a funded account without being sent off to photograph a passport.
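The second pass by exception described above, sketched as an added example (not OneID's code or API). The source labels, the sample records and the reading of 2+2 as "a source counts when at least two of name, address and date of birth match" are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical source labels. First pass: credit reference agencies (CRAs) only.
FIRST_PASS = ("cra_a", "cra_b")
SECOND_PASS = ("bank", "mobile_network", "public_sector")

# Constructed sample data: attributes each source would match for an applicant.
SAMPLE = {
    "thick_file": {"cra_a": {"name", "address", "dob"}, "cra_b": {"name", "address"}},
    "thin_file": {"bank": {"name", "address", "dob"}, "mobile_network": {"name", "dob"}},
    "one_source": {"bank": {"name", "address"}, "mobile_network": {"name"}},
}

@dataclass(frozen=True)
class SourceResult:
    source: str
    matched: frozenset  # subset of {"name", "address", "dob"}; no raw values kept

def sample_lookup(applicant, source):
    """Stand-in for a real data-source query (assumption)."""
    return SourceResult(source, frozenset(SAMPLE[applicant].get(source, ())))

def two_plus_two(results, min_attrs=2, min_sources=2):
    """Assumed reading of 2+2: a source counts when >= min_attrs attributes match."""
    evidence = {r.source: sorted(r.matched) for r in results
                if len(r.matched) >= min_attrs}
    return len(evidence) >= min_sources, evidence

def verify(applicant, lookup=sample_lookup):
    first = [lookup(applicant, s) for s in FIRST_PASS]
    passed, evidence = two_plus_two(first)
    if passed:
        return {"passed": True, "stage": "first_pass", "evidence": evidence}
    # Exception path only: same thresholds, wider pool of sources.
    # Assumption: qualifying first-pass matches still count toward the total.
    second = [lookup(applicant, s) for s in SECOND_PASS]
    passed, evidence = two_plus_two(first + second)
    return {"passed": passed, "stage": "second_pass", "evidence": evidence}

if __name__ == "__main__":
    for applicant in SAMPLE:
        print(applicant, verify(applicant))
```

The returned evidence names the sources and attributes that matched without storing the identity values themselves, and the thresholds are identical on both passes, so a single qualifying source still fails.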
| What strong crypto KYC needs | Why it matters under FCA scrutiny |
| --- | --- |
| Verification against multiple independent sources | Meets and exceeds 2+2 without relying on credit data alone |
| Explainable match evidence per user | Outcomes stand up when a regulator assumes higher risk |
| Recovery of thin-file users by exception | Lifts verified onboarding without weakening the control |
| Minimal identity data retention | Limits breach surface in a high-risk environment |
| Real-time and batch delivery | Recover users live, or remediate an existing book before authorisation |
No. Identity matching performs one part of customer due diligence. It confirms a user’s name, address and date of birth against reliable, independent sources to a standard the firm configures. It does not replace the wider duties a crypto firm keeps: customer risk assessment, source of funds where required, ongoing monitoring, sanctions screening, and the Travel Rule data obligations on transfers.
gov.uk guidance on using digital identities with the Money Laundering Regulations is clear that a certified provider is a reliable, independent source for the identity step, while the firm remains responsible for the rest and ultimately liable. Stronger identity verification improves the quality of one stage out of several, and no firm should treat it as if it discharges the wider duties.
Strong crypto KYC verifies users against multiple independent data sources, returns explainable evidence on every match, recovers thin-file users by exception rather than friction, holds minimal identity data, and runs both live and in bulk. Judge any provider against those five points before the integration, not after.
OneID is a digital verification services provider certified under the UK’s Digital Verification Services Trust Framework. Its KYC Match service returns a configurable count of independent data-source matches across name, address and date of birth, drawing on banks, mobile networks, insurance data, public sector records, finance applications and credit reference agencies, in whatever combination a firm configures. It runs as a real-time API at onboarding or as a batch wash over an existing dataset. Crypto KYC built to survive scrutiny and scale adoption, applied by exception when users fail traditional credit reference checks.
The cleanest way to size this is on your own data. Compare KYC Match against your existing provider on the records that matter. Send name, address and date of birth for users who failed your current check, see the match counts returned across independent sources, and read that against your present pass rate. You will see exactly how many of your failed users were genuine, eligible customers you could have onboarded without loosening a single control.
OneID offers a free 1,000-record comparison so you can run this without commitment. To set it up, or to talk through how this fits your onboarding flow, contact OneID.
UK cryptoasset businesses must register with the Financial Conduct Authority under the Money Laundering Regulations, in force since January 2020, and carry out customer due diligence including identity verification against a reliable, independent source. The rules set a standard of assurance rather than naming one data source, so firms can use bank, mobile or public sector data to meet it.
No. “2+2” is an industry convention, not a statutory term. The Money Laundering Regulations 2017 (Regulation 28) require verifying identity against a source independent of the customer. In practice, electronic verification meets this by matching at least two attributes against at least two independent, reliable sources. JMLSG and HMRC guidance is the benchmark.
Genuine users fail because first-pass checks often rely on credit reference data, and many real users have thin files or no footprint. Around 7.1 million UK adults, roughly one in seven, are financially excluded per gov.uk and FCA estimates. Younger users and recent arrivals, common in crypto, are over-represented, so a credit-only check reads absence of data as a failure.
No. The UK Travel Rule, in force since September 2023, requires firms to collect and pass on originator and beneficiary information with cryptoasset transfers. It is a transaction-data duty that sits alongside identity verification. A firm still has to verify who its users are under the Money Laundering Regulations, and the Travel Rule applies on top.
No. The EU’s Markets in Crypto-Assets regulation applies to crypto-asset service providers established in the EU. UK firms follow the UK regime: FCA registration under the Money Laundering Regulations now, with a new Financial Services and Markets Act regime coming. MiCA matters only as cross-border context for UK firms serving EU users.
No. It performs the identity-matching step only. Crypto firms keep responsibility for customer risk assessment, source of funds where required, ongoing monitoring, sanctions screening and Travel Rule data on transfers. A certified provider is a reliable source for the identity step under current gov.uk guidance, and the firm remains ultimately liable for the rest.