Crypto KYC: Onboard More Users Without Weakening Your Checks

Written by The OneID Team® | 01/07/26 07:20

Someone downloads your app, funds an account in their head, and starts the sign-up. They enter their name, address and date of birth. Your crypto KYC check runs against credit reference data, finds nothing it trusts, and stops them. They were genuine and eligible. They were ready to deposit. Thirty seconds later they have closed the app, and the exchange they try next gets the deposit you lost.

Crypto sign-up flows are fragile in a way few other sectors are. The user is often young, recently arrived in the country, or simply not visible in credit data. The check reads that absence as a fail. At the same time, the Financial Conduct Authority treats crypto as a higher-risk sector, so the temptation is to make checks heavier rather than smarter. Making checks heavier tends to lose more genuine users than it catches bad actors. The lost user is a measurable line of revenue, and recovering them does not mean loosening a single control.

Why do genuine crypto users fail KYC checks?

Genuine crypto users fail because first-pass checks usually rely on credit reference data, and crypto attracts the exact people that data misses. Younger users, recent arrivals to the UK, and people who use little formal credit have thin files or no footprint at all. The check finds no match and returns a fail, even when the person is real and eligible to onboard.

Thin-file users are not a fringe. The Financial Conduct Authority and gov.uk estimate around 7.1 million UK adults, roughly one in seven, are financially excluded. Not all of them use crypto, and not all are invisible to every data source. The point holds: a real population of eligible adults will not match cleanly against credit records, and a credit-only check treats that silence as a failure.

What KYC does the FCA require from UK crypto firms?

UK cryptoasset businesses must register with the Financial Conduct Authority under the Money Laundering Regulations for anti-money-laundering supervision, a requirement in force since January 2020. Registration commits a firm to customer due diligence, including identity verification against a reliable, independent source. The rules set a standard of assurance without mandating any single data source.

That distinction is where the conversion opportunity sits. A firm that verifies a user against bank, mobile network or public sector data meets the same obligation as one relying on a credit reference check, and reaches more genuine users while doing it. The UK Travel Rule, in force since September 2023, adds a separate duty to collect and pass on originator and beneficiary information with cryptoasset transfers. That is a transaction-data obligation and sits alongside identity verification rather than replacing it.

What is changing in UK crypto regulation

A new regime is coming. It will raise the bar on top of the current rules, which stay in place. HM Treasury is bringing cryptoasset activities inside the Financial Services and Markets Act framework. The FCA has set out an authorisation gateway expected to open on 30 September 2026 and close on 28 February 2027, with the regime expected in force around 25 October 2027. Firms that build credible, explainable KYC now will move into authorisation from a stronger position. The MLR registration and Travel Rule duties stay in force in the meantime.

The EU’s Markets in Crypto-Assets regulation sits outside this. MiCA applies to crypto-asset service providers established in the EU and does not bind UK firms. It matters only as cross-border context: a UK firm serving EU users, or planning to, will meet EU expectations on top of the UK regime, not instead of it.

What is the “2+2” convention in crypto KYC?

The Money Laundering Regulations 2017 require firms to verify identity against a source that is reliable and independent of the customer (Regulation 28). In practice, electronic verification meets this through the industry “2+2” convention: matching at least two identity attributes against at least two independent, reliable data sources. The phrase “2+2” appears nowhere in statute. JMLSG and HMRC guidance is the benchmark for what counts as reliable.

The convention itself is fine. The weakness is in how most firms source the two matches. If both sources are credit reference agencies, a user with no credit footprint fails twice for the same reason. HMRC guidance is explicit that a single-source electronic check is not normally enough on its own (HMRC ECSH33357), which is why firms reach for more than one source. The opening is to widen what those sources are.

How do crypto firms onboard more users without lowering the bar?

In practice, you run a second pass over only the records that failed the first check, against independent data sources beyond the credit reference agencies. The assurance bar stays exactly where the regulator set it, while the pool of data used to clear it widens, so genuine users who were invisible to credit data get matched and onboarded.

The reason a genuine user failed the first time is usually absence of data in one place, not a real risk signal. Bank-held records, mobile network data, insurance policy and claims data, public sector records and finance application data each cover people that credit files miss. Match the identity attributes across those, and the user who abandoned at the ID check clears in the same session, with no document upload and no selfie.

The first check still does most of the work, because the second pass applies only by exception to the users who failed a credit reference check. That keeps cost and friction off the majority who pass cleanly and concentrates effort where the recovery sits. For the user, none of this is visible. They tap through, the additional check runs in the background, and they reach a funded account without being sent off to photograph a passport.
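The by-exception flow described above, sketched as an added example (not OneID's code or API). It assumes one reading of "2+2", where a source counts once it matches at least two attributes and two such sources clear the bar, that first-pass and second-pass results are judged together, and hypothetical source labels and constructed sample data.

```python
from dataclasses import dataclass

MIN_ATTRS = 2    # assumed reading of "2+2": attributes that must agree in one source
MIN_SOURCES = 2  # independent sources that must each clear MIN_ATTRS

@dataclass(frozen=True)
class SourceResult:
    source: str         # hypothetical source label
    matched: frozenset  # subset of {"name", "address", "dob"}; empty = no record

def evaluate(results):
    """Apply the fixed bar. Evidence keeps source and attribute names, never values."""
    evidence = {r.source: sorted(r.matched)
                for r in results if len(r.matched) >= MIN_ATTRS}
    return len(evidence) >= MIN_SOURCES, evidence

def verify(applicant_id, first_pass, second_pass):
    """first_pass and second_pass are lookups returning a list of SourceResult."""
    results = list(first_pass(applicant_id))
    passed, evidence = evaluate(results)
    stage = "first"
    if not passed:
        # By exception: only a first-pass failure reaches the wider sources,
        # and the combined results are judged against the same bar.
        results += second_pass(applicant_id)
        passed, evidence = evaluate(results)
        stage = "second"
    return {"passed": passed, "stage": stage, "evidence": evidence}

# Constructed sample data: two credit reference agencies, then bank and mobile data.
_ALL = frozenset({"name", "address", "dob"})
_NONE = frozenset()
CREDIT = {"established": [_ALL, _ALL], "thin_file": [_NONE, _NONE], "unknown": [_NONE, _NONE]}
WIDER = {"thin_file": [_ALL, frozenset({"name", "dob"})], "unknown": [_NONE, _NONE]}
second_pass_calls = []

def credit_lookup(applicant_id):
    a, b = CREDIT[applicant_id]
    return [SourceResult("cra_a", a), SourceResult("cra_b", b)]

def wider_lookup(applicant_id):
    second_pass_calls.append(applicant_id)
    bank, mobile = WIDER[applicant_id]
    return [SourceResult("bank", bank), SourceResult("mobile_network", mobile)]

def run_demo():
    second_pass_calls.clear()
    return {a: verify(a, credit_lookup, wider_lookup) for a in CREDIT}

if __name__ == "__main__":
    for applicant, outcome in run_demo().items():
        print(applicant, outcome)
```

The applicant with no record anywhere still fails after the second pass, and the applicant who cleared the first pass never reaches the wider lookup.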

| What strong crypto KYC needs | Why it matters under FCA scrutiny |
| --- | --- |
| Verification against multiple independent sources | Meets and exceeds 2+2 without relying on credit data alone |
| Explainable match evidence per user | Outcomes stand up when a regulator assumes higher risk |
| Recovery of thin-file users by exception | Lifts verified onboarding without weakening the control |
| Minimal identity data retention | Limits breach surface in a high-risk environment |
| Real-time and batch delivery | Recover users live, or remediate an existing book before authorisation |

Does identity verification cover all of a crypto firm’s AML duties?

No. Identity matching performs one part of customer due diligence. It confirms a user’s name, address and date of birth against reliable, independent sources to a standard the firm configures. It does not replace the wider duties a crypto firm keeps: customer risk assessment, source of funds where required, ongoing monitoring, sanctions screening, and the Travel Rule data obligations on transfers.

gov.uk guidance on using digital identities with the Money Laundering Regulations is clear that a certified provider is a reliable, independent source for the identity step, while the firm remains responsible for the rest and ultimately liable. Stronger identity verification improves the quality of one stage out of several, and no firm should treat it as if it discharges the wider duties.

What strong crypto KYC looks like, and where OneID fits

Strong crypto KYC verifies users against multiple independent data sources, returns explainable evidence on every match, recovers thin-file users by exception rather than friction, holds minimal identity data, and runs both live and in bulk. Judge any provider against those five points before the integration, not after.

OneID is a digital verification services provider certified under the UK’s Digital Verification Services Trust Framework. Its KYC Match service returns a configurable count of independent data-source matches across name, address and date of birth, drawing on banks, mobile networks, insurance data, public sector records, finance applications and credit reference agencies, in whatever combination a firm configures. It runs as a real-time API at onboarding or as a batch wash over an existing dataset. It is crypto KYC built to survive scrutiny and scale adoption, applied by exception when users fail traditional credit reference checks.

See the recovery on your own users

The cleanest way to size this is on your own data. Compare KYC Match against your existing provider on the records that matter. Send name, address and date of birth for users who failed your current check, see the match counts returned across independent sources, and read that against your present pass rate. You will see exactly how many of your failed users were genuine, eligible customers you could have onboarded without loosening a single control.

OneID offers a free 1,000-record comparison so you can run this without commitment. To set it up, or to talk through how this fits your onboarding flow, contact OneID.

Frequently asked questions

What KYC do UK crypto firms have to do?

UK cryptoasset businesses must register with the Financial Conduct Authority under the Money Laundering Regulations, in force since January 2020, and carry out customer due diligence including identity verification against a reliable, independent source. The rules set a standard of assurance rather than naming one data source, so firms can use bank, mobile or public sector data to meet it.

Is the “2+2” rule a legal requirement for crypto KYC?

No. “2+2” is an industry convention, not a statutory term. The Money Laundering Regulations 2017 (Regulation 28) require verifying identity against a source independent of the customer. In practice, electronic verification meets this by matching at least two attributes against at least two independent, reliable sources. JMLSG and HMRC guidance is the benchmark.

Why do genuine crypto users fail KYC?

Genuine users fail because first-pass checks often rely on credit reference data, and many real users have thin files or no footprint. Around 7.1 million UK adults, roughly one in seven, are financially excluded per gov.uk and FCA estimates. Younger users and recent arrivals, common in crypto, are over-represented, so a credit-only check reads absence of data as a failure.

Does the UK Travel Rule replace KYC?

No. The UK Travel Rule, in force since September 2023, requires firms to collect and pass on originator and beneficiary information with cryptoasset transfers. It is a transaction-data duty that sits alongside identity verification. A firm still has to verify who its users are under the Money Laundering Regulations, and the Travel Rule applies on top.

Does MiCA apply to UK crypto firms?

No. The EU’s Markets in Crypto-Assets regulation applies to crypto-asset service providers established in the EU. UK firms follow the UK regime: FCA registration under the Money Laundering Regulations now, with a new Financial Services and Markets Act regime coming. MiCA matters only as cross-border context for UK firms serving EU users.

Does identity verification cover all of a crypto firm’s AML obligations?

No. It performs the identity-matching step only. Crypto firms keep responsibility for customer risk assessment, source of funds where required, ongoing monitoring, sanctions screening and Travel Rule data on transfers. A certified provider is a reliable source for the identity step under current gov.uk guidance, and the firm remains ultimately liable for the rest.

 

References

  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulation 28 (customer due diligence: reliable, independent source).
  • FCA registration of cryptoasset businesses under the Money Laundering Regulations, in force since January 2020 (FCA cryptoasset AML supervision).
  • UK Travel Rule for cryptoasset transfers, in force since September 2023 (Money Laundering Regulations transfer-of-funds requirements).
  • HM Treasury / FCA new cryptoasset regime under the Financial Services and Markets Act: authorisation gateway expected 30 September 2026 to 28 February 2027, regime expected in force around 25 October 2027.
  • EU Markets in Crypto-Assets Regulation (MiCA): applies to EU-established crypto-asset service providers, applicable from 30 December 2024, EU CASP transition ending 1 July 2026. Cross-border context only; does not bind UK firms.
  • HMRC Economic Crime Supervision Handbook, ECSH33357 (electronic verification: data from multiple sources; single-source not normally sufficient).
  • gov.uk, “Using digital identities with the Money Laundering Regulations”: certified DVS providers as a reliable source for the identity step; firm remains responsible and liable.
  • gov.uk and FCA financial inclusion data (financially excluded UK adults, approximately 7.1 million / one in seven).