KYC for ICO
The majority of ICOs that happened earlier in 2018 and in 2017 did not use any KYC tools, and had no idea who their participants were (here we don’t count ICO pre-sales and private sales, where ICO organizers obviously had personal contacts with early contributors and knew them well).
This fact created a major compliance problem down the road simply because regulators, tax authorities, auditors and financial partners are going to be asking the same question over and over again: How do you know that your company is not funded by dirty money?
This is exactly why so many high profile Swiss-based ICO foundations are now (thinking about) trying to retroactively validate and verify their participants.
So, what would be the best AML/KYC practices for raising money via ICO? Here is your step-by-step-guide:
1. Have a pre-registration site and ask the participants the following questions:
- Full name
- Date of birth
- Nationality
- Phone number
- Country of residence.
Ideally try to use “login with Facebook” or another login via social network functionality option. It would save some time for the users who don’t have to type in all the info, and at the same time, it will give you an important data point about your future participant. Please note, that this initial login via social network does not mean that you will have forever access to the social feed of your participants. You should not create any kind of permanent remembered login, because you don’t want potentially compromised social media accounts to impact your security. All you are doing here is trying to improve registration experience.
Ask the user to create a strong password and make sure that it is really strong.
You don’t need to ask users to upload any documents, ID copies or utility bills at this stage. You don’t need video or selfie verification yet.
2. Install online fraud management and AML scanning tools and run the following basic checks (most of those can be done in real time or within seconds via APIs):
- Scan the first names against the list of celebrity names, brand names and abusive names. You would be surprised how many of people register as Peter Pan or Donald Trump or Red Cross. And I am not even talking about all kinds or inappropriate sexually suggestive language. Your scanning tool should be able to identify and flag those bogus names and you can probably setup automatic message to these customers telling them politely to verify and resubmit their information, otherwise they would not be able to participate in the ICO.
- Run API verification for the combination of “full name+ date of birth + nationality + country of residence” against the sanctions list to make sure your participants are not on the terrorist lists. These services are widely available, cost just a few hundred dollars for the one-time screening of all your customer database, the response time is a few seconds and you are going to avoid a lot of headaches.
- Your fraud management tool must record all information about the first session of your participants when they register with you: what was their device and IP location, does their IP location match to the phone number country prefix and the country of residence information they gave you, what was the default language of their device, have they used VPN or any disguising techniques to hide their location, etc. Statistically speaking, information about “machine fingerprint” of your participants during their first registration session with you will dramatically improve your ability to predict and manage future risks of hacking, account takeovers or other forms of online fraud. Amazon, PayPal, AliPay and all major online players do these checks all the time, it’s not a rocket science. Within a few seconds your fraud tool will flag for you a few potentially risky participants and you can decide if you want to let them be or block them from future participation.
- At this stage you don’t yet know, if people who registered are really going to participate in the ICO and contribute, but at least you are making sure that they are eligible when the time comes, they are 18 years old, they are not from countries that you don’t want to support. It will save you a lot of time when the ICO is actually running, and if it is over-subscribed you can de-activate the suspicious participants or participants from the US or participants who refused to admit their real name was not Peter Pan. You don’t have to validate all participants information at that stage, and the efforts you do with automated tools and checks are most likely sufficient for the time being.
3. ICO runs. Hopefully it is over-subscribed and everyone is super happy. From the compliance side, you are well protected already, because you followed the previous steps with minimal inconvenience for your participants, but you would be able to demonstrate to anyone challenging you in the future about “how do you know you have not build your company with Silk Road money”. Yes, some participants would refuse to register, because they want full anonymity. But if you are building a solid business with a long-term ambition, do you really want them?
4. Now, depending on where your ICO is established and what is the nature of your future business, you may need to do additional verification for some of your largest contributors. You will have potentially a few months to do it, they already have a stake in your ICO and hopefully they would not mind to tell you their real address or perform a selfie verification, if needed. It’s good for their own security, after all.
P.S. If you would like more information about digital KYC, onboarding requirements, AML tools and field validation, feel free to grab your FREE pdf Checklist by following the link below.
Want to learn more about digital KYC? – download my FREE Checklist NOW