KYC Explained: Why Exchanges Want Your ID

The first time an exchange asked me to upload a photo of my passport, I closed the tab. Six years later I’ve done KYC on roughly fifteen platforms and I’ve stopped flinching at it — but I also understand exactly what I’m handing over, what they do with it, and where it’s gone wrong before. Most people don’t. Most people upload an ID, tick a box, and hope for the best. If that’s you, this post will give you the actual mechanics: what KYC is, why exchanges demand it, what the risk is, and what’s possible without it.

Short answer: KYC stands for Know Your Customer. It’s the process where a crypto exchange verifies who you are — usually by collecting an ID document, a selfie or video, and sometimes proof of address. Exchanges do it because regulators in almost every major country require them to, mainly to prevent money laundering, sanctions evasion, and terrorist financing. Most centralised exchanges have multiple KYC tiers — basic verification unlocks trading, full verification unlocks higher withdrawal limits. Decentralised exchanges and most peer-to-peer markets don’t require KYC.

Open a BitGet account → (affiliate link) — basic KYC usually clears the same day.


Key takeaways

  • KYC is identity verification required by financial regulators — not invented by the exchanges themselves.
  • Most major CEXs use 2–3 tiers: basic (email + ID), intermediate (proof of address), full (enhanced verification for higher limits).
  • The 2020 Ledger data leak exposed personal data of over 270,000 customers, including home addresses — a real example of why KYC data matters.
  • You can still trade crypto without KYC via DEXs, peer-to-peer markets, and some smaller platforms — but with significant trade-offs.
  • Tax authorities are increasingly receiving KYC data directly from exchanges. Assume your activity is visible.

What KYC actually is (and why regulators require it)

KYC is shorthand for Know Your Customer — a regulatory requirement that financial businesses must verify the identity of their users before letting them transact in size.

It exists because regulators decided, decades ago, that anonymous financial accounts make life too easy for criminals. The framework is part of a broader set of rules called AML (Anti-Money Laundering) and CTF (Counter-Terrorist Financing). Banks have been doing KYC since the 1970s. When crypto exchanges started looking like banks — taking deposits, processing transactions, holding customer funds — regulators required them to do the same.

The legal pressure mostly comes from three places:

  • The Financial Action Task Force (FATF) — an intergovernmental body that sets global AML standards. Their guidance on Virtual Asset Service Providers (VASPs) since 2019 has been adopted by most major jurisdictions. Per the FATF’s Virtual Asset Travel Rule, crypto exchanges are now required to share customer information for transactions over certain thresholds.
  • National financial regulators — FinCEN in the US, the FCA in the UK, BaFin in Germany, MAS in Singapore. Each has its own crypto AML rules, but most align with FATF.
  • The EU’s MiCA framework — which standardised crypto exchange regulation across the EU and includes strict KYC requirements.

This isn’t BitGet or Binance wanting your data because they’re nosy. It’s the law in basically every country with a working financial system. An exchange that doesn’t do KYC gets banned, fined, or shut down. Bittrex and Bitfinex have both eaten regulator fines in the hundreds of millions for AML failures.

That doesn’t mean the system is perfect or that there’s no downside for you. It just means the demand for your ID isn’t coming from the exchange. It’s coming from the people who let the exchange operate.


The 3 tiers most exchanges use (basic, intermediate, full)

Most major centralised exchanges use a tiered KYC system. Each tier unlocks higher limits and more features.

Tier 1 — Basic

What it requires:
– Email address
– Phone number
– Sometimes a single ID photo

What it unlocks:
– Account creation
– Spot trading on a CEX
– Low-limit deposits and withdrawals (often $1,000–10,000/day)

This is the lightest level of verification. Some exchanges allow trading at this tier; others require Tier 2 before you can trade in any meaningful size.

Tier 2 — Intermediate

What it requires:
– Full ID document (passport, driver’s licence, or national ID card)
– Live selfie or short video
– Sometimes proof of address (utility bill, bank statement)

What it unlocks:
– Higher deposit and withdrawal limits (often $50,000–500,000/day)
– Fiat on-ramp (card and bank deposits)
– All standard trading products

This is what most retail users complete. Verification usually takes a few hours to a day. BitGet, Binance, and Coinbase all sit roughly at this level for their main customer base. The BitGet review walks through the BitGet KYC flow in detail.

Tier 3 — Full / Enhanced

What it requires:
– Everything in Tier 2
– Proof of source of funds (bank statements, pay slips)
– Sometimes additional documentation or a video interview

What it unlocks:
– Unlimited withdrawals
– OTC trading
– VIP programs
– Institutional features

Most retail users never need Tier 3 unless they’re trading six-figure size regularly.

The tier structure isn’t standardised — different exchanges use different names and thresholds. But the pattern is consistent: more verification, more limits, more product access.


What documents you’ll need

For a standard Tier 2 KYC, expect to provide:

  1. A government-issued ID — passport, driving licence, or national ID card. Must be in date.
  2. A selfie or short video — usually with you holding the ID or a hand-written note with the date and exchange name.
  3. Proof of address (sometimes) — a utility bill, bank statement, or council tax bill issued in the last 90 days, showing your full name and address.

Tips from doing this a dozen times:

  • Use a passport if you have one. It’s recognised everywhere and processes faster than a driving licence.
  • Take photos in bright natural light, against a plain background. Make sure all four corners of the ID are in frame.
  • For the selfie, look directly at the camera. Don’t smile too hard — facial recognition systems work better with neutral expressions.
  • For proof of address, a recent utility bill is the safest bet. Bank statements work but some exchanges require them to be on letterhead.

If KYC fails, it’s almost always because of poor photo quality, an expired document, or a mismatch between the ID and proof of address. Most exchanges let you retry within a few hours.


What happens to your data (exchange-side storage)

Once you upload your ID, your data lives on the exchange’s servers — or on the servers of a third-party KYC provider the exchange uses (Sumsub, Jumio, Onfido, Veriff are the big names).

Typically the exchange stores:

  • A copy of your ID document
  • Your selfie or verification video
  • The metadata associated with verification (timestamp, IP address, device fingerprint)
  • A risk score generated by their compliance system

Most major exchanges encrypt this data at rest, store it in secure regions, and limit internal access. Most also retain the data for several years even after you close your account — because AML rules require record-keeping for typically 5–7 years.

That means even if you delete your exchange account, your KYC data is still sitting on their servers. There’s no “right to be forgotten” override for AML obligations.

This is why exchange data breaches matter so much. When an exchange gets hacked, it’s not just your trading balance at risk — it’s a copy of your passport, your home address, and the connection between your real identity and your crypto wallet activity.


The 2020 Ledger data leak (a real KYC privacy failure)

In June 2020, Ledger — the hardware wallet maker — disclosed that a marketing database had been breached. The breach affected approximately 1 million email addresses. Worse, a separate file containing the personal details of over 270,000 customers — including full names, postal addresses, and phone numbers — was leaked publicly on a hacker forum in December 2020. Per Reuters’ coverage, the leaked data was being used in phishing campaigns and physical extortion attempts within days.

The Ledger leak is a useful case study because it wasn’t a crypto-related breach in the traditional sense. Ledger didn’t lose customer crypto. The hardware wallets themselves weren’t compromised. What was compromised was the personal data Ledger collected as part of running an e-commerce business — names, addresses, emails, phone numbers.

People who’d bought a Ledger device started receiving:

  • Phishing emails pretending to be from Ledger, asking for their seed phrase
  • SMS scams targeting their phone numbers
  • Physical extortion threats sent to their home addresses
  • “Swatting” calls in some cases

Some users reported intruders attempting to break into their homes after the address leak. A few attempts at violent home invasions targeting known crypto holders have been linked to leaked customer data from various breaches over the years.

The point isn’t that Ledger is uniquely bad — they handled the disclosure properly and have since hardened their systems. The point is that any company you give your identifying information to is a potential point of failure. KYC data is high-value data. Treat it accordingly.

The lessons most experienced crypto holders take from this:

  • Don’t use your home address if you can use a different mailing address.
  • Use a unique email address per exchange so a leak doesn’t follow you everywhere.
  • Use a unique phone number where possible (Google Voice or similar).
  • Never tell anyone, anywhere, how much crypto you hold.
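
One way to put the "unique email address per exchange" lesson into practice, as an added example that is not part of the original post. It assumes you control a mail domain with catch-all delivery; the domain, secret, service list and function names are all constructed for illustration.

```python
import email
import hashlib
import hmac
from email.utils import getaddresses
from typing import List, Optional

# All values below are constructed for this example.
SECRET = b"constructed-demo-secret"   # keep the real one offline and never reuse it
DOMAIN = "mail.example"               # assumed: a domain you control, catch-all enabled
SERVICES = ["bitget", "coinbase", "kraken", "ledger"]


def alias_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive the address to register with one service.

    The local part is a keyed HMAC tag, so it reveals neither the service
    name nor any other alias, and it cannot be guessed without the secret.
    """
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{domain}"


def attribute(address: str, services: List[str] = SERVICES) -> Optional[str]:
    """Return the service an address was issued to, or None if it is not ours."""
    candidate = address.strip().lower()
    for service in services:
        if candidate == alias_for(service):
            return service
    return None


def leaked_sources(raw_message: str, services: List[str] = SERVICES) -> List[str]:
    """List the services whose aliases appear as recipients of a message."""
    msg = email.message_from_string(raw_message)
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    found = []
    for _name, addr in getaddresses(headers):
        service = attribute(addr, services)
        if service and service not in found:
            found.append(service)
    return found


# Constructed phishing message sent to the alias that was only given to "ledger".
SAMPLE_PHISH = (
    "From: Support <support@wallet-alerts.example>\n"
    f"To: {alias_for('ledger')}\n"
    "Subject: Urgent: verify your recovery phrase\n"
    "\n"
    "Your device has been deactivated...\n"
)

if __name__ == "__main__":
    for s in SERVICES:
        print(f"{s:10s} {alias_for(s)}")
    print("phish arrived via alias issued to:", leaked_sources(SAMPLE_PHISH))
```

Because each alias exists in exactly one company's database, mail arriving at it from anyone else tells you which database leaked, and you can retire that one alias without touching the others.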

For the storage side of this, the seed phrase storage and Ledger Nano X review posts cover the physical security setup. For attack patterns specifically, see the crypto scams guide.


KYC on BitGet

BitGet’s KYC system uses two main tiers for retail users. Basic verification — ID upload and selfie — typically clears in a few minutes to a few hours and unlocks spot trading, futures, copy trading, and standard withdrawal limits. The full BitGet review walks through every step with screenshots.

Documents needed for BitGet basic KYC:

  • One government-issued ID (passport works best globally)
  • A live selfie
  • Sometimes a quick liveness check (turn your head, blink)

Most users I know who’ve signed up through my BitGet referral link (affiliate) clear basic KYC the same day. Higher-tier verification, which raises withdrawal limits significantly, usually requires proof of address.

BitGet, like most major exchanges, operates within a regulated framework and has to follow AML rules in every jurisdiction it serves. That’s why the data collection exists. The trade-off you’re making is convenience and access in exchange for handing over your identity to a regulated platform.


KYC on Coinbase, Kraken, Binance comparison

For comparison, here’s roughly how the big CEXs stack up on KYC.

Exchange | Basic verification | Full verification                                 | Typical clearance time
---------|--------------------|---------------------------------------------------|-----------------------
BitGet   | ID + selfie        | + proof of address                                | Same day to 24h
Binance  | ID + selfie        | + proof of address + source of funds              | Same day to 48h
Coinbase | ID + selfie        | + bank account verification                       | Same day to 24h
Kraken   | ID upload          | Multi-stage with intermediate, pro, institutional | Hours to days
Bybit    | ID + selfie        | + proof of address                                | Same day to 24h
OKX      | ID + selfie        | + proof of address                                | Same day to 24h

Coinbase is generally the strictest on KYC and the most aligned with US regulations — they share data with US tax authorities and have been involved in providing user data under subpoena. Kraken is similar in the US.

BitGet, Bybit, and OKX are offshore-based and historically more lenient, but in 2024-2026 they’ve all tightened up significantly as global regulation increased.

Binance has the most variable KYC depending on which Binance entity you use (Binance.com, Binance.US, regional sub-licences).

None of these are KYC-free. The “no KYC” era of major centralised exchanges ended around 2020-2021. If a major CEX claims you don’t need ID, that’s almost certainly out of date or jurisdiction-specific.


Can you actually trade crypto without KYC?

Yes — but with significant trade-offs. The main no-KYC options:

Decentralised exchanges (DEXs)

Uniswap, PancakeSwap, Curve, Jupiter — connect a wallet, swap tokens. No ID. No account. No deposits or withdrawals to manage. You trade directly from your own wallet.

The trade-offs:

  • You need crypto already in a wallet to start trading. No fiat on-ramp.
  • Gas fees on Ethereum L1 can be expensive. L2s and Solana are much cheaper. See gas fees explained.
  • No customer support if something goes wrong.
  • You need to know what you’re signing every time.

The crypto exchanges explained post covers the CEX-DEX split in detail.

Peer-to-peer (P2P) markets

LocalBitcoins (now closed), Bisq, Hodl Hodl, AgoraDesk, and various OTC markets let you trade crypto directly with another person. Some require KYC, some don’t. The non-KYC ones usually have higher prices (the seller charges a premium for taking the risk).

Atomic swaps and cross-chain bridges

Atomic swaps let you swap one cryptocurrency for another without an intermediary. Adoption is low but growing. No KYC required because there’s no centralised platform to demand it.

Small or unregulated platforms

Some smaller exchanges still operate with minimal KYC, particularly those based in less-regulated jurisdictions. The risk is exchange failure — if the platform isn’t regulated, you have no recourse when something goes wrong. Generally not worth it for most users.

What’s not actually KYC-free

Buying crypto with a bank card or bank transfer requires KYC. Always. There’s no fiat-to-crypto on-ramp without identity verification. If a service claims to offer one, it’s either small and fragile, geographically restricted, or about to be shut down.

If you want to operate with the minimum KYC footprint: use a CEX once to convert fiat to crypto, withdraw to a self-custody wallet, then do everything else on-chain via DEXs.


NordVPN for account security

Using a VPN on the device you do KYC from — and the device you trade from afterwards — is a habit worth building. Not to hide from the exchange (they see your KYC anyway) but to:

  • Protect your traffic on public WiFi (airports, hotels, cafes — where most account takeovers happen)
  • Keep your IP consistent so you don’t get random “suspicious login” lockouts when you travel
  • Avoid leaking your location through every site you visit

I use NordVPN on every device I trade from. The setup I run is here (affiliate link).

One thing to be clear about: a VPN doesn’t let you bypass KYC. The exchange still has your ID. The VPN protects the channel, not your identity.


Tax authorities and KYC (the connected dots)

This is the part most retail users underestimate.

Tax authorities are increasingly receiving KYC data directly from exchanges. The connection is now routine in major jurisdictions.

  • The IRS in the US has been getting customer data from major US exchanges since 2018 via court orders, and the new DAC8 / Form 1099-DA framework will require automatic reporting starting in 2026.
  • HMRC in the UK receives data from UK-regulated exchanges under the Cryptoassets Reporting Framework (CARF). They’ve issued nudge letters to over 100,000 UK crypto holders since 2022.
  • The EU’s DAC8 directive requires all EU-registered crypto exchanges to share customer transaction data with member states’ tax authorities, starting in 2026.
  • OECD’s CARF is being adopted across most developed economies, with the first automatic exchanges of data starting 2027.

The practical result: if you’ve done KYC on a regulated exchange, your government almost certainly knows about your crypto activity, or will within the next year or two.

This doesn’t matter if you’re paying your taxes properly. It matters a lot if you’re not. The era of “the tax man doesn’t know I have crypto” ended around 2022-2023 in most major economies.

Practical implications:

  • Keep records of every trade, deposit, and withdrawal. Most exchanges let you export trade history as a CSV.
  • Use a crypto tax tool (Koinly, CoinTracker, CryptoTaxCalculator) to calculate your liabilities.
  • Declare what you owe. Penalties for non-disclosure are usually worse than the tax itself.

This isn’t financial advice. This is “don’t assume KYC data stays at the exchange — it doesn’t.”


Common KYC failure reasons + how to fix

If your KYC gets rejected, it’s almost always one of these:

1. Poor photo quality

The ID is blurry, dark, has glare on it, or has one corner cut off. Retake in good light, against a plain background, holding the camera steady.

2. Expired document

Some IDs expire and exchanges won’t accept ones past expiry date. Use a passport if you can — they last 10 years.

3. Name mismatch

The name on your ID doesn’t exactly match the name you entered when signing up. Especially common with people who use middle names inconsistently or have changed names after marriage. Re-enter the name exactly as it appears on the ID.

4. Address mismatch

The proof of address shows a different name or address from what you entered. Use a recent utility bill or bank statement matching exactly.

5. Selfie failure

Face not visible, lighting too low, sunglasses, hat. Retake in natural light, plain background, looking straight at the camera, no accessories.

6. Geographic restriction

Some exchanges don’t accept users from certain countries. If you’re restricted, KYC will fail no matter what. Check the exchange’s terms.

7. Sanctions or PEP match

If you’re a Politically Exposed Person (PEP) or appear on a sanctions list, KYC will require additional review. Usually a slower process; sometimes a rejection.

Most exchanges will tell you why KYC failed and let you retry. If it keeps failing without explanation, contact support directly with screenshots.


Ready to do KYC on a proper exchange?

BitGet’s basic verification usually clears the same day. A passport and a selfie are all you need to start.

Open BitGet →

Affiliate link. I may earn a commission at no extra cost to you.


Frequently asked questions

Is KYC mandatory on all crypto exchanges?

On all major centralised exchanges, yes. DEXs and peer-to-peer markets generally don’t require KYC. Small or unregulated platforms may offer limited KYC-free access but with significant trade-offs in security and reliability.

How long does KYC take?

Basic KYC on a major exchange usually clears within a few hours, often within minutes. Full verification can take 24-72 hours. Manual review can stretch this to a week in rare cases.

Can the exchange share my KYC data with my government?

Yes, and increasingly they do. The FATF Travel Rule, EU’s DAC8 directive, and OECD’s CARF framework all require crypto exchanges to share customer data with tax authorities. Assume your activity is visible to your tax authority.

What happens if I lie on KYC?

Best case: your account gets frozen and you lose access to your funds. Worst case: you commit identity fraud, which is a criminal offence in most jurisdictions. Not worth it.

Is my KYC data safe with the exchange?

It’s only as safe as the exchange’s security. Major exchanges encrypt KYC data and limit access, but breaches happen — the 2020 Ledger leak exposed over 270,000 customer records. Treat any data you hand over as potentially leakable.

Can I trade crypto with no KYC at all?

You can trade on DEXs, atomic swaps, and some P2P markets without KYC. You cannot buy crypto with fiat (bank card or transfer) without KYC anywhere legitimate. The minimum-KYC route is: one CEX for fiat conversion, then everything on-chain.

Will my privacy be respected after KYC?

Within the limits of the exchange’s policies and the regulators they answer to. Your data won’t be sold for marketing. It can be shared with law enforcement under court order, and with tax authorities under automatic reporting frameworks. Don’t share your home address if you don’t have to.


Final word

KYC isn’t going away. Anything that looked like a “no KYC exchange” in 2018 either does KYC now, has been shut down, or operates in a grey zone you probably shouldn’t rely on. The regulatory direction in every major economy is the same: more reporting, more verification, more data sharing with tax authorities.

That’s the world. You can fight it or you can plan around it.

If I were starting today, this is the order I’d do it in:

  1. Pick one well-regulated CEX and do KYC properly there. BitGet is the one I use. Coinbase and Kraken are also reasonable.
  2. Use that CEX as the fiat on-ramp and off-ramp only. Buy with bank or card, sell back when you want to bank profit.
  3. Move long-term holdings to a hardware wallet — Ledger Nano X (affiliate) is what I use. The Ledger Nano X review covers why.
  4. Do on-chain activity via DEXs and self-custody. No additional KYC required there.
  5. Use NordVPN on every device you trade from — particularly when travelling or on public WiFi. Setup link here (affiliate).
  6. Keep records. Declare your taxes properly. Don’t get clever with it.

That’s the playbook. Not exciting. Not perfectly private. Just realistic for how the system actually works now.

Right — over to you.


Alan Spicer

Crypto trader since 2020 · Coin Bureau · Crypto Banter · Trade Travel Chill

Alan has been in crypto for nearly six years. He writes what he wishes someone had told him on day one — the wins, the rugs, and the stuff the YouTubers won’t say on camera.
