How KYC Harms Business and Violates Consumer Rights
Rabbit 🐰
Ordinary everyday businesses — grocery stores, restaurants, or beauty salons — can freely serve customers without establishing their identity. A cashier does not ask you to show your ID to sell you a loaf of bread, and certainly does not inquire about the origin of the funds you use to pay for a haircut. Moreover, in most developed countries, refusing to serve a customer who does not wish to disclose their name, age, citizenship, or place of residence would be seen as blatant discrimination.
But as soon as we move into the realm of highly liquid assets — such as cryptocurrencies — the picture changes. Here, the norm is different: businesses are required to know their customers (Know Your Customer, KYC). Users are asked to provide documents, selfies with their passport, proof of address, and sometimes even bank statements.
Supporters of strict regulation explain this simply: you cannot resell a restaurant meal, but you can easily resell cryptocurrency. Therefore, a restaurant cannot become part of a chain used to conceal criminal activity, while a cryptocurrency business can. High liquidity is believed to make digital assets an ideal tool for criminals.
In reality, this is a serious misconception. Blockchain transaction data is stored permanently. Even if today it is difficult to trace a transaction chain to a specific individual, no one can guarantee that new analytical tools will not emerge tomorrow. In fact, they are already emerging: law enforcement agencies successfully use blockchain analytics (it is enough to recall how the U.S. Department of Justice seized more than $3.6 billion worth of bitcoin stolen in the Bitfinex hack).
But the main question lies elsewhere: should the responsibility for identifying users and verifying the origin of their funds really be placed on businesses? I believe it should not. And here is why.
A Blow to Competition: How KYC Harms Startups
Imagine you are launching a new cryptocurrency business. You invest in development, put tremendous effort into marketing, and attract your first customers. They arrive, and you greet them with the requirement: “Show your ID, take a selfie, explain where your money comes from.” What will their reaction be?
Customers will simply leave. Not because they have something to hide, but because you are a nobody in the market. When dealing with a large company that has been operating for ten years and is trusted by millions, a person is willing to disclose their data: such a company has reputational risks. With you, that trust does not exist. And this is rational behavior: if your service disappears, goes bankrupt, and stops protecting data, the risks of fraud or identity theft will remain with the customer and will not disappear along with your business.
The result is predictable: instead of healthy competition that leads to lower prices and better service, the market becomes monopolized by giants. New companies that could offer better conditions and innovative products simply do not get a chance. KYC becomes a classic barrier of regulatory capture, reliably protecting incumbent leaders. The cryptocurrency market, which could have been a model of open competition, turns into an oligopoly.
The Illusion of Privacy, or Forced Consent
Many countries have strict personal data protection laws. Their basic principle is simple: information about a person may not be collected without their voluntary consent. Individuals have the right to privacy and the right not to disclose to the entire world which services they use.
But in practice, without passing KYC, a person is effectively cut off from entire categories of services — primarily financial ones. A potential client’s refusal to disclose personal information forces businesses to automatically deny them service.
In 2025, the FATF itself — the main global driver of such regulation — acknowledged that disproportionate requirements have created unintended consequences: a large number of law-abiding people have been excluded from the legal financial system simply due to a lack of required documents or unwillingness to reveal their identity. According to FATF, this particularly affects refugees, migrants, and the unbanked — those whom the state is supposed to protect.
The position of the Court of Justice of the European Union is also telling: in 2022, it invalidated a rule that made information about companies’ beneficial owners accessible to any member of the general public, citing disproportionate interference with private life. The court emphasized that such interference must be necessary and proportionate to the objective pursued. Yet, for some reason, these principles do not seem to apply to KYC requirements even in Europe.
Data as Bait: KYC Creates What It Is Supposed to Prevent
One of the most important arguments against mandatory KYC is purely practical. When businesses are forced to collect millions of passports and selfies, their servers become attractive targets for cybercriminals. And this threat is not theoretical.
Back in 2019, a hacker known as ExploitDOT was reported to be selling around 100,000 identity documents on the darknet platform Dread, allegedly collected by major crypto exchanges such as Binance, Poloniex, Bitfinex, and Bittrex as part of their KYC procedures. The origin of the data remained disputed: the exchanges denied being hacked, and the data may have been stolen from a third-party KYC provider. But this only makes the incident more revealing: the chain of custodians holding your personal data is longer than you think, and any point in that chain can be vulnerable.
In May 2025, something happened that could no longer be attributed to uncertainty about the source: Coinbase publicly acknowledged that cybercriminals had bribed a group of overseas support contractors, who then handed over customers’ personal data (names, addresses, phone numbers, partial Social Security numbers, and identity document scans submitted during KYC verification). A total of 69,461 users were affected. The exchange refused to pay a $20 million ransom but estimated potential losses from the incident at $180 to $400 million.
In the fall of 2025, cybersecurity researchers discovered an unsecured database belonging to the crypto platform NCX, containing more than 5 million records, including direct links to users’ KYC documents. All of this was publicly accessible due to a MongoDB configuration error. No hack was required — the database was simply left open.
In short, the best way to protect personal data is not to store it at all. Every new operator collecting passport data is a new risk. KYC creates not just customer registries, but targets for criminals. With access to a person’s name, address, biometric data, and asset history, an attacker has everything needed to impersonate them.
Who Should Catch Criminals: Police or Business?
Law enforcement agencies are funded by taxes for their services — including investigating crimes and combating illicit financial flows. Businesses are paid for providing services, too. Yet KYC procedures effectively shift police functions onto the private sector: businesses are required to identify customers, screen sanctions lists, analyze the origin of funds, and report suspicious transactions. At the same time, the state does not compensate them with a single cent from the taxes already paid for these purposes. If a business makes a mistake, it pays a fine. If it does not, it still bears enormous costs for a system that is, strictly speaking, a state function.
What is most damaging here is the data on effectiveness. Ronald Pol, a researcher at La Trobe University (Australia), in his widely cited paper published in the journal Policy Design and Practice, found that compliance costs exceed the amount of assets actually recovered from criminals by more than a hundred times.
Businesses spend hundreds of billions of dollars annually (global compliance costs exceed $200 billion per year), yet the results are negligible. Who in their right mind would want to bear such meaningless costs? States certainly do not — and so they shift them onto businesses, and ultimately onto consumers.
Sometimes this mechanism takes on an explicitly political dimension. In February 2022, during the trucker protests in Canada, the government leveraged the fact that financial and crypto organizations held data on participants and instructed them to apply the Emergencies Act to freeze incoming funds. Businesses found themselves acting as political instruments, while citizens lost access to their own money. Two years later, a court ruled these actions unconstitutional — but the funds had already been frozen, and citizens had already experienced the scale of the threat firsthand.
The Market Has Already Delivered Its Verdict
The market reaction is already clear. In the cryptocurrency space, there is strong and persistent demand for services without KYC: people are willing to tolerate inconvenience, seek workarounds, and even pay more — just to avoid handing over documents to unfamiliar companies with unknown data storage practices.
But often they do not even have to pay more. Rabbit.io can offer the best exchange rates partly because we do not incur the costs associated with collecting, processing, and storing customer data. Naturally, when consumers have a choice, they prefer to obtain services where the cost is lower. That is why our customers choose us. And that is also why imposing KYC on businesses effectively harms them.
Our users are not criminals or conspiracy theorists. They are people with a simple and understandable motivation: to complete a transaction at the best rate without having to disclose their identity when it is not necessary. When I buy apples at a market, the seller does not ask for my passport. When I ask a shop to break a bill into smaller denominations, no one asks why I need different banknotes. Why should digital transactions be fundamentally different?
Conclusion
KYC requirements create a system in which costs are distributed unfairly. Businesses pay for what is essentially a state function. Honest users also pay for it and additionally risk their personal data. New companies fail due to the competitive advantage of large incumbents. Meanwhile, actual wrongdoers find ways around the system, in part by exploiting the very data registries that businesses are required to build under KYC procedures.
If governments believe that oversight of financial flows is necessary, then an honest discussion is needed: who pays for it, who bears responsibility, and why private businesses should perform policing functions at their own expense and to the detriment of their customers. It is also necessary to recognize that mandatory, universal KYC is an expensive and inefficient tool that turns honest market participants into suspects, and their data into targets for criminals.