Should NFT platforms have KYC to verify users' identities?

An overview of considerations of KYC and AML regulations and how they can increase security for companies handling NFTs

Non-fungible tokens (NFTs) are growing in popularity, not only in the art world but beyond. The world’s third most valued living artist is Beeple, whose NFT artwork “The First 5000 Days” sold for $69 million. Even Hong Kong-based Animoca Brands, the blockchain industry’s latest unicorn, had to address a fraudulent NFT sale on Discord. NFTs are the next product built with blockchain technology that consumers can benefit from. Even newer to the market than cryptocurrencies, NFTs occupy a regulatory grey zone, and many founders argue for less regulation to encourage innovation. However, as crypto companies and NFT platforms gain mass adoption, governments are imposing regulations as guard rails against money laundering and fraud. What will KYC in the NFT sector mean for creatives, investors and virtual asset service providers (VASPs)?

While having KYC (Know Your Customer) checks in place may seem like an imposition, many crypto and NFT platforms have used them without regulatory pressures because they see the benefits of providing customers with assurance and increasing their own security posture. Passbase works with companies in FinTech and crypto, as well as less regulated industries such as hospitality and marketplaces for real estate and fashion, to provide assurance that users are who they claim to be. In this blog post, we will outline how companies concerned about preserving user privacy can think about KYC and AML (anti-money laundering) best practices to serve customers and ensure sustained growth through a robust regulatory strategy.

What are NFTs?

NFTs introduce another potential in blockchain technology that differs from cryptocurrencies: unique ownership. With a fungible token like a cryptocurrency coin, you can exchange one for another and have the exact same value. NFTs, on the other hand, are one of a kind. Songs, digital artworks, event tickets, collectibles and even tweets can be turned into an NFT, with a certificate of ownership stored on the blockchain — addressing long-standing problems of originality and credit to creators.

As authorities are just beginning to enact legislation around cryptocurrencies, the guidelines around NFTs vary from country to country. For example, Thailand has banned them, while they remain a grey area in Singapore that is not covered by the Payment Services Act. However, NFTs could come under different types of regulations if they are artworks or auction houses that may have anti-money laundering considerations already. In addition, regulatory guidelines set globally by the Financial Action Task Force (FATF) have pushed for regulation of not only cryptocurrencies, but also VASPs, or more broadly digital asset services, which can include NFTs. Finally, if NFTs are handling fiat (traditional currencies), there may already be anti-money laundering or fraud prevention measures that are required, such as the EU’s Payment Services Directive 2 (PSD2).

While NFTs may not be explicitly mentioned by regulations yet, there are wider regulatory measures that may still require some sort of KYC check as part of wider AML measures for payment processing.

Why should NFT companies care about AML and KYC if it’s not required?

Even though many legislatures have not passed specific NFT regulations yet, strategic companies that occupy “grey areas” for legislation have taken measures to match FinTech and bank-grade security, which includes a robust KYC check. These companies see KYC procedures as a way to invest in trust early with customers and minimize the risk of fraud, security breaches, and scandals as they continue to grow.

Below, we outline the reasons companies integrate KYC into their product ahead of regulations.

Use identity verification to build trust with users

Anonymity is not synonymous with privacy, or security. While some users may insist on anonymity, all users want security — that they can access their accounts and that their accounts will not be compromised. Sift released a report that found that account-takeover attacks increased 307% between 2019 and 2021.

As crypto continues to gain popularity, users who are more concerned about securing their account than anonymity will become more and more important as a target group. A 2019 Experian report found that 70% of consumers are willing to share more data online if there is a perceived benefit and if there is security.

By conducting identity verification in a secure and transparent way, companies can reassure legitimate customers. Integrating identity verification that is intuitive and may have benefits, such as text extraction from an ID document scan to save time from manual inputs, also gives users better onboarding experiences. Using bank-grade KYC for NFT platforms helps them reliably identify users at onboarding, which can be referenced in the future, such as through biometric authentication for logins or high-risk tasks such as changing contact details.

Build KYC into a wider security strategy as a competitive advantage

Lack of regulation should not mean a lack of standards. As demonstrated in the Nifty Gateway hack, transactions could be negotiated over Discord or Twitter, and 2FA is not even enabled by default. While some companies opt to do the minimum required in pursuit of immediate growth, more mature companies invest in security from day one. Being able to verify users is an essential part of business security.

Companies are taking a page from traditional financial KYC measures to improve business security and operational efficiency. Verifying users, and by extension, their access rights, is one piece of the wider security puzzle for a company’s defence systems against hacks and fraud. User verification gives businesses higher assurance that the individual accessing the account is who they claim to be.

With modern KYC solutions that integrate natively into cross-platform tech stacks, businesses can easily integrate identity verification into user onboarding. Some companies will phase the user onboarding process by having a quick user sign up to access the platform, with identity verification requirements to begin sending and receiving funds. Once a user has verified their identity, usually using government-issued ID and a selfie face match, third-party identity verification companies can do background AML and database checks to screen for sanctioned individuals and use ongoing monitoring to flag changes or expired documents in the future. Using best practices from FinTech enables companies handling NFTs to quickly incorporate background security and fraud prevention features to protect the business.

Securing growth without regulatory risks

The general trend is that countries increasingly align their regulations with FATF’s guidelines for VASPs. The business cost of retroactive KYC addition can also be huge, as seen with countries cracking down on Binance’s success this year.

Additionally, regulators can come after companies or entities in any industry if there is suspicion of fraud, money laundering, or the financing of terrorism. If your NFTs are handling financial transactions, especially fiat, then there is a risk of unwittingly facilitating illegal activities. While markets like the Asia Pacific may not hold individuals liable, the EU recently made a landmark amendment with its 6th Anti-Money Laundering Directive (6AMLD) that holds individuals criminally liable for negligence.

Rather than having future regulations as speed bumps or outright barriers to growth, companies handling online payments are looking at third-party KYC solutions that can help them cut through regulatory complexity and establish bank-grade compliance measures that can integrate directly into their products.

How can KYC fit into the onboarding user flow?

Understandably, digital-native companies handling NFTs will not want to compromise user experience and conversions when introducing KYC processes. Referencing FinTech companies’ onboarding user flows will give new companies guidance on how the flow can work. While countries may differ in their specific KYC implementation (some require agents to video verify while others can have mobile ID document scans and video selfies), the components remain the same:

  • Submitting official photo ID to provide identifiable data, such as name and date of birth
  • Face matching and liveness detection, with either a video call or a recording, to make sure the person the ID document belongs to is actually sitting in front of the screen
  • Additional documents for added assurance, such as proof of address or a second ID document

As there are a number of legacy and modern KYC solutions providers, testing how they integrate both into the product as well as business operations will be key. Working with a provider that has clear documentation, live testing for SDKs, API and webhook integrations, pay-as-you-go pricing — all while delivering an intuitive UI for both end users and internal teams — will help teams build a customized identity verification flow into their product at the right customer touchpoint. Selecting the right identity verification service partner will give businesses the flexibility to sandbox and scale KYC processes with business growth.

Taking initiative before regulators crack down in the NFT space will give forward-thinking businesses a competitive edge. Without regulatory rigidity, product teams have more leeway to choose providers that deliver better native integrations, without being bound to a particular vendor who might meet a specific compliance requirement. Finessing an approach to identifying users that is streamlined into scalable operations will accumulate into a proprietary industry advantage.


Passbase © 2023


Passbase is an identity verification solution that makes facial recognition, liveness detection, ID verification and KYC and AML compliance accessible through a suite of flexible developer tools. A zero-knowledge architecture ensures that companies using Passbase can securely verify users from over 190 countries without having to store their data. Built for developers, it can be integrated with just a few lines of code on iOS, Android, and Web.