AI KYC Got Faster. The Risks Got Worse.
KYC used to mean a human checking a passport scan. Now it means AI scoring your document, face, liveness, behavior, and media trail in about 30 seconds. 68% of US financial institutions are deploying AI-enhanced KYC as of 2026. The FATF's risk-based AML/CFT guidance keeps pushing the model outward.
Speed does not make it gentle. It just makes the intake pipe wider.
If you want exchanges without identity checks: See our ranked comparison of no-KYC swap services. For the baseline, read What is KYC.
Five Layers Now Sit Between You and Access
Liveness detection is the weak point. It drove most of the 1-in-20 deepfake failures Sumsub reported in 2025, because injected video feeds can skip past active prompts at the OS level. Document forgery checks catch cheap fakes well but weaken against state-grade documents with real security features. Behavioral biometrics are harder to spoof because the signal is generated live in the session. Sanctions screening costs vendors about $0.30 to $0.80 per check at scale. The whole stack costs roughly $2 to $8 per verification, depending on document country and liveness tier.
The breach risk sits upstream: Your faceprint usually lives with the KYC vendor, not just the exchange. Sumsub was breached in 2023. Binance KYC data hit darknet markets in 2019. Veriff had an incident in 2022. Once a centralized database stores your faceprint, you cannot swap it out like a password. The EFF has documented the risks of biometric data centralisation for years.
What KYC Takes, and Who Keeps It
| Data type | Who holds it | Retention | Breach risk |
|---|---|---|---|
| Government ID scan | KYC vendor + exchange | 5–10 years (AML laws) | High (centralized) |
| Biometric faceprint | KYC vendor | Varies (often indefinite) | High. Cannot be changed |
| Selfie/liveness video | KYC vendor | Varies | High |
| IP address | Exchange | Varies | Medium |
| Transaction history | Exchange + regulators | 5+ years (BSA) | Medium |
| Device fingerprint | Exchange | Varies | Medium |
No-KYC Options Exist for a Reason
Non-custodial swap services and P2P exchanges usually do not trigger the same duties as custodial money service businesses. Trocador and SideShift act as swap coordinators without holding funds. Haveno and Bisq route trades between users. The data gap is blunt:
| | KYC exchange (Coinbase, Kraken) | No-KYC swap (Trocador + Tor) |
|---|---|---|
| Name | Yes | No |
| Government ID | Yes | No |
| Faceprint | Yes | No |
| Home address | Yes | No |
| Bank account | Yes | No |
| IP address | Yes | Hidden (Tor) |
| Transaction history | Permanent, reportable | Swap amounts only |
See Best No-KYC Crypto Exchanges 2026 for current options, and How to Vet Any Privacy Tool for the screening process behind the list.
Follow the Money
Identity verification is a $12B industry. The same companies selling KYC compliance tools also sell the surveillance stack that no-KYC services avoid.
Frequently Asked Questions
What does AI add to KYC compared to traditional identity verification?
Traditional KYC put a human in front of ID documents. AI KYC adds automated document classification and forgery checks, liveness detection to tell a real person from a replay, behavioral biometrics like typing or touch patterns, and adverse media screening against news and law enforcement databases. It all runs in seconds, often with no human review.
Can AI deepfakes defeat liveness detection in KYC?
Yes. Sumsub's 2025 Identity Fraud Report found that 1 in 20 identity verification failures worldwide involved AI-generated or deepfake content. Attackers use injected video feeds, 3D masks, and AI-animated photos. Vendors answer with harder liveness prompts and passive checks for deepfake artifacts. Nobody has won this fight as of 2026.
What data does KYC actually collect and who can access it?
A standard AI KYC check collects a government ID, a biometric selfie that creates a stored faceprint, a liveness video, your IP address, device fingerprint, and sometimes behavioral biometric data. Third-party vendors like Jumio, Onfido, Sumsub, and Persona process much of it, not just the exchange. Those vendors aggregate across clients. A breach at one vendor can expose users from many exchanges. Sumsub was breached in 2023. Binance KYC data appeared on darknet markets in 2019.
Are no-KYC crypto exchanges legal?
Often, yes, depending on the service and your jurisdiction. Non-custodial swap services and P2P exchanges that do not hold user funds usually sit in a different regulatory category from centralized custodial exchanges. Services like Haveno, Bisq, and atomic swap protocols let users trade directly. In many Western countries, private peer-to-peer crypto trades without KYC are legal for individuals up to reporting thresholds. The heavier legal duty usually falls on money service businesses, not private traders.
What information does a no-KYC exchange see about me?
A well-designed no-KYC swap service like Trocador over Tor sees the swap amounts, the destination wallet address, and maybe your IP address or browser fingerprint if you do not mask them. It does not get your name, government ID, biometric data, or banking records. With Tor, exposure can drop to the amounts and destination addresses alone. A KYC exchange keeps your full ID set, selfie, and transaction history under your verified identity.