KYC requirement from ICOs will open up a whole news area of scam

[BTRIC]

As the thread subject mentioned, I strongly believe the KYC documents requirement from the ICOs will open up a new area of scam to the world, much larger than the ICO itself.

Reason 1:
The basic idea of crypto currency is de-centralization and anonymity. I understand that ICO will have to comply with the regulatory requirements, but isn't it directly challenging the basic idea of crypto currency? If KYC is required for every ICO, then the whole idea of de-centralization and anonymity is gone. The ICO requirement should be the other way around. Means, every ICO should provide a proper KYC documentation to the public so that investors can be assured that they are not dealing with a bot or a child operating from his home computer.

Reason 2: (this is a big threat)
KYC means "Personally Identifiable Information" and it is a very serious level of data. Most of the governments have a very stringent rules against the breach of PII data, especially in USA. The SSN numbers of USA residents are traded in darkweb for $5-$10 each based on the details available. While most of the ICO owners are not identifiable to public (linkedin and FB profile can't be considered as valid here), they can secretly open up a secondary market for PII data, that will provide them an extra layer to their income. Most of the ICOs are not compliant with the infosec policy of many countries. No one is sure, what is going to happen with their data. It leads to a much larger future scam.

Reason 3:
It provides a big opportunity to the ICOs to deny the bounty hunters from their payment even after their promotional efforts. I am not sure we have already encountered some of these, but I am sure it will happen in future. I have seen no ICO bounty thread mentioned anything about the KYC requirement. There is no upfront communication. However, they may come back saying that KYC needs to be done before the bounty rewards can be released. That's complete miscommunication and cheating. If the ICOs can be upfront on their KYC requirement (which they are not), only bounty hunters and investors will join who can fulfill the requirement. The campaign managers needs to be upfront in this matter.

*While I don't know what needs to be done in order to regularize the first two reason, the third reason can be solved via upfront communication. Please share your thoughts.

This is something I've been thinking about because it's a real problem.  I have some ideas but there's no perfect answer to the situation.

Here in the United States we have legal requirements for Know Your Customer / Anti-Money Laundering / Countering the Financing of Terrorism.  I certainly understand the reason we have these regulations in place, but when you apply the same principles as used in legacy banking and finance to the world of crypto assets, new problems emerge:

• How do you know the ICO is who they represent themselves to be?
• How do you know the ICO is going to safeguard your PII?  They could be careless and it could be stolen through a hack, or they could be malicious and sell the information or use it directly to steal your identity.  Sad to think about, but some of the ICOs are full-out scams.
• What happens to your information if the ICO fails, shrivels up and dies?
• How do you still comply with the legal requirements while implementing a trust-free model?

The answer I come up with is to have a trusted party conduct the KYC and make attestations to ICO issuers.  But, I don't like that idea because it has a point of centralization that could abuse trust.  So, I'm thinking about a decentralized way to do it.  Potentially something like, go through the KYC gamut with your primary exchange, be that Binance or Coinbase, etc., and then they would be able to issue some type of credential that ICOs would accept as KYC verification without having access to all of the information directly.  Potentially even non-exchanges could provide this as a service.  If done properly, you as a user would be able to approve what information they are able to access, on an ICO by ICO basis (or any other entity that was using the system, for that matter).  Somewhere in this concept a user would have to place trust in someone, someone must actually perform and verify KYC, so I figure the best place for that trust to be the exchange they already have a relationship with.

Facebook has something like this in how they implement third-party app permissions (as does Android).  They have a basic permission that allows them to get basic information, and then if the app needs more information, like your social graph, or the ability to post, etc. it's another "confirm/decline" decision for the user.

I think something like this could be the way to go, but it needs an open standard on conducting the due diligence as well as a software interface to accessing the information.  It's an idea that's been in my mind as something that we should look at through BTRIC Institute.

I believe if done right it would reduce fraud.

Best regards,
Ben

[1713473106]

1713473106

[1713473106]

1713473106

[1713473106]

1713473106

[1713473106]

1713473106

[1713473106]

1713473106

[avikz]

• How do you know the ICO is who they represent themselves to be?

That's a concern for sure! We have seen instances where ICO owners are caught using stock photographs of little-known models and used in their website as the ICO owners. I am sure there are more such ICOs. Even though some ICOs are upfront about their owner's identity, majority of them do not bother to provide the same and tries to mask them. One such instance,

https://bitcointalk.org/index.php?topic=2979889.0

You can easily understand what will happen if you provide your KYC data to such scammers! Probably you will be seen as their next owner. The only way to counter this is to be vigilant and thorough research. 

• How do you know the ICO is going to safeguard your PII?  They could be careless and it could be stolen through a hack, or they could be malicious and sell the information or use it directly to steal your identity.  Sad to think about, but some of the ICOs are full-out scams.

There is no way to know that. As I have already mentioned in the main thread, that KYC is a very serious level of data and has a big underground market. It's very easy for anyone to sell out that data to get some extra income. I am not particularly worried about the hackers because majority of the ICOs are scam. If your data lands in the hand of those scammers, the repercussion can be huge. We are not able to understand the threat just as yet because a sizable scam didn't happen in recent past. My thread will start making sense to a lot more people if any such scam happens. 

• What happens to your information if the ICO fails, shrivels up and dies?

Again a gray area! I have no idea hence this brainstorming!

• How do you still comply with the legal requirements while implementing a trust-free model?

I don't think it is possible in any way. Complying to government regulations for having a trustless and de-centralized business model, is directly opposite to each other. But I believe government needs to step in here to provide a proper framework for the ICOs operating from their soil. On 16 Feb, Swiss regulator FINMA provided a very basic framework for the ICOs operating from their country. While the main framework is not very extensive and have many opportunities to improve, I like the part where all ICO owners need to submit proof of their identity to the government. The pdf can be obtained from the below article. Click on the "guidelines" hyperlink. 

https://www.coindesk.com/switzerland-will-treat-some-icos-as-securities-finance-regulator-says/

Go to page number 9 of the PDF where it has given the directives to the ICO owners on the data they need to submit before opening an ICO in their country. That's a welcoming move. At least the government will have all details of the ICO owners. It will significantly reduce the possibility of scam. But that doesn't really apply for the trustless business model.

So to your question, I have no idea. But such kind of framework can help bring back the trust within the ICO market and reduce the risk of investors.

 

[audaciousbeing]

As the thread subject mentioned, I strongly believe the KYC documents requirement from the ICOs will open up a new area of scam to the world, much larger than the ICO itself.

Reason 1:
The basic idea of crypto currency is de-centralization and anonymity. I understand that ICO will have to comply with the regulatory requirements, but isn't it directly challenging the basic idea of crypto currency? If KYC is required for every ICO, then the whole idea of de-centralization and anonymity is gone. The ICO requirement should be the other way around. Means, every ICO should provide a proper KYC documentation to the public so that investors can be assured that they are not dealing with a bot or a child operating from his home computer.

Reason 2: (this is a big threat)
KYC means "Personally Identifiable Information" and it is a very serious level of data. Most of the governments have a very stringent rules against the breach of PII data, especially in USA. The SSN numbers of USA residents are traded in darkweb for $5-$10 each based on the details available. While most of the ICO owners are not identifiable to public (linkedin and FB profile can't be considered as valid here), they can secretly open up a secondary market for PII data, that will provide them an extra layer to their income. Most of the ICOs are not compliant with the infosec policy of many countries. No one is sure, what is going to happen with their data. It leads to a much larger future scam.

Reason 3:
It provides a big opportunity to the ICOs to deny the bounty hunters from their payment even after their promotional efforts. I am not sure we have already encountered some of these, but I am sure it will happen in future. I have seen no ICO bounty thread mentioned anything about the KYC requirement. There is no upfront communication. However, they may come back saying that KYC needs to be done before the bounty rewards can be released. That's complete miscommunication and cheating. If the ICOs can be upfront on their KYC requirement (which they are not), only bounty hunters and investors will join who can fulfill the requirement. The campaign managers needs to be upfront in this matter.

*While I don't know what needs to be done in order to regularize the first two reason, the third reason can be solved via upfront communication. Please share your thoughts.

While I will not directly condemn the use of KYC from ICOs because of the regulatory requirement, the concern is the whole of ICOs asking for it if they are all doing it because of regulatory requirement of if its because they are doing it for their own primary purpose or joining the bandwagon and if they are asking for regulatory purpose, the question to ask is who is then the body doing the regulation?

Today, virtually all ICOs coming out today, wants use to join the 'whitelist' even to those developers that don't even know what it means to be on a whitelist which to me is not even relevant because majority are even trying to meet the Soft cap not to talk about the Hard Cap and if they cannot raise the required amount, it then means that the project would likely be abandoned and the question again is what happen to the data collected by those that joined the 'whitelist'?

I agree that this will bring about a new wave of scam because information gathered can then be sold to those who wants to use it to spam, generate an email to ensure unsuspecting individuals just click and then becomes vulnerable, specific emails because their target audience mails have been gotten already.

[sparkystacey]

While for some the point of cryptocurrency is anonymity, the reality is the real value for most it is reducing barriers and serving the underbanked. True anonymity is only a nice to have for most. For the larger ICO market that spans beyond cryptocurrency, blockchain is opening up a new economy of doing business - with reduced barriers. Certainly businesses are motivated to know and serve their customers as it is a primary marketing tool and feedback loop. For those that seek anonymity, products and services will emerge for them. For most businesses, they will naturally seek out KYC to many levels for marketing purposes and to ensure they are not an accidental front for money laundering, and to ensure business continuity in the face of regulation.

The security perspective to prevent hacks like Equifax is something we need to develop better practices and technologies for to safeguard. I see some companies out there doing some work to this end already, for instance the co-founder of Ethereum has a company Consensys (https://new.consensys.net/)that appears to be working on these issues.

The real answer is while technology (and cryptography) can help secure investors, there will never be an excuse to not do your own due diligence. Never share your private info with someone you don't trust.

[Vektrum]

I agree that the verification of KYC by the companies conducting the ICO is quite a big and urgent problem that is waiting for its immediate solution. Neither investors nor members of the generosity campaign can be sure that their personal information and copies of passports will not be used for any unlawful purposes. It's no secret that among the ICO companies there are a lot of scammers and transferring their identification data and copies of passports in such a situation is very dangerous. Regulatory authorities, if they require the collection of such information, must guarantee at least that such ICO teams will not be fraudulent.

[Bagaji]

From my observation so far here in the forum and from the bounty campaign which i have participated in the past , i believe that your submission number three is one of the main reason why ICO and campaign manager will required participants to provide KYC . This help the manager / ICO to identify bounty Hunter from countries that are not qualified to participate in campaign.

[matuson]

I agree that the verification of KYC by the companies conducting the ICO is quite a big and urgent problem that is waiting for its immediate solution. Neither investors nor members of the generosity campaign can be sure that their personal information and copies of passports will not be used for any unlawful purposes. It's no secret that among the ICO companies there are a lot of scammers and transferring their identification data and copies of passports in such a situation is very dangerous. Regulatory authorities, if they require the collection of such information, must guarantee at least that such ICO teams will not be fraudulent.

KYC is a Bank structure. Do you believe that they will only fight fraudsters? I have a friend. He is from Ukraine. It cannot pass the KYC check on THE cex stock exchange.IO. I have not heard that Ukraine is on the list of banned countries. There are no sanctions against this country either. Where is the guarantee that this mechanism will not be used against the ICO?

[olubams]

I can say aside the exchange site that I see the need to have a KYC policy in place other are just making life difficult and more of repitition of functions. Every investors in ICOs wants to buy when its worth is low then sell when its high but that is not possible without exchange sites which means when the exchange sites insists on KYC there is no reason why any other body and not iCOs to say the least requesting for KYC. It defeat the entire purpose of anonymity.

[Johnyz]

I think think this is right.
But I don't think it follows what cryptocurrency is, since it is decentralized.

Decentralized market is slowy changing and KYC is the first step to define it. Though KYC is really for the protection of every investors, I still believe that if you give too much information from any ICO, your personal information is on risk and may result to a scam.

[leopard2]

The whole point of crypto and also (security) tokens IMHO is that they are highly portable bearer instruments

Most stocks and of course bank accounts are registered securities, and not portable either, so you cannot own them. Same with real estate. All those things must be considered borrowed; the government lets you use it ... until they decide to punish you for whatever reason.

So today, if government goons talk about KYC and AML, they are the bad guys, not the good guys.

Steve "Batman" Mnuchin and all the SEC/Fincen/CFTC/whatever are not concerned about investor safety, they are concerned about the modern version of the Swiss bank account.

https://www.bloomberg.com/news/articles/2018-01-12/mnuchin-warns-against-bitcoin-becoming-next-swiss-bank-account

In Nazi Germany, Jews were persecuted. And what they considered to be their property, was seized. With the exception of the money that was sitting in Swiss bank accounts. How can property, ownership, and privacy be marketed as something negative? How insane has our society become?

The KYC/AML craze is a reversal of evidence, it is turning everyone into a potential criminal from the first second of a business relationship! It is pure communism/stalinism; KYC/AML is very un-American; I wonder what the founding fathers would have to say about today's regulatory landscape.

There is no point in registered or "KYC"ed crypto or ICOs, none at all. I would not spend a penny on them.  

Btw. if this was about investor protection, no KYC would be needed for that at all, just scrutinizing the ICO's. Mind you, Gox had KYC, Madoff did KYC...., Enron shares were registered securities with full KYC, the list goes on and on

[BTRIC]

The KYC/AML craze is a reversal of evidence, it is turning everyone into a potential criminal from the first second of a business relationship! It is pure communism/stalinism; KYC/AML is very un-American; I wonder what the founding fathers would have to say about today's regulatory landscape.

There is no point in registered or "KYC"ed crypto or ICOs, none at all. I would not spend a penny on them.  

Btw. if this was about investor protection, no KYC would be needed for that at all, just scrutinizing the ICO's. Mind you, Gox had KYC, Madoff did KYC...., Enron shares were registered securities with full KYC, the list goes on and on

Hi leopard,

I completely agree that the place the standards need to be applied is in ICO/ITO issuers, to rate their quality, security, and really evaluate the project potential in a standardized manner.  So many scams out there.  In addition, I also believe standards should be applied to crypto businesses such as exchanges.  When you're dealing with electronic money or other cryptoassets that can be stolen just like someone breaking into your house or business, it's important to know that the exchanges have in place best-practices for security.  Most people wouldn't trust a million dollars to just be sitting inside of their shed, with no security to speak of besides potentially a padlock.  With cryptoassets, we are talking about much more value than $1 million in many cases, trusted to businesses with unknown security.  Some do a great job, some are horrible.

My organization is looking at having a set of 1.0 standards during April.  The first draft will be published to GitHub soon and public comment and participation is welcomed.  It's all open, usable by anyone.

Voluntary standards can improve on this situation.  No standards would be forced on anyone, but voluntary standards can become "expected".  They need to take into account the unique factors of the various different types of cryptoassets and other businesses.  It can also help us stave off government regulations, by demonstrating self-regulation.  They're going to stick there noses in this field whether or not we want it, but I believe that there's ways to encourage "light touch" regulations that don't stifle innovation.  I agree with much of Coin Center's position on regulatory matters, but there's some areas where I believe a more permissive approach is needed.

As far as KYC with ICO investors, I believe the current framework that is basically bolted on from the model that banks use is inappropriate for many/most "ICO" investments.  There may be exceptions, but the more we go down the "securities" path, the more concerned I become about heavy regulation that will favor large financial institutions and hurt new entrants and small, but innovative, organizations.

Best regards,
Ben

[Jekbolt]

I think that ICOs don't have a choice...if they will not collect KYC then they can be blamed to take money from potential "terrorists".
also there can be a problem in the future to list in a "good" exchange if not collect that date. Maybe I am wrong.

[BTRIC]

I think that ICOs don't have a choice...if they will not collect KYC then they can be blamed to take money from potential "terrorists".
also there can be a problem in the future to list in a "good" exchange if not collect that date. Maybe I am wrong.

Yeah, as we see the U.S. definitions evolve -- not through regulations but rather by court cases and letters to Congress (novel way that will probably stick until/unless Congress gives them additional legal authorities), it's clear that a crypto-centric SRO needs to get organized or the large financial institutions are going to run the tables.

They're basically pointing all exchanges at FINRA which is legacy finance's largest SRO.  Good luck with that.

I'm thinking on this issue and am going to reach out to a bunch of people/organizations.

Best regards,
Ben

[Lieldoryn]

I think that ICOs don't have a choice...if they will not collect KYC then they can be blamed to take money from potential "terrorists".
also there can be a problem in the future to list in a "good" exchange if not collect that date. Maybe I am wrong.

I don't understand such prohibitions. Well let's say the man stole the money. He can always keep them in cash. If he invests them in ICO, they will work for the country's economy. I think that's the best option. Of course I am against organizing an ICO for the production of an atomic bomb. But any legitimate activity must be supported.

[BTRIC]

I think that ICOs don't have a choice...if they will not collect KYC then they can be blamed to take money from potential "terrorists".
also there can be a problem in the future to list in a "good" exchange if not collect that date. Maybe I am wrong.

I don't understand such prohibitions. Well let's say the man stole the money. He can always keep them in cash. If he invests them in ICO, they will work for the country's economy. I think that's the best option. Of course I am against organizing an ICO for the production of an atomic bomb. But any legitimate activity must be supported.

It's all about "money laundering and terrorism financing" is what they say.  The reality, a lot of it is about tax evasion.

Many, but not all, people in crypto already "trust" at least one entity with their KYC information, that being an exchange that allows buy/sell to their fiat bank account.  I think these organizations should work together on a model KYC policy that if you're known to one member of the group, it can be attested to that your KYC is on file.  A decentralized way to accomplish this would be nice, I've sketched out some ideas.

I've seen some third-party ICO's that are trying this angle, but it might be better to go to the exchanges and see if they'll get on board.  I've had to do similar work before to track traceability of food, different providers made certain attestations that were relied upon without actual transfer of the information in 99% of cases.

I'm looking into this because it's definitely becoming "a thing" from the regulators perspective.

Best regards,
Ben

[Jekbolt]

I think that ICOs don't have a choice...if they will not collect KYC then they can be blamed to take money from potential "terrorists".
also there can be a problem in the future to list in a "good" exchange if not collect that date. Maybe I am wrong.

I don't understand such prohibitions. Well let's say the man stole the money. He can always keep them in cash. If he invests them in ICO, they will work for the country's economy. I think that's the best option. Of course I am against organizing an ICO for the production of an atomic bomb. But any legitimate activity must be supported.

 I think these organizations should work together on a model KYC policy that if you're known to one member of the group, it can be attested to that your KYC is on file.  A decentralized way to accomplish this would be nice, I've sketched out some ideas.

Yes, it would be great if only one entity had request KYC info from a user with periodical updating and then share that info with another entities authorised by a user to share such personal info. It would safe a lot of money for the crypto industry and speed up its growing.

Such 'one' entity could focus only into the protection of that data.

[BTRIC]

I think that ICOs don't have a choice...if they will not collect KYC then they can be blamed to take money from potential "terrorists".
also there can be a problem in the future to list in a "good" exchange if not collect that date. Maybe I am wrong.

I don't understand such prohibitions. Well let's say the man stole the money. He can always keep them in cash. If he invests them in ICO, they will work for the country's economy. I think that's the best option. Of course I am against organizing an ICO for the production of an atomic bomb. But any legitimate activity must be supported.

 I think these organizations should work together on a model KYC policy that if you're known to one member of the group, it can be attested to that your KYC is on file.  A decentralized way to accomplish this would be nice, I've sketched out some ideas.

Yes, it would be great if only one entity had request KYC info from a user with periodical updating and then share that info with another entities authorised by a user to share such personal info. It would safe a lot of money for the crypto industry and speed up its growing.

Such 'one' entity could focus only into the protection of that data.

That's the plan.  Though it's not "one" entity in that it's a centralized point.  It's the one entity that YOU trust, which may not be the same as the entity that I trust.  All of the entities will be following the same rules for KYC, in federation essentially.  I don't want it to be a single, solo entity because that gives them too much power and control.  But sure, a few leaders that have earned trust for safeguarding the information would be the probable result.  But there's nothing stoping a new entity from coming into the field.

I have this on the drawing board, I want to make something of it.  I believe it would have great utility across the crypto field, and I've spoken to attorneys that believe if it was designed in the right way it would be fully legal and compliant.

Best regards,
Ben

[Proton2233]

After the appearance of such a regulator, the basic rule will be violated is decentralization. Very bad intentions can be concealed under a good pretext. Money and power spoil people. Who can guarantee that this body will not eventually turn into a repressive apparatus? I think I need another solution to this problem.

[SixOfFive]

Document provided in ICO's for KYC completion may create some chaos if the ICO Team is fraud. We should never share our official documents on any open platform for KYC like telegram etc as it may create more problems for us. We should always submit the documents as per the process decided by the co. which is usually confidential.

[BTRIC]

After the appearance of such a regulator, the basic rule will be violated is decentralization. Very bad intentions can be concealed under a good pretext. Money and power spoil people. Who can guarantee that this body will not eventually turn into a repressive apparatus? I think I need another solution to this problem.

The ideal scenario is that a business you already trust, such as your fiat/crypto converter, has performed KYC as a part of your account onboarding with them.  Then they could participate in this pool and they would be the place you already trusted.  The data itself would be decentralized and in the custody of that business, acting as a KYC trustee. 

Working out some details related to different KYC jurisdictions.  Also have to sketch out under what conditions the information would be released, such as judicial order, etc.

KYC goes both ways in some sense.  Personally, I hope it eventually goes away entirely, or nearly entirely, but while it's necessary, I'm trying to find a way to comply that is as easy as possible for everyone involved and balances privacy issues.

I'm looking at Visa's model, they require KYC be done by banks in order to issue certain products as well as for merchant processing services.  They have to deal with different KYC requirements all over the planet.  I'm applying to that the FinCEN guidance on KYC but making it a more even system.

I also believe that ICOs should have to do KYC type verification so that you know who you're investing in.  The other day there was an ICO people were memeing on Twitter that used Ryan Gosling's picture as one of their team members.  That crap has to stop.

Best,
Ben