I would appreciate If someone could explain to me a few things about how exchanges work when it comes to KYC/AML.
It seems like a lot of exchanges (even the ones that have no fiat involved) start to ask users for documents at a certain period of time, for some reason. I can't seem to understand why.
If it's because of the laws of the country the exchange is operating in, then why not start by these document verification when launching the exchange? If that has nothing to do with it, then why ask for KYC in the first place?
It probably has more to do with
where their customers reside than where the exchange operates from. For instance, any exchange that does business with US residents falls under FinCEN's jurisdiction. FinCEN published guidance in 2013 that applied its rules to Bitcoin services. A few highlights:
Businesses that accept bitcoin from one person and send it to another are money transmitters, and are not exempt from money transmission regulation simply because they do not deal in fiat currency.
Any business that exchanges fiat currency for virtual currency – or even one virtual currency for another – is a money transmitter.
Money transmitters are required to file a Suspicious Activity Report (SAR) when they suspect "transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act." Filing an SAR requires all the typical KYC information. They also need to file a currency transaction report (CTR) for transactions involving more than $10,000.
Also, If a group of developers decides to make an exchange, and they have no physical offices and they decide to host it somewhere else in the world (Cloud). Should they go with the laws of their country or where their servers are?
Your biggest worry is the laws where your customers are. To be safe, you want to be legally covered where you reside, where you operate from, and where you do business.