Canada: Using Blockchain For KYC/AML Compliance

Last Updated: June 13 2019
Article by Ryan Middleton

Blockchain is a polarizing technology – some people argue that it is all hype and lacks true use cases; while others are convinced that it will radically revolutionize certain areas of business. For many, blockchain was originally synonymous with Bitcoin and other cryptocurrencies. However, in the past two years, an increasing number of commentators are now waking up to the fact that blockchain technology can be deployed to solve friction inherent in certain business functions. One of those use cases is using blockchain to improve KYC/AML compliance regimes.

Banks, insurance companies and other financial service providers (collectively, FIs) around the world allocate substantial resources to "Know Your Client" (KYC) and "Anti-Money Laundering" (AML) compliance programs. According to a 2016 Thomson Reuters report, FIs individually spend anywhere from US$60 million to US$500 million annually on KYC/AML compliance.1 Furthermore, as regulatory regimes around the world become more complex and penalties for regulatory non-compliance become increasingly punitive (both from a cost and a reputational standpoint), these compliance costs will continue to rise. Existing compliance costs are at least partly driven by inefficiencies in compliance programs, which are generally paper-based, require substantial manual human input, and often result in the duplication of work both within and between FIs.

In addition to the massive costs of KYC/AML compliance, FIs are increasingly under client pressure to facilitate transactions in an expedited manner. Unfortunately, in many cases, current compliance programs are manual, fragmented and slow, all of which impedes the client's business and can potentially damage the client relationship. 

Which blockchain platform is appropriate?

Not all blockchain platforms are appropriate for all purposes; some are better suited to certain enterprise use cases. In the case of managing and interacting with FIs and their data, it is increasingly clear that the private, permission-based model offered by distributed ledger technology (DLT) (a type of blockchain) is best suited to handling KYC and AML compliance. FIs have invested substantial amounts of time and money in the development of DLT, and have completed a number of successful "proof-of-concept" tests using this technology. For example, in June 2018, Synechron and R3 (which represents more than 300 partner members across multiple industries and jurisdictions) tested a KYC compliance system built on DLT. This proof-of-concept completed 300 KYC transactions involving 39 participants across 19 countries.2 FIs, as part of this proof-of-concept system, were able to request access to a customer's KYC test data, while customers could approve requests and revoke access to personal data at their discretion. Customers were also able to update their test data, which was then automatically updated on the DLT platform, where all FIs that had permission could access it.

How DLT can solve inefficiencies in existing KYC/AML processes

The existing KYC/AML processes used by most FIs contain certain inefficiencies, including (1) information asymmetries between FIs and regulators; (2) the duplication of KYC/AML compliance work completed within and between FIs; and (3) FIs spending a disproportionate amount of time and resources on manually validating and coordinating the completion and reconciliation of KYC/AML documentation, as opposed to assessing client risk.

1. Information Asymmetries between FIs and Regulators

Because FIs are mandated to prepare and submit compliance reports to regulators, many aspects of the existing KYC/AML workflows between FIs and regulators require FIs' employees to review and manually reconcile a substantial amount of paper documents, resulting in significant labour costs, and increasing the risk of human error and frustrating the client. DLT would: (i) reduce the use of paper documentation; (ii) reduce the time spent manually reconciling documents; and (iii) increase the speed of verifying the KYC data.

2. Duplication of Compliance Efforts Between and Within FIs

FIs do not typically share KYC/AML information with each other, and often fail to share that information among different divisions within the same FI. Therefore, where a transaction involves multiple banks (or a client uses multiple banks for different banking needs), each FI independently expends resources to validate the KYC/AML data of that client without any cooperation, coordination or information sharing between the FIs. Additionally, some FIs do not maintain central internal databases of a client's KYC/AML data. Consequently, some clients have to re-submit their KYC data (i.e., proof of address, identification documents, etc.) to the same FI on multiple occasions when applying for services from a different division of that FI. This separate and independent replication of KYC/AML diligence is extremely costly, inefficient and slow.

The duplication of compliance efforts results in FIs spending substantial resources on investigating "false positives" (transactions flagged for non-compliance with KYC/AML rules that turn out to be legitimate and legal). According to IBM, some FIs reported that up to 98 percent of transactions flagged for KYC/AML non-compliance turned out to be false positives.3 For each flagged transaction, an FI must conduct costly, manual due diligence to determine KYC/AML compliance. To put this in perspective, if a client is working with five FIs on a particular transaction, and each FI undertakes its own KYC/AML diligence, and such diligence then uncovers multiple false positives that are independently investigated by each FI, it is easy to understand how compliance costs rapidly escalate.

3. Most Resources are Spent Validating Documents as opposed to Assessing Risk

KPMG estimates that FIs currently spend 80 percent of all KYC/AML resources on reconciling documentation, and only 20 percent on assessing the KYC data and assessing client risk.4 By adopting DLT, more human resources could be spent analyzing the risk of the underlying KYC and transaction data, while relying on DLT to automate and streamline the organizing, sharing and validating of the KYC data.

How DLT can reduce KYC/AML compliance costs

According to BIS Research, a US-based market intelligence firm, using DLT in KYC/AML compliance programs could reduce an FI's administrative costs associated with KYC/AML compliance by 90 percent, generating total aggregate cost savings for all FIs of between US$6 billion and US$8 billion per year.5

DLT promises to address some of the current inefficiencies inherent in an FI's KYC/AML compliance program by using a technology platform that allows FIs (with the consent of the client) to share a client's KYC/AML data: (i) internally among divisions of an FI; and (ii) with other FIs, in each case using a secure and private DLT platform. Unlike a public blockchain such as the Bitcoin blockchain, a private, permission-based platform built on DLT comprises, and is accessible only to, a group of selected parties. Using this technology will enable FIs to rely on the same shared, secured and auditable source of digitized client information, instead of having to collect and verify the information individually and repeatedly.6

DLT could also streamline information flows between FIs and regulators. Using a private, permission-based DLT platform, regulators could have secure and direct access to an FI's compliance system, and pull compliance reports from FIs themselves. This sharing of information would enable FIs to demonstrate their regulatory compliance in real-time, thereby improving transparency with regulators and dramatically reducing FIs' compliance costs.

How DLT works in KYC/AML compliance

The following discussion provides a high-level example of how KYC/AML compliance could work using DLT.7 For your reference, this explanation is also diagrammed in Figure 2, below. It is important to note that FIs would rely on the permissioning built into the DLT platform to ensure that only approved entities have access to the system and the data stored on it. Once an FI or regulator is approved to participate on the DLT platform, further restrictions can be added to limit that entity's access to specific data contained within the platform.

Step 1: Client Creates a Profile on the KYC/AML DLT System

When an FI first launches a DLT-based KYC/AML compliance system, a client will have to complete a one-time set-up of their digital profile (Client Profile). The Client Profile contains (among other items) proof of the client's identity (i.e., driver's licence/passport information) and completed versions of required KYC/AML regulatory documentation (KYC Data). Once uploaded, the KYC Data is accessible by the applicable FI for verification. The location where the Client Profile and associated KYC Data are stored is customized for each system. Storage options include using a centralized, encrypted server operated by a third party, storing data solely on an FI's own private servers, or uploading documents to the DLT platform itself.  

Step 2: Client Engages in Transaction with FI #1

When the client engages FI #1 for a specific transaction, the client grants FI #1 access to the Client Profile. FI #1 then manually verifies that the KYC Data hosted on the Client Profile is valid (using its existing KYC/AML compliance processes).

Once FI #1 verifies the veracity of the KYC Data, it saves a copy of the KYC Data on its own server (not on the DLT platform; accordingly, the KYC Data is deemed to be stored "off-chain"), and uploads to the DLT platform a "Hash Function" (a fixed-length string of letters and numbers computed from the contents of the file, used to identify and represent that piece of KYC Data). Finally, FI #1 transfers digital copies of the KYC Data (embedded with a Hash Function that matches the Hash Function uploaded to the DLT platform) to the Client Profile.

It is important to note that the Hash Function does not contain the contents of the KYC Data (it only serves as the code name of a specific file). Figure 1 below shows how KYC Data from the client's digital profile appears only as Hash Functions on the DLT platform.8

Figure 1 – How a client's confidential information appears to FIs on the DLT platform

If the KYC Data (which is stored on the Client Profile) is altered in any way, the Hash Function computed from the altered KYC Data would immediately cease to match the Hash Function recorded on the DLT platform. Therefore, other FIs, where permitted under applicable law, could have the ability to rely upon the review of the KYC Data by FI #1, as opposed to having to review the KYC Data themselves. Furthermore, if the KYC Data is ever altered, the Hash Function of the altered KYC Data will not match that posted on the DLT platform, causing the system to automatically alert the other FIs to the change.

Step 3: The Client Engages FI #2 in a Separate or Related Transaction

FI #2 requires the client to complete the same KYC/AML documentation required by FI #1. Upon receipt of such request from FI #2, the client would grant FI #2 access to the Client Profile. FI #2 would then review and compare the KYC Data (and the Hash Function embedded therein) with the Hash Functions uploaded to the DLT platform by FI #1. If the two Hash Functions match, then FI #2 knows that it has received the same, unaltered KYC Data already validated by FI #1.

If the Hash Functions do not match, then FI #2 would need to manually validate the KYC documents (in accordance with its standard KYC/AML processes). This could occur as a result of the client altering the KYC Data initially uploaded to the Client Profile or uploading additional KYC Data to the Client Profile.

Step 4: The Client Uploads Updated KYC/AML Documents onto the Network (If Applicable)

If the client obtains a new driver's licence or passport (or the KYC Data originally posted to the Client Profile otherwise changes), these documents must be uploaded and validated in the system. This creates a potential inefficiency for participating FIs. For example, does each FI now need to individually validate the new documents and update its systems accordingly? To avoid this, FIs can leverage smart contracts to automatically update their systems when the client provides new documents. Specifically, the client submits the updated documents to only one FI, which then validates and attests to their authenticity. That FI then broadcasts the change (in the form of a new Hash Function) through the blockchain to the other participating FIs.
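The four steps above, modelled end to end as an added example (this is not code from the article, from R3/Synechron or from any DLT vendor): SHA-256 is assumed as the "Hash Function", and the ledger, the off-chain Client Profile store and the FI and employee identifiers are hypothetical in-memory stand-ins. It also records who attested each document, which is the audit trail the "Ensuring the Validity" section below relies on.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

def fingerprint(document: bytes) -> str:
    """SHA-256 hex digest of a document: the value the article calls a 'Hash Function'."""
    return hashlib.sha256(document).hexdigest()

@dataclass(frozen=True)
class Attestation:
    """On-chain record: the digest plus who validated it (the audit trail), never the document."""
    doc_name: str
    digest: str
    attested_by: str   # FI that validated the document
    validator: str     # employee who performed the validation
    version: int

class Ledger:
    """Permissioned, append-only ledger shared by member FIs (hypothetical, in-memory)."""
    def __init__(self, members: List[str]) -> None:
        self.members: Set[str] = set(members)
        self.records: List[Attestation] = []

    def publish(self, att: Attestation) -> None:
        if att.attested_by not in self.members:   # only approved participants may write
            raise PermissionError(f"{att.attested_by} is not a platform member")
        self.records.append(att)                  # nothing is ever overwritten

    def latest(self, doc_name: str) -> Optional[Attestation]:
        matches = [a for a in self.records if a.doc_name == doc_name]
        return matches[-1] if matches else None

    def audit_trail(self, doc_name: str) -> List[tuple]:
        return [(a.attested_by, a.validator, a.version)
                for a in self.records if a.doc_name == doc_name]

class ClientProfile:
    """Off-chain store of the KYC Data; the client decides which FIs may read it."""
    def __init__(self) -> None:
        self.documents: Dict[str, bytes] = {}
        self.grants: Set[str] = set()

    def upload(self, name: str, content: bytes) -> None:
        self.documents[name] = content

    def grant(self, fi: str) -> None:
        self.grants.add(fi)

    def read(self, fi: str, name: str) -> bytes:
        if fi not in self.grants:
            raise PermissionError(f"{fi} has no consent to read {name}")
        return self.documents[name]

def attest(ledger: Ledger, profile: ClientProfile, fi: str,
           validator: str, name: str, version: int) -> Attestation:
    """Steps 2 and 4: after manual validation (outside this model) the FI publishes the digest."""
    att = Attestation(name, fingerprint(profile.read(fi, name)), fi, validator, version)
    ledger.publish(att)
    return att

def check(ledger: Ledger, profile: ClientProfile, fi: str, name: str) -> str:
    """Step 3: a relying FI compares the document the client shares with the on-chain digest."""
    att = ledger.latest(name)
    if att is None:
        return "no_attestation"
    # Constant-time comparison; the digest alone reveals nothing about the document.
    return "verified" if hmac.compare_digest(
        fingerprint(profile.read(fi, name)), att.digest) else "mismatch"

def run_scenario() -> List[str]:
    """Walk through Steps 1-4 with constructed sample data; returns the outcomes in order."""
    ledger, profile, outcomes = Ledger(members=["FI-1", "FI-2"]), ClientProfile(), []
    # Step 1: client sets up the profile (constructed sample passport record)
    profile.upload("passport", b"passport|no=AB123456|name=J. Doe|expires=2027-01-31")
    # Step 2: client grants FI #1, which validates the document and publishes its digest
    profile.grant("FI-1")
    attest(ledger, profile, "FI-1", "emp-0042", "passport", version=1)
    # Step 3: FI #2 relies on FI #1's attestation instead of re-validating
    profile.grant("FI-2")
    outcomes.append(check(ledger, profile, "FI-2", "passport"))   # verified
    # Any change to the off-chain document breaks the match, so FI #2 must re-validate
    profile.upload("passport", b"passport|no=AB123456|name=J. Doe|expires=2037-01-31")
    outcomes.append(check(ledger, profile, "FI-2", "passport"))   # mismatch
    # Step 4: the client submits the renewed document to one FI only, which re-attests
    attest(ledger, profile, "FI-1", "emp-0042", "passport", version=2)
    outcomes.append(check(ledger, profile, "FI-2", "passport"))   # verified
    # A party outside the permissioned group cannot write to the ledger
    try:
        ledger.publish(Attestation("passport", "00", "FI-X", "emp-1", 3))
    except PermissionError:
        outcomes.append("write_rejected")
    return outcomes
```

Note that the ledger never holds the passport itself, only its digest, so a party with ledger access but no client consent learns nothing about the document's contents.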

Figure 2 – Example of a Blockchain-Based KYC/AML Compliance System

Addressing legal and business challenges

Prior to implementing blockchain-based KYC/AML systems, FIs must identify and address the following challenges:

1. Standardizing KYC/AML Documentation

To develop a KYC/AML compliance system that can be used and shared by multiple FIs, the participating FIs must agree upon certain standard KYC/AML forms and processes that will be acceptable to them. This will be difficult to accomplish, as each FI will have their own internal risk profile and procedures that they are comfortable with. Furthermore, even if the FIs can agree upon a certain standard, such standards and documents will then need to be interoperable with the various legacy systems of each FI, and be compliant with any applicable laws or procedures mandated by applicable regulators.

2. Data Privacy Concerns for Data Stored on the Blockchain

There are a number of issues related to data privacy to consider.

(a) Protecting clients' confidential information is a top priority for FIs. At a high level, the design of blockchain-based KYC/AML systems addresses these concerns in three ways. First, a "self-sovereign" system (as discussed above) allows a client to authorize who can view its private information. This authorization is fluid and can change at the discretion of the client. Second, because blockchain allows FIs to share KYC Data, the client will only have to make the KYC Data available once (or less frequently), which reduces the chances of the KYC Data being compromised. Lastly, FIs protect clients' confidential information by storing documents outside of the DLT platform, and uploading only Hash Functions onto the DLT platform.

(b) FIs may not be comfortable with regulators pulling information directly from their systems at their discretion. Therefore, FIs must collaborate with regulators to ensure that access is provided in a manner and at a time that the FI is comfortable with, while also ensuring regulatory compliance.

(c) FIs must ensure their systems comply with relevant data privacy legislation. For example, the EU's General Data Protection Regulation (GDPR) provides for the public's "right to be forgotten". This appears to conflict with the fundamentally immutable nature of blockchains (i.e., once data is loaded into the blockchain, it cannot be deleted). Accordingly, further legal analysis is needed to understand whether the GDPR applies to specific client information identified by a Hash Function.

3. Ensuring the Validity of Verified KYC/AML Data Stored on the DLT Platform

As discussed above, a major benefit of blockchain technology in KYC/AML compliance is that it eliminates the duplication of multiple FIs validating the same set of documents. Although efficient and cost effective, this system creates the possibility that fraud or mistakes in validating documents will not be detected by other FIs on the DLT platform. This requires that (i) all of the FIs agree on the steps that must be completed before KYC Data is treated as validated; and (ii) substantial trust is established in each of the network's participants to properly verify client documents. DLT mitigates this issue by creating a permanent record and audit trail of when, and by whom, each document was validated (i.e., the identity of the FI employee that validated a specific document), and therefore promotes accountability in the system.

4. Incentivizing the Sharing of Information Between FIs

FIs must be incentivized to share KYC Data on a DLT platform. The more FIs that contribute to the platform, the greater the cost savings for participating FIs.

One emerging solution for incentivizing FI participation on the DLT platform is paying an FI to validate the KYC Data. FIs that perform the original validation of client KYC/AML Data could be compensated by each FI that accesses and relies upon the validated KYC Data. This motivates participating FIs both to protect client information and to properly attest KYC Data. If an FI fails to do so, it could lose out on incremental revenue, as other FIs choose not to rely upon the KYC Data attested by that FI. Alternatively, an FI could be removed from the platform altogether for non-compliance with the network's specific data integrity standards.


In today's interconnected world, people are sharing their personal information at an unprecedented rate, which will likely continue due to the arrival and adoption of 5G, IoT, open banking and other technological advancements. Organizations are and will continue to be expected to obtain, process and verify this personal information in a quick and efficient manner, while at the same time safeguarding such information from being hacked and complying with KYC/AML legislation. DLT is a tool that could be utilized by FIs to satisfy these foregoing requirements.

This article was co-authored by Jesse Collins-Swartz a summer law student in the Toronto office.


  1. Euro Banking Association, "Cryptotechnologies: Improving Regulatory Compliance".
  2. World Economic Forum Report, "The future of financial infrastructure".
  3. Deloitte, "Over the Horizon: Blockchain and the future of financial infrastructure".
  4. R3, "Case Study: How Synechron enabled 39 firms to complete a global trial of self-sovereign corporate KYC processes based on R3's Corda blockchain platform".
  5. Refinitiv, "A Blockchain Enabled KYC Solution: New Horizon or False Dawn?".
  6. Hong Kong Monetary Authority, "Whitepaper 2.0 on Distributed Ledger Technology".
  7. Coin Central, "Storing Documents on the Blockchain: Why, How, and Where".
  8. Coin Telegraph, "26 French Companies, Five Banks Complete Blockchain-Based KYC Trial Based on R3's Corda".
  9. Hong Kong Monetary Authority, "Whitepaper On Distributed Ledger Technology".
  10. R3, "Blockchain KYC/AML Utilities for International Payments".
  11. Thomson Reuters, "Thomson Reuters 2016 Know Your Customer Surveys Reveal Escalating Costs and Complexity" (9 May 2016).
  12. R3, "Knowing your customer: blockchain's ultimate killer app?" (23 October 2018).
  13. KPMG, "Could blockchain be the foundation of a viable KYC utility?" (2018).
  14. BIS Research, "Blockchain Technology in Financial Services Market - Analysis and Forecast: 2017 to 2026" (Online Executive Summary) (2017).


1 Thomson Reuters, "Thomson Reuters 2016 Know Your Customer Surveys Reveal Escalating Costs and Complexity" (9 May 2016).

2 Also see the successful proof-of-concepts completed by (i) a consortium of IBM, Deutsche Bank, HSBC, Mitsubishi UFJ Financial Group and the Treasuries of Cargill; and (ii) a project led by the Financial Services Regulatory Authority of Abu Dhabi.

3 Euro Banking Association, "Cryptotechnologies: Improving Regulatory Compliance" (2018) at 10.

4 KPMG, "Could blockchain be the foundation of a viable KYC utility?" (2018) at 2.

5 BIS Research, "Blockchain Technology in Financial Services Market - Analysis and Forecast: 2017 to 2026" (Online Executive Summary) (2017).

6 Hong Kong Monetary Authority, "White Paper 2.0 on Distributed Ledger Technology" (2017) at 20.

7 Adapted from a report published by the Hong Kong Monetary Authority.

8 Adapted from a report published by the Hong Kong Monetary Authority.
