On Coinbase, KYC and Regulatory Compliance

What information is stored, for how long, and why it's good/bad.

ciefa.eth

As you all know, there was recently a data breach at Coinbase, where a lot of customer data was leaked.

And more recently, the KYC pictures and a complete dox of Solana's co-founder and his wife were made public.

I keep seeing posts where people are caught off-guard and are surprised that Coinbase even stores them.

What if I told you that:

  • They have to do it

  • Every CEX that's KYC'ing customers does it

  • CS agents can usually access your complete data, including KYC photos and CDD files

And what if I told you that you kinda would want it this way, if you're a CEX user?

The solution? Stop relying on CEXs :)

A quick intro about me

Before I get into some more details, let me quickly tell you a bit about me.

I've been in this space for many years now and I have worked for 3 CEXs so far. Two European CEXs, one global/Asian.

My roles were Customer Support/Customer Support Compliance, besides others not relevant to this topic.

Accessing customers' data, including their KYC data/pictures, was my daily bread and butter.

The topic of regulatory rules and compliance with them by companies is very fascinating to me (note: that does not mean I advocate for it) and I've spent quite a bit of time reading on it - but I'm not a lawyer and have no legal background.

What do I think of CEXs?

They're convenient, that's it. Nowadays there's really no reason to use them unless you want to >conveniently/easily/fast< off-ramp.

You're an investor and need good liquidity?

DEXs solved it by now.

You're a trader and need good UI/UX, good liq and speed?

DEXs/Perp platforms solved it by now.

We are not in 2020 anymore.

It's kinda crazy to me that CEXs still get as much business as they do.

Having worked at CEXs, and having had contact with a person who started a new CEX from the ground up, I got to see many of the inner workings and it was super interesting.

That being said, I'm a decentralization, self-custody and privacy advocate, so PLEASE check out:

  • kycnot.me

  • Farcaster

  • Monero

  • Railgun and other privacy tools on/for Ethereum

  • Regulatory Directives for your jurisdiction.

    Many people find compliance/regulatory boring, but it really is far from boring. Plus, it affects you literally every day. Learn about it already!

Your Data on CEXs

Note: I am only talking about CEXs with KYC here. CEXs without KYC are a topic of their own (let me know if you want me to write about them!)

I am European and have mostly worked for European CEXs, so pretty much all of my knowledge is about EU CEXs, EU regulatory compliance etc. Also, I'm not a lawyer; I'm self-taught, so take everything with a grain of salt.

From my experience, what is being stored:

  • Your name and address

  • Your ID/Passport number

  • Your TIN (Tax Identification Number)

  • Your IP address(es) and device ID(s) used to access the platform

  • Your deposit/withdrawal addresses, both Crypto & Fiat

  • Your trading history and history of usage of other products on the platform

  • History of changes on your account (e.g. name/address/phone number change etc.)

  • Conversations you have with customer support

Quick Side-Note on KYC, CDD and GDPR

Did you ever have to submit more documents after KYCing? Or, did you ever, out of the blue, receive a request for more information?

Welcome to "CDD" - Customer Due Diligence.

Whereas KYC is a process with a set start and end (verifying your data), CDD is an ongoing process used to measure and identify high risk users through more in-depth background checks (e.g. tax statements, financial statements and so on). Just in case you're wondering why sometimes you have to submit so many documents :)

And just like there is KYC, there is also KYB (Know-Your-Business). Anyone who has worked in CS Compliance/Compliance for a CEX that offers business accounts, and anyone who has opened a business account on a CEX, knows what a pain in the ass that process is.

On GDPR

Yes, you can request a GDPR deletion - that's your right as an EU citizen.

No, it won't delete your KYC data. It also won't delete your deposit/withdrawal data!

CEXs have to follow pretty strict regulatory compliance rules. These include keeping customers' financial/KYC data for at least 5 years after you have closed your account/requested a GDPR deletion.

What directives (in Europe) decide this, though?

AML4/5

In Europe, you have two very important directives:

Directive on Anti-Money Laundering and Terrorist Financing 4 & 5. (There's also AMLD 6 & 7 - newer additions, basically increasing scope and clarifying things)

These directives outline what you have to collect (and verify), how, and what the consequences can be if you don't.

While these directives give an outline, some things are left to the countries.

To give you an example, EU wide the following rules are active:

  • KYC identity has to be stored for at least 5 years, with a maximum of 10 years

  • Deposit/Withdrawals for both crypto and fiat, at least 5 years, maximum of 10 years

But in Germany, for example, you also have to store accounting/tax records for exactly 10 years (10 years is both the minimum and the maximum)!

So don't be surprised if after your GDPR deletion request one CEX tells you that they have to store some data for 5 years, and another one says 10 years. Depending on where they operate, they are either forced to or take the "safe route" and store it for 10 years.

Why is the data easily accessible by employees?

They need it! They have to verify it's you.

Be it the onboarding/offboarding process (usually Compliance/Risk handling it) or you wanting to request changes (CS/CS Compliance).

Want to change your phone number?

Prove that it's you actually requesting it.

Want to change your address?

Prove that it's you actually requesting it + proof that your address actually changed.

And in some way, you actually want that. Else it would be even easier for malicious actors to get into your accounts.

Please note my "even easier" - I'm very well aware of the limits and narratives pushed by AML and RegCompliance ;)

Besides that, speed is also an important factor. I know that 99% of you don't have the patience to wait 24h+ for the above changes (for good reason, I understand it) - so imagine if the process was more complex... lol.

Should I always assume that CEX employees can access my complete data?

Y E S.

DO. NOT. ASSUME. THEY. CAN'T.

If the CEX isn't a shady money-laundering front, the access is, from my experience, limited to those who need it.

Assume that the following departments/roles can access your complete and full data:

  • Customer Support/Customer Support Compliance

  • Legal, Risk/Compliance

  • Developers (ideally limited to those who actually work on the backend)

  • Leadership/C-Levels

If you are KYC'd somewhere, consider your data at risk - ALWAYS. ANY. FUCKING. TIME.

Btw, I didn't go into detail here, but keep in mind that many platforms use third-party services for KYC'ing you. They have your data too :)

What are you saying? Oh, you don't like that?

STOP USING CEXs THEN!

So what now? And is all RegCompliance bad?

If you're worried, start looking for non-KYC alternatives.

And look, I'm not suggesting that you should immediately close all your accounts on KYC'd platforms (keep in mind, they're saving your data for 5 to 10 years anyway) - but be aware of the risks that come with it.

CEXs are convenient and if you want to use them, that's okay.

Further, I want to point out that there are also legitimate reasons for these AML Directives.

I've seen it myself: transactions and account creations related to fraud, human trafficking, weapons/arms trading. This is a real thing.

THAT BEING SAID, it's NOT as big of a problem as the European Union makes it out to be (re: crypto is only for crime).

Do they want to control and monitor all of your financial activities?

I don't know and you don't either. I doubt it's as crazy/conspiracy-theory-like as many make it out to be.

But still, someone in power who has his heart in the right place and genuinely means well can still have wrong ideas/ideals/concepts, leading us to where we are today.

Not everyone is evil; most people aren't. They probably just don't know better and are being influenced by those who are evil/greedy.

Either way, the European Union has time and time again overstepped with their directives and RegCompliance requirements.

As always, it's more complex and more nuanced than many make it out to be :)

I hope with this short writing I could give you a glimpse behind the scenes!

Again, please check out:

  • kycnot.me

  • Farcaster

  • Monero

  • Railgun and other privacy tools on/for Ethereum

  • Regulatory Directives for your jurisdiction.

If you have any questions or want to know more, you can find me on Farcaster!

PS: Apologies in advance for any grammar/spelling errors, I'm neither a writer nor a native English speaker. Thanks for reading ❤️
