Compliance · 5 min read

Global KYC Requirements: A Country-by-Country Guide

Understanding KYC regulations across different jurisdictions.

Know Your Customer regulations are no longer optional footnotes in financial services. They are the bedrock upon which every digital transaction, account opening, and cross-border payment rests. Yet the specific rules governing identity verification differ dramatically depending on where your users live, where your company is incorporated, and which regulators have jurisdiction. For engineering teams building authentication and identity infrastructure, particularly in banking and financial services, this patchwork creates a formidable challenge: how do you design a single verification pipeline that satisfies regulators in Brussels, Washington, Singapore, and São Paulo simultaneously?

This guide breaks down the major KYC frameworks by region, highlights the critical differences that affect system architecture, and shows how cryptographic approaches like fully homomorphic encryption (FHE) and post-quantum signatures can satisfy compliance requirements without forcing you to store sensitive biometric or identity data in plaintext.

The European Union: GDPR Meets AMLD6

The EU operates under a dual regulatory regime. The General Data Protection Regulation (GDPR) imposes strict limits on how personal data is collected, processed, and retained. The 6th Anti-Money Laundering Directive (AMLD6) simultaneously demands that financial institutions perform thorough customer due diligence. These two frameworks create a tension that many compliance teams struggle to resolve: you must collect enough data to verify identity, but you must also minimize data collection and protect what you gather.

Key requirements under AMLD6 include verifying the customer's identity using reliable, independent source documents, identifying beneficial owners of legal entities, and conducting ongoing monitoring of business relationships. Retention periods are generally five years after the end of the business relationship, though member states can extend this to ten years.

Architecture Implication

GDPR Article 25 mandates "data protection by design and by default." For identity verification pipelines, this means biometric templates and document scans should never exist in plaintext on your servers. H33's BFV fully homomorphic encryption processes biometric matching entirely on encrypted data, with verification completing in approximately 42 microseconds per authentication. The server never sees the raw biometric, satisfying both GDPR minimization and AMLD6 verification requirements in a single API call.

United States: BSA, FinCEN, and the Patchwork Problem

The U.S. KYC landscape is governed primarily by the Bank Secrecy Act (BSA) and enforced by the Financial Crimes Enforcement Network (FinCEN). The Customer Due Diligence (CDD) Rule requires covered financial institutions to identify and verify the identity of customers, identify beneficial owners of legal entity customers, understand the nature and purpose of customer relationships, and conduct ongoing monitoring.

Unlike the EU, the United States does not have a comprehensive federal data privacy law equivalent to GDPR. Instead, a patchwork of state-level regulations applies. California's CCPA/CPRA, Illinois's BIPA (Biometric Information Privacy Act), and Texas's CUBI each impose different obligations on how biometric and personal data can be collected and stored. BIPA is particularly notable because it creates a private right of action for biometric data misuse, leading to significant class-action litigation.

Document Requirements

Asia-Pacific: Rapid Evolution and Digital-First Approaches

The APAC region presents the widest variance in KYC requirements globally. Singapore's MAS (Monetary Authority of Singapore) has embraced digital verification through its MyInfo platform, allowing customers to share government-verified data directly with financial institutions. Japan's JFSA requires both documentary and non-documentary verification methods, with increasingly strict rules around cryptocurrency exchanges following the 2018 Coincheck incident. India's Aadhaar-based eKYC system enables real-time biometric verification against a centralized database of over 1.3 billion enrolled residents, though the 2018 Supreme Court ruling restricted its use by private entities.

Australia's AML/CTF Act requires reporting entities to verify customer identity before providing a designated service, with the option of using the Document Verification Service (DVS) for electronic verification. South Korea mandates face-to-face verification for bank accounts, though regulators have gradually expanded acceptance of video-based verification.

| Jurisdiction | Primary Framework | Biometric Accepted | Retention Period | Digital-First |
| --- | --- | --- | --- | --- |
| EU (AMLD6) | AMLD6 + GDPR | Yes (with consent) | 5-10 years | eIDAS qualified |
| United States | BSA / CDD Rule | State-dependent | 5 years (BSA) | Partial |
| Singapore | MAS Notice 626 | Yes (MyInfo) | 5 years | Yes (MyInfo) |
| Japan | Act on Prevention of Transfer of Criminal Proceeds | Yes | 7 years | Partial |
| India | PMLA + RBI Master Direction | Yes (Aadhaar eKYC) | 5 years | Yes (VKYC) |
| Australia | AML/CTF Act | Yes (DVS) | 7 years | Yes (DVS) |

Latin America and the Middle East

Brazil's LGPD (Lei Geral de Proteção de Dados) closely mirrors GDPR and imposes consent requirements for biometric processing. The Central Bank of Brazil requires financial institutions to follow CDD procedures under Circular 3,978, with enhanced diligence for PEPs and cross-border transactions. Mexico's regulations require biometric enrollment (fingerprint and facial) for all mobile phone users and financial account holders, creating one of the most comprehensive biometric KYC mandates globally.

In the UAE, the Central Bank has implemented a national KYC utility that allows financial institutions to share verified customer data. The Emirates ID system provides a biometric foundation, while the Dubai International Financial Centre (DIFC) applies its own data protection regulations that incorporate GDPR-like principles.

The Cryptographic Solution: Verify Without Exposing

The fundamental tension across all these jurisdictions is identical: regulators demand thorough verification, privacy laws restrict data handling, and breach liability punishes storage of sensitive information. Traditional KYC pipelines resolve this by accepting the risk, storing plaintext biometric templates and document images behind perimeter security, and hoping the perimeter holds.

A post-quantum cryptographic approach eliminates this tension entirely. With BFV fully homomorphic encryption, biometric matching occurs on encrypted ciphertexts. The verification server computes an inner product between the enrolled template and the probe template without ever decrypting either one. H33's production stack executes this operation at 1.595 million authentications per second on a single node, with each individual authentication completing in approximately 42 microseconds.
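
As an added illustration (not H33's code or its BFV implementation), the following toy models the encrypted inner-product step above with Paillier, a simpler additively homomorphic scheme: the server stores only ciphertexts of the enrolled template, combines them with the probe vector under encryption, and hands back a single encrypted score that only a separate key holder can decrypt. It assumes non-negative quantized feature vectors and uses constructed key parameters, sample templates and an accept threshold; unlike BFV, Paillier cannot multiply two ciphertexts, so here the probe is handled in the clear while the stored template never is.

```python
import math
import secrets

# Toy Paillier key from two known Mersenne primes. Constructed parameters for
# illustration only; a real deployment generates ~2048-bit primes properly.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p-1, q-1): private key
MU = pow(LAM, -1, N)                                # valid because g = n + 1

# Constructed sample data: quantized 8-dimensional templates (values 0..15)
# for an enrolled user, a fresh probe from the same user, and an impostor.
ENROLLED = [12, 3, 7, 9, 0, 14, 5, 8]
PROBE_SAME_USER = [11, 4, 7, 8, 1, 13, 5, 9]
PROBE_IMPOSTOR = [2, 13, 1, 0, 15, 3, 10, 2]
THRESHOLD = 400  # assumed accept threshold on the raw inner product

def encrypt(m):
    """Enrolment side: encrypt feature value m (0 <= m < N) under the public key."""
    r = secrets.randbelow(N - 2) + 2         # random blinding factor in [2, N)
    return (1 + m * N) * pow(r, N, N2) % N2  # g^m * r^n mod n^2 with g = n + 1

def decrypt(c):
    """Key holder only; this function never runs on the verification server."""
    return ((pow(c, LAM, N2) - 1) // N) * MU % N

def enrol(template):
    """What the server stores: one ciphertext per feature, no plaintext template."""
    return [encrypt(v) for v in template]

def encrypted_inner_product(enc_template, probe):
    """Verification server: prod_i Enc(e_i)^p_i == Enc(sum_i e_i * p_i).

    Multiplying ciphertexts adds plaintexts and exponentiating scales them, so
    the server computes the score without the key; a dump of its storage yields
    ciphertexts, not biometric templates.
    """
    acc = 1  # Enc(0) with trivial randomness r = 1
    for c_i, p_i in zip(enc_template, probe):
        acc = acc * pow(c_i, p_i, N2) % N2
    return acc

def verify(enc_template, probe, threshold=THRESHOLD):
    """Returns (score, accepted); only the scalar score is ever decrypted."""
    score = decrypt(encrypted_inner_product(enc_template, probe))
    return score, score >= threshold

if __name__ == "__main__":
    stored = enrol(ENROLLED)
    print(verify(stored, PROBE_SAME_USER), verify(stored, PROBE_IMPOSTOR))
```

The raw inner product is used as the score for simplicity; a production matcher would normalize templates first and choose the threshold from measured false-accept and false-reject rates.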

// Single API call: FHE verify + ZKP lookup + Dilithium attestation
POST /v1/auth/verify
Authorization: Bearer h33_pk_...
Content-Type: application/json

{
  "encrypted_probe": "<BFV ciphertext, ~256KB>",
  "tenant_id": "acme-corp",
  "jurisdiction": "eu-gdpr"
}

// Response: ~42µs later
{
  "match": true,
  "confidence": 0.997,
  "attestation": "<Dilithium-5 signature>",
  "zkp_proof_id": "stark_lookup_0x3f..."
}

Every verification is attested with a CRYSTALS-Dilithium digital signature, providing a post-quantum-secure audit trail that satisfies record-keeping requirements across all major jurisdictions. The ZKP proof, validated via an in-process DashMap lookup at 0.085 microseconds, provides a non-interactive confirmation that the computation was performed correctly without revealing the underlying data.

The ideal KYC system does not minimize data after collection. It never collects plaintext data in the first place. Fully homomorphic encryption makes this possible at production scale.

Implementation Considerations

When deploying a global KYC pipeline, engineering teams should account for several jurisdiction-specific requirements that affect system design:

Choosing the Right Verification Tier

Not every jurisdiction requires the same depth of verification for every customer. A risk-based approach allows you to apply simplified due diligence (SDD) for low-risk customers, standard CDD for the majority, and enhanced due diligence (EDD) for high-risk scenarios. The cryptographic infrastructure remains the same across all tiers. What changes is the number of verification factors and the depth of documentary cross-referencing, not the security of the underlying pipeline.

Key Takeaway

Global KYC compliance is not a single checkbox. It is a matrix of document requirements, biometric rules, retention periods, and privacy constraints that vary by jurisdiction. Post-quantum cryptographic verification, built on BFV FHE with Dilithium attestations, resolves the privacy-versus-compliance tension by design. The data is verified without being exposed, stored without being readable, and attested without being forgeable.
