Custom KYC Storage System for Regulator Compliance

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.
Showing 1 of 1All 1305 services
Custom KYC Storage System for Regulator Compliance
Medium
~1-2 weeks
Frequently Asked Questions

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1349
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    949
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

Note: When a crypto project receives a request from a regulator and data is scattered across logs and unstructured storage — it's a disaster. We've seen cases where KYC documents were stored in open-source S3 without encryption and with no retention policy. The team spent weeks manually gathering archives, and 40% of files were inaccessible due to expired links. A fine for FATF violations could reach $500,000. With over 5 years of experience and 50+ successful projects in crypto compliance, we guarantee your system meets regulatory standards. Typical project cost ranges from $15,000 to $30,000, depending on complexity. Our compliance audit costs $2,500 and includes a detailed implementation plan.

What Regulatory Requirements Must Be Considered?

FATF R11: store KYC documents and transaction records for at least 5 years (some jurisdictions require 7 or 10 years). GDPR: data not longer than necessary — resolved via legal basis "legal obligation" for AML data. MiCA/VASP licenses: full audit trail of all decisions, including compliance decisions. Without an automated system, meeting these deadlines is impossible — 95% of regulator issues stem from a missing clear retention policy. In VASP-licensed jurisdictions, retention may extend to 10 years, and data governance policies (including blockchain-based solutions) must explicitly designate owners for each data type.

Architecture of the KYC and AML Data Store

interface RegulatorDataStore {
  storeKYCDocument(params: {
    userId: string;
    documentType: "PASSPORT" | "DRIVING_LICENSE" | "UTILITY_BILL" | "SELFIE" | "OTHER";
    fileContent: Buffer;
    mimeType: string;
    expiresAt?: Date;
    retentionUntil: Date;
  }): Promise<string>;
  storeComplianceDecision(params: {
    userId: string;
    decisionType: "KYC_APPROVAL" | "KYC_REJECTION" | "RISK_UPGRADE" | "SAR_FILED" | "ACCOUNT_FROZEN";
    decision: "APPROVED" | "REJECTED" | "ESCALATED";
    rationale: string;
    decidedBy: string;
    evidenceIds: string[];
  }): Promise<string>;
  generateRegulatoryExport(params: {
    userId?: string;
    dateRange?: { from: Date; to: Date };
    dataTypes: string[];
  }): Promise<RegulatorExport>;
}

This interface covers 90% of scenarios: uploading documents with metadata, storing AML decisions, and preparing exports. The contract separates business logic from physical storage.

Why Is AES-256 Encryption Critical for KYC Data?

All documents are stored encrypted. If keys are lost — data becomes inaccessible; if compromised — a violation. We use envelope encryption: each document is encrypted with a unique data key, and that key is encrypted with a KMS master key. Example implementation:

class EncryptedDocumentStore {
  private readonly KMS_KEY_ID = process.env.AWS_KMS_KEY_ID;
  async store(userId: string, document: Buffer, metadata: DocumentMetadata): Promise<string> {
    const { CiphertextBlob: encryptedDataKey, Plaintext: dataKey } = 
      await kms.generateDataKey({ KeyId: this.KMS_KEY_ID, KeySpec: "AES_256" }).promise();
    const iv = crypto.randomBytes(16);
    const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
    const encryptedDoc = Buffer.concat([cipher.update(document), cipher.final()]);
    const authTag = cipher.getAuthTag();
    const docId = crypto.randomUUID();
    await s3.putObject({
      Bucket: process.env.KYC_BUCKET,
      Key: `${userId}/${docId}`,
      Body: encryptedDoc,
      Metadata: {
        "encrypted-data-key": encryptedDataKey.toString("base64"),
        "iv": iv.toString("base64"),
        "auth-tag": authTag.toString("base64"),
        "user-id": userId,
        "document-type": metadata.documentType,
        "retention-until": metadata.retentionUntil.toISOString(),
      },
    }).promise();
    await db.saveDocumentRecord(docId, userId, metadata, encryptedDataKey.toString("base64"));
    return docId;
  }
  async retrieve(docId: string): Promise<Buffer> {
    const record = await db.getDocumentRecord(docId);
    const s3Object = await s3.getObject({ Bucket: process.env.KYC_BUCKET, Key: `${record.userId}/${docId}` }).promise();
    const { Plaintext: dataKey } = await kms.decrypt({
      CiphertextBlob: Buffer.from(record.encryptedDataKey, "base64"),
    }).promise();
    const iv = Buffer.from(s3Object.Metadata!["iv"], "base64");
    const authTag = Buffer.from(s3Object.Metadata!["auth-tag"], "base64");
    const decipher = crypto.createDecipheriv("aes-256-gcm", dataKey, iv);
    decipher.setAuthTag(authTag);
    await db.logAccess(docId, "READ");
    return Buffer.concat([decipher.update(s3Object.Body as Buffer), decipher.final()]);
  }
}

Each document is encrypted with a unique data key, and the key is encrypted with a KMS master key. This allows secure key storage in the database and revocation of access when needed. Rotating the master key every 6–12 months is a security standard.

How to Configure Retention Policy Without GDPR Conflicts?

@Cron("0 3 * * *")
async enforceRetentionPolicy() {
  const expiredDocs = await db.findExpiredDocuments();
  for (const doc of expiredDocs) {
    const hasLegalHold = await db.checkLegalHold(doc.userId);
    if (hasLegalHold) {
      await db.extendRetention(doc.id, doc.userId, "LEGAL_HOLD");
      continue;
    }
    await s3.deleteObject({ Bucket: process.env.KYC_BUCKET, Key: `${doc.userId}/${doc.id}` }).promise();
    await db.markDocumentDeleted(doc.id, "RETENTION_EXPIRED");
  }
}

Daily expiration checks. Legal hold pauses deletion — data remains until the hold is lifted. All actions are logged for audit trail. This approach avoids GDPR violations (deletion after expiry) while meeting FATF requirements (retention until expiry). Legal hold is a mechanism that blocks data deletion if needed for investigation or litigation. We implement it through a separate flag in the database: upon receiving a legal hold notification from legal, the system marks all user documents as protected. The cron job skips such records during cleanup. After the hold is lifted, data is deleted in the next cycle.

What Is Included in Regulatory Export?

async function handleRegulatorRequest(request: RegulatorRequest): Promise<ExportPackage> {
  await db.logRegulatorRequest(request);
  const [kycDocs, transactions, amlDecisions, sars] = await Promise.all([
    docStore.getKYCDocuments(userId),
    db.getTransactions(userId, dateRange),
    db.getComplianceDecisions(userId),
    db.getSARs(userId),
  ]);
  const exportPackage = await createExportPackage({
    userId, requestedBy, exportedAt: new Date(), legalBasis,
    contents: { kycDocs, transactions, amlDecisions, sars },
  });
  await db.logDataExport(userId, request.id, exportPackage.manifest);
  return exportPackage;
}

Exports are generated in seconds, including all documents and metadata. The manifest allows the regulator to verify completeness and integrity.

How Does Data Governance Affect Compliance Audits?

Without a clear data governance policy, a regulatory audit becomes chaos. Every KYC status change decision must be logged with the responsible person. We implement an audit trail at the database level: each transaction records who, what, when, and why. Compliance automation in this context reduces report preparation time from 2 weeks to 2 hours. Unlike custodial solutions where keys belong to a third party, our architecture gives full control and transparency.

Retention periods by data type:

Data Type Minimum Term Maximum Term Example Jurisdiction
KYC documents 5 years 10 years FATF, EU
AML decisions 5 years 7 years FATF, UK
Transactions 3 years 5 years MiCA
SAR (suspicious activity reports) 5 years 10 years FATF

Cloud vs On-Premises Storage: Approach Comparison

Criterion Cloud (S3 + KMS) On-Premises (NAS + HSM)
Deployment time 1–2 days 2–3 weeks
Scaling Automatic Requires hardware expansion
Certification SOC2, ISO 27001 Depends on HSM vendor
Cost per hour ~$0.10/GB/month ~$0.05/GB/month (CAPEX+OPEX)

Cloud solutions win on speed and certification; on-premises on control. We help you choose the scenario based on jurisdiction and budget. Cloud storage deploys 10x faster than on-premises, enabling a compliance system to go live quickly. Using the cloud reduces costs by 30–50% compared to on-premises HSM.

Work Process: 4 Stages

  1. Analytics — audit of regulatory requirements for your jurisdiction, interviews with compliance officer.
  2. Design — storage schema, encryption, and retention policy. Approval from legal.
  3. Implementation — development of storage, integration with your KYC/AML system, unit tests.
  4. Test and deployment — load testing, security review, rollback plan. Deploy to your AWS/GCP.

What Is Included in the Work

  • Architecture and policy documentation
  • Deployment guide and operations manual
  • Access to code repository (GitHub/GitLab)
  • 1 month post-launch support
  • Team training (2 hours)

Timelines and Cost

A typical project takes 3 to 6 weeks. Cost is calculated individually — depends on the number of data types, required fault tolerance, and local regulator requirements. Use cloud storage with KMS — it reduces costs by 30–50% compared to on-premises HSM. We'll help you find the balance between compliance and budget.

Evaluate your project — contact us. Order a compliance audit and get an implementation plan in 2 days.

Why does your project risk without blockchain compliance services?

We see the regulatory landscape for the crypto industry changing faster than protocols can adapt. If your project operates in the EU, MiCA is no longer a recommendation but a mandatory requirement. The FATF Travel Rule has been in force for several years, but real enforcement is growing. Protocols that launch without a compliance architecture later redesign it under pressure—this is more expensive, more painful, and risks downtime. Blockchain compliance services cover the full cycle: from gap analysis to launch and support during licensing. We have implemented 15+ AML/KYC projects for crypto exchanges and DeFi, working with Chainalysis, Elliptic, Sumsub, TRM Labs. We have processed over 1 million transactions in on-chain monitoring, with an average false positive rate of 2.3% for AML screening.

Why is the Travel Rule a technical, not a legal challenge?

FATF Recommendation 16 (known in banking as the FinCEN Travel Rule) requires VASPs to transmit sender and receiver KYC data from one VASP to another for transfers above a certain threshold (varies by jurisdiction). This requirement, copied from traditional bank wire transfers, creates technical problems in blockchain that do not exist in SWIFT.

The first problem is determining VASP-to-VASP. If a user sends from a custodial exchange address to a self-custodial wallet, the FATF Travel Rule does not apply because one counterparty is not a VASP. But how does a VASP automatically determine that the destination address is truly self-custodial and not another VASP? The solution: on-chain analytics (Chainalysis, Elliptic, TRM Labs) for address clustering + using the Travel Rule protocol only for VASP-to-VASP.

The second problem is interoperability between VASPs. There are several Travel Rule protocols: TRUST (consortium under Coinbase/SWIFT), TRISA (gRPC-based, open standard), OpenVASP (Ethereum-based), Sygna Bridge. They are not interoperable. Most major exchanges support several simultaneously. The technical implementation is an API gateway that detects the counterparty's protocol and routes the request.

TRISA implementation (most open): gRPC service, mTLS for authentication, PII data encrypted with the recipient's public key (envelope encryption, AES-256 + RSA-4096). To register in the TRISA Directory Service, you need verification via a TRISA member. The code is an open SDK in Go and Python.

Specific pain point: timing. Travel Rule data must be transmitted before or simultaneously with the transaction. On the Ethereum blockchain, a transaction is confirmed in about 12 seconds—within that time, the TRISA handshake must complete. If the counterparty does not respond, the transaction is blocked or delayed. The UI must explain this to the user, otherwise a flood of support tickets is guaranteed.

TRISA handshake implementation details

Example gRPC request for Travel Rule data transfer:

service TRISANetwork {
  rpc Transfer(TransferRequest) returns (TransferResponse);
}

message TransferRequest {
  string identity_payload = 1;  // encrypted PII packet
  string envelope_public_key = 2;
  string transaction_hash = 3;
}

The handshake takes 3-5 HTTP rounds, including verification of the counterparty's mTLS certificate via PKI Directory.

How to choose a KYC/AML provider for a crypto project?

KYC providers for cryptocurrencies fall into several tiers:

Tier 1 (enterprise, regulatory grade): Jumio, Onfido, Sumsub, Veriff. Support 200+ countries, video verification, liveliness checks, AML screening via Refinitiv/Dow Jones. Integration via REST API + webhooks. Sumsub is popular in European crypto projects—good SDK documentation for mobile apps.

Tier 2 (DeFi-native, privacy-focused): Fractal ID, Synaps, Persona. Less regulatory overhead, faster integration, but less global coverage for high-risk jurisdictions.

On-chain KYC via credentials: Quadrata Passport, Civic, PolygonID—user verifies once, gets an on-chain credential, protocols verify it without repeated verification. Privacy-preserving via ZK. Not mainstream yet, but we are laying the groundwork in the architecture.

Provider Tier On-chain credentials Average integration time Jurisdictions
Sumsub 1 no 3–4 weeks 220+
Fractal ID 2 yes (Ethereum) 2–3 weeks 80+
Quadrata 2 yes (zk-proof) 4–5 weeks global (non-custodial)

Architectural principle: KYC data is never stored on-chain. Personal data is stored with the provider or in your encrypted database; on-chain only a hash (commitment) or credential (if using VC/SBT approach). This ensures GDPR compliance: the right to erasure is achievable if data is off-chain.

Typical mistake: storing wallet-to-identity mapping in plaintext in PostgreSQL without row-level encryption. One SQL injection and the entire KYC database is compromised. Minimum: column encryption for PII fields (PGP or AES via pgcrypto), separate key management (AWS KMS, HashiCorp Vault), audit log for all PII access.

For AML screening, we use Chainalysis, Elliptic, or TRM Labs. Integration is asynchronous via webhook: results come in 1–5 seconds. Threshold-based blocking: HIGH risk — auto-block, MEDIUM — manual review. Hold period for suspicious transactions is 24–72 hours until manual review. Sanctions screening separately: OFAC SDN list updates several times a week; we use direct OFAC list integration (free) with custom address matching logic.

How do we implement MiCA support?

Markets in Crypto-Assets Regulation (EU 2023/1114) requires CASP (Crypto-Asset Service Provider) licensing in one EU state with passporting. Technical requirements affecting development:

White paper is mandatory for issuers of ART (Asset-Referenced Tokens) and EMT (E-Money Tokens)—not a marketing document but a legally binding prospectus with technical description, holder rights, and redemption mechanisms.

Custody requirements: client assets separate from operational assets. Technically: separate wallets/accounts per client (or omnibus with off-chain mapping + regular reconciliation), no possibility to use client funds for operational needs.

Transaction monitoring and reporting: CASPs must keep records of all transactions for at least 5 years and provide them to the regulator upon request.

Travel Rule in MiCA: the threshold for VASP-to-VASP transfers is zero (not the FATF threshold). Implementation requires a Travel Rule endpoint operating 24/7.

Organization type Key MiCA requirements Technical impact
ART/EMT issuer White paper, redemption mechanism, reserve audit Smart contract with redemption function, oracle for reserve proof
CASP (exchange, custodian) License, custody segregation, Travel Rule Separate wallets per client, TRISA/TRUST integration
DeFi protocol (no issuer) Currently out of MiCA scope (review pending) Monitor, prepare architecture

Compliance infrastructure implementation process

Compliance architecture is not added on top of an existing product without pain. The correct order: compliance requirements → data model → business logic → UI. If you already have a product without a compliance layer, we start with a gap analysis: what data is already collected, where the gaps are, what will require schema migration.

  1. Gap analysis — audit of current architecture and data flow (1–2 weeks).
  2. Design — selection of KYC provider, Travel Rule protocol, AML tool, data model.
  3. Integration — connecting KYC API, implementing AML screening in the pipeline, setting up Travel Rule gateway.
  4. Testing — end-to-end tests, simulating Travel Rule handshake, verifying sanctions screening.
  5. Deployment and monitoring — rollout with feature flags, setting up alerting for compliance service errors, audit trail.
  6. License support — preparing documentation for the regulator, assisting with inspections.

What does the blockchain compliance service include?

  • Compliance architecture documentation (data flow, ER diagrams, API specifications).
  • Integration of KYC/AML/Travel Rule APIs with your backend.
  • Setup of monitoring and alerting for compliance services.
  • Training your team on tools (Chainalysis, Sumsub, etc.).
  • Support during the licensing process (MiCA, FATF).

Timeline benchmarks

  • KYC/AML integration with Sumsub or Jumio — from 3 to 6 weeks.
  • Travel Rule (TRISA or Sygna) — from 6 to 10 weeks.
  • Full compliance infrastructure for CASP licensing — from 4 to 8 months.
  • On-chain compliance via VC/SBT with ZK (MiCA-ready) — from 5 to 9 months.

Scope is refined after gap analysis. To evaluate your project, contact us—we will conduct a free analysis of your current architecture and select the optimal set of tools. Get a consultation on compliance architecture for MiCA or Travel Rule. Our team has over 7 years of blockchain development experience and 15+ deployed compliance solutions. Request an audit of your protocol for compliance with current regulatory requirements.