What lawyers see as "naive," what investigators see as "a guilty conscience," and in reality, it's a deep-sea bomb that could explode at any moment.
Authors: Deng Xiaoyu, Li Haojun, and lawyer Liu Honglin
Cover: Photo by Tingey Injury Law Firm on Unsplash
introduction
Within the Web3 community, a highly dangerous compliance illusion prevails: as long as project teams pay to outsource KYC (Know Your Customer) and AML (Anti-Money Laundering) services to internationally renowned third-party agencies, they have essentially bought a "criminal liability exemption." If the platform becomes involved in money laundering or illicit funds, the outsourcing company should bear the blame, while the project team can sit back and wash their hands of the matter.
This idea is seen as "naive" by lawyers and as "a guilty conscience" by investigative authorities, but in reality, it is a deep-sea bomb that could explode at any moment.
In the past two years, as judicial authorities have continuously upgraded their efforts to combat crimes related to virtual currencies, especially with penetrating investigations targeting "facilitating fraud," "concealing crimes," and even "illegal business operations," this "ostrich-like" compliance logic is being shattered one by one by the airtight chain of evidence. Project teams must clearly understand that outsourcing does not equal compliance, much less criminal immunity.
Outsourced KYC is not a "get-out-of-jail-free card": How does criminal law view "neutral behavior" ?
Many project owners believe that by paying for services, they have achieved "technological neutrality" or "business neutrality." However, lawyer Mankiw wants to remind you that there are boundaries to neutrality.
1. Formal compliance is not the same as substantive compliance .
Referring to judicial precedents in the traditional payment industry and aggregated payment (four-party payment), courts maintain a highly consistent logic when handling such "outsourcing compliance" defenses: "Technology outsourcing does not exempt the principal from liability." In criminal law, if you merely use a perfunctory KYC process to cover up your actions, this is easily considered "using compliance as a pretext for laxity" in judicial practice . The court values whether you have fulfilled your "substantial due diligence obligations," not just the outsourcing contract itself.
2. Determining "Subjective Knowledge" Under the Impact of AI Black Market
With the development of AI technology, even with access to standard KYC interfaces, project teams still face enormous challenges. Currently, cybercriminals use tools such as ProKYC and OnlyFake to generate highly realistic fake passport photos at extremely low cost, and use deepfake technology to generate liveness detection videos, injecting them into the system through "virtual cameras" to perfectly bypass automated verification.
Early project teams might say, "I don't understand black market technology," but with tools like ProKYC becoming an industry threat, judicial authorities will argue that as a professional project team, you should have foreseen that the outsourcing company's "static verification" would no longer be able to prevent AI forgery.
If a platform's backend exhibits numerous obvious technical characteristics such as "identical document backgrounds but different faces" or "completely overlapping ambient lighting during liveness detection of multiple users," and the project team fails to upgrade its "anti-injection detection" or increase manual spot checks, this "technical laxity" is highly likely to be deemed "knowingly providing assistance to others in committing crimes" in criminal proceedings.
3. Criminal liability is non-transferable .
Many project owners require the inclusion of "disclaimer clauses" or "compensation clauses" in outsourcing contracts, stating that the outsourcing company will bear the legal consequences arising from its inadequate vetting process. However, within the criminal law system, such clauses are practically worthless.
Criminal liability is strongly personal . Whether an individual or an entity commits a crime depends on whether their actions meet the elements of a crime. You cannot "subcontract" a legally mandated criminal obligation through a civil contract.
According to Article 153 of the Civil Code, civil legal acts that violate mandatory provisions of laws and administrative regulations, or that contravene public order and good morals, are invalid. Any contractual clauses that attempt to evade criminal prosecution or circumvent anti-money laundering regulatory obligations are invalid in the eyes of judicial authorities and may even be considered evidence of the project party's subjective malice in "evading supervision."
In Web3 projects, if an act is deemed a "corporate crime," under the "dual penalty system" for corporate crimes in the Criminal Law, not only will the project owner be punished, but the "directly responsible supervisors" (CEO, CTO) and "other directly responsible personnel" (compliance officers) will also be the primary targets of criminal prosecution. Outsourcing contracts will not only fail to save you, but may actually exacerbate the assessment of your subjective fault due to your "selective oversight" of third-party organizations.
Three key dimensions that determine criminal liability: save your life or risk it?
When a project representative is being questioned for allegedly committing "facilitating fraud" or "concealing wrongdoing," the investigators' core task is to prove your "subjective knowledge." Whether outsourcing KYC (Know Your Customer) reduces or increases your liability often depends on the reconstruction of the following evidence:
1. Is it benchmarking against industry standards, or simply "buying a certificate" ?
In regulatory compliance, your choice of suppliers itself reflects your compliance attitude.
Choosing internationally recognized top-tier service providers such as Sumsub, Jumio, and Onfido, and paying market prices, demonstrates a subjective pursuit of the highest standards and fulfillment of the "duty of reasonable care." Choosing smaller service providers that emphasize "high pass rates" and "lenient review processes" can be interpreted as knowingly lowering defense standards through inferior suppliers despite the risks, indicating a clear "laissez-faire" motive.
2. After receiving a warning, do you "ban your account" or "play dead" ?
This is the most crucial evidentiary element in determining "fraudulent trust activities." If the backend logs record thousands of "identity anomaly" warnings, but the project team fails to conduct any manual review or take any restrictive measures, then the outsourcing contract becomes irrefutable evidence of your "knowing but acquiescence." Therefore, a comprehensive mechanism of "technical feedback - manual handling" must be established. Compliant outsourcing without handling logs is legally worthless.
3. Does the source of profit involve "illegal consideration"?
The flow of money is the ultimate indicator for determining criminal liability. If a platform obtains profits far exceeding the industry average by tacitly allowing "low compliance standards," the judge will determine that these profits constitute "criminal profit sharing." The nature of this phenomenon. If the fees paid to suppliers are far below normal costs, this commercial irrationality will directly expose the facade of "technology neutrality."
Mankiw's Practical Advice
To prevent compliant outsourcing from becoming evidence of criminal liability, the following operational guidelines are provided to project owners:
1. Maintain a due diligence log: record the reasons for selecting an outsourcing vendor, the qualification review process, and the formal contract.
2. Establish a secondary review mechanism: For users identified as "high-risk" by the system, a record of manual review by the internal compliance team must be retained.
3. Regular compliance audits: At least once a year, have a professional lawyer or third-party organization audit the compliance effectiveness and issue a report. This is excellent evidence of "no subjective intent".
4. "Absolute automation" is strictly prohibited: Setting up backdoor scripts to "automatically pass" all verifications is strictly prohibited. Any low-priced KYC service promising 100% pass rate and no disconnections constitutes "inducement to commit a crime" under criminal law.
5. Respond to regulatory notices: Once you receive a notice of assistance in an investigation, you must immediately sever all connections with the relevant risky accounts and not take any chances.
Conclusion:
The compliance battle in the Web3 industry has long since moved beyond the days when "outsourcing contracts" could cover things up.
Outsourcing KYC services is essentially purchasing a technical service , not transferring criminal risk . If you try to use the outsourcing provider as a "firewall" to evade responsibility, then this wall is often thinner than paper in the face of the penetrating digital tracing by judicial authorities.
Finally, I'd like to leave you with this thought: Compliance is indeed expensive, but compared to the cost of losing your freedom, it's always the most worthwhile investment. When faced with criminal red lines, only substantive compliance provides true security for project owners.
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests and do not reflect the position of Web3Caff. The information contained in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.
Welcome to the official Web3Caff community : Twitter account | Web3Caff Research Twitter account | WeChat reader group | WeChat official account
