Written by: Deng Xiaoyu, Li Haojun
Introduction
In the Web3 community, there is a highly dangerous compliance fantasy: as long as the project party spends money to outsource KYC (Know Your Customer) and AML (Anti-Money Laundering) services to internationally renowned third-party institutions, it equates to buying a "criminal liability waiver." Once the platform is involved in money laundering or illicit funds, the "blame" should fall on the outsourcer, allowing the project party to sit back and relax.
This idea is seen as "naive" by lawyers, "there's no silver here" by investigative agencies, and in reality, it is a deep-sea bomb that could explode at any moment.
In the past two years, as judicial authorities have continuously escalated their crackdown on crimes related to virtual currencies, especially with penetrating investigations into "aiding and abetting crimes," "concealment crimes," and even "illegal business operations," this "ostrich-style" compliance logic is being shattered by airtight evidence chains. Project parties must clearly recognize: outsourcing does not equal compliance, nor does it equal criminal immunity.
Outsourcing KYC is not a "Get Out of Jail Free" card: How does criminal law view "neutral actions"?
Many project parties believe that by paying for services, they are engaging in "technological neutrality" or "commercial neutrality." However, attorney Mankun wants to remind you: neutral actions have boundaries.
1. Formal compliance does not equal substantive compliance
Referring to judicial cases in the traditional payment industry and aggregated payment (four-party payment), courts have a highly unified logic when dealing with such "outsourced compliance" defenses: "Technological outsourcing does not exempt from principal responsibility." In the logic of criminal law, if you merely outsource a "token" KYC solution to cover your tracks, this is easily recognized in judicial practice as "under the guise of compliance, allowing for laxity." What the court values is whether you have fulfilled your "substantive due diligence obligation," rather than just having that outsourcing contract.
2. Determining "subjective knowledge" under the impact of AI illicit activities
With the development of AI technology, even if a standard KYC interface is integrated, project parties still face significant challenges. Currently, illicit activities utilize tools like ProKYC and OnlyFake to generate highly realistic fake passport photos at a very low cost, and use deepfake technology to create live detection videos, injecting them into systems through "virtual cameras," perfectly bypassing automated reviews.
In the early stages, project parties could claim "I don't understand illicit technology," but in the context where tools like ProKYC have become industry threats, judicial authorities will believe: as a professional project party, you should foresee that the outsourcer's "static review" can no longer block AI forgery.
If the platform's backend shows a large number of "identical backgrounds but different faces" or "multiple users with completely overlapping lighting during live detection," yet the project party has not upgraded "anti-injection detection" or increased manual sampling, this "technical laxity" can easily be judged in criminal proceedings as "knowingly providing assistance to others' crimes."
3. Criminal responsibility is non-transferable
Many project parties, when signing outsourcing contracts, will demand the addition of "exemption clauses" or "compensation clauses," stating that any legal consequences resulting from the outsourcer's lax review will be borne by the outsourcer. However, within the criminal legal system, such clauses are nearly worthless.
Criminal responsibility has a strong personal nature. Whether a person or entity constitutes a crime depends on whether their own actions meet the elements of a crime. You cannot "subcontract" statutory criminal obligations through a civil contract.
According to Article 153 of the Civil Code, civil legal acts that violate mandatory provisions of laws and administrative regulations or contravene public order and good customs are invalid. Any contractual clauses attempting to evade criminal prosecution or circumvent anti-money laundering regulatory obligations are deemed invalid in the eyes of judicial authorities and may even be seen as evidence of the project party's "subjective malice to evade regulation."
In Web3 projects, if deemed "unit crime," according to the "dual punishment system" for unit crimes in the Criminal Law, not only the project party entity will be punished, but also the "directly responsible supervisors" (CEO, CTO) and "other directly responsible personnel" (compliance officer) will still be the primary targets of criminal accountability. An outsourcing contract will not save you; rather, it may exacerbate the determination of subjective fault due to your "selective negligence" regarding the third-party institution.
Three key dimensions determining criminal responsibility: Life-saving or life-taking?
When project parties find themselves in an interrogation room due to suspected "aiding and abetting crimes" or "concealment crimes," the core task of investigators is to demonstrate your "subjective knowledge." Whether outsourcing KYC has reduced or increased your responsibility often depends on the following evidence restoration:
1. Is it aligned with industry standards, or just "buying a certificate"?
In regulatory compliance, your choice of suppliers reflects your compliance attitude.
Choosing internationally recognized first-tier service providers like Sumsub, Jumio, Onfido, and paying market prices demonstrates a subjective pursuit of the highest standards and fulfills the "reasonable duty of care"; opting for smaller service providers that emphasize "high pass rates" and "lax reviews" will be interpreted as: knowing there are risks, yet deliberately lowering defense standards through inferior suppliers, indicating a clear "laxity" motive.
2. After warnings, do you "suspend accounts" or "play dead"?
This is the most critical evidence segment for determining "aiding and abetting crimes." If backend logs record thousands of "identity anomaly" warnings, yet there are no traces of manual reviews by the project party and no measures taken to restrict access, that outsourcing contract becomes irrefutable evidence of your "knowing and allowing." Therefore, a comprehensive mechanism of "technical feedback - manual handling" must be established. Compliance outsourcing without handling logs is legally equivalent to zero.
3. Does the source of profit have "illegal consideration"?
The flow of money is the ultimate barometer for determining criminal responsibility. If the platform gains profits far exceeding the industry average by tacitly allowing "low compliance standards," judges will recognize this portion of profit as having the nature of "criminal sharing." If the fees paid to suppliers are far below normal costs, this commercial irrationality will directly pierce the facade of "technological neutrality."
Mankun's Practical Recommendations
To avoid compliance outsourcing becoming evidence of criminal responsibility, the following operational guidelines are provided for project parties:
1. Retain due diligence logs: Record the reasons for choosing the outsourcer, the qualification review process, and the formal contract.
2. Establish a secondary review mechanism: For "high-risk" users flagged by the system, internal compliance team manual review traces must be retained.
3. Conduct regular compliance audits: At least once a year, have professional lawyers or third-party institutions audit compliance effectiveness and issue reports, which serve as excellent evidence of "no subjective intent."
4. Strictly prohibit "absolute automation": It is forbidden to set up backdoor scripts that "automatically pass" all reviews. Any KYC service that promises 100% approval without dropouts at a low price is, in the sense of criminal law, "inducing crime."
5. Respond to regulatory notifications: Once a cooperation request is received, immediately sever connections with related risk accounts; do not harbor any illusions.
Conclusion:
The compliance game in the Web3 industry has long bid farewell to the rough era where "outsourcing contracts" could deceive the world.
Outsourcing KYC services is essentially purchasing a technical service, not transferring criminal risk. If you attempt to treat the outsourcer as a "firewall" to evade responsibility, then in the face of judicial authorities' penetrating digital tracing, this wall is often thinner than paper.
Finally, here's a saying for everyone: Compliance is indeed expensive, but compared to the cost of losing freedom, it is always the most worthwhile investment. In the face of criminal red lines, only substantive compliance can provide the project party with true security.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
