Light KYC means one thing: a passport scan and a few personal fields. No selfie. No 30-second liveness video. No call with an agent reading your address back to you.
It's still real identity verification. Still mandatory. The issuer needs to know who you are. What changes is the biometric layer.
Crypto-card providers blur the distinction on purpose. Some advertise "no KYC" while quietly running checks. Others skip checks — and lose their BIN sponsor six weeks later. Below: what light KYC involves at an issuer operating within the rules, where the data lives, and why "no KYC" is usually compliance theatre ending with a frozen card.
What light KYC actually is (and what it is not)
Card programs sit on a tiered KYC scale. Three tiers, roughly:
- Simplified due diligence (SDD) — minimal data, tight limits. Often used by prepaid e-money products under €150.
- Customer due diligence (CDD) — the standard tier. Government ID, basic personal data, sanctions screening. The default for almost all card programs.
- Enhanced due diligence (EDD) — triggered by risk. Source of funds, additional documentation, sometimes a video call.
"Light KYC" is the marketing label for a CDD configuration that keeps biometrics out. You hit the FATF-aligned identification baseline. You just do it with one document instead of two, without a face scan stored on someone's server forever.
A few things light KYC is not: it's not anonymity (your name and passport number sit in a regulated database), it's not exemption from sanctions screening (every applicant runs against OFAC, EU, UN, UK HMT, and Swiss SECO lists), and it's not a workaround. It's a design choice that complies with FATF Recommendation 10, the global standard for customer due diligence at financial institutions.
The honest pitch: light KYC removes friction without removing the legal foundation.
Why crypto cards need KYC in the first place
Short answer: card networks demand it.
Visa and Mastercard are private networks licensing a small number of banks (BIN sponsors) to issue cards on their rails. Each BIN sponsor sits under a banking regulator — FDIC and OCC in the US, FCA in the UK, BaFin in Germany, MAS in Singapore. Every regulator runs an AML regime built on the FATF baseline.
Translation: if a card lives on Visa or Mastercard rails, KYC is happening. The only question is where.
Three obligations stack on a crypto-funded card:
- Card-network rules. Visa Rules and Mastercard Rules require the issuer to identify the cardholder before issuance. Non-negotiable.
- National AML law. Bank Secrecy Act in the US, MLR 2017 in the UK, the EU AML Directives (currently 6AMLD, with MiCA covering crypto-assets from 2024-2026).
- Sanctions law. OFAC, EU consolidated list, UN lists, country-specific lists. Issuers screen at onboarding and at every transaction.
A card promising to skip all three isn't legal. It's a card that hasn't been caught yet.
What data gets collected at light KYC
Plain list, exactly what ExCards' KYC policy commits to:
- Full legal name as printed in the passport
- Date of birth
- Nationality
- Passport number, issue date, expiry date
- Country of residence
- Contact handle — email or Telegram username
- Optional: tax-residence jurisdiction (for fee tier calculation, not stored unless provided)
That's the entire field set at issuance.
Two things to notice. No proof of address — traditional bank programs often demand a utility bill or bank statement; the issuer skips it for the standard limit tier. No SSN, no national ID outside the passport, no employer information.
The scan covers the photo page. The machine-readable zone (MRZ) at the bottom does most of the verification work: fixed-position fields, each protected by a check digit, parsed and validated against ICAO Document 9303 rules.
What is not collected — and why that matters
The point of light KYC is the gap between what regulators require and what most providers grab anyway. The gap is biometrics.
Standard onboarding at fintechs and neobanks usually asks for a selfie (often with the document held next to your face), a liveness video (turn left, turn right, blink), occasionally a voice sample, and fingerprint or face-ID enrolment on the mobile app.
None of that is legally required for a CDD-tier card program if document authenticity can be verified another way. Issuers collect it because it shaves a few basis points off fraud rates, lets them resell behavioural data, and is the default in their KYC vendor's product.
ExCards' issuer doesn't require any of the above. The trade-off: skipping biometrics means slightly higher residual fraud risk for the issuer — partly why card limits are tiered the way they are and why high-value top-ups can trigger enhanced due diligence. Not a marketing claim about privacy; a structural fact about the verification stack.
How the issuer actually verifies a passport
The workflow, ugly details and all:
- Upload. Phone photo of the passport photo page, uploaded through app.excards.io or the Telegram mini-app.
- Preprocessing. Server-side rotation, deskewing, glare and edge detection.
- MRZ parsing. The two-line machine-readable zone is extracted and validated against the ICAO Document 9303 check-digit algorithm. Broken check digits almost always mean a tampered or low-quality scan.
- Field cross-check. MRZ fields compared against the printed visual zone. Mismatches go to manual review.
- Authenticity. Font consistency, MRZ alignment, pattern recognition for known fakes. Not airport-grade, adequate for the risk tier.
- Sanctions and PEP screening. Name, DOB, nationality run against UN, EU, OFAC SDN, UK HMT, Swiss SECO lists and PEP databases.
- Decision. Approved, rejected, or held for manual review. Clean submissions clear within 10 minutes.
The pipeline runs at the issuer partner, not at ExCards directly. ExCards forwards documents over an encrypted channel and receives the outcome. The issuer holds the regulatory permission; ExCards is the customer-facing layer.
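The MRZ-parsing step above, as an added example that is not ExCards' or the issuer's own code: a TD3 passport MRZ line-2 validator implementing the ICAO Doc 9303 check-digit rule (weights 7, 3, 1; A-Z as 10..35; filler as 0), run on the Doc 9303 specimen line for the fictional state Utopia rather than any real document. Altering one digit of the date of birth shows why a broken check digit sends a scan back or to manual review instead of through.

```python
# Added example, not ExCards' or the issuer's own code: TD3 (passport) MRZ line-2
# validation per ICAO Doc 9303, the "MRZ parsing" step of the workflow. The sample
# line is the Doc 9303 specimen for the fictional state "Utopia", not a real document.

WEIGHTS = (7, 3, 1)  # repeating weights for the Doc 9303 check digit


def char_value(c: str) -> int:
    """Digits count as themselves, A-Z as 10..35, the filler '<' as 0."""
    if c == "<":
        return 0
    return int(c, 36)  # base-36 maps '0'-'9' to 0-9 and 'A'-'Z' to 10-35


def check_digit(field: str) -> int:
    """Weighted sum of the field's characters, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def validate_td3_line2(line: str) -> dict:
    """Parse the fixed-position fields and verify all five check digits; an empty failed_checks list means the line is internally consistent."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": line[0:9].rstrip("<"),
        "nationality": line[10:13],
        "birth_date": line[13:19],   # YYMMDD
        "sex": line[20],
        "expiry_date": line[21:27],  # YYMMDD
        "optional_data": line[28:42].rstrip("<"),
    }
    checks = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        # an empty optional field may carry '<' instead of '0' as its check digit
        "optional_data": (line[28:42], "0" if line[42] == "<" else line[42]),
        # composite digit spans doc number, birth date, expiry and optional data with their digits
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    fields["failed_checks"] = [
        name for name, (data, cd) in checks.items() if str(check_digit(data)) != cd
    ]
    return fields  # any failure means a misread, cropped or altered scan, not proof of forgery


SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
```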
Sanctions screening — what happens behind the scenes
Least-discussed part of crypto-card onboarding, and the one that catches legitimate users off guard.
Every applicant is screened against:
- OFAC SDN List — the US Specially Designated Nationals list. Source: ofac.treasury.gov. Updated weekly, sometimes daily.
- EU Consolidated List — sanctions adopted by the Council of the European Union.
- UN Security Council Sanctions List — global, applies to all UN member states.
- UK HM Treasury Consolidated List — UK-specific.
- Swiss SECO List — often aligned with the EU, not identical.
- PEP databases — politically exposed persons and close associates. Hits usually trigger enhanced due diligence, not rejection.
False positives happen. The world has more than one "Sergey Ivanov" and more than one "Mohammed Khan." On a partial name match, the issuer compares DOB and nationality before flagging. Near-matches go to manual review, not auto-rejection.
Country of residence is also screened. Country-level sanctions (Iran, North Korea, Syria, Cuba, parts of Russia under sectoral measures, parts of Ukraine such as Crimea) trigger blocks regardless of the applicant. Full list in the geo policy. FinCEN maintains the US-side guidance hub.
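The disambiguation rule above (name match first, then DOB and nationality before flagging; near-matches to manual review, never auto-rejection) as an added example, not ExCards' or the issuer's own code. The watchlist entries, applicants and the exact decision matrix are constructed for illustration; production screening also applies fuzzy and transliteration-aware name matching, which is left out here.

```python
# Added example, not ExCards' or the issuer's own code: the name/DOB/nationality
# disambiguation step described above. Entries, applicants and the decision matrix
# are constructed; real screening adds fuzzy and transliteration-aware name matching.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str            # full name as printed in the passport
    birth_date: str      # YYMMDD, as in the MRZ
    nationality: str     # ICAO 3-letter code
    list_name: str = ""  # "OFAC_SDN", "EU", "PEP", ...; empty for an applicant


def name_match(a: str, b: str) -> str:
    """'full' for the same token set, 'partial' when one name contains the other."""
    ta, tb = (frozenset(n.upper().replace("-", " ").split()) for n in (a, b))
    if ta == tb:
        return "full"
    return "partial" if ta <= tb or tb <= ta else "none"


def screen(applicant: Subject, watchlist: list) -> dict:
    """Per-entry findings plus one overall outcome; nothing here auto-rejects."""
    findings = []
    for entry in watchlist:
        kind = name_match(applicant.name, entry.name)
        if kind == "none":
            continue
        same_dob = applicant.birth_date == entry.birth_date
        same_nat = applicant.nationality == entry.nationality
        if same_dob and same_nat:    # all three line up: an analyst decides, PEP -> EDD
            outcome = "edd" if entry.list_name == "PEP" else "sanctions_hit"
        elif same_dob or same_nat:   # near-match: human review, never auto-rejection
            outcome = "manual_review"
        else:                        # shared name only, DOB and nationality both differ
            outcome = "discounted"
        findings.append((entry.list_name, entry.name, kind, outcome))
    overall = next((o for o in ("sanctions_hit", "manual_review", "edd")
                    if any(f[3] == o for f in findings)), "approved")
    return {"overall": overall, "findings": findings}


# Constructed watchlist; the first two names echo the false-positive examples above.
WATCHLIST = [
    Subject("SERGEY IVANOV", "700101", "RUS", "OFAC_SDN"),
    Subject("MOHAMMED KHAN", "650315", "PAK", "EU"),
    Subject("JANE Q PUBLIC", "800202", "UTO", "PEP"),
]
```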
One-time KYC versus ongoing KYC
KYC isn't a one-shot ritual at signup. It's a relationship.
At ExCards, refresh is triggered by:
- Cadence. Every 24 months by default.
- Document expiry. Passport about to expire = re-upload required.
- Country change. New country of residence = re-verification.
- Behavioural triggers. Sudden change in transaction patterns, unusual top-up sources, geographic anomalies (card used in country A while the cardholder is registered in country B for weeks).
- Sanctions list changes. Watchlists update constantly. A name that cleared two years ago can show up later.
Not unique to crypto cards — standard ongoing-monitoring under FATF Recommendation 10. Banks do the same; they just hide it better. User-visible side: occasionally a request to confirm a few details or re-upload a current passport. Most users see one refresh request per 24-month cycle.
Light KYC versus "no KYC" — the unflattering comparison
A "no-KYC" crypto card is one of three things:
- Verifying users but lying about it in marketing. Most common. Some processors collect IDs at funding stages, then advertise no-KYC. The check happens; the advertising omits it.
- Running on a BIN sponsor about to lose its license. Compliance teams at BIN sponsors monitor reseller behaviour. A reseller advertising no-KYC triggers a review that tends to end with the BIN pulled. Real cases:
  - PayWithUs lost its BIN within roughly two weeks after compliance flags fired. Around $10,000 of transactions unwound before cutoff. Cardholders ate the loss.
  - Cryptomus took a C$176.9 million penalty from FINTRAC in early 2025 — 2,593 violations, 1,068 missing suspicious-transaction reports, links to darknet markets and sanctions evasion. They re-branded as Heleket and kept the model. Regulators don't tend to forget twice.
  - Sutton Bank has been under an FDIC consent order since February 2024 for BSA/AML deficiencies tied to fintech partner oversight. Several no-KYC programs still ride that BIN. The clock is loud.
- Operating outside the card networks entirely. Some "no-KYC" offerings aren't Visa or Mastercard at all — gift-card resale or closed-loop schemes that look like cards but don't work at most merchants.
None of those are good outcomes. Option 1: you were lied to about privacy. Option 2: card stops working, balance may not be refunded, issuer's records (which exist whether the reseller admits it or not) end up with a regulator during cleanup. Option 3: the card was never what you thought.
Light KYC sits in the boring middle. Real verification, real legal footing, no biometric capture, BIN sponsor that doesn't lose its license next quarter. The risk disclosure page links to the relevant FINTRAC, FDIC, and FinCEN actions.
Privacy implications — where the data actually lives
Fair question after seeing the field list: who can see this, and for how long.
Storage. AES-256 at rest, TLS 1.3 in transit. Passport image and structured fields stored separately. Access logs capture every read.
Access control. Role-based. Three groups can touch the data: ExCards compliance staff with a documented business need; the issuer's compliance and risk teams (for issuance, monitoring, sanctions review); regulators or law enforcement on lawful request. No fourth group. Data isn't sold, isn't shared with marketing partners, isn't handed to data brokers, isn't used to train models.
Retention. At least five years after the customer relationship ends, per FATF Recommendation 11 and the AML laws of the issuer's jurisdiction. After that window, data can be deleted on request, subject to legal holds.
GDPR / data-subject rights. If you're in the EU, UK, or another GDPR-equivalent jurisdiction, you can request a copy of your KYC data, correction of errors, or deletion after the retention period closes. Requests go through the channel in the KYC policy.
What we can't delete on request. AML records during the active retention period. Regulatory floor, not a policy choice.
That last point sometimes surprises people who assume crypto cards are a clean slate. They're not. They're regulated card programs with a different funding mechanism.
What can fail your KYC (and how to fix it)
Most rejections fall into a small set of categories. Almost all are user-fixable.
Image quality. Blurry photo (tap to focus). Glare across the photo or MRZ (no direct sunlight, no overhead lamp). Edges cropped (frame the full page, including MRZ). Photo of a photo (rejected — the engine catches the resolution drop).
Document issues. Expired passport — renew first. Damaged page — unreadable MRZ fails verification. Temporary or emergency travel documents — most issuers don't accept them.
Identity issues. Name mismatch between form and passport (use exact name as printed, including middle names). DOB typo. Country of residence inconsistent with passport nationality — not a blocker, may trigger a request for extra details.
Sanctions or PEP hit. True positive: card cannot be issued, no appeal. Likely false positive: manual review by a compliance analyst, usually 24-72 hours.
Geo-restriction. Country of residence on the restricted-jurisdictions list: card cannot be issued, regardless of passport.
If a submission fails, the user-facing message is usually generic ("verification could not be completed"). By design — detailed feedback would help bad actors iterate on forgeries. Support at app.excards.io walks through the likely cause without exposing detection logic.
Why light KYC is a defensible position — not a marketing trick
A true privacy-maximalist card would have zero KYC, which means zero card networks, which means it isn't a real card. Light KYC is the regulatory-minimalist version instead: legal minimum and stop. No biometrics that aren't required, no retention beyond the AML floor, no on-selling, no "premium privacy" upsell.
Different from "no KYC." Also different from bank-style onboarding where you film yourself, upload a utility bill, and answer a questionnaire about employment. It sits between the two by design.
For a user buying a crypto-funded card to pay OpenAI, Anthropic, Google Ads, Meta Ads, hosting, and SaaS subscriptions, that middle position is usually the right trade-off. Real card at real merchants, real BIN that doesn't vanish in six weeks, minimal biometric exposure.
Product breakdown on the cards page. Compliance stack: /kyc.html, /aml.html, /risk.html, /geo.html. Operational questions in the FAQ.
Closing
Light KYC isn't "KYC lite" as in "less compliance." It's KYC with the biometric layer removed because biometrics aren't required for this card tier.
The difference matters at three points: signing up (faster, less invasive), transacting (same monitoring as any regulated card), and when something goes wrong (same legal protections, same regulator oversight, same five-year retention). The first is the marketing story. The other two are why the program still works two years from now.
If you have a passport, a clean sanctions profile, and a country of residence off the restricted list, light KYC at ExCards is roughly a ten-minute exercise. If any of the three fail, no marketing language will make a card appear. That is the system working as designed.
Frequently asked questions
What does "light KYC" mean?
Identity verification using a passport scan and basic personal details, without a selfie, liveness check, or video call. Satisfies the issuer's duty to identify the cardholder while skipping biometric capture. Mandatory in every legitimate card program.
Is light KYC the same as "no KYC"?
No. Light KYC is real identity verification, just stripped of the biometric layer. "No KYC" offerings either misrepresent what they collect or rely on a BIN sponsor that gets its license pulled when compliance catches up.
What data does ExCards collect at light KYC?
Passport photo-page scan, full name, date of birth, nationality, passport number, issue and expiry dates, country of residence, contact handle (email or Telegram). Optional: tax-residence jurisdiction for fee calculation. Full list in the KYC policy.
Does ExCards store my selfie or face data?
No. Biometric data isn't stored. Passport-only, no liveness check, no video onboarding.
How long is KYC data kept?
At least five years after the customer relationship ends, per FATF Recommendation 11 and applicable AML laws. Encrypted at rest, role-based access, no resale.
How often does KYC get refreshed?
Every 24 months by default. Also triggered by passport expiry, change of country of residence, or transaction-monitoring flags.
Can my KYC fail? What then?
Yes. Common reasons: blurry scan, expired document, edge cropping over the MRZ, a sanctions or PEP hit, or a country on the restricted list. Most rejections are fixable. Support at app.excards.io helps diagnose without exposing detection logic.
Will my data be shared with anyone?
Only with the licensed card issuer (for issuance and monitoring) and with regulators on lawful request. Not sold, not used for marketing, not handed to data brokers.