Domain Context — Vocabulary You Need Cold
The terms a Platform PM for onboarding / KYC at a crypto exchange should be fluent in. Use this as a glossary; drill the quick-recall section the morning of.
KYC / AML core vocabulary
| Term | Meaning |
|---|---|
| KYC — Know Your Customer | Identity verification for an individual customer |
| KYB — Know Your Business | Verification for a business customer + its beneficial owners |
| AML — Anti-Money Laundering | The umbrella program of which KYC is part |
| CDD — Customer Due Diligence | Baseline diligence at onboarding |
| EDD — Enhanced Due Diligence | Extra scrutiny for high-risk customers |
| SDD — Simplified Due Diligence | Reduced diligence for low-risk customers (where law allows) |
| CTR — Currency Transaction Report | US FinCEN filing for cash (currency) transactions totalling more than $10,000 in one business day, aggregated per customer |
| SAR — Suspicious Activity Report | Filing when activity looks suspicious; the name is jurisdiction-specific (SAR in the US and UK, STR (Suspicious Transaction Report) in FATF terminology and many other jurisdictions) |
| BSA — Bank Secrecy Act | US AML statutory backbone |
| UBO — Ultimate Beneficial Owner | The natural person(s) who ultimately own or control a business |
| Source of Funds (SoF) | Where the money for a specific transaction came from |
| Source of Wealth (SoW) | How the customer accumulated their total wealth |
Screening & risk vocabulary
| Term | Meaning |
|---|---|
| OFAC | US Treasury's Office of Foreign Assets Control — administers sanctions |
| SDN list | Specially Designated Nationals — OFAC's primary sanctions list |
| EU Consolidated List | EU sanctions list |
| UN sanctions | Global sanctions enforced via member-state adoption |
| HMT | UK HM Treasury; its OFSI unit (Office of Financial Sanctions Implementation) publishes the UK consolidated list of financial sanctions targets |
| PEP — Politically Exposed Person | Senior public officials, their family members and close associates; heightened risk, so EDD (mandatory for foreign PEPs under FATF, risk-based for domestic PEPs) |
| Adverse media | Negative news mentions tied to financial crime / reputational risk |
| Watchlist | Generic term covering sanctions + PEP + adverse media + internal lists |
| Match score | Confidence that a name/data match is real, not coincidence |
| Disposition | Ops decision on a flagged hit — true match / false positive / refer |
| Re-screening | Periodic re-check of existing customers against current lists |
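
The match score and disposition rows above are easiest to internalize by running a screen. The following is an added example, not vendor code: a minimal name screener that normalizes names (diacritics stripped, punctuation removed, tokens sorted so "Petrov, Ivan" and "Ivan Petrov" compare equal), scores each watchlist alias with a Levenshtein similarity, and maps the score to a disposition. The list entries, IDs, thresholds (0.95 likely match, 0.80 refer) and the date-of-birth downgrade rule are all constructed for illustration.

```python
"""Name screening against a watchlist: normalize, score, and dispose hits.

Added example, not vendor code. The list entries, thresholds and DOB rule
are constructed for illustration only.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

LIKELY_MATCH = 0.95   # assumed threshold: treat as a probable true match
REFER = 0.80          # assumed threshold: below this the hit is auto-cleared

# Constructed watchlist entries (fictitious names and IDs).
WATCHLIST = [
    {"id": "LIST-0001", "name": "Ivan Petrov",
     "aliases": ["Ivan Petroff", "Petrov, Ivan Sergeevich"], "dob": None},
    {"id": "LIST-0002", "name": "Maria Gonzalez",
     "aliases": ["María González"], "dob": "1985-03-14"},
]


def normalize(name: str) -> str:
    """Strip diacritics and punctuation, lowercase, and sort tokens so that
    'Petrov, Ivan' and 'Ivan Petrov' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", stripped.lower())
    return " ".join(sorted(cleaned.split()))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, falling with edit distance relative to length."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


@dataclass
class Hit:
    entry_id: str
    matched_name: str
    score: float
    disposition: str   # "likely_match" | "refer" | "clear"


def dispose(score: float) -> str:
    if score >= LIKELY_MATCH:
        return "likely_match"
    if score >= REFER:
        return "refer"
    return "clear"


def screen(query: str, dob: Optional[str] = None, watchlist=WATCHLIST) -> List[Hit]:
    """Return hits at or above the refer threshold, best score first.
    An empty list means the applicant auto-clears."""
    q = normalize(query)
    hits = []
    for entry in watchlist:
        candidates = [entry["name"], *entry["aliases"]]
        best_name, best = max(((c, similarity(q, normalize(c))) for c in candidates),
                              key=lambda t: t[1])
        if best < REFER:
            continue
        disposition = dispose(best)
        # Secondary identifier: a DOB known on both sides that disagrees
        # downgrades the hit one level (constructed rule; real engines weight
        # several identifiers).
        if dob and entry["dob"] and dob != entry["dob"]:
            disposition = {"likely_match": "refer", "refer": "clear"}[disposition]
        hits.append(Hit(entry["id"], best_name, round(best, 4), disposition))
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for q, d in [("Gonzalez Maria", None), ("Maria Gonzalez", "1990-01-01"),
                 ("Ivan Petrof", None), ("Ivan Sergeevich Petrov", None), ("Alice Wong", None)]:
        print(q, d, screen(q, d))
```

Two points the rows in the table gloss over show up immediately: the token-sorted normalization is what makes "Petrov, Ivan Sergeevich" a perfect hit against "Ivan Sergeevich Petrov", and a name score alone is not a disposition; a secondary identifier such as DOB is what separates a true match from a namesake.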
Regulatory bodies & regimes
| Body / regime | Region | Relevance |
|---|---|---|
| FinCEN | US | Financial Crimes Enforcement Network; BSA enforcement, MSB registration |
| OFAC | US | Sanctions |
| FCA | UK | Financial Conduct Authority; cryptoasset firms register with it for AML supervision under the Money Laundering Regulations |
| MAS | Singapore | Monetary Authority of Singapore; PSA / DPT licensing |
| BaFin | Germany | Federal Financial Supervisory Authority; crypto custody licensing |
| AMF | France | Autorité des marchés financiers; PSAN (crypto service provider) registration |
| FINMA | Switzerland | Swiss financial market supervision |
| FATF | Global standard-setter | Recommendations adopted nationally; Recommendation 16 is the Travel Rule |
| MiCA | EU | Markets in Crypto-Assets — pan-EU crypto framework |
| GDPR | EU | Privacy regulation; consent, minimization, erasure |
| CCPA / CPRA | California | State-level US privacy |
| BIPA | Illinois | Biometric privacy — relevant to liveness/face data |
IDV technical vocabulary
| Term | Meaning |
|---|---|
| eIDV | Electronic identity verification |
| Document of record | The primary identity document the verification is anchored on |
| MRZ — Machine-Readable Zone | OCR-B strip on passports (two 44-character lines, TD3 format) and some ID cards; each field carries an ICAO 9303 check digit and there is a composite digit over the key fields, so OCR errors and single-field edits are detectable |
| NFC chip read | Reading the passport chip's data groups (access-controlled via BAC/PACE with a key derived from the MRZ) and verifying the issuing state's digital signature over them (passive authentication); the highest-trust document signal because signed data cannot be altered undetected. Chip cloning is caught separately by active or chip authentication where the document supports it |
| Liveness | Evidence that the selfie comes from a live person in front of the camera rather than a printed photo, screen replay, mask or deepfake |
| PAD — Presentation Attack Detection | ISO/IEC 30107 term for liveness: detecting artefacts presented to the camera. Injection attacks (a deepfake fed in via a virtual camera or a modified app, bypassing the sensor) are a separate class and need injection attack detection, not PAD alone |
| Active vs passive liveness | Active: user follows instructions. Passive: no user effort. |
| Biometric template | Stored representation of a face/voice/fingerprint; regulated separately in some jurisdictions |
| Face match / 1:1 match | Compare selfie to doc photo, return similarity score |
| 1:N match | Compare a selfie against a gallery — used in fraud / duplicate detection |
| Decision engine | The component that combines signals into approve/refer/reject |
| Vendor waterfall | Try vendor A, fall back to vendor B on failure or low confidence |
| Application abandonment | Customer started but didn't complete |
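
The MRZ row is worth seeing in code, because check digits are the one part of document verification a PM can verify by hand. The following is an added example, not vendor code: a parser for the TD3 passport MRZ that recomputes every ICAO 9303 check digit (weights 7, 3, 1 repeating, modulo 10) and the composite digit. The sample lines are the ICAO "Utopia" specimen, a fictitious document ICAO publishes for testing; the acceptance of a filler `<` as the check digit over an unused optional-data field is an assumption about issuer practice, labelled in the code.

```python
"""Validate an ICAO 9303 TD3 (passport) MRZ: field check digits and the composite digit.

Added example, not vendor code. The sample MRZ is the ICAO "Utopia" specimen
(a fictitious document ICAO publishes for testing).
"""
from dataclasses import dataclass, field
from typing import Dict

WEIGHTS = (7, 3, 1)

# ICAO 9303 specimen: fictitious passport of ANNA MARIA ERIKSSON, issued by UTOPIA.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def char_value(ch: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch == "<":
        return 0
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(data: str) -> int:
    """Weighted sum with weights 7,3,1 repeating, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10


def digit_ok(data: str, printed: str, allow_filler: bool = False) -> bool:
    """True if the printed check digit matches the recomputed one.
    Assumption: some issuers print '<' rather than a digit over an unused
    optional-data field; allow_filler accepts that case only when the field
    is entirely filler."""
    if printed == "<":
        return allow_filler and set(data) == {"<"}
    return printed.isdigit() and check_digit(data) == int(printed)


@dataclass
class Td3:
    document_number: str
    nationality: str
    birth_date: str    # YYMMDD
    sex: str
    expiry_date: str   # YYMMDD
    surname: str
    given_names: str
    checks: Dict[str, bool] = field(default_factory=dict)

    @property
    def valid(self) -> bool:
        return all(self.checks.values())


def parse_td3(line1: str, line2: str) -> Td3:
    """Parse both MRZ lines and recompute every check digit on line 2."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    names = line1[5:].rstrip("<")            # after 'P<' + issuing state
    surname, _, given = names.partition("<<")
    checks = {
        "document_number": digit_ok(line2[0:9], line2[9]),
        "birth_date": digit_ok(line2[13:19], line2[19]),
        "expiry_date": digit_ok(line2[21:27], line2[27]),
        "optional_data": digit_ok(line2[28:42], line2[42], allow_filler=True),
        # The composite digit covers positions 0-9, 13-19 and 21-42, so a single
        # altered field fails both its own digit and this one.
        "composite": digit_ok(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    return Td3(
        document_number=line2[0:9].rstrip("<"),
        nationality=line2[10:13],
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
        surname=surname.replace("<", " "),
        given_names=given.replace("<", " "),
        checks=checks,
    )


if __name__ == "__main__":
    doc = parse_td3(SPECIMEN_LINE1, SPECIMEN_LINE2)
    print(doc.surname, doc.given_names, doc.document_number, doc.valid, doc.checks)
    # Tamper with one digit of the birth date: its own digit and the composite now fail.
    tampered = SPECIMEN_LINE2[:18] + "3" + SPECIMEN_LINE2[19:]
    print(parse_td3(SPECIMEN_LINE1, tampered).checks)
```

Note what the check digits do and do not buy you: they catch OCR misreads and crude edits to the printed zone, but a forger who reprints the whole line with recomputed digits passes them. That is why the NFC chip read, with its issuer signature, is the higher-trust signal.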
Orchestration & platform vocabulary
| Term | Meaning |
|---|---|
| Onboarding orchestrator | The platform component that runs an applicant through steps in a jurisdictionally-correct order |
| Flow | A configured sequence of onboarding steps for a (segment × market × tier) |
| Policy version | A versioned compliance policy document the platform interprets |
| Tier | A KYC level that unlocks specific product capabilities |
| Grandfathering | Existing customers retain their tier under their original policy version |
| Step-up | Incremental verification to move to a higher tier without redoing prior work |
| Resume | Customer returns mid-flow; platform restores their state |
| Sandbox / test mode | Non-production environment for downstream teams to integrate |
| Idempotency key | Client-supplied identifier so retries don't duplicate effects |
| Event firehose | The unified stream of platform events for downstream consumers |
| Data contract | Explicit agreement between platform and consumer team on schema + cadence + use |
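
The idempotency key row is the one platform-API term in this table that downstream teams will get wrong in practice, so here it is as working code. This is an added example, not the platform's own code: an executor that records the response per (caller, key), replays it on retry, rejects reuse of a key with a different body, scopes keys per caller so two integrating teams cannot collide, and records nothing when the handler fails so a retry re-executes rather than replaying an error. The applicant-creation handler, the request body and the caller names are constructed.

```python
"""Idempotency keys for a platform write API: replay the stored response on retry,
reject key reuse with a different payload, and scope keys per caller.

Added example, not the platform's own code. The handler, request body and
caller IDs are constructed for illustration.
"""
import hashlib
import json
from typing import Any, Callable, Dict, Tuple


class IdempotencyConflict(Exception):
    """Same key reused with a different request body."""


class IdempotentExecutor:
    def __init__(self) -> None:
        # (caller_id, key) -> {"fingerprint": ..., "response": ...}
        self._records: Dict[Tuple[str, str], Dict[str, Any]] = {}

    @staticmethod
    def _fingerprint(payload: Dict[str, Any]) -> str:
        """Hash of the canonical JSON body, so key reuse with a changed body is detectable."""
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def execute(self, caller_id: str, key: str, payload: Dict[str, Any],
                handler: Callable[[Dict[str, Any]], Any]) -> Tuple[Any, bool]:
        """Run handler at most once per (caller, key). Returns (response, replayed)."""
        scoped = (caller_id, key)     # scoping prevents cross-caller key collisions
        fp = self._fingerprint(payload)
        record = self._records.get(scoped)
        if record is not None:
            if record["fingerprint"] != fp:
                raise IdempotencyConflict(f"key {key!r} already used with a different payload")
            return record["response"], True
        # Only a successful execution is recorded; if the handler raises, a retry
        # with the same key re-executes instead of replaying a failure.
        response = handler(payload)
        self._records[scoped] = {"fingerprint": fp, "response": response}
        return response, False


class ApplicantService:
    """Constructed downstream handler: creating an applicant is the side effect
    the idempotency layer must not duplicate."""

    def __init__(self) -> None:
        self.applicants: Dict[str, Dict[str, Any]] = {}
        self.fail_next = False      # simulate one transient backend failure

    def create(self, payload: Dict[str, Any]) -> Dict[str, Any]:
        if self.fail_next:
            self.fail_next = False
            raise RuntimeError("transient backend error")
        applicant_id = f"app_{len(self.applicants) + 1:04d}"
        self.applicants[applicant_id] = dict(payload)
        return {"applicant_id": applicant_id}


def demo() -> Dict[str, Any]:
    """Exercise the four behaviours: replay, conflict, per-caller scope, failure."""
    svc = ApplicantService()
    ex = IdempotentExecutor()
    body = {"email": "a@example.test", "market": "DE", "tier": 1}   # constructed
    first, _ = ex.execute("team-web", "k-1", body, svc.create)
    second, replayed = ex.execute("team-web", "k-1", body, svc.create)   # client retry
    try:
        ex.execute("team-web", "k-1", {**body, "tier": 2}, svc.create)   # key reuse
        conflict = False
    except IdempotencyConflict:
        conflict = True
    other, _ = ex.execute("team-mobile", "k-1", body, svc.create)   # same key, other caller
    svc.fail_next = True
    try:
        ex.execute("team-web", "k-2", body, svc.create)            # handler fails
    except RuntimeError:
        pass
    recovered, replayed_after_failure = ex.execute("team-web", "k-2", body, svc.create)
    return {
        "first": first, "second": second, "replayed_on_retry": replayed,
        "conflict_detected": conflict, "other_caller": other,
        "recovered": recovered, "replayed_after_failure": replayed_after_failure,
        "applicants_created": len(svc.applicants),
    }


if __name__ == "__main__":
    print(demo())
```

In production the record store is a shared database with a TTL, and the (caller, key) write has to be atomic so two concurrent retries cannot both execute the handler; the in-memory dict here stands in for that.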
Crypto-specific vocabulary
| Term | Meaning |
|---|---|
| Travel Rule | FATF Recommendation 16: VASPs must obtain, hold and transmit originator and beneficiary information with virtual asset transfers above the threshold (FATF de minimis is USD/EUR 1,000; national thresholds vary) |
| VASP | Virtual Asset Service Provider — regulated crypto entity |
| TRP / OpenVASP / Notabene | Protocols and services for exchanging Travel Rule data between VASPs; IVMS 101 is the common data model for the originator/beneficiary payload |
| Wallet attestation | Proof a customer controls a destination wallet (signed message, Satoshi test) |
| Self-hosted wallet | Customer-controlled wallet, not at a regulated exchange |
| On-chain analytics | Risk-scoring addresses based on chain history |
| Chainalysis / TRM / Elliptic | Major on-chain analytics vendors |
| Mixer / tumbler | Service that obscures transaction provenance — high-risk signal |
| Sanctioned address | A wallet address listed by OFAC or another regime |
| Stablecoin compliance overlay | Issuer-level controls on top of the chain (e.g. Circle can freeze USDC balances at the contract level) |
Operations vocabulary
| Term | Meaning |
|---|---|
| Manual review | Human ops decision on a case the platform couldn't auto-resolve |
| Refer queue | Queue of cases awaiting manual review |
| Disposition | The ops decision on a queued case |
| Four-eyes / dual control | Two-reviewer requirement for higher-risk decisions |
| Three lines of defense | First line: business / ops. Second: Compliance / risk. Third: internal audit. |
| Change control | Formal process for approving platform changes |
| WORM storage | Write-Once-Read-Many — immutable audit storage |
| Legal hold | Retention extended beyond standard window pending litigation |
License types worth recognizing
| License | Where | What it permits |
|---|---|---|
| MSB — Money Services Business | US federal | Registration with FinCEN (a registration, not a licence); a crypto exchange registers as a money transmitter and takes on BSA obligations (AML program, SAR and CTR filing) |
| MTL — Money Transmitter License | US state | State-by-state authorization to transmit money |
| EMI — Electronic Money Institution | EU / UK | Issue e-money |
| PI — Payment Institution | EU | Payment services |
| CASP | EU (MiCA) | Crypto-Asset Service Provider — pan-EU authorization |
| DPT | Singapore | Digital Payment Token license under PSA |
| BitLicense | New York | NYDFS virtual currency business license (23 NYCRR Part 200) |
Quick-recall flashcards — drill the morning of
- KYC vs KYB → individual vs business identity verification.
- CDD vs EDD → baseline vs enhanced diligence.
- SDN list → OFAC's sanctions list.
- PEP → Politically Exposed Person; triggers EDD (mandatory for foreign PEPs, risk-based for domestic).
- Travel Rule → FATF Rec 16; transmit originator/beneficiary info on VASP transfers.
- VASP → Virtual Asset Service Provider.
- Liveness / PAD → evidence the selfie is from a live person at the camera; injection attacks need separate detection.
- 1:1 match → selfie ↔ doc; 1:N → selfie against a gallery.
- UBO → ultimate beneficial owner.
- Source of funds vs source of wealth → this transaction vs total assets.
- WORM storage → immutable audit log.
- Three lines of defense → ops / compliance / audit.
- FinCEN, FCA, MAS, BaFin, MiCA, FATF → memorize the geographies.
- Vendor waterfall → fall through providers on failure.
- Grandfathering → existing customers stay on prior policy version.
- Step-up → incremental verification, not full redo.
- Re-KYC → periodic refresh per risk tier.