Web3 Project Teams Must Read: Outsourced KYC, Can You Shift Blame to a Third Party if Something Goes Wrong?

Written by: Deng Xiaoyu, Li Haojun

Introduction

In the Web3 community, there is a highly dangerous compliance illusion: as long as the project team pays to outsource KYC (Know Your Customer) and AML (Anti-Money Laundering) services to an internationally renowned third-party agency, it has effectively bought “criminal liability exemption insurance.” If the platform later becomes involved in money laundering or black market funds, the blame should fall on the outsourcing company, and the project team can sit back and relax.

This idea, in the eyes of lawyers, is “naive”; in the eyes of investigative agencies, it is “foolish”; and in reality, it is a time bomb that could explode at any moment.

In the past two years, as judicial authorities have continuously upgraded their crackdown on crimes related to virtual currencies—especially with penetrating investigations into “assistance crimes,” “concealment crimes,” and even “illegal business operations”—this “ostrich” compliance logic has been gradually shattered by an airtight chain of evidence. Project teams must clearly realize: outsourcing does not equal compliance, let alone criminal immunity.

Outsourcing KYC is not a “get-out-of-jail-free card”: How does criminal law view “neutral conduct”?

Many project teams believe that paying for services constitutes “technological neutrality” or “business conduct neutrality.” But Mankun's lawyers remind you: neutral conduct has boundaries.

  1. Formal compliance does not equal substantive compliance

Referring to judicial precedents in traditional payment industries and aggregate payments (four-party payments), courts handling such “outsourced compliance” defenses generally follow a unified logic: “Technical outsourcing does not exempt the entity from responsibility.” In criminal law logic, if you merely use an outsourced “token compliance” scheme to deceive others, it is very easy in judicial practice to be regarded as “using compliance as a guise to indulge.” Courts focus on whether you have fulfilled the “substantive prudence obligations,” not just the existence of the outsourcing contract.

  2. Subjective knowledge under the impact of AI-enabled black industry

With the development of AI technology, even a project that connects to standard KYC interfaces still faces significant challenges. Currently, black industry groups use tools like ProKYC and OnlyFake to generate highly realistic fake passport photos at very low cost, and employ deepfake technology to produce liveness detection videos. They inject these into systems via “virtual cameras” to bypass automated reviews perfectly.

Early project teams might say, “I don’t understand black industry technology,” but in the context where tools like ProKYC have become industry threats, judicial authorities will believe: as a professional project team, you should foresee that static reviews by outsourcing companies can no longer prevent AI forgery.

If the platform backend shows obvious technical features such as “documents with identical backgrounds but different faces” or “multiple users’ liveness detection environments with completely overlapping lighting,” and the project team has not upgraded “injection detection” or added manual sampling, this “technical laxity” can easily be judged as “knowingly assisting others’ crimes” in criminal proceedings.

  3. Criminal responsibility is non-transferable

Many project teams, when signing outsourcing contracts, will request to add “exemption clauses” or “compensation clauses,” stating that the outsourcing company bears legal consequences caused by inadequate review. However, within the criminal legal system, such clauses are almost worthless.

Criminal responsibility is highly personal. Whether an individual or an entity commits a crime depends on whether their conduct meets the criminal elements. You cannot transfer statutory criminal obligations through a civil contract.

According to Article 153 of the Civil Code, civil legal acts that violate mandatory provisions of laws and administrative regulations or violate public order and good customs are invalid. Any contractual attempt to evade criminal punishment or circumvent anti-money laundering supervision is considered invalid by judicial authorities and may even be regarded as evidence of the project team’s subjective malicious intent to evade regulation.

In Web3 projects, if an entity is deemed to have committed a “unit crime,” then under the “dual punishment system” in the Criminal Law for unit crimes, not only will the project entity itself be penalized, but the “directly responsible persons” (CEO, CTO) and “other directly responsible personnel” (compliance officers) will also be the primary targets of criminal accountability. Outsourcing contracts cannot save you; instead, they may worsen subjective fault due to your “selective negligence” in choosing third-party agencies.

Three key dimensions determining criminal responsibility: life-saving or life-taking?

When project teams are questioned for suspected “assistance crimes” or “concealment crimes,” the core task of investigators is to establish your “subjective knowledge.” Outsourcing KYC—whether it alleviates or aggravates your responsibility—often depends on the following evidence reconstruction:

  1. Is it aligned with industry standards or just “buying a certificate”?

In regulatory compliance, your choice of vendors reflects your compliance attitude.

Choosing internationally recognized top-tier service providers like Sumsub, Jumio, Onfido, and paying market prices demonstrates a subjective pursuit of the highest standards and the fulfillment of “reasonable diligence”; selecting small providers that advertise “high pass rates” and “lenient reviews” can be interpreted as knowingly taking the risk, deliberately lowering defense standards, and having a clear “indifference” motive.

  2. After warnings, do you “block accounts” or “play dead”?

This is the most critical evidence in determining “assistance crimes.” If backend logs record thousands of “identity anomaly” alerts, but the project team has no manual review traces and takes no restriction measures, the outsourcing contract becomes solid evidence of “knowingly tolerating.” Therefore, a comprehensive “technical feedback—manual handling” mechanism must be established. Without handling logs, compliant outsourcing is legally equivalent to zero.
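As an added illustration (not code from the original article or from any KYC vendor), the following sketch reconciles a backend's anomaly signals with the manual handling log. It covers both the “identical backgrounds but different faces” pattern described earlier and the alert-handling gap described above. All field names, the `bg_hash` background fingerprint, and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example.
SUBMISSIONS = [  # one row per KYC document submission
    {"user": "u1", "bg_hash": "bg-A", "face_id": "f1"},
    {"user": "u2", "bg_hash": "bg-A", "face_id": "f2"},
    {"user": "u3", "bg_hash": "bg-A", "face_id": "f3"},
    {"user": "u4", "bg_hash": "bg-B", "face_id": "f4"},
    {"user": "u5", "bg_hash": "bg-C", "face_id": "f5"},
]
ALERTS = [  # "identity anomaly" alerts recorded in the backend
    {"alert_id": "a1", "user": "u1"},
    {"alert_id": "a2", "user": "u2"},
    {"alert_id": "a3", "user": "u5"},
]
REVIEWS = [  # manual handling log kept by the internal compliance team
    {"alert_id": "a1", "reviewer": "analyst-1", "action": "account_restricted"},
    {"alert_id": "a3", "reviewer": "analyst-2", "action": "none"},
]

def shared_background_clusters(submissions, min_faces=2):
    """Users whose documents share one background but show different faces."""
    faces, users = defaultdict(set), defaultdict(set)
    for s in submissions:
        faces[s["bg_hash"]].add(s["face_id"])
        users[s["bg_hash"]].add(s["user"])
    return {bg: sorted(users[bg]) for bg in faces if len(faces[bg]) >= min_faces}

def audit(submissions, alerts, reviews):
    """Return the gaps between anomaly signals and manual handling traces."""
    reviewed = {r["alert_id"]: r for r in reviews}
    alerted_users = {a["user"] for a in alerts}
    clusters = shared_background_clusters(submissions)
    clustered = {u for members in clusters.values() for u in members}
    return {
        # anomaly visible in the data but never raised as an alert
        "clustered_without_alert": sorted(clustered - alerted_users),
        # alert raised but no manual review trace exists
        "alerts_without_review": sorted(
            a["alert_id"] for a in alerts if a["alert_id"] not in reviewed),
        # reviewed with no restriction: may be legitimate, queue for sampling
        "reviewed_no_restriction": sorted(
            aid for aid, r in reviewed.items() if r["action"] == "none"),
    }

if __name__ == "__main__":
    print(audit(SUBMISSIONS, ALERTS, REVIEWS))
```

Running such a reconciliation on a schedule and archiving its output gives the project team a dated record of which alerts were handled, by whom, and with what result.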

  3. Does the profit source involve “illegal consideration”?

The flow of money is the ultimate indicator of criminal responsibility. If the platform condones “low compliance standards” to earn profits far exceeding industry averages, judges will recognize these profits as “criminal shares.” If the payments to vendors are far below normal costs, this business irrationality will directly expose the falsehood of “technological neutrality.”

Mankun Practical Recommendations

To prevent compliant outsourcing from becoming criminal evidence, the following operational guidelines are suggested for project teams:

  1. Keep due diligence logs: record reasons for choosing the outsourcing vendor, qualification review process, and formal contracts.

  2. Establish secondary review mechanisms: for “high-risk” users flagged by the system, retain internal compliance team’s manual review traces.

  3. Conduct regular compliance audits: at least once a year, have professional lawyers or third-party agencies audit compliance effectiveness and issue reports—this is excellent evidence of “lack of subjective intent.”

  4. Strictly prohibit “absolute automation”: do not set up backdoors that automatically approve all reviews. Any low-cost KYC service promising 100% approval without disconnection is legally considered “inducing crime.”

  5. Respond promptly to regulatory notices: upon receiving investigation notices, immediately disconnect from related risky accounts without any illusions.

Conclusion:

The compliance game in the Web3 industry has long moved beyond the naive era where “outsourcing contracts” could easily deceive authorities.

Outsourcing KYC is fundamentally purchasing a technical service, not shifting criminal risks. If you try to treat outsourcing companies as a “firewall” to evade responsibility, this wall is often thinner than paper in the face of judicial digital traceability.

Finally, a word of advice: compliance is indeed costly, but compared to the price of losing freedom, it is always the most worthwhile investment. In the face of criminal red lines, only substantive compliance can truly ensure the safety of project teams.
