After KYC and KYB, crypto compliance needs KYA: Know Your Agent
KYA is the control layer for autonomous or semi-autonomous agents that can hold wallets, request payments, route orders, call tools, or act for users.
Quick answer: KYC verifies a person. KYB verifies a business. KYA verifies an agent: who deployed it, what it is authorized to do, what wallet or tool permissions it holds, and who is accountable when it acts.
Why AI agents need a new K
Traditional compliance assumes the actor is either a person or a legal entity. Agentic systems break that assumption. A trading bot, wallet agent, MCP-enabled compliance assistant, or treasury agent can execute a workflow without a human clicking every step. The compliance question shifts from "who is the user?" to "who is this non-human actor acting for, and what evidence proves the action was authorized?"
That is the reason KYA matters for crypto before many other sectors. Crypto agents can touch bearer assets, venue APIs, smart contracts, bridges, lending markets, and token promotion channels. A weakly identified agent can become a sanctions, market-abuse, custody, outsourcing, or consumer-protection problem.
Screenshot-ready KYA comparison table
| Layer | KYC | KYB | KYA |
|---|---|---|---|
| Subject | Individual customer | Company or project entity | AI agent, bot, smart-account delegate, or autonomous workflow |
| Core proof | ID, address, source of funds | Registration, UBOs, directors, operating history | Operator identity, model/tool stack, wallet authority, policy limits, signed logs |
| Key risk | Fraud, sanctions, account abuse | Shell entities, hidden ownership, illicit business activity | Unbounded authority, unclear accountability, prompt injection, unauthorized transactions |
| Exchange question | Can this user trade? | Can this project or market maker be onboarded? | Can this agent access an API, route orders, or sign wallet actions safely? |
| Evidence cadence | Onboarding and periodic refresh | Onboarding, material-change review, annual refresh | Continuous monitoring of permissions, actions, venue access, and policy drift |
The APAC FINSTAB KYA scoring model
APAC FINSTAB maps KYA into seven dimensions: operator identity, agent mandate, wallet and custody controls, tool and venue access, audit trail, security and abuse controls, and jurisdiction fit. The framework extends ACAS from generic agent compliance toward crypto-specific accountability.
For example, an OKX or Binance trading agent profile should not only say "trading bot." It should show the operator, connected venue, API permissions, strategy authority, withdrawal permissions, jurisdiction restrictions, and whether logs can reconstruct each trade decision.
What KYA pages will track
- Agent operator and deployment context.
- Wallet, custody, and signing permissions.
- Exchange, MCP, API, and smart-contract tool access.
- Jurisdiction-specific licensing and promotion risk.
- Evidence quality: public docs, terms, audit logs, and control statements.
Bottom line
KYA is not a slogan. It is the missing audit object between a verified user, a verified business, and the non-human agent that may actually execute the transaction. The earlier crypto teams build KYA records, the easier it becomes for exchanges, regulators, banks, and wallet providers to decide which agents deserve production authority.