How to Build a Tiered KYC Workflow for Crypto Exchanges Using Shufti Journey Builder?

Under the Markets in Crypto-Assets Regulation (MiCA), every crypto asset service provider (CASP) operating in the EU must hold a valid authorisation by July 1, 2026, with full Know Your Customer (KYC) and Anti-Money Laundering (AML) procedures in place before that deadline lands. For many exchanges, that deadline arrives in a live trading environment where adding friction to onboarding costs users fast: CoinLaw’s 2025 KYC compliance analysis puts the average onboarding drop-off rate at 25%. The answer is not lighter verification but smarter tiering. This guide walks through how to configure a three-tier KYC flow inside Shufti’s no-code Journey Builder, so your verification depth tracks user risk rather than applying maximum friction to every signup.

A tiered KYC workflow assigns different levels of identity verification to users based on transaction volumes, geographic risk, and behavioral signals, applying proportionate checks rather than a uniform process to everyone.

What is a tiered KYC workflow and why do crypto exchanges need one?

Risk-based onboarding has been the standard in traditional banking for years, but most crypto exchanges still run a single path that treats a casual retail user making their first deposit the same way it treats a high-volume trader processing thousands daily. That is both a user experience problem and a compliance inefficiency that regulators increasingly notice during authorisation reviews.

A tiered KYC framework fixes the mismatch by slotting each user into a verification level on entry and escalating them automatically when activity crosses a defined threshold.

Tier 1: Basic identification for low-volume users

Tier 1 collects government-issued document data and confirms the user’s identity against it. No biometrics, no liveness detection. This tier suits users trading below the Financial Action Task Force (FATF) Travel Rule threshold, where FATF Recommendation 16 allows lighter-touch verification for lower-risk customers at transactions below $1,000.

Tier 2: Standard verification for retail trading

Tier 2 adds face verification and liveness detection on top of the document check. Users graduate to this tier automatically when their daily transaction volume rises or when they request withdrawal access. This tier covers the bulk of a typical exchange’s user base.

Tier 3: Enhanced due diligence for high-risk and institutional users

Tier 3 triggers full Enhanced Due Diligence (EDD), including AML screening against sanctions lists, Politically Exposed Person (PEP) databases, and adverse media sources. It applies to users flagged by geography, transaction patterns, or a manual review flag during onboarding.

How do FATF and MiCA thresholds map to your KYC tiers?

Getting the tier thresholds right is the difference between a compliant flow and one that passes an audit. Two frameworks set the floor: FATF Recommendation 16 and MiCA’s Transfer of Funds Regulation, both enforceable in the EU as of December 30, 2024, with no grace period on Travel Rule obligations.

FATF’s Travel Rule requires originator and beneficiary information to travel with virtual asset transfers at the threshold set in FATF Recommendation 16. The practical consequence for exchanges: any user who can push or pull value at or above that threshold needs at minimum a completed Tier 2 check before the transaction proceeds.

MiCA adds the CASP authorization layer. CASPs seeking EU passporting must demonstrate, in their application package, that their KYC procedures include Customer Due Diligence (CDD) scaled to customer risk profiles. The standard regulators look for in 2025–2026 authorisation reviews maps neatly onto the three-tier model: simplified CDD for low-risk customers, standard CDD for the retail majority, and EDD for flagged profiles.

A practical threshold model for most exchanges running standard retail crypto products:

• Tier 1: Total account activity below the FATF Travel Rule threshold per rolling 30 days, no withdrawal permissions
• Tier 2: Withdrawals enabled or daily volume above the FATF threshold and below the upper retail band defined by your compliance team
• Tier 3: PEP match, high-risk jurisdiction origin, daily volume in the institutional range, or manual review flag

The thresholds above are starting points, not regulatory mandates. Your compliance team should calibrate them against your actual user distribution and the specific jurisdictions you serve.

How to configure a tiered KYC flow in Journey Builder?

Shufti’s Journey Builder runs in a visual drag-and-drop interface. No API calls, no developer tickets needed. Compliance officers can own the entire flow configuration from the dashboard, and the build takes about 15 minutes once your tier thresholds are agreed internally.

Step 1: Define your tiers as named journey branches

Open Journey Builder and create three separate branches: Tier1-BasicKYC, Tier2-StandardKYC, Tier3-EDD. Each branch runs independently, so naming them precisely makes routing logic easier to audit later.

Step 2: Build the Tier 1 journey

Add a document verification node. Set the accepted document types (passport, national ID, driver’s licence), the required document fields, and the match confidence threshold. No biometric node at this tier.

Step 3: Build the Tier 2 journey

Add a document verification node first, then connect it to a face verification node with liveness enabled. The face verification step compares the selfie capture against the document photo and runs a liveness check to reject static or replayed images. Both nodes must pass before the journey exits as approved.

Step 4: Build the Tier 3 journey

Start with the Tier 2 node sequence, then add an AML screening node after face verification passes. Configure the screening to run against the sanctions, PEP, and adverse media databases relevant to your served jurisdictions. Add a manual review queue for hits that fall in the grey zone.

Step 5: Configure routing logic at the entry point

Back at the root journey, set the entry-level routing rule: new users without prior transaction history start at Tier 1. When a user’s activity triggers a threshold (withdrawal request, daily volume limit crossed, PEP flag from the screening node), the journey automatically escalates to the appropriate branch. Journey Builder handles the conditional routing through its visual logic editor without any code.

Step 6: Publish and test

Run a test batch through each tier branch using sandbox mode before going live. Confirm the tier escalation triggers are firing correctly and that manual review cases are routing to the right queue.

How Shufti helps crypto exchanges configure risk-based KYC?

The crypto KYC and AML compliance challenge for exchanges is not a shortage of regulations to follow. The operational problem is running verification at scale without a compliance team large enough to hand-review every edge case. Shufti’s Journey Builder removes the developer dependency from that equation. You configure the tier logic once, publish it, and the automation handles the routing.

Inside Journey Builder, the verification nodes feeding each tier draw on Shufti’s document verification and AML screening infrastructure. Document verification covers 10,000+ document types across 230+ countries, so a user submitting a less common national ID does not stall in a manual queue waiting for a reviewer. AML screening runs against 100,000+ data sources updated every 15 minutes, so the Tier 3 screening result reflects the sanctions landscape at the time of the check, not the time of the last batch refresh.

For exchanges approaching their MiCA CASP authorisation review or auditing their FATF Travel Rule posture, a properly configured three-tier workflow is also an audit artifact. Journey Builder logs every node decision, every tier escalation, and every manual review outcome, giving your compliance team a structured evidence trail for any regulator review.

Exchanges already running a flat single-tier flow can take advantage of Journey Builder’s live editing capability. Add the Tier 3 EDD branch to an existing journey and set the escalation trigger without rebuilding the base flow from scratch.