Frequently Asked Questions

WhyAML is a digital identity verification platform built for businesses with anti-money-laundering obligations. It lets you verify that your clients are who they say they are - in line with UK AML rules - without ever handling a single identity document.

The platform is operated by Go2Glory Ltd. The consumer-facing verification product carries the brand name WhyKYC, because KYC is the experience your client has.

As an estate agent, tax accountant, solicitor, lender, or other regulated business, you are classified as an 'obliged entity' under the UK Money Laundering Regulations 2017. Parliament has given you a specific responsibility to check who your clients are before working with them. It is not optional, and it applies to every business in your sector regardless of size.

The rules apply identically to you and to a major bank. The difference is that the bank has a dedicated compliance team and infrastructure built over decades, and you do not. WhyAML closes that gap by giving you access to the same standard of verification the large institutions use, at a price that fits a smaller business.

HMRC supervises estate agents and tax accountants for AML compliance; the SRA supervises solicitors; the FCA supervises others. Firms without a documented process face fines, public censure, and in serious cases criminal liability. Firms with a consistent, documented process - like the one WhyAML provides - are in a strong position.

Instead of asking your client to hand over sensitive documents, WhyAML verifies that they control an account at a regulated financial institution - one that has already performed comprehensive identity checks on them and continues to maintain that relationship under ongoing supervision. The institution did the verification work; WhyAML confirms your client is genuinely the person in that relationship. No identity documents change hands.

Today, WhyAML supports FCA-registered crypto-asset firms (Tier 2 regulated institutions) - firms such as Coinbase and Kraken, registered with the FCA under the UK crypto-asset framework. These institutions are supervised under modern AML standards and have performed contemporary KYC on their account holders.

From Phase 1, WhyAML will also support FCA- and PRA-regulated UK banks (Tier 1 institutions) through read-only Open Banking, accessed under WhyAML's certified RAISP registration. The principle is the same in both cases: verify the client through their authenticated relationship with a regulated institution, not through documents.

Your client answers a short series of questions about their own financial history - things only they would know. They connect their wallet to confirm an institutional connection, and provide a recent email from their bank or exchange (a .eml file) that the platform cryptographically verifies. In most cases this takes a few minutes. For some clients an additional step is needed, but the process is always guided.

Real bank and exchange emails carry an invisible cryptographic signature called DKIM, which proves the email genuinely came from the institution's domain and was not altered in transit. By verifying that signature, WhyAML can confirm your client's institutional relationship is real - without ever contacting the institution or needing its cooperation.

The email is read inside a sealed, hardware-isolated environment. No member of WhyAML staff ever sees its contents, and the file itself is not retained - only the result of the check is recorded.

Not exactly. The platform uses a tiered approach driven by G-RADE™ (confidence scoring) - verification adjusts based on each client's profile. Clients with a strong, recent institutional history complete verification quickly; clients with a more complex profile go through additional steps to build the same level of confidence. This mirrors how professional due diligence is meant to work: proportionate to the risk.

Near-approved status means the verification is materially complete and awaiting one final confirmation - usually a routine transaction your client was going to make anyway. You can continue your working relationship during this time, but the formal verification certificate is only issued once the process is fully complete. Do not treat near-approved status as a finished verification for the purpose of starting a regulated business relationship.

The platform holds only the minimum necessary: your client's name, address, and wallet address. The bank email used to confirm the connection is read inside a sealed, hardware-isolated environment; only the result of the check is recorded, and the email itself is never stored.

No passport copies. No bank statements. No utility bills. The sensitive documents that traditionally sit in filing cabinets and shared drives - the ones that make small businesses targets for identity theft - are never collected in the first place.

Operational data is held in encrypted, secure cloud infrastructure based in the EU, subject to UK data protection law. An independent technology audit covers how data is handled at every stage. The architecture is designed so that the personal information held about your client is genuinely minimal - data minimisation in fact, not just in policy.

When verification is complete, your client receives an encoded record on the blockchain called a Compliance Token. It contains no personal information - no name, no address, nothing readable. It is an anti-fraud signal of verification, written as a native part of how the system works.

Your client holds it in their own wallet. Under the Data (Use and Access) Act 2025 and UK GDPR Article 20, the verified-status record is theirs to hold and to port - they can use it in a future verification or keep it private, and the protection works either way.

You receive a Broker Compliance Certificate - a clean, downloadable record confirming the verification was completed, the confidence band achieved, the timestamped flow of each step, and the regulations satisfied. The Technological Due Diligence assessment and the Certificate Terms of Use are appended in full.

This is your evidence of compliance. You store it, and if a regulator examines your process, this is what you show them. The underlying personal data never enters your systems.

UK law requires AML verification records to be kept for five years, and WhyAML meets this automatically. Your Broker Compliance Certificates are stored in your portal. Your client's on-chain record is permanent and independently verifiable - it cannot be lost, altered, or deleted.

A passport is a piece of paper. The institution behind your client - the bank or regulated exchange they actually use - has already verified their identity to a far higher standard than any single document could provide, and continues to monitor the relationship under statutory obligations. Checking the passport gives you a copy of a document; checking the institutional relationship gives you the supervised, ongoing verification the institution maintains.

In a world where AI-generated passports are increasingly difficult to detect - a 311% increase in synthetic identity documents between Q1 2024 and Q1 2025 - the document-centric model has a structural weakness. The Witness Model does not.

Under the document-centric model, your client's identity documents end up in every database they applied to - including every deal that never completed. Most people have no idea how many copies of their passport and bank statements sit in the systems of firms they never did business with.

Under the WhyAML model this doesn't happen. The verification is recorded once, and your client controls who has access. If a deal doesn't complete, no identity documents were ever collected - the honeypot doesn't exist because the documents were never gathered.

No. The architecture is rail-agnostic - it observes the user's authenticated relationship with a regulated institution, whatever rails that institution operates on. Today the platform observes on-chain activity at FCA-registered crypto-asset firms. From Phase 1 it will observe read-only Open Banking signals at FCA- and PRA-regulated UK banks, under WhyAML's certified RAISP registration.

The principle does not change between phases: the institution did the identity work, the client's ongoing economic activity is the proof, and WhyAML witnesses the result. Your client doesn't need to be a crypto specialist - they need a real, authenticated relationship with a regulated institution.

AML exists to enable financial investigation. Under the document-centric model, if fraud is discovered after the verification, the trail ends at the document accepted at onboarding - and if that document was synthetic, there is nothing for an investigator to follow.

Under the witness model, the trail leads upstream into the regulated institution's own records, its ongoing monitoring, and its supervisory oversight. An investigator reaches the institution that actually performed and maintains the underlying verification - not a piece of paper that may or may not be real.

WhyAML satisfies Regulation 28 of the Money Laundering Regulations 2017 - the requirement that identity be verified from a reliable, independent source. The Regulations do not prescribe a method; they require reliability and independence. A regulated institution that has performed and maintains comprehensive KYC under its own statutory obligations is a reliable and independent source, and WhyAML witnesses your client's authenticated connection to that source.

Adoption of the methodology is recorded under Regulation 19(4)(c) as a risk-based approach. WhyAML provides a full Technological Due Diligence assessment, appended to every Broker Compliance Certificate, that forms part of your Practice-Wide Risk Assessment.

No, and it does not claim to be. The HM Treasury and DSIT Joint Guidance of 26 February 2026 confirmed that DIATF-certified Digital Verification Services are one recognised route to satisfying Regulation 28. WhyAML takes a different route: it is not a DVS and does not create a digital identity. Regulation 28 is technology-neutral - it requires identity to be verified from a reliable source independent of the person, without prescribing a single method. WhyAML witnesses your client's authenticated relationship with a regulated institution that has already performed statutory KYC; that institution is the reliable, independent source. Adoption of this methodology is recorded under Regulation 19(4)(c) as a documented risk-based approach, supported by the Technological Due Diligence pack appended to every Compliance Certificate.

Yes - that obligation sits with you as the regulated business. WhyAML provides the documentation to support it, including a Technological Due Diligence assessment that covers the platform's methodology and is signed off by your MLRO before first use.

You show them your Broker Compliance Certificates and the appended Technological Due Diligence assessment. WhyAML's deeper documentation - the provision-by-provision Regulatory Compliance Mapping that defends each requirement in detail - is available to your counsel on request. Every verification leaves a clear, auditable, timestamped record, so if a regulator examines your process, it is all there and organised.

Your existing verification records remain valid for the period they were conducted. WhyAML is for new verifications and for periodic re-verification where your obligations require it.

Completely different - in your favour. Passport copies create a liability: you store sensitive data you are responsible for protecting, and if it is ever compromised, it is your problem. WhyAML verifies identity without ever collecting those documents. No documents on your systems means no documents to lose.

Most digital KYC services replace the passport check with a selfie and a photo scan. They are still inspecting documents - just digitally. WhyAML verifies that your client already has a verified relationship with a regulated institution: the institution did the work, and you get the result.

WhyAML is currently the only AML verification service operating in the UK that collects no identity documents from the customer at any stage.

No. WhyAML does not contact the institution, request anything from them, or require their participation. The verification is based entirely on evidence your client generates themselves through their own financial activity. Nothing is asked of the institution - only its existing, externally verifiable evidence of your client's authenticated relationship is observed.

WhyAML's verification engine - including the G-RADE™ (confidence scoring) system and the multi-level proof architecture - is Patent Protected. The approach is a new verification standard rather than a faster version of document checking.

Complete the WhyAML onboarding process: accept the Client Terms of Service, review and sign off the Technological Due Diligence assessment (which becomes part of your Practice-Wide Risk Assessment file), and integrate the platform into your client onboarding workflow.

WhyAML lets you set your minimum confidence threshold during onboarding. A higher setting means more verification steps for your clients and greater evidential certainty for you; a lower setting means a faster process for straightforward cases. Your setting should reflect the risk profile of your typical client and is documented in your Practice-Wide Risk Assessment.

For most clients with a straightforward institutional history, verification takes a few minutes. For clients who require additional proof steps it may take longer - and in some cases a final step completes when they next make a routine transaction. We always show you and your client where they are in the process.

The platform will indicate clearly that an alternative verification method is needed. Traditional document-based verification remains available for those cases - but for any client with an authenticated relationship at an FCA-registered institution, the witness model is the better path.

WhyAML provides onboarding support, a knowledge base, and direct access to our team for queries about the platform and its use. For questions about your specific legal obligations, we recommend speaking with your professional body or a specialist adviser - our job is to give you the best possible tool, not to replace professional advice.