The know-your-customer or KYC process is one of the biggest stumbling blocks in finance and, specifically, in banking. KYC can be time- and resource-consuming, the data provided can be fraudulent, the verifier might not be able to verify the data and, as the cherry on top, the user experience is horrible. The list goes on.
Self-sovereign identity (SSI) or decentralised identity (DID) enables both KYC and, separately, creditworthiness checks to be carried out efficiently and in a way that prevents fraud. The verifier of data can always verify credentials directly with their issuer. Furthermore, KYC credentials can be re-used to save further on costs and time while improving the user experience. In short, SSI can significantly reduce friction for users, improving the customer experience while still providing a compliant service. While current KYC is “single-use”, SSI makes KYC “reusable”.
Why current know-your-customer processes don’t work
Most financial services, such as opening a bank account, require user identity verification. KYC is the process of verifying the identity of a customer; without it, fraud is impossible to prevent.
Driven by regulatory requirements, banks and corporates are required to undertake KYC and anti-money laundering (AML) checks to be in compliance with them.
While effective KYC processes are vital for successful compliance and risk management, endless identity checks are, at the same time, a hurdle for customers. According to SWIFT, AML and KYC compliance is growing in importance as more stringent regulatory requirements come into force, making it even more difficult for banks to balance compliance with frictionless customer service. That difficulty is being exacerbated by the old-fashioned compliance methods currently used.
Banks, including neobanks, continue to fight a losing battle with fraud in their industry. It is indeed a “losing battle” because they continue to use the same age-old AML and KYC processes to defeat ever-evolving digital threats. Oversharing personal information in order to verify identity (e.g. showing a utility bill in order to prove an address) or storing all personal data in a centralised database aren’t future-proof or secure KYC methods.
A very well-known example was the neobank darling Monzo – nearly half a million of their customers fell victim to a data breach. It shows how even digitally-savvy banks’ KYC and data handling methods aren’t sustainable and fit for the digital age.
Part of the problem is the current regulations: these financial institutions are burdened with heavy compliance requirements, which means significant costs. There is no incentive, time or resources for a company within the financial sector to develop an identity solution of its own. Also, perhaps a deeper point could be that they don’t feel it is their responsibility to find a solution. Given the amount of regulation imposed, one may assume that the regulators must know what they are doing and should be the ones to carry this burden. If a bank is already meeting a hefty bill in costs to comply, e.g. paying salaries for a compliance team of hundreds of people along with the cost of associated systems, would they give further thought to finding, let alone developing, a solution to the problem?
Yes, one can argue neobanks are much ahead of the rest and are actively using user-friendly identity verification methods, such as selfies, a short video of the applicant or even live verification systems. However, these checks can easily be bypassed with deepfakes, with some of them being literally mind-blowing (cheq out DuckDuckGoose).
In order to understand how decentralised identity can aid the banking sector by re-imagining KYC, we need to understand the core concepts of SSI itself.
Self-sovereign identity or decentralised identity is a method of identity that centres the control of information around the user, hence also sometimes referred to as “self-managed identity”. It safeguards privacy by removing the need to store personal information entirely on a central database and gives individuals greater control over what information they share. Unlike the existing system, it’s a user-centric and user-controlled approach to exchanging authentic and digitally signed information in a much more secure way.
Acting as an enabler of decentralised identity, verifiable credentials are tamper-evident data files with a set of claims about a person, organisation, or thing that can be cryptographically verified.
Banks can adopt decentralised identity to make their entire KYC process smooth by using reusable verifiable credentials (VCs) across banks, either by forming a consortium or potentially by utilising initiatives like open banking here in the UK. If one bank issues a VC, others can simply reuse it and get it verified with the issuer of the VC. The VC can be updated on expiry or on a more regular basis (e.g. annually), based on the existing policies of the bank and regulators and incorporating any further requirements set by the ecosystem or the consortium itself. This accommodates various commercial business models: the renewal could be done by the issuer bank or perhaps by the bank that receives a VC which has just expired. The scenarios are endless.
It would lead to saving costs for banks and a massive improvement to the onboarding experience.
Furthermore, banks can start actually becoming issuers of additional, useful data to their clients through SSI, e.g. credit scores, evidence of salary payments or bank balance, bank account title VCs, etc. They can get paid each time another entity (bank or otherwise) needs the VC verified, e.g. a mortgage provider, a new employer or a visa application. The payer can be the verifier of the data or the holder of the data. As a result, this will:
- Make payments fair – e.g. banks get paid because they have actually done something valuable for the client by verifying a particular detail to a third party.
- Put the data owner in control of their data. The data is issued to the bank’s client, who is the owner and user of that data. And so the user is always in control of where and what data to use.
- Save time for each participant of the process.
- Reduce chances of fraudulent transactions or activity, including ID theft.
- Allow applications that currently take hours or days to complete, including bank accounts, mortgages, visas, loans, property purchases, and so on, to be verified in a matter of seconds.
- Improve security – since the users keep their data, banks do not have to create databases and data silos, meaning they are less of a target for hackers, decreasing their exposure to data leaks and hacks.
Through SSI, banks can further (in a partnership with non-financial and/or government organisations or just within their consortia) create a list of verified issuers of data or even adopt a scale or scoring system. In such a system, the level of trust put in each VC by the user or verifier of that VC is based on several factors, one of which can be the status or credibility of the issuer. An individual can then use those verified credentials to prove their identity. And so, if an individual VC has a lower credibility score due to the VC’s issuer, they may need to use multiple VCs from different issuers to prove that particular aspect of their identity.
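One way a verifier could apply such an issuer scoring scheme, as an added example that is not cheqd's code: the registry, the scores, the threshold and the `did:example:` identifiers are all hypothetical, and cryptographic signature verification is assumed to have happened upstream (`signature_ok`).

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical consortium registry: issuer DID -> credibility score.
TRUSTED_ISSUERS = {
    "did:example:bank-a": 1.0,
    "did:example:utility-co": 0.5,
    "did:example:employer-x": 0.5,
}
REQUIRED_SCORE = 1.0  # assumed acceptance threshold per claim

@dataclass(frozen=True)
class Credential:
    issuer: str
    claim: str          # e.g. "address"
    value: str
    expires: date
    signature_ok: bool  # result of signature verification done upstream

def evaluate_claim(creds, claim, today):
    """Return (accepted, value, score, rejected) for one identity claim."""
    by_value = {}  # value -> {issuer: score}; each issuer counts once
    rejected = []
    for c in creds:
        if c.claim != claim:
            continue
        if not c.signature_ok:
            rejected.append((c.issuer, "bad signature"))
        elif c.issuer not in TRUSTED_ISSUERS:
            rejected.append((c.issuer, "issuer not in registry"))
        elif c.expires < today:
            rejected.append((c.issuer, "expired"))
        else:
            by_value.setdefault(c.value, {})[c.issuer] = TRUSTED_ISSUERS[c.issuer]
    if not by_value:
        return False, None, 0.0, rejected
    # Conflicting values never reinforce each other: score each value alone.
    value, votes = max(by_value.items(), key=lambda kv: sum(kv[1].values()))
    score = sum(votes.values())
    return score >= REQUIRED_SCORE, value, score, rejected

TODAY = date(2024, 1, 15)  # constructed evaluation date
SAMPLE = [  # constructed credentials: a duplicate issuer and an expired VC
    Credential("did:example:utility-co", "address", "1 High St", date(2024, 6, 1), True),
    Credential("did:example:utility-co", "address", "1 High St", date(2024, 9, 1), True),
    Credential("did:example:employer-x", "address", "1 High St", date(2023, 12, 31), True),
]
```

With the sample data, two VCs from the same lower-scored issuer do not add up to the threshold, so the holder still needs a VC from a second issuer.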
Companies pioneering decentralised KYC
Decentralised identity is already being used by a number of banks and financial services firms for their KYC. As part of their Regulatory Sandbox, the UK’s Financial Conduct Authority (FCA) tested how decentralised identity can make it easier for customers to sign up for financial products while maintaining a high level of fraud and anti-money laundering protection.
There are also a number of web3 companies already improving KYC processes with the help of decentralised identity. Two particularly interesting ones are Umazi and Verida. Umazi speeds up corporate identity verification, streamlining due diligence by replacing repetitive, paperwork-heavy processes. Verida is a multi-chain protocol for interoperable database storage and messaging built on decentralised identity.
We at cheqd believe that SSI helps solve this problem effectively. The decentralised nature of the solution makes it resilient to phishing, hacking or similar attacks.
In addition, the identity data is held by individuals themselves. So, there is no single, ripe, fruitful target (a bank in this case) any longer. Even if the perpetrator is successful, there is no longer a single honeypot that stores all that sensitive and very valuable personal data for thousands or millions of individuals.
Finally, cheqd payment rails will create commercial models for trusted data marketplaces, which will incentivise all the participants of the process. And as mentioned above, an organisation that receives identity data or credentials from an individual can have it verified by the issuer of that identity (see the image below), which further helps fight fraud.
In short, while current KYC is “single-use”, SSI makes KYC “reusable”, decentralised, privacy-preserving, cheaper, and future-proof.
The SSI market is around the 0.55 trillion mark, noting this number might be significantly underestimated as other unexplored areas of opportunities present themselves with SSI adoption. Irrespective, experts believe that the adoption of this technology will accelerate in the coming years.