Introduction to Compliance on tbDEX
In this guide, we will walk through an example of how a PFI (Participating Financial Institution) offering services on tbDEX can integrate DIDs (Decentralized Identifiers) and VCs (Verifiable Credentials) into their customer due diligence program.
What is KYC?
In the financial industry, KYC (Know Your Customer) is a term used to describe the set of policies, procedures, and processes that financial institutions use to establish the identity of a customer and to assess the ongoing risk that the customer poses to the organization over the lifetime of the customer relationship.
KYC encompasses the following compliance processes and procedures:
Customer identification and verification (IDV);
Customer Due Diligence (CDD), which establishes the nature and purpose of the customer relationship;
Enhanced Due Diligence (EDD), which uses a risk-based approach to determine whether additional diligence is required for higher-risk customer relationships.
KYC requirements vary with a number of factors, including the jurisdiction, the nature of the services provided, and the regulatory oversight the financial institution is subject to. As a result, different PFIs may have different compliance needs: what information must be collected, what must be validated and verified, how long it must be retained, and how often each aspect of KYC must be refreshed to keep customer information current.
Identity Verification
Identity verification (IDV) is the component of KYC that typically involves collecting Personally Identifiable Information (PII), a government-issued photo ID (such as a driver's license or passport), and biometric information from an individual. The collected information is then validated and verified against third-party sources. Financial institutions often rely on compliance vendors to streamline the IDV process.
IDV is the foundational process a PFI implements to carry out KYC, and thus to offer regulatory-compliant financial services on tbDEX.
Decentralized Identifiers (DIDs)
A Decentralized Identifier (DID) is a cryptographically secured digital identifier that can represent a person, company, or government agency. Unlike identifiers such as email addresses, social-media accounts, or web addresses, which exist at the discretion of a provider, a DID is controlled by the individual or entity it represents: control is proven by holding the private keys associated with the DID rather than by an account on centralized infrastructure. DIDs also allow two peers to communicate directly with one another, without an intermediary.
Verifiable Credentials
Verifiable Credentials (VCs) are digitally verifiable, tamper-evident containers of information that an authority has claimed to be true about a Subject. The Subject of a VC, which is the entity about which claims are made, is also often the Holder of the VC. VCs may be issued by a private company, government agency, or even another individual. In the following example you will see how DIDs and VCs can work together to both streamline and strengthen a PFI’s compliance processes, and improve privacy for customers in the process.
Example: a Financial Institution (FI) issues a VC representing KYC completion
FI, an Issuer, issues a VC to Alice representing her successful KYC.
Alice, the Subject and Holder, securely holds the VC in a Digital Wallet on her phone.
Alice asks a PFI on tbDEX to enter into a transaction with her.
The PFI returns their KYC policy for this transaction to Alice’s Digital Wallet, which checks to see if she can satisfy that policy using her existing VCs, and, if so, presents her VC as Proof that she meets the policy requirements.
The PFI, the Verifier, verifies that the presented VC belongs to Alice (its subject is Alice's DID, and Alice has proven control of that DID by signing the presentation) and that the credential fulfills the PFI's KYC requirements.
The PFI also verifies the authenticity of the digital signature on the VC (similar to inspecting a watermark on a physical ID).
Finally, the PFI verifies that the DID of the issuer belongs to an entity the PFI trusts.
If all checks out, the transaction proceeds.
The above process occurs nearly instantly with minimal friction for Alice, and offers high security for both Alice and the PFI. While any level of PII can be communicated through VCs in this process, we foresee a future where PFIs can use VCs to fulfill their KYC requirements without collecting and storing any PII at all, improving both the security and privacy of today’s KYC processes.
Additionally, the VCs requested from Alice could be issued by an authoritative government source. For example, a PFI could implement policies that require the presentation of a Mobile Driver’s License, which is a digitally verifiable equivalent of today’s physical driver’s license, as an input to the IDV process. Doing so would afford the PFI:
Near-instant onboarding
High assurance digital ID source
Cost-savings during IDV
Fraud reduction
Using DIDs and VCs on tbDEX
As noted above, Decentralized Identifiers and Verifiable Credentials provide a technical solution for the secure exchange of identity information and proof of verification without a centralized intermediary. Used on tbDEX, DIDs and VCs allow two parties to directly negotiate the information they need from one another for a transaction.
This technology has enabled tbDEX to be built from the ground up with compliance in mind.
In the next section, we will walk through how a PFI can construct and use the credentials needed to fulfill KYC for regulated financial transactions on tbDEX.