Reusable eKYC – The Fintech white whale

May 31, 2024
Blog
Use Cases

Learn about the challenges and solutions for reusing KYC credentials to improve user experience. Reusing KYC credentials can reduce repetitive identity checks but requires ongoing monitoring and compliance, making it complex. The idea is to create an open ecosystem where credential providers and verifiers can work together easily, supported by strong infrastructure and clear rules. Important issues to address include managing credential revocation and ensuring secure data storage. This approach aims to make KYC processes smoother and more efficient for everyone involved.

Are you tired of repeatedly going through KYC every time you sign up for a new app?

KYC can be a tedious process, especially if you are just testing new services. Many industries are delaying the implementation of KYC due to its friction on user experience.

In this article, we'll explain why reusing KYC credentials is more challenging than it seems:

  • What is KYC?: The process of verifying the identities of customers for regulated businesses. It also involves checking IDs against sanction lists, followed by ongoing monitoring and record-keeping.
  • The Complexities of KYC Reusability: KYC isn't just about a one-time identity check; it also involves ongoing services like managing revocations and ensuring data storage compliance, which becomes complex as credentials are reused by different verifiers.
  • Framework for an Open Ecosystem of Reusable Credentials: A healthy ecosystem lets KYC providers freely offer services to many customers and industries, ensuring consistent user experience and compliance without needing additional integrations.

First, let’s define what eKYC means

Know Your Customer (KYC) is the process of verifying the identity of customers for regulated businesses. You have probably gone through the process: a website asks you to scan your passport or national ID and your face.

The truth is, this is just the first step of the process –the rest (monitoring) will happen behind the scenes. KYC is not only a credential, but also a legal responsibility that can be seen as an ongoing process. This means that you can’t just “pass” the KYC check by presenting a credential –there are other obligations that a company has to meet in order to be compliant.

Although the requirements for compliance in KYC depend on local or regional legislation, they usually involve:

  1. Customer Identification Program (CIP): Verifying the identity of the customer through some national ID or similar documentation.
  2. Customer Due Diligence (CDD): Looking up the customer in publicly available lists of sanctioned individuals, as required by Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) regulations.
  3. Continuous monitoring (CM): Monitoring transactions & AML/CFT compliance periodically.
  4. Keeping the records of this verification for a minimum period of time (5 to 10 years) in case of an investigation.

CIP is usually automated by eKYC providers through document scanning and face recognition (you own a valid document that matches your face). This is what creates the “KYC credential”.

The process has its difficulties (different document formats, problems with face-match, poor cameras…). Let’s say that, as a user, this is not something you would like to do very often – especially if it’s a requirement just to “test” a new service or application.

But presenting this credential to a verifier is not enough for the verifier to be compliant – somebody has to perform steps 3 and 4. Most eKYC providers will take these responsibilities as part of their services.

Many industries are delaying the implementation of these KYC controls because of the friction it creates in the user experience.

What is reusable eKYC?

The idea of reusable, portable and compliant eKYC is not new. SWIFT KYC Registry started in 2016 as a way to share KYC data across banks and financial institutions (holding a SWIFT license). It’s an example of credential re-usability in a closed ecosystem.

The next challenge is to offer that kind of reusability in an open ecosystem, available to any type of company. That open ecosystem is what we want to achieve.

Open ecosystem of credentials

An open ecosystem of credentials is a permission-less marketplace, where new actors –credential providers and apps consuming these credentials– can join freely, as long as they meet the rules of the ecosystem.

It means transforming the industry from its current state, where B2B relationships between credential providers and consumers are created and managed through manual and offline channels (contracts, negotiations, calls, ad-hoc integrations, monthly billing processes, etc.), into a marketplace model where relationships are not 1 to 1, but many to many.

In an open ecosystem:

  • Any eKYC provider can join and start offering services to every customer operating in the ecosystem (no monopolies).
  • Customers can buy credentials from any eKYC that meets their compliance requirements without additional integration efforts.
  • The user experience remains consistent across all providers.

This alone is already quite challenging when you consider what it takes to build an interoperable open ecosystem of credentials. But KYC is even more difficult, because it is not just about the credential (CIP), but about the responsibilities that the provider inherits every time a credential is sold (CDD, CM) –it’s not only about reusing a credential, but about managing the ongoing service subscriptions that are created with that reuse.

So, let’s review the requirements for an open ecosystem of reusable KYC credentials:

  1. To involve the user in the exchange of data, so all data sharing is consented.
  2. An economic model that compensates the KYC providers for their services.
  3. A governance model to regulate the trust requirements to participate in the ecosystem.
  4. Infrastructure services that automate the exchange of data and value in a permissionless marketplace, including the delivery of ongoing services derived from the credentials sold.

KYC ongoing services

Reusable KYC services require more than just presenting the KYC credential; they involve ongoing services for continuous monitoring. Let’s start with the basic reusability flow:

  1. The user wants to onboard into Service Provider X –and is asked to present credentials or to go through document verification.
  2. Since the user doesn’t have credentials, he/she goes through an identity verification process executed by eKYC provider Issuer Inc. and receives a KYC credential in his/her identity wallet.
  3. Days later, the user wants to onboard in Service Provider Y and is asked to present credentials or to go through document verification.
  4. The user is able to reuse the KYC credentials obtained in step 2, skipping the document verification process.

What is missing here? The ongoing services that Issuer Inc attaches to the KYC credential for Service Provider X do not automatically carry over to Service Provider Y.

Unfortunately, the majority of the solutions advertised today as “Reusable KYC” fail to solve this issue in one way or another. These are the most common issues with the current solutions in the market:

A Framework for Reusable eKYC

What would a complete solution for Reusable KYC look like? Let’s define some user stories:

As a Credential Provider, I want:

  • To be compensated for the first issuance of each credential and for its reuse.
  • To receive the necessary information about the credentials used by the different verifiers, so I can provide them with the right services.
  • To be compensated for the ongoing services attached to each credential presented to a verifier.
  • To allow new verifiers to reuse my credentials in a self-service manner (permissionless onboarding).

As a Verifier, I want:

  • To benefit from an open ecosystem of providers, where competition works in my favour.
  • To get the guarantee that reused KYC credentials also come with the compliance services that match my specific compliance needs.
  • To reuse credentials from issuers I have never worked with before, as long as they meet certain regulatory requirements.

Baseline Architecture

The basic components of any open ecosystem of credentials are:

These elements provide the necessary infrastructure and governance services for an economically sustainable, permission-less open ecosystem of credentials.

But they don’t solve the challenges presented in this article around the management of ongoing subscription services attached to KYC credentials. For that, we will need to expand the scope of some of these components and add some more.

Revocation Subscription

Revocations are part of the Verifiable Credential standard and are an important element in any credential ecosystem to invalidate previously issued credentials under certain conditions.

In Privado ID, it is the identity holder who proves the non-revocation of the credential to the verifier –the verifier can’t check the revocation status directly. This has been implemented to protect the privacy of the identity holder but –even in other solutions that make the revocation registry open to the verifiers– the real question in the KYC market is how much responsibility is the credential provider taking in maintaining that status –and how it’s compensated for it:

  • If 100 verifiers are reusing the same KYC credential, should the provider be compensated in the same way as if only 1 is using it?
  • Should all verifiers get access to the revocation status for free?
  • Or is this revocation status a service to which these verifiers should subscribe?

In the case of KYC, the revocation status reflects the CDD and CM parts of the process, which represent a big part of the value that providers deliver to their verifiers. This means the ecosystem should have:

  • A mechanism for verifiers to pay for having access to the revocation status updates.
  • A mechanism to manage each individual “subscription” to the revocation of every credential (one per verifier).
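As an added illustration (not code from Privado ID or from this post), a small Python ledger showing the two mechanisms just listed: each verifier holds its own subscription to a credential's revocation status, revocation updates are pushed only to subscribers, and the subscription count is what the provider bills for. The class, the method names and the kyc-0001 sample are assumptions; how the status reaches the verifier (holder-presented proof or a direct lookup) is deliberately left out.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Subscription:
    """One verifier's subscription to one credential's revocation status."""
    verifier: str
    credential_id: str
    since: date
    updates: list = field(default_factory=list)   # revocation updates delivered so far


class RevocationSubscriptions:
    """Hypothetical provider-side ledger: who subscribes to which credential's
    revocation status, so both status delivery and billing are per verifier."""

    def __init__(self):
        self.revoked_on: dict = {}   # credential_id -> revocation date
        self.subs: dict = {}         # credential_id -> [Subscription, ...]

    def subscribe(self, verifier: str, credential_id: str, since: date) -> Subscription:
        subs = self.subs.setdefault(credential_id, [])
        if any(s.verifier == verifier for s in subs):
            raise ValueError("one subscription per verifier per credential")
        if credential_id in self.revoked_on:
            raise ValueError("cannot subscribe to an already revoked credential")
        sub = Subscription(verifier, credential_id, since)
        subs.append(sub)
        return sub

    def revoke(self, credential_id: str, on: date) -> list:
        """Revoke and push the update only to subscribed (paying) verifiers."""
        self.revoked_on[credential_id] = on
        subscribed = self.subs.get(credential_id, [])
        for s in subscribed:
            s.updates.append(on)
        return [s.verifier for s in subscribed]

    def entitled(self, verifier: str, credential_id: str) -> bool:
        """Only a subscribed verifier is entitled to status updates."""
        return any(s.verifier == verifier for s in self.subs.get(credential_id, []))

    def billable(self, credential_id: str) -> int:
        """Subscriptions the provider can charge for: 100 reusing verifiers, 100 fees."""
        return len(self.subs.get(credential_id, []))


def scenario() -> dict:
    # Constructed sample: one credential reused by two verifiers; a third never subscribes.
    ledger = RevocationSubscriptions()
    ledger.subscribe("Service Provider X", "kyc-0001", date(2024, 5, 1))
    ledger.subscribe("Service Provider Y", "kyc-0001", date(2024, 5, 10))
    notified = ledger.revoke("kyc-0001", date(2024, 6, 1))
    return {"notified": notified, "billable": ledger.billable("kyc-0001"),
            "z_entitled": ledger.entitled("Service Provider Z", "kyc-0001")}
```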

Compliant Storage

Compliant storage facilitates the management of the data retention periods required by KYC regulations: all the information obtained during the CIP must remain available, in case of an investigation, for a certain period of time after the business relationship between the verified person and the verifying application ends.

This is an obligation usually met by the credential providers, but it becomes very complex when credentials can be reused permissionlessly –every time a new verifier reuses the credential, it can extend the retention period required for that credential.

This challenge can be solved either by:

  1. Assuming that each credential provider will manage this complexity OR
  2. Allowing credential providers to outsource the responsibility of this compliant storage to an infrastructure service.

We advocate for the second option since it allows for a faster, easier growth of the ecosystem of credential providers.
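An added example, not part of the original post, of how the retention deadline for one credential grows with each reuse: each verifier brings its own relationship end date and its own retention period (5 to 10 years depending on jurisdiction), and the evidence may only be deleted once the latest of those deadlines has passed. The Reuse record, its fields, the function names and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Reuse:
    """One verifier's use of a credential, with the retention its regulation imposes."""
    verifier: str
    relationship_end: date   # when the verified person's relationship with the verifier ends
    retention_years: int     # 5 to 10 years, depending on the verifier's jurisdiction


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_deadline(reuses: List[Reuse]) -> Optional[date]:
    """Latest date until which the CIP evidence must stay available:
    each new reuse can only extend it, never shorten it."""
    if not reuses:
        return None
    return max(add_years(r.relationship_end, r.retention_years) for r in reuses)


def still_binding(reuses: List[Reuse], today: date) -> List[str]:
    """Verifiers whose retention obligation has not yet expired on `today`."""
    return [r.verifier for r in reuses
            if today <= add_years(r.relationship_end, r.retention_years)]


def may_delete(reuses: List[Reuse], today: date) -> bool:
    """True only once every verifier's obligation on this credential has lapsed."""
    deadline = retention_deadline(reuses)
    return deadline is not None and today > deadline


# Constructed sample: the same credential reused by two verifiers in different jurisdictions.
SAMPLE = [
    Reuse("Service Provider X", date(2025, 3, 1), 5),    # must keep until 2030-03-01
    Reuse("Service Provider Y", date(2027, 6, 15), 10),  # must keep until 2037-06-15
]
```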

Open questions

Usually, the devil is in the details and this is not an exception. Although we have identified some specific needs for reusable, interoperable and compliant KYC credentials to be shared in an open ecosystem, we still need to find solutions for:

  • What is the process to “open” the data of a credential when the verifier is required to do so by authorities? Can we still claim to have a privacy-preserving solution when the verifier is able to look into the data at any point in time?
  • Given that each country may have different sanction lists, is the credential revocation the best mechanism to reflect the eligibility of an individual to the services of the provider? The same credential could be invalid in one country but valid in others.
  • The Continuous Monitoring (CM) part of KYC usually involves assessing the risk of every transaction (depending on the profile of the customer) –how do we combine this with the current credential-based approach?

Our research will focus on solving these questions and implementing the necessary components in our solution to meet the requirements discussed above for a reusable, open ecosystem.
