Blog
Use Cases
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
LoremLearn about the challenges and solutions for reusing KYC credentials to improve user experience. Reusing KYC credentials can reduce repetitive identity checks but requires ongoing monitoring and compliance, making it complex. The idea is to create an open ecosystem where credential providers and verifiers can work together easily, supported by strong infrastructure and clear rules. Important issues to address include managing credential revocation and ensuring secure data storage. This approach aims to make KYC processes smoother and more efficient for everyone involved.
Are you tired of repeatedly going through KYC every time you sign up for a new app?
KYC can be a tedious process, especially if you are just testing new services. Many industries are delaying the implementation of KYC due to its friction on user experience.
In this article, we'll explain why reusing KYC credentials is more challenging than it seems:
Know Your Customer (KYC) is the process of verifying the identity of customers for regulated businesses. You have probably gone through the process: a website asks you to scan your passport or national ID and your face.
The truth is, this is just the first step of the process –the rest (monitoring) will happen behind the scenes. KYC is not only a credential, but also a legal responsibility that can be seen as an ongoing process. This means that you can’t just “pass” the KYC check by presenting a credential –there are other obligations that a company has to meet in order to be compliant.
Although the requirements for compliance in KYC depend on local or regional legislation, they usually involve:
CIP is usually automated by eKYC providers through document scanning and face recognition (you own a valid document that matches your face). This is what creates the “KYC credential”.
The process has its difficulties (different document formats, problems with face-match, poor cameras…). Let’s say that, as a user, this is not something you would like to do very often – especially if it’s a requirement just to “test” a new service or application.
But presenting this credential to a verifier is not enough for the verifier to be compliant – somebody has to perform steps 3 and 4. Most eKYC providers will take these responsibilities as part of their services.
Many industries are delaying the implementation of these KYC controls because of the friction it creates in the user experience.
The idea of reusable, portable and compliant eKYC is not new. SWIFT KYC Registry started in 2016 as a way to share KYC data across banks and financial institutions (holding a SWIFT license). It’s an example of credential re-usability in a closed ecosystem.
The next challenge is to offer that kind of reusability in an open ecosystem, for any type of company. What we want to achieve is an open ecosystem.
An open ecosystem of credentials is a permission-less marketplace, where new actors –credential providers and apps consuming these credentials– can join freely, as long as they meet the rules of the ecosystem.
It means to transform the industry from their current status where these B2B relationships between credential providers and consumers are created and managed through manual and offline channels (contracts, negotiations, calls, ad-hoc integrations, monthly billing processes, etc.) to a new marketplace model, where relationships are not 1 to 1, but many to many:
In an open ecosystem:
This alone is already quite challenging when you consider what it takes to build an interoperable open ecosystem of credentials. But KYC is even more difficult, because is not just about the credential (CIP), but about the responsibilities that the provider inherits every time a credential is sold (CCD, CM) –it’s not only about reusing a credential, but about managing the ongoing services subscriptions that are created with that reuse.
So, let’s review the requirements for an open ecosystem of reusable KYC credentials:
Reusable KYC services require more than just presenting the KYC credential; they involve ongoing services for continuous monitoring. Let’s start with the basic reusability flow:
What is missing here? The KYC attached ongoing services that Issuer Inc provides to Service Provider X are not passing automatically to Service Provider Y:
Unfortunately, the majority of the solutions advertised today as “Reusable KYC” fail to solve this issue in some way or another. These are most common issues with the current solutions in the market:
What would a complete solution for Reusable KYC look like? Let’s define some user stories:
As a Credential Provider, I want:
As a Verifier, I want:
The basic components of any open ecosystem of credentials are:
These elements provide the necessary infrastructure and governance services for an economically sustainable, permission-less open ecosystem of credentials.
But they don’t solve the challenges presented in this article around the management of ongoing subscription services attached to KYC credentials. For that, we will need to expand the scope of some of these components and add some more.
Revocation Subscription
Revocations are part of the Verifiable Credential standard and are an important element in any credential ecosystem to invalidate previously issued credentials under certain conditions.
In Privado ID, it is the identity holder who proves the non-revocation of the credential to the verifier –the verifier can’t check the revocation status directly. This has been implemented to protect the privacy of the identity holder but –even in other solutions that make the revocation registry open to the verifiers– the real question in the KYC market is how much responsibility is the credential provider taking in maintaining that status –and how it’s compensated for it:
In the case of KYC –the revocation status involves the CDD and CM parts of the process– they represent a big part of the value that providers deliver to their verifiers. Which means the ecosystem should have:
Compliant Storage
To facilitate the management of the data retention periods required by KYC regulations. This is (all the information obtained during the CIP that must be available in case of an investigation for a certain period of time after the business relationship with the verified person and the verifying application ends).
This is an obligation usually met by the credential providers, but it becomes very complex when credentials can be reused permisionlessly –every time a new verifier reuses the credential, it can expand the retention period required for that credential:
This challenge can be solved either by:
We advocate for the second option since it allows for a faster, easier growth of the ecosystem of credential providers.
Usually, the devil is in the details and this is not an exception. Although we have identified some specific needs for reusable, interoperable and compliant KYC credentials to be shared in an open ecosystem, we still need to find solutions for:
Our research will focus on solving these questions and implementing the necessary components in our solution to meet the requirements discussed above for a reusable, open ecosystem.
Together, we can build an equitable future for all through the mass adoption of Privado ID.