
Why zkKYC Stands Out: The Superior Choice Among KYC Providers


Today it is commonplace for consumers to fulfill Know Your Customer (KYC) checks prior to accessing services online. Despite the myriad of options available to businesses that are required to implement such KYC checks in areas like finance, there is a lack of understanding about some critical differences which can have a significant impact on both the business and the individual consumer.

After a long list of incidents over the years, the latest data breach suffered by Fractal ID highlights the importance of selecting platforms which prioritize individual encryption and credential anonymization at the point of data collection. In this case, the breach was due to an employee using a compromised password.

When a critical identity software provider such as this does not update its passwords, it shows a systemic vulnerability in architectural design and also illustrates how the human factor plays a role. In a true zero-knowledge environment, not even the employees of a KYC vendor would be able to initiate such a breach, rendering this risk completely void.

Know Your KYC Options

To understand the issue in more detail, it is helpful to break down KYC providers into the following camps:

Web2 commonly refers to the era of centralized internet companies where users have more usability, but suffer from a lack of personal data control. When we extend this to KYC, the same general standards apply, whereby companies in this segment such as Jumio offer a wide array of services to businesses, yet individuals suffer from all the possible risks related to the centralized provision of identity services and have zero control over their data.

Companies highlighted as Web2.5, such as Fractal, are something of a hybrid between Web2 and Web3: the user has a greater degree of control than in the Web2 context, but there are still significant drawbacks compared with truly decentralized services, as only a portion of the KYC suite is trustless.

Understanding this segment requires a more technical understanding of how identity can be managed with the power of zero-knowledge (ZK) technology. In a nutshell, ZK is an exciting tool to unlock fully self-sovereign identity where the user can self-select what information to share, whilst remaining anonymous. This sharing of information is validated by a “proof” (as in, what you said is true, or provable), yet in this instance providers such as zkPass rely on indirect proofs, which do not fulfill the legal requirements of KYC. With indirect proofs, a provider does not conduct a risk-assessment of the user and there is no data recoverability. In both cases, companies who utilise such services increase their risk profile dramatically, including with the authorities.

The introduction of blockchain technologies brought about the moniker “Web3”, indicating an advancement on previous technologies and a significant shift towards the user being in control of their online experience and personal data through decentralized technology. It is now possible for both businesses and consumers to benefit from fully onchain (or decentralized) processes to manage KYC. By infusing the power of ZK technology into the KYC process, zkMe can verify user credentials without disclosing any personal information to anyone, whilst simultaneously removing any data honeypot risks. zkMe’s zkKYC offering is the only KYC solution to be fully decentralized, private-by-design and compliant with global AML requirements.

zkMe’s Guiding Principles

Many identity service providers make wild claims regarding data protection and regulatory compliance, and many misuse or misrepresent terms. zkMe is the only solution to deliver on all of the following fronts in a certified and verifiable manner:

Privacy-by-Design

Client-side encryption and Anonymization (End-to-End Zero Knowledge)

Selective Disclosure

Self-Sovereign Identity

Decentralization

Decentralized Storage

Chain and Party-Agnostic

DAO Governed

Compliance

FATF Compliant

W3C Standards

Travel Rule Requirements

Transparency

Open Source & Composable

Cross-Silo and Multi-Chain Identity

Share-to-earn Model

What’s Next?

In today’s environment, it is clear that businesses will face increasing scrutiny from both the regulator and consumers about how they manage PII data and credentials. The only systemic solution to continued data breaches and continued violations of users’ privacy is individual encryption and credential anonymization at the point of data collection.

As the only on-chain FATF-compliant KYC provider, zkMe is ideally placed to support more projects in achieving robust KYC compliance without compromising on the ethos of web3. If your team is considering KYC options, and wants to avoid the risk of data honeypots, please contact our team at contact@zk.me today or learn more about zkMe here.

About zkMe

zkMe builds zk Identity Oracles for truly decentralized & anonymous cross-chain credential verifications.

No personal information is ever processed by anyone but the user themselves. Data leaks & misuse by the service provider are impossible; full interoperability & reusability result in a superior ID solution. zkMe is the only FATF compliant KYC provider to be fully decentralized, offering a full suite of products from anti-bot/anti-sybil, to KYC and more.
