TLDR:
zkKYC presents an alternative solution concept for KYC, one that is more human-centred, does not rely on upfront sharing of personal information with businesses and still enables a customer to be identified if and when that is required. To achieve this outcome, it leverages self-sovereign identity and zero-knowledge proofs, together with proper ecosystem design.
Core Research Question
How can we remove the need for customers to share any personal information with a regulated business for the purpose of KYC, and yet provide the transparency to allow for a customer to be identified if and when that is ruled necessary by a designated governing entity (e.g. regulator, law enforcement)?
Citation
Background
Privacy is a multifaceted topic and exists on a continuum. Some people are very protective of their privacy, even at a high cost. Others care very much in principle, but easily trade off their privacy for the benefit of convenience. Wherever one sits on this spectrum, it is obvious that privacy is typically a matter of trade-offs. At times transparency is required for regulatory reasons (e.g. to fight money laundering and terrorist financing) or for the greater good (e.g. medical research) and sharing personal information is considered an acceptable and necessary sacrifice. Simultaneously maximising privacy and transparency is the challenge for legislators, regulators, thought leaders and for each of us as individuals in our daily choices.
Summary
- Businesses that are subject to AML/CTF regulation must meet their KYC obligations. In this context, to establish and verify a customer’s identity, the customer is currently required to share personal information with these businesses. This creates a Pareto-dominated situation where a customer’s privacy is typically traded off for the mandated transparency requirements. This privacy erosion also reduces the security and safety of the customer, as shared personal information can be passed on or stolen and used against the best interest of the customer (e.g. identity theft).
- Recent innovations in self-sovereign identity and zero-knowledge cryptography, along with smart ecosystem design, allow for a novel approach to KYC that protects the customer’s privacy without reducing transparency. The proposed solution concept, zkKYC, removes the need for the customer to share any personal information with a regulated business for the purpose of KYC, and yet provides the transparency to allow for a customer to be identified if and when that is ruled necessary by a designated governing entity (e.g. regulator, law enforcement, community governance council/DAO).
- A customer can privately prove they meet the eligibility criteria set by the business (or its regulator), such as domestic residency, minimum age requirement, no presence on a sanctions list … all without disclosing any personally identifiable information. A designated ecosystem governance authority can, however, reveal the identity of an individual, but only when multiple parties (i.e. verifier and issuer) agree on the need to do so and actively collaborate on such a request. This makes identification at scale very hard by design, so that the effort is focused only on those events where it is absolutely required: identifying bad actors.
- In summary, zkKYC breaks the traditional privacy vs. transparency trade-off and provides structured transparency, resulting in a net positive outcome for all parties involved.
Applicability
As zkKYC is built on top of a decentralised (self-sovereign) identity model, it is well suited to decentralised KYC. The obvious candidate use case for this is Decentralised Finance (DeFi).
SCRF Presentation material on zkKYC used during community call 22 September 2021:
zkKYC-SCRF-v0.01.pdf (710.8 KB)