zkKYC - Compliance Suite
zkMe supports the verification of a range of user credentials, each of which can be individually added to, and configured for, the whitelisting program a service provider requires.
Available zkKYC Credentials

Tier   | Credentials                                                 | Underlying checks
Tier 1 | PoP - Personhood                                            |
Tier 2 | zkPoC - Citizenship; Off-Chain AML; On-Chain AML; KYT check | ID document verification, Liveness check, Age of Majority, PEP/Sanction lists, Adverse media
Tier 3 | zkPoL - Location; Accredited Investor Checks                | Geographic location verification, Past two years income verification
Tier 1
At Tier 1 of zkMe's verification process, users are required to provide:
Proof-of-Personhood: This ensures the user is a real individual.
Liveness check: This verifies the user is a living person and not a bot or using a fake identity.
Uniqueness check: This ensures that the user is not already registered in the system, preventing duplicate accounts.
Tier 2
Tier 2 includes all the requirements of Tier 1, plus:
Proof-of-Citizenship: Verification of the user's legal status in a given country.
Anti-Money Laundering (AML) profile check: Screening designed to detect and prevent money laundering and related financial crime.
Transaction Monitoring (KYT) profile check: Analysis of the user's transaction behavior for suspicious patterns.
ID document verification: Requires users to provide a valid ID as proof of their identity.
Adulthood check: Verification that the user is of legal age in their jurisdiction.
PEP (Politically Exposed Persons) / Sanction Lists: Checks to see if the user is on any international sanction lists or is classified as a PEP.
Adverse Media: Screening of global media sources to identify any negative news about the user.
Tier 3
Tier 3 includes all the requirements of Tier 2, plus:
Proof-of-Location: Checking the user's current geographic location through GPS.
Accredited Investor Verification: Verification that the user meets the criteria to be classified as an accredited investor, typically requiring certain income levels or net worth (on-chain).
The add-ons supplement each level of verification by requiring additional data or conducting extra checks. The specific requirements and levels of verification can differ based on the add-ons chosen and zkMe's policies, which are designed to comply with relevant laws and regulations. Users should refer to zkMe's specific KYC policy for exact details.
Issues with Traditional Third-party eKYC Solutions
Privacy Issues: Integrating a third-party KYC solution means sharing users' personal information with a third-party, which could lead to privacy breaches.
Data Ownership Issues: In a third-party KYC solution, users' source files might be owned and controlled by the third-party, which goes against the principle of user data ownership in web3.
Decentralization Issues: If a decentralized application integrates third-party KYC, the KYC provider becomes a centralized point of trust and failure for that application, contradicting the decentralization principle of web3.
Success Criteria for Onchain Compliance
The core principles of web3 are decentralization and data autonomy. They make traditional KYC processes hard to implement, because those processes require the collection and storage of personal data, which conflicts with exactly those principles. ZKPs-based KYC resolves this tension: it provides a way to verify users' identities while still maintaining data autonomy and decentralization.
Here are some of the key business requirements for implementing ZKPs-based KYC in the web3 ecosystem:
Privacy: With ZKPs-based KYC, businesses can verify users' identities without requiring them to disclose their personal information. This can help to protect users' privacy, as their data is not stored on a centralized server or shared with third parties.
Regulatory Compliance: Many businesses operating in the web3 ecosystem are subject to regulatory requirements such as anti-money laundering (AML) and know-your-customer (KYC) rules. These include the ability to recover a customer's identity for at least five years after a service relationship ends, where there is reasonable suspicion and regulatory intervention, and compliance with the travel rule governing the exchange of KYC data between financial institutions. ZKPs-based KYC can help businesses meet these obligations while still maintaining the decentralized and autonomous nature of the web3 ecosystem.
Security: By implementing ZKPs-based KYC, businesses can enhance security and reduce the risk of fraud, identity theft, and other malicious activities. The use of ZKPs allows for secure identity verification without the need for centralized identity repositories, which can be a target for attackers.
Efficiency: Traditional KYC processes can be time-consuming and expensive, which can create a barrier to entry for some businesses. ZKPs-based KYC can improve efficiency by reducing the time and cost associated with verifying user identities.
User Experience: With ZKPs-based KYC, users can enjoy a more seamless and user-friendly experience when accessing web3 applications and services. The process of identity verification is simplified, reducing the friction that can sometimes exist with traditional KYC processes.
Restructured KYC Process with zkKYC
zkMe zkKYC enables users to prove their identity to a service provider without revealing their personal information, improving privacy and security over existing eKYC solutions. The process also helps service providers comply with KYC regulatory requirements while reducing the risk of data breaches and identity theft and lowering verification costs in general. The restructured zkKYC process involves the following steps:
Credential Verification: The Holder submits their identity documentation digitally to the zkKYC Issuer for verification. This step is the traditional one of providing personal information and documents, such as a passport or driver's license. The Holder's identity documentation and likeness are verified through OCR and facial recognition checks. The zkKYC Issuer parses machine-readable identity documents into structured fields, so no human interaction or third-party processing is needed.
Screening & Risk Assessment: The Holder identity is screened against lists of known criminals, terrorists and politically exposed persons (PEPs), against transaction history, and against other relevant information to identify potential risks. The check runs in real time and no personal data is persisted at any point. On the basis of the result the zkKYC Issuer generates a risk profile for the Holder identity and then actively scrubs all private user data from memory.
ZKP Generation: Once the zkKYC Issuer has verified the Holder's identity, it issues anonymous VP claims (in the form of an SBT and ZKPs) for each of the preselected eligibility questions. ZKPs provide a mechanism to express traditional credentials in a form that is digital, cryptographically secure, privacy-respecting and machine-verifiable. SBTs are stored on-chain and ZKPs are stored in decentralized storage.
SBT Mint: An encrypted data object is created in the Holder's SSI wallet containing their DID and the ZKP pointers needed to prove the Holder's eligibility to Verifiers repeatedly.
Proof Verification: When a Holder wants to access a service that requires KYC, they receive a request from the Verifier for permission to verify their proofs. Once authorized, the Verifier checks the Holder's ZKPs against its own eligibility criteria, such as age or residency. If the proofs are valid and the answers satisfy the service's requirements, the user is granted access to the service.
Proof Revocation: ZKP VP claims expire naturally. If a user's verifiable credential is compromised or revoked, the identity issuer can update or revoke the credential so that it can no longer be used for authentication or verification.
Ongoing Monitoring: Verifiers may perform continuous on-chain transaction monitoring to ensure compliance with relevant regulations and to detect suspicious activity that may indicate fraudulent behavior. Additionally, every time a ZKP is reissued after expiry or revocation, the screening and risk assessment steps are repeated.
(Data Recovery): Only if the regulator initiates formal bad-actor proceedings against a Holder can the original identity data be recovered. Upon substantial suspicion, the Regulator, Credential Issuer and Verifier combine their key shards to reconstruct the private key that unlocks the original identity document proof held in threshold-encrypted decentralized storage.
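The steps above, run end to end as a toy model (an added example written for this page; it is not zkMe's code and does not use zkMe's SBT or ZKP formats). It assumes, as stand-ins that are not on the page: an HMAC tag in place of the Issuer's real signature/SBT, a salted hash commitment per eligibility answer in place of a ZKP claim, Shamir secret sharing (3-of-3) for the Regulator/Issuer/Verifier key shards, and a SHA-256 keystream XOR as the archive cipher, which is for illustration only. The identity record, sanctions list and eligibility questions are constructed sample data.

```python
"""Toy zkKYC lifecycle: issue -> present -> verify -> expire/revoke -> threshold recovery."""
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = secrets.token_bytes(32)   # hypothetical Issuer key; stands in for a real signing key
P = 2**127 - 1                         # prime field for Shamir secret sharing
SANCTIONS = {"Eve Mallory"}            # constructed sample screening list

# Preselected eligibility questions: the Issuer answers them once; the raw record is never disclosed.
QUESTIONS = {
    "age_of_majority": lambda r: r["age"] >= 18,
    "not_sanctioned": lambda r: r["name"] not in SANCTIONS,
}


def commit(question, answer, salt):
    """Salted hash commitment to one boolean answer (stand-in for a ZKP claim)."""
    return hashlib.sha256(f"{question}={answer}".encode() + salt).hexdigest()


def sign(body):
    """Issuer authenticity tag (stand-in for a signature over the SBT/credential body)."""
    return hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def issue(identity, ttl_seconds, now):
    """Issuer: screen the raw record, commit to each answer, sign, then scrub the record."""
    answers = {q: check(identity) for q, check in QUESTIONS.items()}
    salts = {q: secrets.token_bytes(16) for q in QUESTIONS}
    body = {"id": secrets.token_hex(8), "exp": now + ttl_seconds,
            "claims": {q: commit(q, answers[q], salts[q]) for q in QUESTIONS}}
    credential = {"body": body, "tag": sign(body)}
    wallet = {"answers": answers, "salts": salts}   # openings live only in the Holder's wallet
    identity.clear()                                 # Issuer keeps no raw PII after issuance
    return credential, wallet


def present(credential, wallet, requested):
    """Holder: disclose only the requested answers and their openings, nothing else."""
    disclosed = {q: (wallet["answers"][q], wallet["salts"][q].hex()) for q in requested}
    return {"credential": credential, "disclosed": disclosed}


def verify(presentation, required, revoked, now):
    """Verifier: Issuer tag, expiry and revocation first, then each required claim."""
    cred = presentation["credential"]
    body = cred["body"]
    if not hmac.compare_digest(sign(body), cred["tag"]):
        return False, "bad issuer tag"
    if now >= body["exp"]:
        return False, "expired"
    if body["id"] in revoked:
        return False, "revoked"
    for q, wanted in required.items():
        if q not in presentation["disclosed"]:
            return False, f"claim {q} not disclosed"
        answer, salt_hex = presentation["disclosed"][q]
        if commit(q, answer, bytes.fromhex(salt_hex)) != body["claims"][q]:
            return False, f"claim {q} does not open the commitment"
        if answer != wanted:
            return False, f"claim {q} not satisfied"
    return True, "ok"


def split_key(key, n=3, k=3):
    """Shamir shares of an integer key over GF(P): any k reconstruct, fewer reveal nothing."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, P - 2, P)) % P
    return key


def xor_stream(key, data):
    """Toy archive cipher: SHA-256 counter keystream XOR. Illustration only, not for production."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key.to_bytes(16, "big") + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def run_flow(now=None):
    """Run every step once and return the verifier/recovery outcomes keyed by scenario."""
    now = now or int(time.time())
    record = {"name": "Alice Example", "age": 34, "doc": "constructed sample passport"}
    original = json.dumps(record).encode()
    archive_key = secrets.randbelow(P)
    archive = xor_stream(archive_key, original)      # identity proof kept for lawful recovery only
    shards = split_key(archive_key)                  # one shard each: Regulator, Issuer, Verifier
    cred, wallet = issue(record, ttl_seconds=3600, now=now)
    required = {"age_of_majority": True, "not_sanctioned": True}
    pres = present(cred, wallet, required)
    tampered = present(cred, wallet, required)
    tampered["disclosed"]["age_of_majority"] = (False, tampered["disclosed"]["age_of_majority"][1])
    return {
        "valid": verify(pres, required, revoked=set(), now=now),
        "expired": verify(pres, required, revoked=set(), now=now + 3600),
        "revoked": verify(pres, required, revoked={cred["body"]["id"]}, now=now),
        "partial_disclosure": verify(present(cred, wallet, ["age_of_majority"]), required, set(), now),
        "tampered": verify(tampered, required, set(), now),
        "recovered_with_three": xor_stream(recover_key(shards), archive) == original,
        "recovered_with_two": xor_stream(recover_key(shards[:2]), archive) == original,
    }


if __name__ == "__main__":
    for scenario, outcome in run_flow().items():
        print(f"{scenario}: {outcome}")
```

Two points the toy makes concrete: the Verifier learns only the disclosed boolean answers and can still detect a flipped answer because it no longer opens the Issuer's commitment; and with a 3-of-3 split, two shards reconstruct garbage, so no single party, and no pair, can unlock the archive. The flip side of n-of-n is availability: losing any one shard makes the document unrecoverable, which is why a deployment may prefer a k-of-n threshold with k < n (split_key above accepts that; the page itself describes all three parties combining).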
zkMe's zkKYC Design Philosophy
Personal Data Protection: In a zero-knowledge proof (ZKP) system, users can verify certain attributes about themselves without revealing raw data. This approach protects user privacy, and users have full control over their own data. This aligns perfectly with the web3 philosophy of decentralization and user sovereignty.
Regulatory Compliance: In situations where KYC/AML checks are necessary, zero-knowledge proofs can provide a solution that balances regulatory compliance with privacy. Users can prove they meet KYC/AML requirements without revealing personal information to service providers.
Data Recoverability: Since users control their own data in a zero-knowledge system, they can recover and migrate it if issues arise with the system or service provider.
Crypto Regulations
The regulatory framework for KYC/AML compliance in web3 is still developing. Some countries have started to implement regulations specific to web3 technologies, while others have issued guidance or are in the process of developing regulations.
Other countries and regions, such as Switzerland, the United Kingdom, Hong Kong, Singapore, and Japan, have implemented or are planning to implement regulations specific to web3.