zkKYC - Compliance Suite


zkMe supports the verification of a range of user Credentials. Each Credential can be added individually and configured in the whitelisting program that the service provider requires.

Available zkKYC Credentials

Credentials by category:

Document Identity
  • ID-document verification
  • Liveness check
  • Age-of-Majority and citizenship validation

Location
  • Geolocation verification

Compliance Risk
  • PEP/sanctions-list screening
  • Adverse-media monitoring
  • On-chain transaction monitoring

Investor Qualification
  • Proof of income over the past two years via zkTLS

Issues with Traditional Third-party eKYC Solutions

  • Privacy Issues: Integrating a third-party KYC solution means sharing users' personal information with a third party, which can lead to privacy breaches.

  • Data Ownership Issues: In a third-party KYC solution, users' source files may be owned and controlled by the third party, which goes against the principle of user data ownership in web3.

  • Decentralization Issues: If a decentralized application integrates a third-party KYC provider, that provider becomes a central point of control and failure, contradicting the decentralization principle of web3.

Success Criteria for On-chain Compliance

The core principles of web3 are decentralization and data autonomy. Traditional KYC processes are hard to reconcile with them, because they require the collection and storage of personal data. ZKP-based KYC resolves this tension: it provides a way to verify users' identities while preserving data autonomy and decentralization.

The key business requirements for ZKP-based KYC in the web3 ecosystem are:

  • Privacy: With ZKP-based KYC, businesses can verify users' identities without requiring them to disclose their personal information. Users' data is neither stored on a centralized server nor shared with third parties.

  • Regulatory Compliance: Many businesses in the web3 ecosystem are subject to anti-money laundering (AML) and know-your-customer (KYC) regulations. These include the ability to recover a customer's identity for at least five years after the end of a service relationship when there is reasonable suspicion and a regulator intervenes, and compliance with the travel rule on exchanging KYC data between financial institutions. ZKP-based KYC can help businesses meet these obligations while keeping the decentralized and autonomous nature of the web3 ecosystem.

  • Security: ZKP-based KYC reduces the risk of fraud, identity theft and other malicious activity. Identities are verified without a centralized identity repository, which would otherwise be a high-value target for attackers.

  • Efficiency: Traditional KYC processes are time-consuming and expensive, which is a barrier to entry for some businesses. ZKP-based KYC reduces the time and cost of verifying user identities, since a credential issued once can be reused across Verifiers.

  • User Experience: Users get a more seamless experience when accessing web3 applications and services. Identity verification is simplified, which removes much of the friction of traditional KYC processes.

Restructured KYC Process with zkKYC

zkMe zkKYC enables users to prove their identity to a service provider without revealing their personal information, improving privacy and security over existing eKYC solutions. It also helps service providers meet regulatory KYC requirements while reducing the risk of data breaches and identity theft, and lowering verification costs in general. The restructured zkKYC process involves the following steps:

Credential Verification: The Holder submits their identity documents digitally to the zkKYC Issuer for verification. This is the traditional step of providing personal information and documents, such as a passport or driver's license. The Holder's identity documents and likeness are verified through OCR and facial-recognition checks, and the zkKYC Issuer's algorithm parses machine-readable identity documents in a structured way, so no human interaction or third-party processing is needed.

Screening & Risk Assessment: The Holder's identity is screened against lists of known criminals, terrorists and politically exposed persons (PEPs), against transaction history and against other relevant information to identify potential risks. The check runs in real time and no personal data is persisted. On the basis of the check, the zkKYC Issuer generates a risk profile for the Holder's identity and then actively scrubs all private user data from memory.

ZKP Generation: Once the zkKYC Issuer has verified the Holder's identity, it issues anonymous verifiable-presentation (VP) claims, in the form of an SBT and ZKPs, for each of the preselected eligibility questions. The ZKPs express the traditional credential digitally in a form that is cryptographically secure, privacy-respecting and machine-verifiable. The SBT is stored on-chain; the ZKPs are stored in decentralized storage.

SBT Mint: An encrypted data object is created in the Holder's SSI wallet. It contains the Holder's DID and the ZKP pointers the Holder needs to prove eligibility to Verifiers repeatedly.

Proof Verification: When a Holder wants to access a service that requires KYC, the Verifier asks the Holder for permission to verify their proofs. Once the Holder authorizes this, the Verifier checks the Holder's ZKPs against its own eligibility criteria, such as age or residency, and confirms that the proofs have neither expired nor been revoked. If the proofs are valid and their answers satisfy the service's requirements, the user is granted access.

Proof Revocation: ZKP VP claims have a natural expiration. If a Holder's verifiable credential is compromised or must be withdrawn, the Issuer can update or revoke the credential, which prevents its use for future authentication and verification.

Ongoing Monitoring: Verifiers may perform continuous on-chain transaction monitoring to ensure compliance with relevant regulations and to detect suspicious activity that may indicate fraud. Additionally, every time a ZKP is reissued after expiration or revocation, the screening and risk-assessment procedures are repeated.
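The issue, verify and revoke steps above, as an added example that is not zkMe's code. A real zkKYC credential carries zero-knowledge proofs; this stand-in has the Issuer sign only the boolean answers to the preselected eligibility questions, so the Verifier learns "age_of_majority: True" but never the date of birth, and it shows the checks a Verifier must run in order (signature, revocation, expiry, then its own criteria). Assumptions: the Issuer signs with an HMAC key that Verifiers share out of band, the revocation list is an in-memory set, and the document, watch lists and DIDs are constructed sample data.

```python
# Added example, not zkMe's code: a stand-in for the issue / verify / revoke
# flow described above. A real zkKYC credential carries zero-knowledge proofs;
# here the Issuer signs only the *answers* to the preselected eligibility
# questions, so a Verifier sees "age_of_majority: True" but never the date of
# birth. Assumptions: the Issuer signs with an HMAC key that Verifiers share,
# the revocation list is an in-memory set, and all sample data is constructed.
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta

ISSUER_KEY = secrets.token_bytes(32)   # assumption: shared out of band with Verifiers
REVOKED = set()                        # Issuer's revocation list, keyed by credential id
TODAY = date(2025, 1, 15)              # fixed clock so the results are reproducible

# Constructed sample data: OCR output for one document plus tiny screening lists.
DOCUMENT = {"name": "Alice Example", "dob": "1990-04-02", "citizenship": "DE"}
SANCTIONED_PERSONS = {"Bob Badactor"}
PEPS = {"Dan Deputy"}
SANCTIONED_COUNTRIES = {"KP", "IR"}


def screen(doc):
    """Screening & Risk Assessment: a risk profile that carries no PII."""
    hits = [tag for tag, names in (("sanctions", SANCTIONED_PERSONS), ("pep", PEPS))
            if doc["name"] in names]
    risk = "high" if "sanctions" in hits else "medium" if hits else "low"
    return {"hits": hits, "risk": risk}


def evaluate_predicates(doc, today):
    """Answer the eligibility questions from the raw document; only booleans leave here."""
    dob = date.fromisoformat(doc["dob"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {"age_of_majority": age >= 18,
            "citizenship_not_sanctioned": doc["citizenship"] not in SANCTIONED_COUNTRIES}


def sign(body):
    """Canonical JSON keeps the MAC independent of key order and whitespace."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()


def issue_credential(doc, holder_did, today=TODAY, validity_days=365):
    """Credential Verification + ZKP Generation: a signed, PII-free claim set, or None."""
    profile = screen(doc)
    if profile["risk"] == "high":
        return None                                   # sanctions hit: refuse to issue
    cred = {"id": secrets.token_hex(16), "holder": holder_did,
            "claims": evaluate_predicates(doc, today), "risk": profile["risk"],
            "expires": (today + timedelta(days=validity_days)).isoformat()}
    cred["sig"] = sign(cred)
    return cred                                       # the raw document is not retained


def revoke(cred_id):
    """Proof Revocation: the Issuer blacklists the credential id."""
    REVOKED.add(cred_id)


def verify(cred, required, today=TODAY):
    """Proof Verification: signature, revocation and expiry first, then the Verifier's criteria."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    body = {k: v for k, v in cred.items() if k != "sig"}
    if not hmac.compare_digest(sign(body), cred["sig"]):
        return False, "bad signature"
    if cred["id"] in REVOKED:
        return False, "revoked"
    if date.fromisoformat(cred["expires"]) < today:
        return False, "expired"
    unmet = [p for p in required if not cred["claims"].get(p)]
    return (False, "unmet: " + ",".join(unmet)) if unmet else (True, "ok")


def leaks_pii(cred, doc):
    """True if any raw document value appears in the serialized credential."""
    blob = json.dumps(cred)
    return any(str(v) in blob for v in doc.values())


if __name__ == "__main__":
    cred = issue_credential(DOCUMENT, "did:example:alice")
    print(verify(cred, ["age_of_majority"]))                        # (True, 'ok')
    print(leaks_pii(cred, DOCUMENT))                                # False
    print(verify(cred, ["age_of_majority"], today="2026-03-01"))    # (False, 'expired')
    revoke(cred["id"])
    print(verify(cred, ["age_of_majority"]))                        # (False, 'revoked')
```

The order of checks in `verify` matters: a forged or tampered credential is rejected before the revocation list or clock is consulted, so an attacker cannot learn which ids are revoked by submitting unsigned guesses. The `leaks_pii` helper is the property a Verifier integration should test for: nothing in the Issuer's output should contain a raw document field.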

(Data Recovery): Only if a regulator initiates formal bad-actor proceedings against a Holder can the original identity data be recovered. Upon substantiated suspicion, the Regulator, Credential Issuer and Verifier combine their key shards to reconstruct the private key that unlocks the original identity-document proof held in threshold-encrypted decentralized storage. Because the key only exists once the shards are combined, no single party can recover the data on its own.
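The key-shard recovery described above, as an added example that is not zkMe's code and does not use its storage or key-management scheme. It models the escrow with Shamir secret sharing over a prime field: the key that encrypts the original document is split into one share each for the Regulator, Issuer and Verifier with threshold 3, so the document opens only when all three contribute, and any two shares yield nothing usable. The `threshold` parameter generalizes this to k-of-n, which the page does not describe. Assumptions: the sealed blob stands in for the object kept in decentralized storage, encryption is an HMAC-SHA256 keystream with an HMAC tag (a stdlib stand-in for an AEAD), and the document bytes are constructed.

```python
# Added example, not zkMe's code: the Data Recovery step modelled with Shamir
# secret sharing over GF(p). The key that encrypts the original identity
# document is split into shares for the Regulator, Issuer and Verifier with
# threshold 3, so the document can only be opened when all three cooperate.
# Assumptions: the sealed blob is what would sit in decentralized storage;
# encryption is an HMAC-SHA256 keystream plus an HMAC tag (stdlib stand-in
# for an AEAD); the document bytes are constructed.
import hashlib
import hmac
import secrets

P = 2**521 - 1                          # Mersenne prime; the field the shares live in
PARTIES = ("regulator", "issuer", "verifier")


def split_secret(secret, n, t):
    """Split integer secret into n shares; any t recover it, fewer than t learn nothing."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than t shares this returns garbage."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: ciphertext followed by a 32-byte tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Plaintext, or None if the key is wrong or the blob was altered."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def escrow_document(document, threshold=len(PARTIES)):
    """Issuer side: encrypt the original document, hand one share per party, forget the key."""
    key = secrets.token_bytes(32)
    blob = seal(key, document)
    shares = dict(zip(PARTIES, split_secret(int.from_bytes(key, "big"), len(PARTIES), threshold)))
    return blob, shares


def recover_document(blob, shares):
    """Recovery proceeding: combine the contributed shares and try to open the blob."""
    k = recover_secret(list(shares.values()))
    if k.bit_length() > 256:
        return None                     # not a 32-byte key: too few shares were combined
    return open_sealed(k.to_bytes(32, "big"), blob)


if __name__ == "__main__":
    doc = b"constructed sample: passport scan + OCR fields for Alice Example"
    blob, shares = escrow_document(doc)
    print(recover_document(blob, shares) == doc)                                   # True
    print(recover_document(blob, {p: shares[p] for p in ("regulator", "issuer")}))  # None
```

Two design points carry over to a real deployment: the authenticated encryption is what turns "wrong key" into a clean failure instead of garbage plaintext, and the Issuer must discard the key immediately after `escrow_document` returns, otherwise the threshold is a formality.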

[Figure: zkMe's zkKYC high-level sequence diagram]

zkMe's zkKYC Design Philosophy

  • Personal Data Protection: In a zero-knowledge proof (ZKP) system, users can prove attributes about themselves without revealing the raw data. This protects user privacy and leaves users in full control of their own data, in line with the web3 philosophy of decentralization and user sovereignty.

  • Regulatory Compliance: In situations where KYC/AML checks are necessary, zero-knowledge proofs can provide a solution that balances regulatory compliance with privacy. Users can prove they meet KYC/AML requirements without revealing personal information to service providers.

  • Data Recoverability: Since users control their own data in a zero-knowledge system, they can recover and migrate it if issues arise with the system or service provider.

Crypto Regulations

The regulatory framework for KYC/AML compliance in web3 is still developing. Some countries have started to implement regulations specific to web3 technologies, while others have issued guidance or are in the process of developing regulations.

EU

The EU has adopted regulations (MiCA, the Transfer of Funds Regulation (TFR), which implements the travel rule, and a revised Anti-Money Laundering Directive) requiring all Virtual Asset Service Providers (VASPs) to perform customer due diligence and comply with Financial Action Task Force (FATF) requirements.

USA

In the United States, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have issued guidance on digital assets, and legislation covering digital assets and web3 technologies has been proposed.

Other countries and regions, such as Switzerland, the United Kingdom, Hong Kong, Singapore, and Japan, have implemented or are planning to implement regulations specific to web3.
