Trustless, but verified: Identity compliance in Web3

By Tony Peccatiello; Suzanne Elovic; Erika Larose, Parallel Markets

Published: 27 June 2022

Decentralised finance (DeFi) is continuing to gain ground, with more than 4.7 million unique wallet addresses in use. As the industry grows, so does the urgency to develop a decentralised identity solution that adheres to the DeFi ethos while protecting sensitive user and investor identity information.  

DeFi is attractive to users and investors alike because it enables a ‘trustless’ system by using cryptocurrency and blockchain technology to manage financial transactions. The traditional Web2 financial system relies on a structure of trusted intermediaries, such as banks, broker dealers and transfer agents. By contrast, DeFi participants can rely on the blockchain’s public and immutable ledger of activity. All financial transactions are recorded on a blockchain and governed by on-chain smart contracts that are programmed to effectuate transactions under certain defined conditions. Parties need not trust, or even know, each other or recruit an intermediary in order to transact with confidence. Advocates of DeFi assert that the decentralised blockchain makes financial transactions more secure and more transparent, and reduces costs.

However, decentralised transactions pose many concerns, two of which we focus on in this article. First, without an intermediary bound to protect transaction participants, how vulnerable is an anonymous, trustless system to fraud?

In recent months, crypto “rug pull” scams have soared in frequency; nefarious actors lure investors into trustless systems, then pull all their liquidity — disappearing with the investors’ money and leaving them with worthless currency. These schemes are achievable largely because the identity of the offering sponsor is unknown, and in some instances, unknowable.

Second, how do participants avoid unwittingly becoming accomplices to money laundering and/or violating sanctions prohibitions? The Russian invasion of Ukraine has underscored how critical it is to ‘Know Your Customer’ — not just to satisfy heightened regulatory scrutiny, but also to ensure that those who are subject to sanctions are truly blocked from participation in financial markets.

So how do we preserve the decentralised nature of Web3 while bringing trust and compliance to Web3 financial transactions? 

There have been several proposals for decentralised identity verification and compliance in Web3, all of which maintain that Personal Identifying Information (PII) such as social security numbers and dates of birth should never be put on the blockchain, where it would be publicly viewable and vulnerable to fraud and identity theft.

Any solution must operate as a proxy for identity that confirms a participant’s eligibility to transact without displaying any PII. On-chain identity tokens, Verifiable Credentials and wallet monitoring protocols all supply these sorts of proxy-based identity verification, although each comes with unique limitations. 

On-chain identity tokens

An on-chain identity token could provide a comprehensive solution to confirming critical aspects of a wallet owner’s identity and can be leveraged in a decentralised transaction. Identity tokens are native to a blockchain and can interact directly with smart contracts. In turn, smart contracts can require all parties to hold a valid identity token as a condition of participation. In this model, DeFi participants provide identifying information (e.g., passports, addresses) to an outside third party (such as Parallel) who performs robust KYC checks that conform to industry standards for regulated financial institutions. That third party verifies and validates the identifying information, screens the identity against sanctions lists, and issues a non-transferable token to the natural person or business entity. Token holders can then participate in any Web3 native application such as a decentralised exchange (DEX) or decentralised autonomous organisation (DAO).

In keeping with Web3 principles of decentralised anonymity, identity tokens do not contain any PII, but they do contain the necessary information to assure market participants that their counterparties do not have a history of fraud and are not subject to sanctions. For example, a token would indicate: i) whether the owner is a natural person or business entity; ii) that the owner has submitted information to a KYC/AML review and iii) that the owner is not currently sanctioned and is being monitored for new sanctions. Tokens can even assert the owner’s investor accreditation status. An on-chain identity token provides seamless KYC in every transaction without the need for bespoke identity checks.

It should also be noted that as regulated financial institutions (such as fund managers) move toward participation in DeFi, they could fulfil their Bank Secrecy Act (BSA) compliance obligations by requesting that the relevant token holders release the identification data provided to the token issuer, which would be done off-chain.
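To make the token model concrete, the following is an added illustration written for this article, not Parallel’s code and not any deployed contract. It models, in plain JavaScript, a non-transferable identity token registry that only the KYC issuer can mint into or flag, and a gated exchange that refuses a swap unless both counterparties hold a valid token. The names (IdentityTokenRegistry, GatedExchange), the attribute keys and the placeholder wallet addresses are assumptions; a real deployment would implement the same checks in the smart contract language of the chain.

```javascript
// Added illustration (not Parallel's code): an in-memory model of a
// non-transferable on-chain identity token and a DEX contract that requires
// both counterparties to hold a valid one. Class names, attribute keys and
// the "0x..." addresses are assumptions made for this example.
"use strict";

class IdentityTokenRegistry {
  constructor(issuer) {
    this.issuer = issuer;      // only the KYC provider may mint or flag tokens
    this.tokens = new Map();   // wallet address -> attribute record (no PII)
  }

  // Called by the issuer after off-chain KYC/AML and sanctions screening.
  // The record carries derived attributes only, never the documents behind them.
  mint(caller, wallet, { isEntity, kycReviewed, accredited }) {
    if (caller !== this.issuer) throw new Error("mint: caller is not the issuer");
    if (this.tokens.has(wallet)) throw new Error("mint: wallet already holds a token");
    this.tokens.set(wallet, { isEntity, kycReviewed, accredited, sanctioned: false });
  }

  // Ongoing sanctions monitoring: the issuer flags a wallet once a new
  // designation appears; the token remains but stops being valid.
  flagSanctioned(caller, wallet) {
    if (caller !== this.issuer) throw new Error("flagSanctioned: caller is not the issuer");
    const rec = this.tokens.get(wallet);
    if (!rec) throw new Error("flagSanctioned: no token for wallet");
    rec.sanctioned = true;
  }

  // Non-transferable semantics: the token can never move to another wallet.
  transfer() {
    throw new Error("transfer: identity tokens are non-transferable");
  }

  // What a smart contract checks: token exists, KYC was done, no sanctions hit.
  isValid(wallet) {
    const rec = this.tokens.get(wallet);
    return Boolean(rec && rec.kycReviewed && !rec.sanctioned);
  }

  // Optional extra attribute the page mentions: accreditation status.
  isAccredited(wallet) {
    const rec = this.tokens.get(wallet);
    return Boolean(rec && rec.accredited);
  }
}

class GatedExchange {
  constructor(registry) { this.registry = registry; this.trades = []; }

  // Both sides must hold a valid token; otherwise the call "reverts" (throws).
  swap(from, to, amount) {
    for (const w of [from, to]) {
      if (!this.registry.isValid(w)) throw new Error(`swap: ${w} lacks a valid identity token`);
    }
    this.trades.push({ from, to, amount });
    return this.trades.length;
  }
}

// Constructed scenario: two verified wallets, one unknown wallet, then a new
// sanctions hit on one of the verified wallets.
function demoTokenGate() {
  const ISSUER = "0xISSUER";
  const reg = new IdentityTokenRegistry(ISSUER);
  const dex = new GatedExchange(reg);
  reg.mint(ISSUER, "0xALICE", { isEntity: false, kycReviewed: true, accredited: true });
  reg.mint(ISSUER, "0xBOB",   { isEntity: true,  kycReviewed: true, accredited: false });

  const out = { okTrade: false, unknownBlocked: false, sanctionedBlocked: false, transferBlocked: false };
  out.okTrade = dex.swap("0xALICE", "0xBOB", 100) === 1;
  try { dex.swap("0xALICE", "0xMALLORY", 5); } catch { out.unknownBlocked = true; }
  reg.flagSanctioned(ISSUER, "0xBOB");
  try { dex.swap("0xALICE", "0xBOB", 1); } catch { out.sanctionedBlocked = true; }
  try { reg.transfer("0xALICE", "0xMALLORY"); } catch { out.transferBlocked = true; }
  return out;
}

if (typeof require !== "undefined" && require.main === module) console.log(demoTokenGate());
```

Run with `node` to see the four outcomes. The design point is that the gate is evaluated on every transaction for every party, so a sanctions designation that arrives after minting takes effect immediately, and there is no transfer path by which a flagged holder could hand the token to a fresh wallet.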

DIDs & Verifiable Credentials

Decentralised Identifiers (DIDs) are a type of unique identifier directly (and provably) owned by the identity holder — not unlike an email address or username — that enables decentralised, reusable identity. DIDs are entirely controlled by the identity owner and are independent of centralised registries, government authorities and identity providers.

DIDs provide a framework to receive and share Verifiable Credentials (VCs) — cryptographic certificates that convey information about the DID holder. DID holders seeking a Verifiable Credential can present physical forms of identification (such as a driver’s license, passport or utility bill) to a VC Issuer. The issuer authenticates the documentation before issuing the VC (which may, but need not, house the original documentation provided for authentication). The VC then acts as an immutable, cryptographic piece of evidence tying attributes to the DID holder.

For example, a DAO could require as a condition of admittance that any applicant seeking membership must hold a VC proving that they are not sanctioned. An investor who wishes to join that DAO could provide a physical form of identification, such as a passport, to a VC issuer.  The VC issuer would confirm that the identification is valid and that the holder of that identification is not subject to sanctions. Then the issuer would issue a VC to the investor’s digital wallet indicating that the holder of the passport is not subject to sanctions. The investor can then present the VC to the DAO (the verifier in this example), and, if the DAO accepts the VC, the investor would be permitted to join.

Web3 users can choose to transact only with counterparties that have been issued a particular VC. VCs can offer transaction parties assurance that a particular attribute has been verified for all counterparties without requiring transfer of PII. 

However, because the use of VCs is an off-chain process, separate from a transaction, it adds a significant impediment to activity in a blockchain-native environment. 

Wallet monitoring

Wallet monitoring is another common approach to add security to Web3 applications. Firms survey the activity of digital wallets in order to identify and track wallet addresses linked to criminal behaviour (like rug-pull scams). Users can research any wallets that are parties to an upcoming transaction and ensure that none have previously engaged in known fraudulent or suspicious activity.

However, wallet monitoring is limited by its scope, since these protocols provide no mechanism to identify a wallet’s owner. Criminal actors can simply create new wallets for each fraudulent transaction and evade detection. Additionally, wallet monitoring does not perform any KYC that would indicate, for example, if a wallet owner is subject to sanctions. While it certainly provides a layer of security for DeFi transactions, wallet monitoring is an inadequate replacement for a robust KYC process.

The DeFi market is growing. But that growth is limited by a lack of regulation and vulnerability to fraud.  Building compliance infrastructure will meaningfully accelerate adoption and attract both risk-averse investors and regulated financial institutions. Identity solutions that preserve the decentralised elements of Web3 while infusing a level of transparency, security and integrity to the market are the way forward.

We at Parallel will continue to be at the forefront of these technologies. If any of these topics are of interest to you, please feel free to reach out directly.