Seamless and regulatory compliant user onboarding with on- & off-chain KYC credentials.

Download this case study.

About IOTA

The IOTA Foundation is a global non-profit foundation that develops next-generation decentralized technologies for a new digital economy in a connected world. It redesigns the way people and devices connect to share information and value, removing middlemen. The Foundation collaborates with a global ecosystem and partners to research and develop technologies that deliver sustainable, real-world impact.

At the heart of the Foundation's mission is the Tangle, its open, feeless, and highly scalable distributed ledger. Designed to support frictionless value and data transfer, the Tangle is a DLT infrastructure for Web3 applications and digital economies. IOTA’s digital identity framework builds on the W3C’s proposed standards and Self-Sovereign Identity concepts (SSI) aiming at providing compliant, nonetheless privacy preserving, identity solutions for use cases such as: address validation, age verification and authority login.

The Challenge

Today's solutions for onboarding users in DeFi and web3 dApps cannot accurately verify users identities as required by regulations.

For example, existing and upcoming regulations require dApps, exchanges and other crypto service providers  to verify the identity of customers using self custodian wallets. Those requirements are mainly covered in the new Transfer of Funds Regulation (TFR) and Anti-Money-Laundering Regulation (AMLR) which contributes to extending current anti-money laundering obligations to Crypto Asset Service Providers (CASPs). New solutions are required to enable dApps to conduct identity verifications in a way that complies with the previously mentioned regulations. 

In addition to building an compliance solution, IOTA was also determined to respect users' privacy and minimize the burden on dApps. Those challenges laid the fundamentals for the project.

The Solution

The key challenge was to find ways to verify web3 users’ identity while respecting their privacy, without compromising security or the existing user experience. In addition, regulations like the General Data Protection Regulations (GDPR) require that no personal data is stored on-chain to avoid any potential compliance issues. 

As a result, walt.id developed a solution for reusable identity that combines on-chain identity (via Soulbound Tokens based on ERC-721) and off-chain identity (via W3C Verifiable Credentials and OpenID4VC aligned with eIDAS2). To ensure reliable identity verification and regulatory compliance, we partnered with IDnow, a leading identity verification company and a qualified trust service provider (under eIDAS.

This solution awards users complete control over their identity data, which they can use to identify themselves on any application, including DeFi or web3 dApps. By tokenizing the identification process users are able to interact with dApps in a safe and seamless manner, while their personal data remains securely stored off-chain.

The Results

This project gathered four partners (walt.id, IDnow, Bloom, Spyce.5) around the IOTA foundation. The following explains the solution based on a typical user journey: 

1. First-time users are asked to go through a traditional ID verification process to access a service that requires KYC, which is conducted by IDnow (compliant with current AML/CFT rules). 
   

2. After the successful verification, users can claim an on-chain Soulbound Token (SBT) to their crypto wallets or an off-chain Verifiable Credential (VC) to their identity wallet. Both credential formats can serve as the proof of a successful identity verification and allow applications to know that the process has occurred. 
   

3. The SBT is bound to the authenticated wallet address and can be stored in the users’ crypto wallets like the Bloom wallet. At this point, it can already be used for on-chain processes, which simplifies any interaction with dApps, without revealing any personal data, while providing the guarantee that the user has been verified.
   

4. When the user revisits the dApp or any other application which also requires KYC, they can gain instant access without going through the ID verification process again. This can also be achieved by either by signing a message with their crypto wallet to prove ownership of the previously minted KYC SBT or by sharing the KYC VC using their identity wallet. 
   

5. Finally, an authorized party, such as law enforcement, if requested, can enable the disclosure of the identity information collected via the trusted identity verification provider. Tokens can also be revoked if needed (e.g. if watchlist changes). 

Dr. Anja Raden

Executive Director of Legal and Regulatory Affairs 
IOTA Foundation

Ready to get started?

Interested to chat with IOTA?

get in touch with IOTA

About the organizations.