The Art of Knowing Your Client Without Knowing Your Client: Zero-Knowledge Proofs, KYC, and Automated Compliance

With the recent launch of Citadel, Dusk’s bespoke KYC/AML solution that
incorporates zero-knowledge proofs, digital self-sovereign identity, and
automated compliance to regulations, we wanted to share more about why
this tool is necessary and what it will allow. If you’d like to read
more about how it works on a technical level please see this article,
and if you’d like to read the press release you can find it here.

Mass adoption; Beyond UI/UX

As cryptocurrencies and blockchain technology move towards mainstream
adoption, we come up against many challenges, many of which are complex
to solve and may have unforeseen and detrimental side effects.

While it can be easy (and tempting!) to think that mainstream adoption
is a question of improving the UI/UX so that “your parents can use it”,
this is actually an oversimplification of what is required. Many moving
pieces need to be sorted out in order to stimulate a transition of the
broader economy to a decentralized paradigm. Although important, the
UI/UX aspect is still just one piece of the puzzle.

Today, let’s consider another fundamental piece of the adoption puzzle:
KYC/AML compliance, and how Dusk is approaching and solving its many
challenges.

What are KYC and AML, and why do they matter?

“KYC” stands for “know your client” while “AML” means “anti-money
laundering”.

KYC refers to the requirements placed on banks and financial
institutions to know who their client is, that is to know and be able to
verify their identity, while AML refers to the legal infrastructure
aimed at stopping money laundering and the illegal use of funds.

We’ve all submitted ourselves to these checks, and upon successful
verification we were granted access to the (financial) services we set
out to use, from centralized exchanges (CEX) to opening a bank account.

The hallowed ground of mass adoption requires crypto/blockchain to
interact with mainstream, institutional organizations. Traditional
financial institutions operating in heavily regulated spaces cannot do
business without effective KYC/AML procedures. So, if crypto wants to
interact with these institutions, we will have to find a way to meet
these requirements. While you still might use a decentralized exchange
or dApp without needing to KYC and might have multiple wallets with no
KYC, at the point of interacting with regulated assets, we will need to
comply with their regulations, including KYC/AML.

But I don’t like KYC or AML!

Well… a lot of people don’t. But, mass adoption doesn’t just mean the
masses adopting crypto, it also means crypto adopting (or adapting) to
the masses. We won’t get into a debate here about whether KYC or AML are
effective measures to fulfill the goals they set out to achieve. For
better or worse, these procedures are enforced at the regulatory level
and are therefore part of the law with which the masses - as in
financial institutions - must comply.

Most crypto users comply with KYC/AML regulations when using centralized
exchanges, but maintain anonymity or use a pseudonym once they move to
the blockchain. The CEX knows who they are, but once they get on-chain
they are 0xwhoever. They onramp and offramp via the CEX, and do their
activities in the crypto sandbox via multiple wallets oblivious of any
KYC or AML requirements.

This is fine, of course, but represents a hindrance toward broader
adoption as it doesn’t allow interactions with assets requiring a higher
level of legitimacy. In fact, if crypto and blockchain are to interact
with regulated assets they are going to have to meet the regulatory
requirements.

KYC but make it crypto

At Dusk, we are building a blockchain that will allow you to interact
with regulated assets in a “crypto way”. We intend for you to regain
self-custody of your assets, to be able to maintain your privacy, to
transact in a trustless way, and to open your financial horizons toward
the full spectrum of economic opportunities.

The Dusk blockchain will also allow institutions and companies to
tokenize their assets on the blockchain, thus delivering the mass
adoption we’ve all been waiting for.

This means we had to build KYC and AML into our technology. While other
blockchains work around interacting with real-world and, God forbid,
regulated assets so they can avoid this important issue, at Dusk we set
out to tackle the challenge head-on.

This is where zero-knowledge proofs come into play. Our approach to KYC
and AML is to do it in a way that is privacy-preserving. ZKPs allow us
to verify your identity without having to reveal it. This means you can
interact with traditional, regulated assets without sharing your
identity.

What does this look like in practice?

Enough theory, here’s a use case!

When you transact on Dusk’s blockchain, you would first need to complete
KYC/AML. Once that’s done, your digital identity will be verified, and
you can use the full spectrum of financial opportunities that the
financial landscape has to offer and build your portfolio of crypto or
real-world digital assets, which you can trade with whoever has
successfully gone through the same process.

As a company that tokenized its assets, you would be able to program
your regulatory compliance directly into the blockchain. This solves
three issues. Firstly, it automates the resource-consuming process of
checking and verifying all the details of people who want to transact
with you and making sure you’re not breaking any rules. Secondly, it
removes the ambiguity of granting pseudonymous entities access to the
services you are legally responsible for. Thirdly, it removes the
compliance costs associated with storing and handling your customers’
personal data and taking on responsibility for it. The latter
is particularly important in the EU, where the GDPR sets very strict and
costly procedures for any organization that explicitly deals with users’
data.

With Dusk’s programmable compliance, if, for example, you’re not allowed
to transact with people from a given country, you simply wouldn’t be
able to. No need to check credentials, the system simply won’t allow it.
Compliance is automated. Like a computer program: if it’s within the
rules, it can happen. If it isn’t, then it can’t.

Equally, if you are a user, once you get verified, you can trade and
transact without having to reveal your identity. You don’t have to
provide your credentials every time you trade a regulated asset. Thanks
to zero-knowledge proof technology, if you’re allowed to do something
you’ll be able to, and if you’re not, then you won’t.

Automated regulation

In this way, Dusk has found an ideal solution to this issue of
mainstream adoption. Users that value their privacy - and they should! -
shall be protected when interacting with the mainstream world,
especially when critically sensitive information is handled, like when
KYC and AML procedures are required.

By using privacy-preserving zero-knowledge proofs, and building
regulation in at the blockchain level, we are able to automate
regulation and compliance.

Companies and institutions don’t have to spend resources doing
background checks and verifying identities, and users are able to stay
in full control and avoid endangering their own data when dealing with
institutions digitally while still being able to purchase their assets.