A Cypherpunk Solution for Mass Identity Theft
Creating Offline & Private AML / KYC Compliance
“Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible.”
– Eric Hughes, A Cypherpunk’s Manifesto, 1993
Various regulators require AML/ KYC data on customers.
This becomes a honey pot for hackers and identity thieves. Data breeches are common.
For many businesses, compliance is mandatory.
Offline or protected KYC with private tokens replacing identify.
This solution uses RVN NFT membership tokens to create offline compliance systems.
(Ravencoin is a decentralized and open source protocol based on a Bitcoin code fork which enables users to easily create permissionless tokens.)
How RVN Membership Tokens Work
One special type of token the protocol enabkes is a membership token which allows issuers to issue a special token to members / users / customers.
This special type of token can only be moved once. Then the issuer can allow certain abilities to all the holders of that token and can also allow trade of certain assets only between those members.
What this does is gives robust powers to users for all kinds of membership rules. A church could have religious screens, an activist group could allow messaging for only certain members and categories of membership token holders, a game could have access to certain assets based on level. One major use case is for AML KYC and accredited investors verifications.
This is the only way I know of as a financial advisor that I could both comply with the regulations and allow movement between tokens while also keeping the real identity entirely offline. (Before using any of this tech for any regulated activity, check your specific use case with proper counsel.)
Note: Offline is meant figuratively. By “offline” you could actually do it literally fully offline, using paper photocopies in a physical vault and issuing the token key in person. This would be quite interesting and perhaps the most secure way to protect identity while complying with the rules. In reality, most companies would probably use more of a colder / semi-offline system for ease of use. Something like an internal network with limited access would link the identities and the tokens — but all movement, controls, and comms would be on the token level. People interacting with tokens can know the type of token and whether a holder is a member of a group or a bank says they are accredited for example.
For exercise sake, to create an offline KYC token, here’s how you’d do it:
- A bank or other financial institution KYCs a customer. The KYC data could be placed in a secure offline vault or use other more secure methods than are typically seen today.
- The issuer issues a special token to the customer who has met AML KYC requirements (they can also tag the customer with special criteria such as “accredited investor”)
- The issuer allows only people with those type tokens to trade with each other — so Bob and Sally both have been KYCd but they don’t know each other, they simply know that address 1ABC can trade with address 1XYZ
- Regulators wishing to review trades can be shown that each address matches a KYCd user by having. the financial institution share those “offline” records they can see that 1XYZ has done trades requiring the investor to be accredited and can view the offline KYC records to show that Sally owns that wallet.
- The company has a record linking each customer to their membership token but the identity link is offline — if a regulator says “How do you know that wallet 1XYZ2 is accredited?”, the issuer can go to a file (even a physical one!) pull out a spreadsheet that says who matches with what token and say “Here you go regulator, as you can see that token belongs to Sally, it’s never moved, here is her file.”
- Whoa hold on did you just say database? That’s lame and centralized, not cypherpunk you poser. That example was intentional — certain aspects of these types of tokens may be or should be centralized — clearly whoever runs a membership token: game, bank, religious or activist group or sewing club, may want to have a list of members (maybe not, some use cases are fully decentralized) — what matters is the underlying protocol — the beauty of this and the most cypherpunk part is that the tokens are NOT attached to any KYC, ID or database in the protocols world — in other words the protocol and the lists and controls are separate — this is so we have the maximum flexibility — a protocol not gummed up with lots of rules, but a tool set robust enough to comply with anything from a religious screen to a securities regulator.
- Issuers and companies could also choose to recognize other membership tokens from other companies — for example FINRA members could choose to recognize other FINRA members — the coolest part — they never need to see the customer lists or know who is who! (Perhaps an independent auditor reviews each firms books or something — point is you can build networks of groups on top of groups all with their own memberships and layers. A game or firm could recognize or allow competitors or allies to broaden their network. This has lots of potential use cases like private equity (which really often is, quite private) and secondary markets.
Issuers can set rules by which membership tokens can interact with other tokens and which wallets can hold which digital assets. This makes restrictions and whitelists entirely voluntary and user controlled. The whitelists are not part of the protocol. The protocol doesn’t recognize any list or KYC or compliance feature. Instead, the protocol makes tools for users to create their own robust controls. The controls are not second layer, they are both part of the code but also user controlled.
By the way — the assets on the Ravencoin network can include IPFS data. This, combined with the tools above can create some powerful solutions.
There you have it. A financial institution could have proper ID, customer records and KYC info for regulator review in an offline or controlled environment…yet all customers in the network would have full verification as KYCd and accredited and be able to trade with advanced controls…all with no identity whatsoever attached to the real world.
This marries cypherpunk principals with the real world and real compliance needs faced by many use cases.
What do you think?
Does this make sense? Do you know of a better way to do this? Thoughts are welcome. Ravencoin is totally open source and decentralized, it’s your project to contribute to. The project and all ideas are given away freely and no permission is needed to build.