SSI for regulatory compliant DeFi

CeDeFi and SSI as Continuums

By Fraser Edwards, CEO & Co-founder at cheqd and Martin Worner, Co-founder at Confio

A continuum can be defined as a model that gradually transitions from one condition to another without abrupt changes. A seamless, natural progression between states. And as we move into a world of Web 3.0, continuums are becoming increasingly important. It may even be possible to argue that the goal of Web 3.0 is one single continuum.

Rather than distinct, standalone ecosystems, Centralised Finance (CeFi) and Decentralised Finance (DeFi) sit on a spectrum and are becoming a continuum of one another. The term CeDeFi, for example, was coined by Changpeng "CZ" Zhao, CEO of Binance, at the launch of Binance Smart Chain to describe this coalescence.

Similarly, identity can be modelled as a continuum: from centralised systems, such as Identity & Access Management (IAM) and Customer Relationship Management (CRM), through federated systems, e.g. login with Facebook or Google, to decentralised or self-sovereign identity (SSI), e.g. cheqd, Lissi or the IATA Travel Pass.

[Figure: Cryptocurrency transfer split for Central, Northern and Western Europe between CEXs and DEXs. Source: Chainalysis.]

What we are seeing now is two separate bubbles coalescing: DeFi and CeFi in one, centralised and decentralised identity in the other. The result is a continuum and a symbiotic relationship between the transitioning finance and identity worlds. This can best be seen in the flow of European institutional funds, e.g. pension funds, into DeFi.

[Figure: bubble coalescence]

Combining these continuums into a grid, it is then possible to position protocols on it, with most current DeFi protocols naturally falling into the pseudonymous-identity/DeFi quadrant and traditional finance (TradFi) into the centralised-identity/CeFi quadrant (duh!).

The Continuum Catalyst

The regulatory landscape for DeFi is, without doubt, the catalyst and root cause of this continuum, because of the pressure that a decentralised cryptocurrency ecosystem has put on traditional, centralised financial regulation.

The problems are threefold:

  1. Decentralised Exchanges (DEXs) and Decentralised Autonomous Organisations (DAOs) generally have no liability infrastructure or accountable persons in cases of fraud, theft or phishing;
  2. Anonymous or pseudonymous transactions, aided by coin-mixing protocols such as Tornado Cash, make money laundering harder to prevent and easier to obscure than in the physical world. Similarly, pseudonymous identifiers make it difficult for users to demonstrate a sufficient understanding of the risks involved in different protocols and transaction types;
  3. The global, cross-border, cyberspace-located nature of transactions and interactions in the cryptocurrency world is at odds with the distinct jurisdictional scope of national law.

The motivation for regulators pushing for identity is to establish whether the entity behind a platform falls under their jurisdiction or the investor is resident in their jurisdiction. This ensures that the regulators meet their obligations and terms of reference. They cannot ignore entities or residents in their jurisdiction who act in an unsupervised environment.

Furthermore, global regulators have acknowledged that a law on its own is not sufficient to regulate the industry and have resorted to regulating the technical architecture protocols must have in place, mandating increasingly complex identity requirements on whoever uses a CeFi or DeFi protocol. These are identity requirements which, largely, can only be met with a decentralised approach if the privacy- and pseudonymity-first ethos of DeFi is to be preserved.

The most commonly cited identity requirement on CeFi and DeFi is the Financial Action Task Force (FATF) Recommendation 16, the "Travel Rule", as applied to Virtual Assets and Virtual Asset Service Providers. It requires VASPs, such as exchanges or custodians, to obtain, hold and transmit to the counterparty VASP personal information on both parties to transfers above the USD/EUR 1,000 threshold.

For exchanges, as an example, the following originator customer information is required:

  • name;
  • account number (in practice, the wallet address);
  • one of: physical address, national identity number, customer identification number, or date and place of birth.

Owing to this requirement, the identity continuum has been viewed as a trade-off between privacy and regulatory compliance: full anonymity or pseudonymity, for example, would not meet the Travel Rule requirements. Yet while this may seem binary at first, i.e. the data is either provided or not, we are starting to see innovations that achieve the data sharing without directly compromising user privacy.

Whilst the likes of Aave Arc have used centralised solutions to achieve this, there is a movement towards decentralised or SSI solutions across both individual and corporate identity. The likes of Notabene, Centre, Bloom and Shyft are already looking at how to reuse KYC'd data through Self-Sovereign Identity, with the interplay between Verifiable Credentials (VCs) and Decentralised Identifiers (DIDs) enabling access to VASPs without compromising user privacy. Similarly, Coinbase, Circle, Anchorage and Robinhood have formed the TRUST consortium to tackle the same issue in a privacy-preserving way.

Echoing the above, James Taylor, CBO at Unizen, says: "DeFi needs to adopt Self-Sovereign Identity in order to onboard banks and TradFi institutions. Verifiable Credentials and Zero-Knowledge Proofs are novel applications that complement the existing compliance framework and retain users' sovereignty."

cheqd, eIDAS and the Travel Rule

Due to the continuum of decentralised identity and finance, there is an emerging overlap between the amendments to the EU's electronic Identification, Authentication and trust Services ("eIDAS") Regulation and a resolution of the Travel Rule friction, both tending towards SSI standards.

eIDAS is a Regulation, applicable since 2016, that created a more seamless way of identifying, authenticating and verifying people and businesses in a cross-border setting. It enables organisations to rely on digital signatures and proofs rather than solely on physical documentation. Recently, there has been a push within the European ecosystem to extend the scope of eIDAS to incorporate Verifiable Credentials, through initiatives such as the eIDAS Bridge.

Under an updated eIDAS framework, sharing Verifiable Credentials and Verifiable Presentations would satisfy the legal requirements for KYC and identity checks. This presents a very real opportunity for DeFi protocols seeking regulatory compliance to skip centralised or federated systems, keep their decentralised ethos and protect their users' privacy. There is a further incentive for DeFi, as identity is key to preventing the proceeds of crime from flowing into the financial system. Additionally, the pseudonymous nature of DeFi creates an adversarial environment in which cheating others is widespread, as seen for example in front-running or wash trading; by establishing identity it becomes possible to ascertain who is engaging in the adverse behaviour, and remedies can be sought. Taming DeFi through accountability thus gives greater confidence to prospective investors and opens DeFi to wider adoption.

How does this work?

Since only one of physical address, national identity number, customer identification number or date and place of birth is required alongside name and account number, it is possible to meet the Travel Rule with only a name, an account number (wallet address) and a customer identification number. Through the process we set out below, this data can be verified by a DeFi protocol without creating another data silo. Importantly, it also makes it possible, albeit onerous and costly, to investigate wrongdoing such as the routing of funds from hacks.

We have laid out how this works in the diagram and steps below: 

[Diagram: the steps listed below]

  1. If the DeFi protocol supports it, anyone (individual or organisation) can create a pool or contract with defined KYC requirements. These KYC requirements could range from:
    1. Blacklisting to prevent certain geographies from participating;
    2. Full checks of documents;
    3. Zero-knowledge proof checks for certain criteria.
  2. An individual or organisation will need to go through a normal KYC process once, likely with a reputable VASP or a trusted entity such as a bank, law firm or insurance company, in order to receive a Verifiable Credential.
  3. The individual or organisation is issued a signed, verifiable digital version of the data from their KYC documents (typically a passport, driver's licence or certificate of incorporation).
  4. As part of interacting with the DeFi protocol's pool, they are required to fulfil its KYC criteria. Since a Verifiable Credential carries the issuer's signature, it can be checked against the issuer's public key extremely quickly, so that no new barrier is introduced.
  5. The user provides a Verifiable Credential for their name, wallet address and customer identification number, issued by the VASP, to the DeFi pool.
  6. Assuming they fulfil the requirements, and the wallet address in the credential is the one transacting with the pool, the individual or organisation can interact with it.
  7. Depending on the policy, the pool may make use of Zero-Knowledge Proofs (ZKPs), see below.

Zero-knowledge proofs

Using Zero-Knowledge Proofs (ZKPs), it is possible to check properties of an organisation or individual without having to process the underlying data. As examples:

  • It would be possible to check that an individual or organisation has been successfully KYC'd by a trusted organisation, including their address, age or national identity number, without the pool receiving any of that information.
  • It is possible to check that an individual is over a certain age without needing their date of birth.
  • It would be possible to check the risk or credit profile of the user without disclosing the underlying information;
    • E.g. institutional or accredited investors could trade all of DeFi, while new retail users may trade lending and swapping but not highly leveraged futures.
  • Similarly, it would be possible to exclude an organisation based on an excluded-country list without needing to know exactly which country it is incorporated in.

Regulatory Authorities

Through the model above, any regulatory authority could request access to the pool's details (which would not contain any information on address, national identity number or date and place of birth). Under the eIDAS regulatory changes, this would be sufficient for valid identity verification and reporting by the DeFi protocol. If the regulator needed the underlying data, it would have to request it from the original issuer, which keeps the number of copies in circulation low and means that obtaining even a single individual's underlying data requires going back to the issuer.

Corporate SSI

Whilst the example above focused on individuals, given the simplicity of the Travel Rule, where this is likely to come into its own is for institutions and companies. Bodies like the Global Legal Entity Identifier Foundation (GLEIF) are already building out SSI implementations (e.g. their verifiable Legal Entity Identifier, vLEI) to give companies digital identities. This will mean that due diligence/onboarding, mergers & acquisitions and other processes are simplified and improved compared to working through paper documents or, at best, easily counterfeited PDFs.

The direction of travel (rule)

There is a clear trend towards enabling regulatory compliant DeFi, both to comply with regulations and avoid prosecution or having to move jurisdiction, and to widen access to entities and individuals with stronger counterparty-risk requirements. Our expectation is that the market could split in two, with institutions flowing into regulated markets whilst individuals remain anonymous or pseudonymous.

We would also like to state that while this architecture is possible, that does not mean it should be adopted universally: we know a large majority of the DeFi community prize their anonymity/pseudonymity, and we hope there will always be protocols to support them.

However, it provides a template for any protocol to implement this approach (if they wish and see demand) without having to recreate the architecture. 

The key is that as regulation is applied or regulatory compliant DeFi becomes a larger sector, we do not create more data silos and we want to maintain privacy as far as possible.

Coalescing

As we have caveated above, this model should not be imposed upon protocols. However, it does provide a route towards regulatory compliance for those who wish for one with the potential upshot of drastically widening access to DeFi whilst protecting individuals. 

To contribute to enabling regulatory compliant DeFi, cheqd has joined the CeDeFi Alliance, a non-profit organisation kickstarted by Unizen and JUN Capital to bring together the leading teams from CeFi and DeFi for the mass adoption of Distributed Ledger Technology. We are excited to be joining the Alliance to spearhead the growth of SSI under robust policy frameworks.

The Alliance will reach out to government and industry groups on blockchain, and to regulators, to create a compliant policy framework that allows every individual and organisation to use CeDeFi technology with confidence in its full legitimacy.

We would love to hear the community's thoughts on this, especially everyone’s expectation of the market direction over the coming months and years.

And for anyone building in this space, please get in touch, we would love to hear from you. Drop either partnerships@cheqd.io or Toby (tobias@cheqd.io) a note and we’ll be straight back to you.

Otherwise, make sure to join our community on Telegram, Twitter or Discord – take your pick!