Why does DeFi need Decentralised Identity?
The Centralised Decentralised Finance (CeDeFi) ecosystem is a natural application for SSI. Identity verification is required in both centralised and decentralised finance, and neither is satisfied with the existing KYC and identity approaches, so SSI can provide an identity layer that serves both worlds. It creates a bridge between traditional data-heavy interactions and the anonymous DeFi approach, while CeDeFi provides the financial infrastructure for SSI adoption in a key market.
cheqd’s ultimate vision is to establish the payment rails for identity, initially self-sovereign identity without anyone needing to worry about the underlying technology. This perfectly aligns with the CeDeFi vision of providing a spectrum of financial services without the need to worry about whether they are centralised, decentralised or what technology they are built on. The blending of CeFi and DeFi also prevents the need for multiple, siloed identities, which is the problem SSI is built to solve.
Within the crypto and DeFi space, SSI enables peer-to-peer (P2P) transactions: one can share a small piece of identity information, e.g. a Telegram handle, to prove who they are without disclosing their identity publicly. This means no more test payments to check wallets. Another option is KYC'd loan pools that do not store the KYC data itself, keeping only 'yes' or 'no' answers.
A Continuum can be defined as a model that gradually transitions from one condition to another without abrupt changes: a seamless, natural progression between states. Now, as we move into a world of Web 3.0, continuums are becoming increasingly important. It may even be possible to argue that the goal of Web 3.0 is one single continuum.
Rather than distinct, standalone ecosystems, Centralised Finance (CeFi) and Decentralised Finance (DeFi) exist on a spectrum, and they are becoming a continuum of one another. CeDeFi, for example, was first coined as a term by Changpeng "CZ" Zhao, CEO of Binance, at the advent of Binance Smart Chain, to describe this coalescence.
Cryptocurrency transfer split for Central, Northern and Western Europe between CEXs and DEXs
Similarly, identity can be modelled as a continuum, from centralised systems, like Identity & Access Management (IAM) and Customer Relationship Management (CRM), through federated systems, e.g. login with Facebook or Google, to decentralised or self-sovereign identity (SSI), e.g. cheqd, Lissi or IATA Travel Pass.
What we are seeing now is, like two coalescing bubbles, a convergence between DeFi and CeFi in one bubble, and between centralised identity and decentralised identity in another, creating a continuum and a symbiotic relationship between the transitioning finance and identity worlds. This can best be seen in the flow of European institutional funds, e.g. pension funds, into DeFi.
Combining these continuums into a grid, it is then possible to position protocols: most current DeFi protocols naturally fall into the pseudonymous-identity / DeFi quadrant, and traditional finance (TradFi) into the centralised-identity / CeFi quadrant (duh!).
The regulatory landscape for DeFi is, without doubt, the catalyst and root cause of this continuum, because of the pressure that a decentralised cryptocurrency ecosystem has put on traditional, centralised financial regulation.
The problems are threefold:
1. Decentralised Exchanges (DEXs) and Decentralised Autonomous Organisations (DAOs) generally have no liability infrastructure or accountable persons in instances of fraud, theft or phishing;
2. Anonymous or pseudonymous transactions, supported by coin-mixing protocols such as Tornado Cash, can make money laundering harder to prevent and easier to obscure than in the physical world. Similarly, pseudonymous identifiers make it difficult for users to demonstrate a sufficient understanding of the risks involved in different protocols and transaction types;
3. The global, cross-border, cyberspace-located nature of transactions and interactions in the cryptocurrency world is at odds with the distinct jurisdictional scope of national law.
The motivation for regulators pushing for identity is to establish whether the entity behind a platform falls under their jurisdiction or the investor is resident in their jurisdiction. This ensures that the regulators meet their obligations and terms of reference. They cannot ignore entities or residents in their jurisdiction who act in an unsupervised environment.
Global regulators have also acknowledged that the law on its own is not sufficient to regulate the industry, and so they have resorted to regulating the technical architecture that protocols must have in place. This is leading to increasingly complex identity requirements being placed on the users of any CeFi or DeFi protocol, requirements which can largely only be met with a decentralised approach that complements the privacy- and pseudonymity-first approach of DeFi.
The most commonly cited identity requirement for CeFi and DeFi is the Financial Action Task Force (FATF) Recommendation 16, the Travel Rule, as applied to Virtual Assets and Virtual Asset Service Providers. It imposes a requirement on Virtual Asset Service Providers (VASPs), such as exchanges or custodians, to store personal information on both parties to transactions greater than US$1,000.
For exchanges, as an example, the following information is required (image credit to Notabene):
Owing to this requirement, the identity continuum has been viewed as a trade-off between privacy and regulatory compliance, e.g. full anonymity or pseudonymity would not meet the Travel Rule requirements. Yet, while this may seem binary at first thought, i.e. data is either provided or not, we are starting to see innovations creating different ways of achieving this data sharing without directly compromising user privacy.
While the likes of Aave Arc have used centralised solutions to achieve this, there is a movement towards decentralised or SSI solutions across both individual and corporate identity. The likes of Notabene, Centre, Bloom and Shyft are already looking into how to reuse KYC'd data through Self-Sovereign Identity, using the interplay between Verifiable Credentials (VCs) and Decentralised Identifiers (DIDs) to enable access to VASPs without compromising user privacy. Similarly, Coinbase, Circle, Anchorage and Robinhood have formed the TRUST consortium to tackle the same issue in a privacy-preserving way.
There is an emerging overlap between the amendments to the European electronic Identification, Authentication and Trust Services (eIDAS) Regulation and a resolution to the Travel Rule friction, both tending towards SSI standards.
eIDAS is a regulation that came into force in 2016 to create a more seamless way of identifying, authenticating and verifying people and businesses in a cross-border setting. It enables organisations to rely on digital signatures and proofs, rather than solely on physical documentation. Recently, however, there has been a push within the European ecosystem to extend the scope of eIDAS to incorporate Verifiable Credentials into the eIDAS model, through initiatives such as eIDAS Bridge.
Through an updated eIDAS framework, the sharing of Verifiable Credentials and Verifiable Presentations will satisfy legal requirements for KYC and identity checks, even in regulated industries such as financial services. Consequently, this presents a very real opportunity for DeFi protocols seeking regulatory compliance to skip centralised or federated identity systems, keeping their decentralised ethos whilst protecting their users' privacy.
There is a further incentive for DeFi, as identity is key to preventing the proceeds of crime flowing into the financial system. The pseudonymous nature of DeFi creates an adversarial environment where cheating others is widespread, as seen for example in front-running or wash trading. By establishing identity it becomes possible to ascertain who is engaging in the adverse behaviour, and remedies can be applied. Regulating DeFi through technical accountability thus gives greater confidence to prospective investors and opens DeFi to wider adoption.
Since only one of physical address, national identity number, customer identity number, or date and place of birth is required, it is possible to meet the Travel Rule with only a name, an account number (wallet address) and a customer identification number. Through the process we set out below, this data can be verified by a DeFi protocol without creating another data silo. Importantly, this also makes it possible, albeit onerous and costly, to investigate wrongdoing such as funds being routed from hacks.
We have laid out how this works in the diagram and steps below:
1. If the DeFi protocol supports it, any institution (or individual) can create a pool or contract with defined KYC requirements. These KYC requirements could range from:
   a. blacklisting to prevent certain geographies participating;
   b. full checks of documents;
   c. zero-knowledge proof checks for certain criteria.
2. An institution (or individual) will need to receive a Verifiable Credential by going through a normal KYC process once, likely with a reputable VASP or a trusted entity such as a bank, law firm or insurance company.
3. The institution (or individual) will be issued a secure, verified digital version of their KYC'd data, such as a certificate of incorporation or, for individuals, a passport or driver's licence, in the form of a Verifiable Credential.
4. As part of interacting with the DeFi protocol's pool, the institution (or individual) is required to fulfil the KYC criteria. Since the data in a Verifiable Credential is, by its very nature, verifiable and certified, it can be checked extremely quickly without introducing further barriers.
5. The institution (or individual) will present a Verifiable Credential for their name, wallet address and customer identification number from the VASP to the DeFi pool.
6. Assuming they fulfil the requirements, the institution (or individual) can interact with the pool. Other institutions (or individuals) which do not provide sufficient KYC data in the form of Verifiable Credentials will not be able to access the pool.
7. Depending on the policy, the pool may make use of Zero-Knowledge Proofs (ZKPs); see below.
Using Zero-Knowledge Proofs (ZKPs), it is possible to perform checks on an organisation or individual without having to process the underlying data. As examples:
- It would be possible to check that an individual or organisation has been successfully KYC'd by a trusted organisation for other information, such as the user's address, age or national identity number.
- It is possible to check that an individual is over a certain age without needing their date of birth.
- It would be possible to check the risk or credit profile of the user without disclosing the underlying information.
  - E.g. institutional or accredited investors could trade all of DeFi, while new retail users may trade lending and swapping but not highly leveraged futures.
- Similarly, it would be possible to exclude an organisation based on an excluded-country list without needing to know exactly which country it is incorporated in.
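As an added example (not cheqd's or any project's code), the following Python models steps 2 to 6 above with a hash-based selective-disclosure credential: the issuing VASP signs salted digests of every KYC claim, the holder reveals only name, wallet address and customer identification number, and the pool verifies the issuer, the signature and the disclosed values against the digests while the undisclosed claims (date of birth, country) never reach the pool. An HMAC with a constructed issuer key stands in for the issuer's DID-key signature, and the country exclusion check works on a disclosed country code; a genuine ZKP (proving age over a threshold, or non-membership of an excluded-country list, without revealing the value) would need a ZKP library this example does not use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed trust anchors: issuer DID -> verification key (an HMAC key stands in for a DID signing key).
TRUSTED_ISSUERS = {"did:example:vasp-1": b"constructed-issuer-key"}
EXCLUDED_COUNTRIES = {"XX"}  # placeholder jurisdiction code on the pool's exclusion list

def _digest(salt: str, name: str, value: str) -> str:
    # Salted commitment to one claim; the salt stops guessing low-entropy values (e.g. a country code).
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()

def _sign(key: bytes, digests: list) -> str:
    return hmac.new(key, json.dumps(digests).encode(), "sha256").hexdigest()

def issue(issuer: str, claims: dict) -> dict:
    """Steps 2-3: the VASP commits to every KYC claim and signs the sorted list of digests."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(_digest(salts[k], k, v) for k, v in claims.items())
    return {"issuer": issuer, "digests": digests, "sig": _sign(TRUSTED_ISSUERS[issuer], digests),
            "_claims": claims, "_salts": salts}  # underscore keys stay in the holder's wallet

def present(credential: dict, disclose: set) -> dict:
    """Step 5: the holder reveals only the requested claims (value plus salt); the rest stay digests."""
    return {"issuer": credential["issuer"], "digests": credential["digests"], "sig": credential["sig"],
            "disclosed": {k: (credential["_claims"][k], credential["_salts"][k]) for k in disclose}}

def pool_admits(presentation: dict, tx_wallet: str,
                required=("name", "wallet", "customer_id")) -> tuple:
    """Steps 4 and 6: the pool's admission check. Returns (admitted, reason)."""
    key = TRUSTED_ISSUERS.get(presentation["issuer"])
    if key is None:
        return False, "untrusted issuer"
    if not hmac.compare_digest(_sign(key, presentation["digests"]), presentation["sig"]):
        return False, "bad issuer signature"
    disclosed = presentation["disclosed"]
    for name, (value, salt) in disclosed.items():
        if _digest(salt, name, value) not in presentation["digests"]:
            return False, f"claim {name} does not match the signed credential"
    missing = [k for k in required if k not in disclosed]
    if missing:
        return False, f"missing claims: {missing}"
    if disclosed["wallet"][0] != tx_wallet:
        return False, "credential wallet does not match the transacting wallet"
    if disclosed.get("country", (None, None))[0] in EXCLUDED_COUNTRIES:
        return False, "excluded jurisdiction"
    return True, "admitted"
```

The pool ends up holding only the three Travel Rule fields plus the issuer's signature, so a regulator asking for the underlying KYC data must go back to the issuing VASP, as the text describes.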
Through the model above, any Regulatory Authority could request access to the pool of details (which would not contain any information on address, national identity number, or date and place of birth). Given the eIDAS regulatory changes, this would be sufficient for valid identity verification and reporting by the DeFi protocol. If the Regulatory Authority needed the underlying data, it would have to request this from the original issuer, making it time-consuming to obtain even a single individual's data and reducing the number of copies in circulation.
Bodies like the Global Legal Entity Identifier Foundation (GLEIF) are already building out SSI implementations (e.g. their verifiable Legal Entity Identifier, vLEI) to give companies digital identities. This will mean that due diligence and onboarding, mergers & acquisitions and other processes are simplified and improved compared to working through paper documents or, at best, easily counterfeited PDFs.
There is a clear trend to enable regulatory-compliant DeFi: firstly, to be compliant with regulations, creating a safer environment for all; and secondly, to widen access to institutions and individuals with stronger counterparty-risk requirements. Our expectation is that the markets could split into two, with institutions flowing into regulated markets whilst individuals remain anonymous / pseudonymous.
We would also like to state that while this architecture is possible, it does not mean that it should be adopted since we know a large majority of the DeFi community prize their anonymity / pseudonymity and we hope there will always be protocols to support them.
However, it provides a template for any protocol to implement this approach (if they wish and see demand) without having to recreate the architecture.
The key is that as regulation is applied or regulatory compliant DeFi becomes a larger sector, we do not create more data silos and we want to maintain privacy as far as possible.
As we have caveated above, this model should not be imposed upon protocols. However, it does provide a route towards regulatory compliance for those who wish for one, with the potential upshot of drastically widening access to DeFi whilst protecting individuals.