User Owned KYC
This page explains how user owned KYC works in detail
One of the main differences between Kinto and other L2 blockchains is its KYC functionality. In Kinto, this KYC requirement is enforced at the blockchain level. Users are asked to KYC before they can send txs or create contracts. However, that doesn’t mean that Kinto is permissioned, has access to any data, or that the PII is tied to the user’s blockchain identity.
This blog post will explain how Kinto provides KYC functionality while remaining open, non-custodial, permissionless, and credibly neutral. Kinto puts the users in charge of the KYC process.
Kinto network users are in control of the KYC process through two different mechanisms:
Governance of Kinto will curate the list of KYC providers available in the network. Network participants can onboard new KYC providers and increase the number of choices available.
When a user first visits an application on Kinto, she will be asked to identify herself. The user can then pick her desired KYC provider from among the alternatives curated by governance.
As we saw above, Kinto allows users to pick the data provider that they trust with their data. User data is handled according to three important tenets:
Kinto doesn’t own or store any personal data. None. The Kinto ID smart contract only holds flags indicating whether a user has completed KYC, whether they are accredited, and whether or not there are AML violations in different jurisdictions.
Personal data is stored in the KYC provider chosen by the users. Personal data include address, date of birth, and government ID. Only the most trusted and secure identity providers are available in Kinto. Information stored in these providers doesn’t include your wallet address so nobody can link your account. Even in the unlikely scenario that they suffer a security breach, your on-chain account is safe.
Personal data can only be accessed with permission from the user. The user needs to sign messages granting permission to applications built on Kinto. These applications then call an API with the signature to receive the data the user has granted. You can read more about how this process works in the docs.
🚨 In case of an emergency (hack, fraud or an exploit), governance and only governance can send to the KYC provider the information needed to link the PII with the blockchain account of the user.
To create a wallet on the Kinto network, every user must pass a KYC check, which does not reveal to the KYC provider the connection between the identity information and the address of the wallet.
This allows them to selectively reveal the minimum possible identity information to access certain financial services, while retaining complete sovereignty over their identity.
On Kinto, traditional financial institutions can interact with DeFi protocols while knowing all network users have passed a minimum KYC check. They can also provide services that require more KYC information because the user can seamlessly opt-in to share the required information with individual counterparties. With self-sovereign KYC, Kinto retains decentralized finance's openness and self-sovereignty while eliminating the barriers to integration and usage between traditional financial institutions and decentralized protocols.
The Kinto network allows previously difficult or even impossible services on-chain, like tokenized real-world assets being used in DeFi protocols, uncollateralized lending, and more.
By living on the same network and enabling self-sovereign KYC, the kind of composability currently enjoyed within the DeFi ecosystem will be possible between DeFi services and traditional financial services.
There are three different participants in the process:
End User. The person that accesses applications built on Kinto from his phone or laptop.
KYC Providers. Third-party SaaS providers that perform the KYC verification and store the PII data for the user.
Kinto Nodes. A network of servers that processes callbacks from KYC providers and responds to requests from users and developers.
Applications/Protocols. Protocols and applications that are built upon Kinto. The user interacts with these on the smart contract level and through the interface.
KYC providers verify the user identity and perform AML/PEP screening continuously. They store users' personal data without the wallet address. They are selected by the user when they join Kinto.
The list of approved KYC providers is curated by governance. Initial KYC partners include:
The user visits an application deployed on Kinto for the first time and connects his wallet.
The application verifies that the user doesn't have the NFT and hasn't completed the KYC process yet.
The application shows a popup prompting the user to start the KYC process with one of the verified partners.
The user selects his preferred KYC provider and completes the process by providing a valid ID and selfie.
Once the KYC provider verifies the user's identity, it triggers a callback to a Kinto node that will mint a soulbound NFT (Kinto ID) to the user's wallet.
This user now has the NFT and can transact on Kinto.
Note: If applications require extra accreditation checks and the user has not completed that part of the process, the user will also need to go through an accreditation process.
The developers building on Kinto have two contact points with the KYC system.
Smart Contract API. Through this API, they can check whether a given ETH address is KYC'ed, accredited, belongs to a specific jurisdiction, or has any AML sanctions.
PII Request. If the application needs to store PII for any reason, the developers must explicitly request this data from the user. The user can grant this data by signing a message with their wallet. Then, the application can call a Kinto ID node endpoint with this signature and receive the data stored in the appropriate KYC provider.
Kinto Nodes are responsible for processing KYC/AML callbacks from KYC providers and replying to application requests.
Successful KYC completed. Mints a Kinto ID NFT to the user.
AML Sanction detected. Flags the user appropriately in the KintoID NFT contract.
Personal Data Request. The developer must submit the user's signature along with the request.
KYC Recovery. There are a couple of other endpoints to handle edge cases, including identity theft or account migration.
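The PII Request and Personal Data Request steps above both depend on the node checking the user's signed grant before releasing anything. The sketch below is an added example, not Kinto's code or API: the grant fields (`user`, `app`, `fields`, `nonce`, `expires`), the function names and the sample data are all assumptions, and a Node.js secp256k1 key with SHA-256 stands in for a wallet signature, which would normally use Keccak-256 and address recovery.

```javascript
// Added example: hypothetical node-side check of a user-signed PII grant.
const crypto = require('crypto');

// Constructed stand-in for the user's wallet key. A real wallet signs a
// Keccak-256 digest and the verifier recovers the address; here the
// verifier is simply handed the matching public key (assumption).
const wallet = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });

// Canonical encoding: fixed field order so signer and verifier hash the same bytes.
function encodeGrant(g) {
  return Buffer.from(JSON.stringify([g.user, g.app, [...g.fields].sort(), g.nonce, g.expires]));
}

function signGrant(grant, privateKey) {
  return crypto.sign('sha256', encodeGrant(grant), privateKey);
}

const usedNonces = new Set(); // replay cache (in-memory for the example)

// Returns only the fields the user granted, or throws with the reason.
function releasePii(request, record, publicKey, now) {
  const { grant, signature, app, fields } = request;
  if (!crypto.verify('sha256', encodeGrant(grant), publicKey, signature))
    throw new Error('bad signature');
  if (grant.app !== app) throw new Error('grant issued to another application');
  if (now >= grant.expires) throw new Error('grant expired');
  const extra = fields.filter((f) => !grant.fields.includes(f));
  if (extra.length) throw new Error('fields not granted: ' + extra.join(','));
  if (usedNonces.has(grant.nonce)) throw new Error('grant replayed');
  usedNonces.add(grant.nonce);
  return Object.fromEntries(fields.map((f) => [f, record[f]]));
}

// Constructed sample data (not real PII, not a real Kinto message format).
const record = { dateOfBirth: '1990-01-01', address: '1 Example St', governmentId: 'X0000000' };
const grant = { user: '0xUSER_PLACEHOLDER', app: 'app.example',
                fields: ['dateOfBirth'], nonce: 'n-001', expires: 1700000600 };
const signature = signGrant(grant, wallet.privateKey);
```

Because the application identity, the field list, the nonce and the expiry are all inside the signed bytes, an application cannot widen a grant, reuse it, or pass it to another application without invalidating the signature.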
It's really important to emphasize that Kinto doesn't store user data. Only KYC providers curated by governance and chosen by each user do so. These partners are the best in security in the industry.
PII stored in these KYC providers does not include the wallet address, so the user's on-chain privacy is preserved and the link can only be disclosed by the user to the applications that he wants to use.