KYC Process
This page describes the KYC process and participants in detail.
The demo application is currently unavailable as part of our transition from Optimism to the Arbitrum Stack.
There are three different participants in the process:
- End User. The person that accesses applications built on Kinto from his phone or laptop.
- KYC Providers. SaaS services that perform the KYC verification and store the PII data for the user.
- Kinto Nodes. A network of servers that processes callbacks from KYC providers and responds to requests from users and developers.
- Applications/Protocols. Protocols and applications that are built upon Kinto. The user interacts with these on the smart contract level and through the interface.
KYC providers verify the user identity and perform AML/PEP screening continuously. They store users' personal data without the wallet address.

The list of approved KYC providers is curated by governance. Initial KYC partners include:
- KYC is configured to always require identification documents and a selfie check.
- AML is configured to PEP risk Level 1 and includes over 20 government watchlists, including OFAC.
1. The user visits an application deployed on Kinto for the first time and connects his wallet.
2. The application verifies that the user doesn't have the NFT and hasn't completed the KYC process yet.
3. The application serves a popup prompting the user to start the KYC process through a list of verified partners.
4. The user selects his preferred KYC provider and completes the process by providing a valid ID and selfie.
5. Once the KYC provider verifies the user's identity, it triggers a callback to a Kinto node that will mint a soulbound NFT (Kinto ID) to the user's wallet.
6. This user now has the NFT and can transact on Kinto.
Note: If applications require extra accreditation checks and the user has not completed that part of the process, the user will also need to go through an accreditation process.
The developers building on Kinto have two contact points with the KYC system.
- Smart Contract API. Through this API, they can check whether a given ETH address is KYC'ed, accredited, belongs to a specific jurisdiction, or has any AML sanctions.
- PII Request. If the application needs to store PII for any reason, the developers must explicitly request this data from the user. The user can grant this data by signing a message with their wallet. Then, the application can call a Kinto ID node endpoint with this signature and receive the data stored in the appropriate KYC provider. You can test the PII reveal from your account page.
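
The eligibility check described under Smart Contract API, as an added example that is not Kinto's own code: `IKycRegistry`, its three function names, and the `GatedLedger` contract are hypothetical and assumed for illustration. The contract queries the registry on every call instead of caching the result, because an AML flag can be set on the Kinto ID after the user has onboarded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: these function names and signatures are
// assumptions made for this example, not taken from Kinto's contracts.
interface IKycRegistry {
    function isKYC(address account) external view returns (bool);
    function isSanctioned(address account) external view returns (bool);
    function isAccredited(address account) external view returns (bool);
}

contract GatedLedger {
    IKycRegistry public immutable registry;
    bool public immutable requiresAccreditation;
    mapping(address => uint256) public balanceOf;

    error NotVerified(address account);
    error Sanctioned(address account);
    error NotAccredited(address account);

    constructor(IKycRegistry registry_, bool requiresAccreditation_) {
        registry = registry_;
        requiresAccreditation = requiresAccreditation_;
    }

    // Ask the registry on every call. A result cached at onboarding would
    // miss an AML flag set after the user's first interaction.
    function _requireEligible(address account) internal view {
        if (!registry.isKYC(account)) revert NotVerified(account);
        if (registry.isSanctioned(account)) revert Sanctioned(account);
        if (requiresAccreditation && !registry.isAccredited(account)) {
            revert NotAccredited(account);
        }
    }

    function deposit() external payable {
        _requireEligible(msg.sender);
        balanceOf[msg.sender] += msg.value;
    }

    // Both sides of a transfer are checked, not only the caller.
    function transfer(address to, uint256 amount) external {
        _requireEligible(msg.sender);
        _requireEligible(to);
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
    }
}
```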
Kinto Nodes are responsible for processing KYC/AML callbacks from KYC providers and replying to application requests.
- Successful KYC completed. Mints a Kinto ID NFT to the user.
- AML Sanction detected. Flags the user appropriately in the Kinto ID NFT contract.
- Personal Data Request. The developer must submit the user's signature along with the request.
- KYC Recovery. There are a couple of other endpoints to handle edge cases, including identity theft or account migration.
It's really important to emphasize that Kinto doesn't store user data. Only KYC providers curated by governance and chosen by each user do so. These partners are the best in security in the industry.
PII stored in these KYC providers does not include the wallet address, so the user's on-chain privacy is preserved and can only be disclosed by the user to the applications that he wants to use.