Building a Web3 Identity Solution
TL;DR:
The European Blockchain Sandbox has concluded its second cohort, which included the IOTA Foundation's Tokenized Know Your Customer Solution built with IDnow, walt.id, and Bloom Wallet. The Sandbox provided key lessons on compliant and privacy-preserving identity verification in Web3, including the use of off-chain verification, soulbound tokens, and GDPR-aligned wallet and node practices.
We have completed our participation in the European Blockchain Sandbox, a three-year initiative by the European Commission that gives innovative distributed ledger projects the chance to test their solutions with regulators across Europe. Every year, 20 projects are selected to join, and the IOTA Foundation was part of the second cohort, which ran from June 2024 to March 2025.
Our contribution focused on the Tokenized Know Your Customer (KYC) Solution, developed together with IDnow, walt.id, and Bloom Wallet. This proof-of-concept solution lets users verify their identity off-chain and receive a tokenized proof in their wallet. This allows dApps, exchanges, and other services to confirm eligibility requirements (such as age verification) without exposing sensitive data on-chain.
The close of the sandbox is marked by the European Commission's Best Practices Report for the second cohort. The report shares recommendations and best practices from the programme, offering valuable guidance for anyone building DLT solutions and navigating their regulatory implications.
Key Sandbox Takeaways: Sharing Customer Data
A key focus in the Sandbox was how Anti-Money Laundering (AML) and KYC rules apply in practice. Regulators emphasised that crypto-asset exchanges and other service providers have a legal obligation to know their users' identities. This is why our Tokenized KYC Solution allows the entity responsible for carrying out a KYC check to gain access to verified personal data from the identity verification provider (in our case, IDnow). Similarly, authorities such as the police can request the personal data linked to a specific non-transferable (soulbound) token.
To make customer onboarding easier, companies can often reuse KYC data that another entity has already collected. But the rules for doing this vary across Europe. In some countries, data can only be shared among the same category of entities, while broader sharing requires specific approval from national authorities. Fortunately, the upcoming Anti-Money Laundering Regulation (AMLR) is expected to harmonize these rules regarding the use of customer information collected by other entities.
Key Sandbox Takeaways: Soulbound Tokens
The Report also highlighted key learnings on self-hosted wallets, KYC, and how data is classified on public permissionless DLTs like IOTA. In our Tokenized KYC Solution, only soulbound tokens are recorded on-chain. These tokens do not contain personal data themselves but prove that the KYC process was completed, with the underlying KYC data stored securely off-chain. The Sandbox noted that such tokens must nonetheless be treated as pseudonymized personal data (the issuer can link a token back to a natural person), meaning the GDPR applies. Because this classification may evolve with new case law and guidelines, it requires ongoing review. To minimize data protection risks, our solution follows a data protection by design approach, limiting the amount and type of data shared on-chain.
Key Sandbox Takeaways: Wallet Providers and Node Operators
Another important topic in the Sandbox was how wallet providers and node operators are classified under the GDPR.
- The report concludes that self-hosted wallet providers are not considered data controllers or processors if the wallet runs entirely on the user's device without relying on an external backend. In our Tokenized KYC Solution, verified identity data remains off-chain with IDnow, while the user's self-hosted wallet only holds a soulbound KYC attestation. This design aligns with the GDPR guidance: responsibility for personal data rests with the entities that actually access or use it, for example IDnow for verification and off-chain data storage and, where applicable, an integrating service such as a dApp or exchange when it lawfully requests or uses the data.
- The GDPR classification of node operators needs careful nuance. As we recently commented on the European Data Protection Board's guidelines on personal data in blockchains, nodes perform purely technical functions; they neither determine nor control the purposes of data processing. Treating them as controllers would misrepresent their role and impose disproportionate obligations. Our Tokenized KYC Solution reinforces this distinction. Verified identity data remains off-chain with IDnow, while the chain records only a non-transferable KYC attestation without personal attributes. Nodes merely relay or validate this pseudonymised attestation and never access the identity dataset. Even if such attestations qualify as personal data, the design minimizes on-chain exposure and ensures accountability rests with the entities that actually process identity information. This provides a workable path to meet AML/KYC requirements while respecting

The Transfer of Funds Regulation and the Anti-Money Laundering Regulation require entities such as crypto-asset exchanges to hold information about the user of a self-hosted wallet and to identify the owner of that wallet. At the same time, dApps and DeFi operators are increasingly looking for ways to enable compliant identity checks without compromising privacy and security. There is a growing need for on-chain identity tools to ensure smooth and compliant interactions in Web3 ecosystems.
Our proof-of-concept Tokenized KYC Solution brings together all the necessary steps into one easy-to-use tool:
- A trusted party witnesses an identity verification process and tokenizes it as a soulbound token, allowing dApps and other entities to trust the identity process without revealing the actual Personally Identifiable Information (PII).
- The soulbound token can be used in on-chain processes, enabling Web3-native interactions.
- The trusted party can reveal the identity information if requested by an authorised party (e.g., law enforcement).
- The trusted party can also revoke the token if invalidation is required (e.g., watchlist changes).
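To make these four steps concrete, together with the off-chain/on-chain split described under the soulbound-token and node-operator takeaways, here is a small Python model of the design. It is an added illustration written for this page, not code from the IOTA Foundation, IDnow, walt.id or Bloom Wallet, and it does not touch the IOTA network or the Move VM: the `Ledger` and `Verifier` classes, the `KycAttestation` fields, the random `token_id`, the `police` authorised requester and the sample identities and dates are all assumptions made for the example.

```python
# Toy model of the Tokenized KYC design: PII stays with the off-chain verifier,
# the ledger holds only a non-transferable attestation. Added illustration, not
# IOTA Foundation / IDnow / walt.id / Bloom Wallet code; every name is assumed.
from dataclasses import dataclass
from datetime import date
import secrets


class SoulboundError(Exception):
    """Raised on operations the token type forbids, such as transfer."""


@dataclass(frozen=True)
class KycAttestation:
    """All that goes on-chain: no name or birth date, only these fields."""
    token_id: str    # random reference, the only link to the off-chain record
    owner: str       # wallet the token is bound to at mint
    issuer: str
    over_18: bool    # the eligibility claim a dApp actually needs


class Ledger:
    """Public ledger: nodes relay and validate attestations, never PII."""

    def __init__(self) -> None:
        self.tokens: dict[str, KycAttestation] = {}
        self.revoked: set[str] = set()

    def mint(self, tok: KycAttestation) -> None:
        self.tokens[tok.token_id] = tok

    def transfer(self, token_id: str, new_owner: str) -> None:
        raise SoulboundError("KYC attestations are non-transferable")  # always

    def revoke(self, token_id: str, caller: str) -> None:
        if caller != self.tokens[token_id].issuer:
            raise PermissionError("only the issuer may revoke")
        self.revoked.add(token_id)

    def is_valid(self, token_id: str, wallet: str) -> bool:
        tok = self.tokens.get(token_id)
        return tok is not None and token_id not in self.revoked and tok.owner == wallet


class Verifier:
    """Off-chain identity provider: keeps the record, mints and discloses."""

    def __init__(self, name: str, authorised: set[str]) -> None:
        self.name, self._authorised = name, authorised
        self._records: dict[str, dict] = {}   # token_id -> identity record

    def onboard(self, ledger: Ledger, wallet: str, full_name: str,
                birth_date: date, today: date) -> str:
        # Random reference, not a hash of PII (that would be brute-forceable).
        token_id = secrets.token_hex(16)
        age = today.year - birth_date.year - (
            (today.month, today.day) < (birth_date.month, birth_date.day))
        ledger.mint(KycAttestation(token_id, wallet, self.name, age >= 18))
        self._records[token_id] = {"wallet": wallet, "name": full_name,
                                   "birth_date": birth_date, "verified_on": today}
        return token_id

    def disclose(self, token_id: str, requester: str) -> dict:
        """Reveal the record behind a token, but only to an authorised party."""
        if requester not in self._authorised:
            raise PermissionError(f"{requester} is not authorised to see KYC data")
        return dict(self._records[token_id])


def dapp_age_gate(ledger: Ledger, wallet: str, token_id: str) -> bool:
    """A dApp's check: live attestation bound to this wallet with over_18 set."""
    return ledger.is_valid(token_id, wallet) and ledger.tokens[token_id].over_18


def refused(call, exc) -> bool:
    """True if `call` raises `exc`, i.e. the system refused the operation."""
    try:
        call()
    except exc:
        return True
    return False


def run_scenario() -> dict:
    """Constructed end-to-end run with made-up identities and dates."""
    today, ledger = date(2025, 3, 1), Ledger()
    idp = Verifier("example-idp", authorised={"police"})
    alice = idp.onboard(ledger, "0xA11CE", "Alice Example", date(1990, 6, 15), today)
    bob = idp.onboard(ledger, "0xB0B", "Bob Example", date(2010, 1, 2), today)
    out = {"alice_admitted": dapp_age_gate(ledger, "0xA11CE", alice),
           "bob_admitted": dapp_age_gate(ledger, "0xB0B", bob),
           "alice_token_from_other_wallet": dapp_age_gate(ledger, "0xEV11", alice),
           "onchain_fields": sorted(vars(ledger.tokens[alice])),
           "transfer_refused": refused(lambda: ledger.transfer(alice, "0xEV11"), SoulboundError),
           "dapp_disclosure_refused": refused(lambda: idp.disclose(alice, "some-dapp"), PermissionError),
           "authority_sees_name": idp.disclose(alice, "police")["name"]}
    ledger.revoke(alice, idp.name)   # issuer revokes, e.g. after a watchlist change
    out["alice_after_revoke"] = dapp_age_gate(ledger, "0xA11CE", alice)
    return out
```

Calling `run_scenario()` shows each step: the dApp admits Alice and rejects the under-age Bob on the `over_18` claim alone, a token presented from a wallet it is not bound to fails, any transfer is refused, a dApp cannot obtain the identity record while the authorised requester can, and revocation by the issuer invalidates the token immediately. Two design points are worth noting. The on-chain reference is random rather than a hash of the person's attributes, so the ledger cannot be used to confirm a guessed name and birth date. And the attestation is still bound to a wallet address, which is why the Sandbox treats it as pseudonymized personal data under the GDPR rather than as anonymous data.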
Following the completion of this project, the rebased IOTA Mainnet has launched with a new architecture based on the Move Virtual Machine. To support use cases like the Tokenized KYC Solution, we have developed the IOTA Trust Framework, a set of composable infrastructure components, each developed with privacy, compliance, and usability in mind.

