A startup blockchain backed by PayPal and the Omidyar Network aims to help financial institutions quickly verify digital identities.
IDKeep, which went live Tuesday, was designed by Cambridge Blockchain and LuxTrust, a startup backed by the Luxembourg government and several banks. It launches with the 700,000 customers of the six main retail banks of the small European nation.
But the new project may ultimately influence the U.S., where banks have been slow to develop a shared platform for digital identities. Backers of IDKeep argue that a well-thought-out program, in which questions about privacy and security are ironed out ahead of launch, could be the key to forcing U.S. banks to act.
“This is truly a first-in-the-world implementation of a data-sharing architecture, where consumers have control over how their data is shared between institutions for know-your- customer purposes,” said Kabir Kumar, director of Flourish, a venture capital firm that was spun off by the Omidyar Network. “Multiple markets have attempted to create such systems but have struggled with different approaches. Luxembourg’s model, which heavily leverages the collaboration between the commercial players and the government through the LuxTrust consortium, provides a unique road map that can be replicated by other countries.”
One unusual aspect of this project is that the financial regulator for Luxembourg has a node on the blockchain so it can supervise in real time. This has helped the project win crucial regulatory support.
Kumar says IDKeep will change the way consumers share digital data with service providers.
“We won’t need to provide credentials and basic information each time we access a new bank service,” he said. “Remember that each time that a piece of data is shared, it exposes the consumer to a privacy risk. If Luxembourg can pull this off using Cambridge Blockchain’s technology, then we see the beginnings of a world where more people can get to banking and potentially other services while protecting their privacy and data.”
Cambridge Blockchain takes the identity documentation new customers submit to a bank and creates a hash of those documents that notes the person is recognized under know-your-customer rules. It stores that on an Enterprise Ethereum blockchain run by LuxTrust. Any other party to the blockchain can then verify that person’s identity by looking them up on the blockchain.
The blockchain technology is not being used to store personal data.
“The personal data is stored in something called a personal data service, which is hosted in a bank or data center that is SOC 2 compliant,” said Matthew Commons, CEO of Cambridge Blockchain. “It’s a very, very robust environment. If somebody's got access to a copy of the blockchain, there's no way that they could go back and regenerate the data that's there. But you can use the blockchain ... to validate who checked what and when.”
Security is critical to a project like this.
“You could in theory have some centralized database that would store all the personal information for a group of banks,” Commons said. “But it's very difficult to do that while getting the appropriate consent and making sure that the information is really being shared on a truly need to know basis.”
CV Madhukar, investment partner at Omidyar Network and global leader of the firm's work on digital identity, sees the project as a means of enabling financial inclusion and helping cut the cost of know-your-customer compliance.
“One of the biggest use cases for digital identity is in financial inclusion, and one of the biggest challenges for financial inclusion is getting the KYC process right,” he said. “For the most vulnerable populations, getting KYC documentation is such a big challenge. Every time they need documents supporting KYC, they run into trouble. So whatever can ease the burden of the KYC process has value.”
“This makes it easier for individuals and companies to get this done quickly and most importantly puts the user data in a safe place to access,” Madhukar said. “This is very central to protecting individuals’ privacy.”
Today, consumers have to provide personal data multiple times to access different products and services, through various channels without adequate security and control, Madhukar said.
“This increases the risk of privacy violations and data leaks,” he said. “Additionally, users do not have control over the data that has been shared. And while KYC data sharing makes sense for consumers and providers, few attempts have taken hold because of a lack of appropriate technology, market structure, or competitive dynamics behind the commercial arrangements and regulator role.”
IDKeep also handles the data privacy and open banking requirements of GDPR and PSD2. For GDPR, it provides a way to acquire the consumer’s consent before doing anything with his or her data. For PSD2, Cambridge Blockchain can store a customer's entire transaction history and port it to another bank at the customer’s request.
The system could also benefit companies that need to borrow money and use other banking services. Rather than having to provide documentation to each bank, a business could become KYC verified by one bank and have that verification stored in a hash on the blockchain that could then be made available to other banks.
“The efficiency makes it easier for individuals and for companies to get the paperwork process done quickly,” Madhukar said. “And most importantly, the user data is in a safe place where it's not flipping around on the internet for everyone to access.”
“An oil company trying to borrow might have to provide documentation to every single bank to actually get them to process the loan,” he said. “But if I have a Cambridge blockchain relationship then I'd get the KYC from one bank and the documents and the KYC ratification on the blockchain using the hash and then make it available to other banks to ratify. And so the cost of doing business, both with me and for the banks, would be dramatically lower if we get this right.”
When PayPal, which has a large presence in Luxembourg and processes many European transactions through its institution there, invested in Cambridge Blockchain in April, “as investors we felt this was a validation of the Cambridge approach,” Madhukar said. “In the U.S. banking system and around the world, KYC costs are quite steep and every institution is looking for solutions that can offer a reliable way of getting the KYC process done at the lowest cost.”