KYC and Digital Identity Ownership with KYC-Chain’s CEO

A transcript of key takeaways from our fireside chat with Edmund Lowell

Published in

Cardstack

12 min readJun 2, 2022

Introduction (0:00)

Chris Tse: Hello Cardstack community. My name is Chris Tse. I’m the founding director of the Cardstack Project, coming to you from the land of the Web3. Today, I’m joined by Edmund Lowell, the CEO of KYC-Chain and the advisor of the SelfKey Foundation, to talk about KYC and how you can know your customer in the land of crypto, blockchain, trading, and virtual assets. Welcome.

Edmund Lowell: Thanks for having me. Great to be here.

Chris Tse: It’s really interesting to see a juncture where a lot of excitement is happening in the decentralized space where everybody is just an anonymous address. On the other hand, as we intersect with the institutional world, in the real world with banks and money, there is an increased concern to figure out who you’re actually dealing with.

Who is this Bored Ape? Who is this person? Who is this string of numbers? Unlocking that value creates an opportunity to replace some of the activity we’re doing in the real world with something that actually uses new technology in Web3. One way to do that is through the KYC (Know Your Customer) process. That’s why we are so glad to have Edmund join us to shed some light on the current frontier of that particular work. Can you tell me a little bit about your role in both KYC-Chain and the SelfKey Foundation? What got you excited about this particular sector and specifically about the services around KYC?

Can you tell me about your role in KYC? (1:12)

Edmund Lowell: I’ve been involved with KYC for my entire professional career. I have a company called Flag Theory, started back in 2011, and we help people set up and maintain corporations and obtain bank accounts. We’re always processing KYC. It was always challenging for us, our customers, and for the banks who were our partners in this process. Around 2015, I authored a white paper that hypothesized that we could use blockchain to solve some of these issues of identity on the Internet by using the private-public key pairs and tracking via the immutable nature of the blockchain.

In 2016, I started a company called KYC-Chain where I’m the founder and CEO, and then a few years later, we spun out our consumer wallet. It’s an identity wallet that’s facing the customer, so basically a self-custody wallet that stores not only your crypto but also your identity. Now at KYC-Chain, I am really focused more on the higher-level vision. Where are we going next? That kind of thing. And it’s the same thing with SelfKey. I really am focused on product and, precisely, what products we plan to build one to five years from now. We think about what’s coming and how the regulatory landscape is evolving. How can we fit into that and add value to our customers? Product, that’s really where I like to live.

What is the main demand and tension you’re trying to solve with the toolset? (2:59)

Chris Tse: Product is where a lot of these ideas and concepts that we talk about become concrete. Obviously, in the KYC field there are really two sides: There is the business, or in some cases, the institution trying to understand this person who walked in or this person who logged in, trying to understand who they are. The other aspect of KYC is the customers knowing themselves and being able to present their identity. Are you focusing more on the institutional kind of customers in their needs for compliance? On the institutional side, what is the main kind of demand and tension that you’re trying to resolve with the toolset that you provide?

Edmund Lowell: SelfKey is very much focused on making it possible for the individual to share a complete picture of themselves. Where else do they have an account? Are they a good actor? How long have they been a good actor? You’re right, they do have a different set of needs and demands as the end customers applying for an account. On the other hand, the institution has a very different set of requirements. Oftentimes, they need to comply with local regulation, and they have a very rigorous set of documentation that they need to obtain before onboarding that client. That’s one aspect of how we’re helping institutions — just collecting all that data.

But then beyond the collection of data, it’s really the vetting of that information: making sure that it’s not on the sanctions list, doing elements of risk scoring to compare other types of clients. Is this high-risk? Is this low-risk? Because if you are approaching the situation with a risk-driven approach (which most institutions are in 2022), then you’d want to collect additional due diligence if that customer appears to be high-risk.

What KYC-Chain is about is collecting, vetting, and disseminating that information, and to enable a team to do that in a workflow. We connect to different external data sources like, say, a company’s registry in 120 different countries to enable that company to more easily pass that data to the institution. Then we make it easier for the institution to be able to vet that data. Now you can imagine how that fits into a SelfKey. If you’ve already gone through a KYC process, it’s as simple as one click to share that information. But beyond that, we can start using things like credentials and cryptographic proof to prove with some level of immutability that we have onboarded with this particular institution in the past, and they’ve signed off on our data. That really doesn’t exist in the world yet. As crazy as that sounds in 2022, we don’t really have that. But blockchain gives us that capability.

Composable elements of self-sovereign identity (12:10)

Chris Tse: It’s brilliant, especially if the sybil resistance aspect allows for the whitelisting of drops or permissions to be a criteria. Say you want to get in, but nobody wants to distribute valuable assets — NFTs or otherwise — to bots and mercenaries. So, if this becomes a requirement, then that would drive another type of prerequisite. Many people don’t even bother doing anything extra for compliance in regular paper and pencil kind of ways unless they have to: To do this, you must first go to the DMV, where they book an appointment and spend half an afternoon in a drabby office trying to push one piece of paper with one stamp. The process is rough but your life is better after it. I think it’s cool to look at this as composable elements, where it’s kind of a prerequisite — like many KYC processes in the real world are — for something fun and exciting.

Edmund Lowell: In this way, you actually own and control that identity as opposed to Facebook, which does have great products and services, but also a very centralized, top-down approach. Facebook has had lots of hacks in the past, and they’ve lost a lot of customers’ data. They’ve also potentially misused that data, according to global regulators, at certain times and they have received major fines. That whole ecosystem of Web2 is really about these large companies collecting and harvesting user data and selling ads, so that you effectively are the product. The product is free, but you are the product. Web3 is really a dramatic shift. Many people like to make fun of Web3. It’s kind of in vogue now to say, “I don’t know what Web3 is” or “I don’t know what the metaverse is,” and that’s fair. I don’t know if anyone can really claim to know that, just like we didn’t know what the Internet was in 1990.

Chris Tse: There were a lot of journalists saying, “what is this Internet thing?” But the truth is, it didn’t age well because people were asking real questions and saying: “I’m sure a lot of these things are fluff. A lot of these things may not have legs, but let me understand it better.” Education and learning is really what it’s all about. Education is the opportunity to learn the context and the material. I think some people are starting to say, “I don’t know about Web3,” but then they go watch YouTube videos and read white papers and see that there is certainly some truth in this new space. It doesn’t make sense for us to do all the things that we did before.

How do you teach people the subtle differences in KYC? (19:35)

Chris Tse: There’s a lot of talk about people using NFTs to represent credentials or identity. Obviously, the transferability of NFTs and the tradeability don’t completely align, and there are working groups like W3C working on verifiable credentials. Very few people know about the verifiable credentials work from Manu Sporny at the W3C and within the NFT space in general. How do you teach people the subtle differences between these different ways of encapsulating this information? And how do we make it as conventional and colloquial as making a TikTok video? How do we get people to understand this?

Edmund Lowell: This is how we’re kind of pitching it: you would have a DID. That’s your decentralized identifier under W3C. That would be sort of like this meta-proof. That would be kind of like your avatar in the metaverse or in an online space. And then you could have NFTs that you could layer on top of it that had certain elements of your identity attached. I don’t think that an NFT is suitable as a base layer, but let’s just say I’m Edmund, I have a DID. I’ve proven myself to be a real person, and I have an identity attribute that says that I’m a product manager. I took a product management course. I passed the course, and now I have that identity attribute. That could be an NFT, and it could maybe even be locked to that specific DID.

I think NFTs are way too in vogue. They’ve been around for many years, and I don’t think that they do anything all that special. Just personally, I’m a little bearish on NFTs. I think that they will be there, as fundamentally the technology seems to work, but there are also bad implementations of NFTs. You have NFTs that are pointing toward a server that has an image and it’s not decentralized at all; and then you have NFTs that get rugged or the image on the server gets changed and it’s not the same thing. I think NFTs should be composable purely from the code that’s on-chain. That alone makes them much more viable as a tool in blockchain. Once decentralized storage comes along in a bigger way than it is now — decentralized storage is still an unsolved problem. There are some attempts, but I haven’t seen anything that’s anywhere near AWS in the decentralized storage space.

Once you start to see some of these things evolve and once you see, say, verifiable credentials get more traction, then NFTs for everything will maybe fall a little bit by the wayside. NFTs will still be around. You’ll still have Cryptopunks and certain NFT collections, but I think that they’ll maybe be less relevant than people think that they’re going to be in the metaverse. There are other ways to represent identity in particular that are much more effective. Verifiable credentials are way more effective than an NFT contract. The NFT contract is made for a specific purpose and verifiable credentials are a much more generalized use case for identity than NFTs are.

Chris Tse: I’ve heard thought leaders on CNBC talk about NFTs and they say, “NFTs are going to represent titles and stuff like that, and that’s a good use case.” And it’s like, “ehh that’s not really the right use case — it’s adjacent to it.” It’s best to think about NFTs as special-edition credit card backgrounds. Your credit card number is your DID, and if you want this to be green and purple or you want a limited-edition rose gold, then you get an NFT. That makes sense as a decoration, as an enhancement. You can show that at the door and people are impressed by the gold color and pretty texture.

We use DID in our system. We have a smart contract wallet based on Gnosis Safe technology. But for all the user data that we select, we have a DID that links that particular smart contract address to a DID that allows us to do more decorations and refinement on-chain/off-chain. I’ve spoken to the Arweave team and the IPFS FileCoin team. That technology is coming and it’s always one step before it can really be as reliable as an S3 bucket, the Amazon storage service that most developers in Web2 use.

Clash between private and public identities (24:03)

Chris Tse: There’s a certain culture in cryptocurrency — maybe it’s because of Satoshi Nakamoto’s idea of pseudonymity and the idea that every Bitcoin address changes — that there’s a default that’s pseudonymous. How do you think that culture, coming from that origin story of Bitcoin and, in some cases, Ethereum, affects people’s willingness to link all their identities to one thing, e.g. people linking them with DNS names? Do you think there will be a resistance or do you think that, as more people come from Web2 and Web1 into blockchain and Web3, they’re going to demand the thing they know, which is account sign-on and recovery? What’s your sense of this clash of two bodies of water?

Edmund Lowell: I think that there will always be both. I think you’ll always have a private / public key pair as a base layer. That’s a beautiful thing that will never go away, in my opinion. I think it’s great that it won’t go away. On the other hand, if you want to have, say, an offramp and you want to cash out from crypto into fiat, you’re going to need to prove your identity. That’s just the world that we’re currently in and we’re entering it even more. I don’t think that there is going to be an escape from that or a way around it. That being said, there’s probably always going to be mixers, there’s probably always going to be die-hard libertarians, and there’s probably always going to be governments that want to know who this person is. And for various reasons and laws and regulations, that person needs to be identified. I think that it’ll just be a confluence of both now and in the future.

What’s something that will serve as a breakthrough for this technology? (25:54)

Chris Tse: What do you think is the breakthrough that we need that we don’t have yet to actually make this as good and as popular as something that people would use in their wallet? Whether it’s Apple Wallet, Apple Pay, or Google Pay — there are certain technologies that just kind of become really good. And that’s usually because the camera got good enough or the GPS got good enough to where you can do an Uber. Is there a technology underpinning this whole idea of self-sovereign identity that you believe is missing?

Edmund Lowell: I don’t think that the technology’s missing. In many ways, we have the technology, and it’s here. What’s missing is the adoption. The adoption is missing because the exchanges and the virtual asset service providers haven’t placed a priority on self-sovereign identity. But on the same hand, there haven’t always been these credentials available. In 2017, W3C wasn’t working on verifiable credentials. They have been for some time, and now there are many different companies that are starting to adopt it. I always ask the question, “who are your competitors in the space and do you feel threatened by them?” It’s really a space where we need a rising tide to lift all the boats, and I don’t see other companies that are building with verifiable credentials as competitors at all, because they are designed to be interoperable. They’re designed to move cross-platform and cross-blockchain in many cases. That’s a beautiful thing. That is where the customer will win, where the end user will win. As we start to see more adoption and as we start to see the user demanding this from different services — a VASP, an exchange, maybe someday their bank — we’ll start to see adoption snowball. From a technology standpoint, there’s not anything that’s missing. We don’t need flying cars to enable DIDs. We have that technology here today. We don’t need quantum computing to have a major breakthrough here. I think most of the technology is already there. It’s just a matter of real-world adoption, and a lot of that is already happening, especially with these much larger companies coming into the space.

To get all our latest updates, sign up for our newsletter on cardstack.com, star Cardstack on GitHub, and join our Discord channel or our Telegram group and announcement channel.