Verifiable Credentials for KYC Portability: Reusable Attestations Without Sharing Everything

On March 24, 2026, Indicio launched Proven AI for KYC, extending its platform to let banks and digital asset providers cryptographically authenticate customers using verifiable credentials held in digital wallets rather than document scans and database lookups. The launch followed a March 19 partnership between Indicio and IDEMIA Public Security to build globally interoperable identity verification for financial services, banking, DeFi, and cross-border payments. For a compliance officer, these announcements signal that the infrastructure for portable KYC is moving from specification to production deployment. The workflow it enables is straightforward in concept and structurally different from the legacy process.

The Legacy Workflow and Where It Breaks

In the current model, a customer completes KYC at a bank: government ID upload, facial recognition, address verification, sanctions screening. The bank stores all data in its own systems. When the same customer opens a brokerage account at a subsidiary, they repeat the process. A different institution for a mortgage means repeating again. Each verification is independent, each institution stores its own copy, and each copy becomes a breach target.

The cost is substantial. Companies spend an average of 60 million dollars annually on KYC compliance. The World Bank estimates reusable verifiable credentials reduce onboarding costs by 30 to 50 percent. In 2026, generative AI makes document forgery and biometric spoofing cheap and fast, increasing the cost of each independent verification cycle.

The Verifiable Credential Workflow

The new workflow has three actors: issuer, holder, and verifier. The issuer performs the original identity verification — checks a government ID, validates biometrics, confirms against sanctions lists. Once verified, the issuer creates a verifiable credential: a cryptographically signed data object containing the verified attributes, stored in the customer's digital wallet rather than the issuer's database.

When the holder opens an account at a new institution (the verifier), they present the credential from their wallet. The verifier checks the cryptographic signature against the issuer's public key to confirm the data has not been altered. A real-time liveness check confirms the person matches the biometric bound to it. If both pass, the customer is onboarded without repeating document upload or identity proofing.

The critical property is selective disclosure. The customer can prove they passed KYC at a regulated institution without revealing their full identity document or date of birth unless specifically required. Zero-knowledge proofs can confirm a wallet holder is sanctions-cleared without exposing personal data.

Control Points and Compliance Enforcement

Three control points govern the workflow. First, issuance: only institutions that meet defined trust frameworks (ISO 18013-5 for mobile documents, W3C Verifiable Credentials Data Model, EU Digital Identity specifications) can issue credentials that verifiers will accept. The issuer's reputation is the trust anchor. Second, presentation: the holder must consent to share each credential, and selective disclosure limits what is revealed. Third, verification: the verifier checks the cryptographic signature, the credential's revocation status, and the liveness match independently.

For regulatory compliance, the U.S. Treasury's Request for Comment under Section 9 of the GENIUS Act, signed into law in July 2025, explicitly named digital identity verification as one of four priority technology areas for detecting illicit activity in digital assets. The regulatory direction in 2026 is that compliance obligations follow the financial activity, not the technology architecture. Regulators are requiring AML controls wherever value moves, including through DeFi front ends, bridges, and stablecoin issuers.

What AI Can Automate Today

AI agents can now perform credential verification cryptographically rather than through document review. Indicio's Proven AI for KYC gives AI agents an instant, cryptographic method to authenticate customers with assurance equivalent to an in-branch identity check. The verification is based on cryptographic proof rather than visual inference, providing structural defense against deepfakes. AI can also automate sanctions rescreening by checking credentials against updated lists without requiring the customer to re-engage. What still requires human sign-off: credential revocation decisions, enhanced due diligence for high-risk profiles, and dispute resolution when a credential is rejected.

What Is Improving and What Remains

The constructive signals are accelerating. IDEMIA Public Security partnered with Indicio, Proof, and Trinsic within a single month, building issuer-side infrastructure across six continents. The EU will issue Digital Identity Wallets to all citizens and businesses by end of 2026. NIST published a draft practice guide for financial institutions accepting mobile driver's licenses.

The biggest adoption blocker is not technology but the network effect: a credential is only useful if verifiers accept it, and verifiers only accept credentials if enough issuers produce them. The smallest change that would unlock adoption is a single major banking consortium agreeing to accept each other's KYC credentials, creating a closed-loop trust network that demonstrates cost reduction before requiring open interoperability. A skeptical CFO would ask whether the liability model is clear: if a verifier relies on a credential fraudulently obtained at another institution, who bears the loss? That question remains unanswered in most jurisdictions and is the residual risk that will determine adoption speed.

For informational purposes only. Not an offer to buy or sell any security. Available only to accredited investors who meet regulatory requirements.

‍