We recently announced our new initiative to make Fractal ID a dataless KYC solution by the end of Q2 2025. In line with this approach, we will be introducing an entirely new way of handling user data as a web3 KYC verification provider. We believe that for our customers, and for the scores of companies that depend on KYC to participate in decentralized finance, this is the only path that allows us to mitigate the numerous risks of centrally stored user data.
Though there is no avoiding the regulatory necessity of accessible data, KYC providers like Fractal ID can be used in tandem with decentralized identity management solutions to enable ongoing access to user data, based on the user’s agreement. By decentralizing data storage, we can eliminate the honey pot that centralized databases present to hackers. This will drastically enhance security by reducing incentives for cyber attacks while remaining compliant. We see this as the first step in enabling users to have ultimate control over their information, with maximized safety.
Today, we are sharing an overview of how Fractal ID aims to delete all users’ personally identifiable information from centralized servers after verifying their data, or as we call it, becoming dataless. There are a number of factors to take into consideration to make this a reality:
- Customer service: Several processes regarding our identity verification services — such as checking for duplicate accounts and ongoing AML monitoring — depend on storing user data for a longer time period.
- Agreements with existing clients: Many of our existing clients rely on Fractal ID for data availability, even after the verification has taken place.
- Legal requirements to prove that the regulatory identification process has been conducted properly when audited (e.g. by a governmental or regulatory authority).
As it stands, Fractal ID’s identity verification process needs all user-provided data to be stored, so that it can be accessed when required, for instance to update a user’s verification status or perform additional checks linked to the same user, e.g. after one of the ID documents provided has expired, or the user has moved to a new country. It is our aim to delete as much user data as possible should a check not resolve within two weeks, or following a grace period of two weeks after a check has been resolved. This will enable quality assurance (QA) checks and user/client support during the critical early stages of identity verification. Once this two-week period is over, the data is deleted from centralized servers and put fully into the hands of the user. As for the data currently stored on our servers, we intend to start a process with our clients in the coming weeks to delete all that we can.
Radical data minimization across all services
Many of the core services that KYC verification providers offer — including deduplication, ongoing AML monitoring, quality assurance, and reusability — depend on some or all user data to be stored in perpetuity. In light of our plan to become dataless, we are reviewing every single service we provide and their associated processes to achieve the most radical data minimization effort possible, while maintaining high levels of service for our clients.
We have so far concluded that most user data can safely be deleted in most cases. This includes:
- Email addresses
- Phone numbers
- Wallet addresses
- Residential addresses
- ID document numbers and images
- Source of wealth data
- Institutional data
For a subset of users who signed up for clients that require continuous monitoring (AML checks), we will need to keep some data. Our plan is to enable the provisioning of these services in a decentralized setting. Until we have established a viable alternative, we will be keeping the following data for these users:
- Name
- Date of birth
- Nationality
In general, for all users, we will need to keep:
- Type of identity document (submitted during onboarding, not the actual document itself)
- Validity/expiration date of the identity document
to be able to inform clients when identity checks are no longer valid because users’ identity documents (e.g. their passport) expired.
Fractal ID services that require uncompromisingly broad data retention will be progressively discontinued. Other services are being updated to function within our dataless system. We will show a few examples below.
Ongoing AML checks
Many clients demand their users are AML-monitored continuously, beyond the initial AML check. Fractal ID works with specialized AML service providers like ComplyAdvantage to conduct these AML checks. While this doesn’t require us to keep any user data, having no information about the user means AML hits from the AML providers’ software must be taken at face value. This is problematic as there is a high number of hits that are false positives. We’re concerned that simply relaying these automatic AML hits to clients without performing due diligence by operators would put too many users at risk of seeing their accounts with our clients be unfairly terminated.
Our plan: keep this service alive, albeit with a reduced dataset that still allows for some diligence when reviewing these AML hits (name, date of birth, nationality).
Operational quality assurance
In order to continuously improve our identity verification processes, we frequently conduct quality assurance on past verifications.
Our plan: we will update our processes to work within the 2-week window mentioned above.
Reusability
When existing Fractal ID users are onboarding to a new application that uses Fractal ID for KYC, they don’t need to input their data again. They also have a good chance of being (sometimes automatically) approved without having to provide any additional data. These features are only possible because their data is kept in storage.
Our plan: KYC reusability is a very strong value proposition for both our clients and users. Reusing data that has been already provided and verified by a trusted party requires access to all that data, and we believe that going back to a system without reusability at its core is a step back for everyone involved. However, we believe that Fractal ID can leverage existing web3 identity solutions to still offer reusability to users without storing their data centrally, while allowing them to manage their personal data in a self-sovereign way.
Dataless KYC & Decentralized Identity Solutions
Just like the shift from physical to cloud storage raised objections from authorities, this will likely be a difficult path to forge. But, it is one we are committed to and believe in deeply. Ultimately, authorities are clear on the necessity of providing actual user data (not just attestations) when needed. However, just because this data needs to be available on demand, that does not mean we need to store it all centrally in one place.
The most common decentralized identity solutions in web3 are in the form of identity wallets and soul-bound tokens (SBTs). While these solutions have contributed to the development of decentralized identity, they have some caveats. The most glaring is that they’re not viable for compliant use cases where long-term access to KYC/AML data is a requirement, since these solutions host data on the user’s device, data is only available while the user is online, and it is deletable unilaterally by the user. Additionally, they require users to download and install additional software, which poses an added layer of difficulty.
In order to stay compliant, we believe the best approach is to keep user data encrypted and stored in decentralized storage networks that are controlled by users and available to regulators on an as-needed basis. Networks hosting the data should optimize nodes to use a consensus mechanism to ensure dataset harmonization and consistency and, since data is encrypted, it is not accessible even by node operators. While more work is needed in this space, there are several solutions working on decentralized storage of personal user data, such as idOS, Verida, Ceramic and IPFS.
The dataless strategy essentially means that Fractal ID can focus entirely on identity verification, with the data storage and access management capabilities being facilitated by a decentralized storage network, having users in control of their data.
Legal and contractual considerations
Under current legal standards, Fractal ID is legally obligated to store more data than we would like to. While the full extent of these requirements is currently undergoing legal discovery, we are confident that there are several positive steps that we can take today to move in the right direction.
Going forward, all new client agreements with Fractal ID will be done in accordance with this plan. However, we have agreements with existing clients where, as their processors, we are obliged to process data on their behalf, as well as provide a solution to access this data. We’re working with our existing clients to accelerate this transition as quickly as possible.
Next steps and data deletion roadmap
Deleting all user data from our servers is not an easy feat, but it is a step we are committed to take. We are happy to have Anna Bikmetova, our former COO, step up as Managing Director of Fractal ID to make sure that we deliver on this vision and implement top-notch security practices. Together with Resonance and new members who will join our engineering and operations team very soon, we will be working with our existing clients and partners to achieve this goal by the end of Q2 2025.
This quarter (Q3 2024) we will perform the first big deletion. This means identifying all data we’re no longer required to keep with the implementation of this new strategy and scrubbing it from our systems.
In Q4 2024, we will update all our systems to work with radically diminished datasets. We will also complete the legal discovery process and, if needed, build cold storage capabilities.
By H1 2025, we will be testing the new system version with existing clients, helping users save their Fractal ID data before we delete it from our centralized server, and then enabling the automated data deletion process.
We are confident that becoming dataless is the right approach to allowing our KYC customers to achieve regulatory compliance while ensuring the security of their users’ data. This is the first step that will allow our industry to move towards a system that unites dataless KYC verification with decentralized identity management solutions.
Fractal ID