Using security by design for crypto KYC implementation

How to use identity verification as part of a security by design strategy

One of the biggest barriers to faster adoption of online alternative financial services is continued consumer skepticism about security. When 6,000 customer accounts were compromised by hackers exploiting a vulnerability in a popular crypto platform’s two-factor authentication system, the damage to customer confidence was irreparable. Whether through SIM swaps, smishing or phishing, social engineering attacks pose an existential challenge to companies operating in these industries. This gives crypto, DeFi, and other FinTech companies an opportunity to differentiate themselves by demonstrating security.

Preventing such security breaches requires examining these risks within the context of an enterprise risk management framework. By reframing end-user susceptibility as a risk that can be mitigated through collaborative problem solving, different departments are encouraged to adopt a security mindset that helps secure users’ accounts, funds, and ultimately the business. With the organization on board, CISOs and IT risk managers can use identity verification services to turn a KYC and AML compliance requirement into both a security tool and a customer experience strategy.

Folding KYC for crypto into a security strategy

Currently, many companies require users to hand over personally identifiable information (PII) during client onboarding, which is then stored in internal databases. This data is costly to secure, and the damage from losing it is severe. A 2021 study by GIACT found that nearly half of US consumers (47%) experienced identity theft, 38% experienced account takeovers (ATOs), and over half (53%) of ATO victims switched banks or financial service entities.

Identity verification services help businesses separate customers’ PII from their accounts, minimizing the damage of compromised accounts. Going a step further and requiring users to verify their identity via biometrics before logging in, accessing new resources and conducting transactions drastically reduces the risk of unauthorized parties being able to access and modify accounts. Strategically using all the features that modern-day KYC service providers offer will help you introduce more secure practices for both customers and your team.

Looking at identity verification services through security by design principles

Principle of least privilege

Using a third-party identity verification provider helps fulfill the principle of least privilege for your company, your colleagues, and your customers. Your company has less access to your customers’ PII, but can still meet KYC/AML requirements. Removing the customer’s PII from your internal database protects users’ privacy by restricting access to authorized team members, such as the fraud prevention team. From the customer side, users are not immediately granted access to every action, but need to prove who they are to gain privileged access to make critical changes, such as changing their contact information.

Principle of failing securely

If your systems become compromised, your customers’ PII will still be secured with the third-party provider. Only employees who your company has already authorized to access personal customer data on the identity verification platform will be able to access it.

Principle of separation of duties

Working with an identity verification provider means outsourcing the identity verification layer. This allows for a clear separation between account information and the processing of PII.

Principle of economy of mechanism

Introducing third-party identity verification services, like Passbase, enables teams to set up a comprehensive identity verification system without the complexity and risks of creating a complete KYC compliance stack, from document data extraction to database checks. With developer SDKs, webhooks or an API endpoint, companies can benefit from a simple, single-point alternative that results in fewer implementation errors.

Open design

Security should not come from obscurity. Choosing between third-party solutions allows you to learn and apply industry best practices. This includes security features such as liveness detection and orchestration features, such as non-technical teams using the dashboard to update and customize verifications. For customers, an intuitive and standardized identity verification flow lets them move quickly through a process they are most likely already familiar with, reducing drop-off points for conversion.

Psychological acceptability

Ease of use is critical to the adoption of new technology. Your identity verification solution will only be implemented if it is easy for the engineering team to integrate and effective for compliance and fraud teams. A single source of truth (for example, Passbase’s Identity Auditor) lets fraud teams review verifications and documents and immediately add AML checks or trigger new verifications, making it easier for them to do their job effectively.

Defense in depth

By working with a trusted identity verification provider, you can focus on monitoring and adding effective response systems rather than devoting all your energy to hardening your defenses. This allows you to detect attacks sooner and respond faster. Once you have done your due diligence on a provider and integrated its identity verification, you also gain its security features, such as encryption of your customers’ data.

Companies now have a choice between providers that empower technical and non-technical teams alike to meet compliance and security needs. When choosing which solution is best suited for your company, it’s important to map out your risks, prepare your own vendor security assessment questionnaire and make sure that the vendor is compliant with data regulations (such as GDPR or CCPA). As crypto and FinTech services continue to build a compelling alternative to traditional finance, they must be able to provide their users with security mechanisms that protect their identity and funds.

Passbase provides a convenient way for businesses in FinTech, crypto, or any new digital economy to perform KYC checks through identity verification. You can integrate Passbase into your platform via the Passbase API or with SDKs for iOS, Android, and web.

To see how identity verification can work for your business today, try Passbase today or book a demo.


Passbase © 2023


Passbase is an identity verification solution that makes facial recognition, liveness detection, ID verification and KYC and AML compliance accessible through a suite of flexible developer tools. A zero-knowledge architecture ensures that companies using Passbase can securely verify users from over 190 countries without having to store their data. Built for developers, it can be integrated with just a few lines of code on iOS, Android, and Web.