Every time you open a brokerage account, you perform a ritual. You photograph your driver's license. You type your Social Security number into a form. You wait while compliance automation runs, or worse, while a team at a financial institution you've never met reviews your documents, cross-references them against databases, and eventually decides you are who you say you are. Then you do it again for the next account. And the next. And when one of those institutions suffers a data breach eighteen months later, your information, the same information you've now handed to a dozen different companies, ends up on a dark web marketplace.
I spent years at AngelList overseeing compliance processes at scale. We onboarded thousands of investors into venture funds and SPVs annually, and every single one of them went through KYC. Many of them had been verified by three, four, five other institutions that same year. The redundancy wasn't just annoying for customers. It was a systemic failure masquerading as diligence.
The Cost of Doing It Wrong
The numbers are staggering. Financial institutions spend an average of $60 million per year on KYC compliance, with some large banks exceeding $500 million. The per-client cost of a single KYC review runs between $1,500 and $3,000. Globally, financial crime compliance spending is projected to hit $274.1 billion, an increase of $60 billion in just two years. We are pouring enormous resources into a system that, by its own metrics, is failing.
Consider what happens on the customer side. Industry data shows that between 50 and 70 percent of prospective clients abandon onboarding during KYC. They simply walk away. For the venture ecosystem, where fund managers are trying to close capital commitments on tight timelines, holdups waiting on investor identity verification documents can be paralyzing. Every investor who gives up during onboarding is capital that never reaches the startups that need it.
But the real indictment isn't cost or friction. It's effectiveness. Roughly 70 percent of financial fraud across the industry occurs after initial KYC completion. The verification happened, the boxes got checked, and the fraud happened anyway. Meanwhile, AML alert systems at large institutions generate false positives at rates approaching 95 percent, burying compliance teams in noise while actual bad actors slip through. In 2024, consumers lost $12.5 billion to fraud, a 25 percent increase from the prior year. In that same year, AML penalties topped $4.3 billion. TD Bank alone accounted for $3 billion of that figure. The system is expensive for institutions, miserable for customers, and apparently ineffective at its stated purpose.
Why Repetition Is the Problem
The fundamental design flaw is that identity verification is treated as a point-in-time event rather than a persistent credential. When I verify my identity with Institution A, that verification has no portability. Institution B starts from scratch. Institution C does the same. Each verification creates a new copy of my sensitive data sitting in a new database with a new attack surface.
This architecture made sense in a world of paper documents and filing cabinets. It makes no sense in a world with public-key cryptography. We have the technology to let an individual prove their identity once, receive a cryptographic attestation, and present that attestation to any subsequent institution, without revealing the underlying data.
That is what blockchain-based identity passports offer. Not cryptocurrency speculation. Just a simple, practical application of existing cryptographic tools to a problem that costs hundreds of billions of dollars and protects almost nobody.
How It Would Work
The concept is straightforward. An investor completes KYC with a qualified verifier — a bank, a regulated fintech, or a dedicated identity provider. That verifier issues a cryptographic credential tied to a decentralized identifier, or DID, that the investor controls. The credential attests that the verification occurred, what it covered, and when it expires. When the investor opens an account at a new institution, they present the credential. The institution can cryptographically verify its authenticity without ever touching the underlying documents. No new copies of the passport. No new database to breach. No three-week review cycle.
Zero-knowledge proofs make this even more powerful. An investor can prove they are over 18, or that they meet accredited investor thresholds, without revealing their date of birth or net worth. The institution gets the assurance it needs. The investor keeps control of their data. The compliance obligation is satisfied with higher confidence and lower cost than the current approach.
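The issue-then-present flow described in the two paragraphs above, as an added example in Go that is not part of the original article: a verifier signs a credential over salted hashes of the investor's claims with the standard library's Ed25519, and a later institution checks the issuer against a trust registry, the signature and the expiry, then only the single claim the investor chooses to disclose. The salted-hash selective disclosure stands in for the zero-knowledge proof the text describes (it hides undisclosed claims but is not a ZKP); the DIDs, claim names and trust registry are assumed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, simplified stand-in for a verifiable credential: the
// issuer signs salted hashes of claims, so the holder can disclose one claim later.
type Credential struct {
	Issuer  string            `json:"issuer"`  // issuer DID
	Subject string            `json:"subject"` // holder DID
	Expires int64             `json:"expires"` // unix time the attestation lapses
	Digests map[string]string `json:"digests"` // claim name -> sha256(salt|value)
}

// Digest commits to a claim value; the salt is kept by the holder, not the issuer.
func Digest(salt, value string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(salt+"|"+value)))
}

// Issue signs the canonical JSON form (struct field order, sorted map keys).
func Issue(priv ed25519.PrivateKey, cred Credential) []byte {
	body, _ := json.Marshal(cred)
	return ed25519.Sign(priv, body)
}

// Verify checks issuer trust, signature and expiry, then only the claims the
// holder chose to disclose ([salt, value]) against their signed digests.
func Verify(trusted map[string]ed25519.PublicKey, cred Credential, sig []byte,
	disclosed map[string][2]string, now int64) error {
	body, _ := json.Marshal(cred)
	pub, ok := trusted[cred.Issuer]
	switch {
	case !ok:
		return fmt.Errorf("issuer %q not in trust registry", cred.Issuer)
	case !ed25519.Verify(pub, body, sig):
		return fmt.Errorf("signature invalid")
	case now >= cred.Expires:
		return fmt.Errorf("credential expired")
	}
	for name, sv := range disclosed {
		if cred.Digests[name] != Digest(sv[0], sv[1]) {
			return fmt.Errorf("claim %q does not match credential", name)
		}
	}
	return nil
}
```

A full presentation would also have the holder sign a verifier-supplied challenge with the DID's key to prove control of the credential, and the verifier would consult the issuer's revocation list; both steps are omitted here.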
The Regulatory Path Is Narrower Than You Think
Here is the part that surprises people: implementing this does not necessarily require new legislation. It requires four targeted regulatory adjustments, all of which could be accomplished through FinCEN interpretive guidance.
First, a CIP Rule amendment recognizing decentralized identifiers as a valid form of identity documentation under 31 CFR 1020.220. The Customer Identification Program rules already allow financial institutions flexibility in determining acceptable identification. Extending that flexibility to cryptographically verifiable credentials is a natural interpretation, not a radical departure.
Second, an enhanced reliance framework. The BSA already permits financial institutions to rely on another institution's KYC under certain conditions. A formal framework for reliance on cryptographic credentials would reduce the legal ambiguity that currently prevents institutions from accepting portable identity.
Third, a safe harbor provision for institutions that accept verified digital credentials in good faith. Compliance officers are conservative by training and incentive. Without explicit protection from regulatory second-guessing, no institution will adopt a new verification method, no matter how technically superior. A safe harbor removes that barrier.
Fourth, a privacy clarification confirming that zero-knowledge proofs satisfy the verification requirements of the BSA without requiring disclosure of the underlying data. The regulation requires that institutions verify identity. It does not, properly read, require that they possess copies of identity documents. But regulatory practice has conflated verification with possession, and a clarification would untangle that.
The Stakes Are Practical, Not Ideological
I am not making the case for de-regulation. Identity verification serves a legitimate purpose, and financial institutions have real obligations to prevent money laundering and terrorist financing. I am arguing that the current implementation of those obligations is so poorly designed that it undermines the goals it was built to serve and poses a growing security risk to individuals' PII.
A system that costs $274 billion, loses 50 to 70 percent of legitimate customers during onboarding, catches fraud only 30 percent of the time, and generates 95 percent false positives in its alert systems is not a system that is working. It is a system that has optimized for the appearance of compliance at the expense of actual security.
Portable, cryptographic identity would reduce costs for institutions, reduce friction for investors, reduce the attack surface for data breaches, and by enabling continuous, real-time verification rather than point-in-time checks would actually improve the detection of fraud and illicit finance. The technology exists. The regulatory path is clear. What remains is the institutional will to stop doing the same broken thing and start building identity infrastructure that works.