On the Trail of Digital ID: Vast Potential and Open Questions

Written by Anisha Sircar | January 30, 2026

KYC – Know Your Customer – is fundamental both to the provision of financial services and to the industry’s regulatory compliance. Still unresolved, even after decades of technological advances that have streamlined so many of those processes and produced increasingly fast and frictionless payment systems, is how best to verify individual identities.

It is one thing to carry out background due-diligence before onboarding a customer, or to authorize a bespoke, high-value wire transfer in a controlled corporate setting. It is quite another to reliably authenticate parties to retail electronic transactions in real time.

Biometric methods – from fingerprints to facial recognition to iris scans – are considered a significant step up from passwords, even when the latter are reinforced with additional multifactor authentication (MFA) layers. Yet there are continuing debates among technologists, and questions about public acceptance of potentially intrusive biometrics, while AI agents, deepfakes and decentralized finance raise new risk concerns.

Surveys by client lifecycle management company Fenergo have shown financial firms to be spending 10% to 50% of their compliance budgets on KYC, and the biggest firms assigning up to 3,000 full-time-equivalent employees to those tasks.

A Federal Reserve Bank of Atlanta Payments Forum paper indicates how great the leap would be to extend stringent identity verification to the general population: 29 million U.S. citizens lack a current driver’s license, and another 7 million do not have any government-issued photo ID. “The common approach of requiring one or more forms of identification for opening an account can be a challenge to vulnerable populations,” the authors note.

Some 14% of U.S. households (19 million) were characterized as underbanked in a 2023 Federal Deposit Insurance Corp. report, while 4.2% (5.6 million) had no bank or credit union account. Financial inclusion issues are writ larger on a global scale: Some billions of unbanked and underbanked people could presumably be brought into the mainstream with digital ID and other infrastructure.

“By leveraging digital technologies, fintech solutions can provide a sustainable means for unbanked and underserved populations to contribute to the global economy,” said a 2024 article published by the World Economic Forum. “This transformative promise is becoming a reality as innovative solutions break down barriers and drive financial inclusion at an unprecedented scale.”

Source: World Bank.

“The rapid growth of digital payments, driven by technological advancements and a digitally dependent economy, has significantly enhanced financial access for consumers and businesses,” says the Atlanta Fed paper. “However, some consumer segments may be distrustful initially of the technology and face barriers relating to stringent identity verification requirements.”

Risks in Centralization

Today’s digital ID landscape is dominated by centralized and federated systems managed by governments, financial institutions or other third parties.

India’s Aadhaar is the world’s largest biometric digital identity system. Launched in 2009 and overseen by the Unique Identification Authority of India (UIDAI), Aadhaar has enrolled more than 1.3 billion residents, issuing each a unique 12-digit ID number. Identification is based on a combination of demographic data (name, address, date of birth) and biometric identifiers, including fingerprints and iris scans. Authentication can be performed online, in real time, through biometric matching or one-time passwords linked to a registered mobile number, enabling services such as e-KYC, payments, and welfare transfers.

Centralized models give some digitization advocates pause.

In a blog post last August, Coinbase chief legal officer Paul Grewal argued that KYC and anti-money laundering requirements stemming from the Bank Secrecy Act of 1970 are in dire need of reform and can be fixed with technology.

The mandated collection of vast amounts of customer data annoys those subjected to KYC vetting and in the process creates “honeypots for criminals,” Grewal wrote. “We now have blockchain and AI technology to modernize our financial systems and bring innumerable benefits to consumers in a privacy-compliant manner. We just need our laws to allow us to unlock their potential.”

Grewal sees “a better and safer option” in zero-knowledge proofs (ZKPs), a cryptographic tool that, in an identity context, can provide verification without revealing information beyond what is absolutely necessary. Once information is established with a ZKP provider, it can be used “going forward without having to disclose superfluous information to additional parties . . .

“In financial cases, you could open a new account with a company like Coinbase without sharing decades of personal data, instead using ZKPs to prove you are not on any sanctions lists, you’re not a minor, etc. And if law enforcement wanted detailed information on the customer, they would be able to subpoena the company that issued the ZKP.”

“Empowering the User”

“A decentralized digital identity, or ‘passportable ID,’ can be issued once, and it enables multiple entities to attest and verify an individual’s identity credentials, while empowering the user to control their personal data,” explains a comment letter from Andreessen Horowitz (a16z) to the U.S. Treasury Department. “Importantly, using blockchains and cryptographic techniques, such as ZKPs, users also determine how much of their personal information they are comfortable sharing with others, as well as with whom that information is shared.”

The venture capital firm is investing in new-breed “privacy preserving” technologies: “As artificial intelligence advances, challenges such as deepfakes and digital fraud will proliferate, making it imperative to develop digital identity solutions that are able to verify that an individual is human and, in fact, who they claim to be.”

The letter – signed by Miles Jennings, head of policy and general counsel, a16z crypto; Michele R. Korver, a16z crypto head of regulatory (formerly of Treasury’s Financial Crimes Enforcement Network); and a16z chief legal officer Jai Ramaswamy – singled out two portfolio investments: Digital-credential lifecycle innovator Spruce Systems; and World, originally Worldcoin and co-founded by OpenAI’s Sam Altman, whose biometric Orb scanners and credentials are designed to establish “that an individual is both human and unique.”

Although exactitude may be appealing, there may be yet new risk vectors to consider: the reliability of credential issuance, the potential for cryptographic compromise, and over-dependence on AI without humans in the loop.

Defining the Mission

The a16z commenters summed up the perceived drawbacks in centralized/federated approaches: Because they require intermediaries, “the systems themselves are less resilient, subject to cyberattacks and other intrusions at their weakest point of entry. Those intermediaries sometimes also conduct rent-seeking on their users, making consumers dependent upon them in exchange for providing such basic – albeit critical – services as proof of identity. And finally, for the same reasons that central bank digital currencies are problematic, centralized/federated digital identity solutions risk the privacy and autonomy of their users.”

Just as those experts concede that centralized/federated is currently more pervasive, Vikas Kanungo, an AI and digital transformation strategist and advisor to the World Bank, sees in large-scale entities the hazard of “function creep” beyond their original purpose, as well as a lack of user control that complicates consent and liability.

“When a system scales rapidly, different agencies often find new uses for identity data, sometimes beyond what citizens originally consented to,” Kanungo says.

Digital public infrastructure (DPI) like India’s demonstrates the power as well as the perils of such ecosystems.

With Aadhaar, bank accounts, and mobile connectivity serving as a backbone for Direct Benefit Transfers, e-KYC, social protection, and financial inclusion, the model is particularly resonant for countries looking to leapfrog legacy systems, Kanungo states.

Identifying Payback

“India’s DPI journey is often admired not because of one platform,” says Kanungo, “but because of how multiple layers – identity, payments, data exchange, and sectoral stacks – work together in a coherent architecture.”

According to an Atlantic Council report, “A Three-Billion-Person Challenge: An Untapped Global Market for Financial Services”, DPI has been endorsed by the G20 since India’s presidency in 2023. Ninety-seven countries have DPI-like digital payments, 64 have digital IDs, and 103 have consent-based data exchange – “together reducing costs and increasing trust.”

Authored by Atlantic Council GeoEconomics Center nonresident senior fellow Ruth Goodwin-Groen, who was founding managing director of the UN-hosted Better Than Cash Alliance, the report gave “two main reasons a digital ID can accelerate access to financial services for those with some kind of existing financial account: increasing affordability and the reduction of fraud.”

Reliable identity verification “means that electronic Know Your Customer (e-KYC) or Customer Due Diligence (CDD) for anti-money laundering and combating the financing of terrorism compliance is possible immediately,” says the report, adding, “India is recognized as a leader for its biometric digital ID for all citizens . . . It is estimated that banks that use e-KYC can lower their cost of compliance from $15 to $0.07 per loan.”

Commonly issued credentials and authenticators. Source: Federal Reserve Bank of Atlanta and World Bank.

Praise and Pushback

Noting that 10% of U.K. citizens have never had a passport, while 93% of adults own a smartphone, the government has proposed an ID system to ease access to public services, with digital credentials stored on people’s own devices. Although officials have studied Aadhaar, which Prime Minister Keir Starmer praised as a “massive success,” they have not gone that far with biometrics.

One critic quoted in The Guardian, Apar Gupta of the Internet Freedom Foundation, Delhi, said “Aadhaar had ‘metastasized’ and become the basis of an ever-expanding bureaucratic minefield of unique IDs . . . ‘Your very basis to live is checked at each and every step.’”

According to Kanungo, rapid expansion can “introduce policy risks when institutional capacity, regulatory safeguards, and accountability frameworks do not keep pace.”

One resulting risk is exclusion – not necessarily by intent, but because certain groups may not onboard quickly enough due to underlying documentation gaps, biometric challenges, device access, or socio-cultural barriers.

Another risk is in the centralization of data without strong protections, specifically “when ambition outpaces the institutional foundations required to safeguard people’s rights,” Kanungo says. “The best-performing countries are those that move quickly, but with clarity of purpose, strong governance, and robust accountability mechanisms guiding every step.”

Open-Source Project

The tensions between centralized and decentralized, over who owns or controls what identity details, and which technologies and methods win out, will likely play out in the realms of decentralized finance, digital assets and advanced payments.

One candidate for a flexible overlay is the Modular Open Source Identity Platform (MOSIP), which started in 2018 at the International Institute for Information Technology Bangalore “as a response to the challenges faced by nations adopting digital ID systems.” It has 27 countries participating in its effort to promote interoperability and avoid vendor lock-ins while helping governments achieve “meaningful digital transformation, established on a bedrock of good principles and human-centric design.”

Prof. S. Rajagopalan

“Countries can pick and choose” one or more of fingerprints, iris scans, and facial recognition – the options supported by MOSIP, says president S. Rajagopalan.

He stresses that the platform is secure, complies with the EU General Data Protection Regulation (GDPR), and integrates with banking systems for KYC as well as regulations and standards applicable in health care and other sectors.

“Given the increasing use of AI, governments will have to build capacity to evaluate tech systems from the viewpoint of privacy protection, inclusion, transparency and explainability,” Rajagopalan remarks.

A 2025 survey from identity-security vendor Okta shows the range of authenticators adopted by users of Okta Workforce Identity. The sum of adoption rates exceeds 100% because of reliance on multiple authenticators.

Favorable Signal

How will digital ID, in any advanced form, go over with a privacy-conscious public?

Research commissioned by the Tony Blair Institute for Global Change (TBI), as revealed in a September 2025 paper, found 62% of the British public in favor of digital ID, 19% opposed. Respondents across the board “see a role for technology in addressing the big challenges faced by the state and the everyday problems they encounter interacting with it. They want to see government do more.”

TBI director of government innovation policy Alexander Iosad, one of four authors of that paper, says that planning should address imperatives such as “proof of liveness,” verifying that a user is human and not an AI-driven impersonator. “Governments will need to come up with their own solutions or recognize private-sector ones.”

Iosad says that the “global arms race around impersonation and other forms of identity fraud” calls for continuous investment in system design and in ongoing defense “to keep it updated as new attack vectors become apparent.”

Although quantum computing is a longer-term concern, “we should be starting to think about post-quantum security now,” and systems should not be built without a quantum-resistant roadmap.

Jeffrey Kutler of GARP contributed reporting for this article.