The current US anti-money laundering (AML) regime is inefficient, forcing customers to undergo duplicative identity verification every time they open an account at a new Bank Secrecy Act (BSA)-regulated financial institution. This repeated Customer Identification Program (CIP) is costly for institutions—especially community banks and new entrants—and adds minimal value to financial crime detection compared to ongoing monitoring.

The article proposes a straightforward fix: allow customer identity verification, once performed to a defined standard (like NIST 800-63-4 Identity Assurance Level 2) by a qualified verifier, to be portable across BSA institutions. This is now technically feasible due to established international standards like Verifiable Credentials and mobile driver's licenses.

Under this modernized framework, the relying institution would retain all critical Customer Due Diligence (CDD) obligations, including ongoing monitoring, beneficial ownership collection, and suspicious activity reporting; only the initial, duplicative identity check would be eliminated. The proposal is not a request to weaken identification but to eliminate costly repetition.

FinCEN's open rulemakings on AML/CFT Program Reform and stablecoin issuers offer a crucial window to modernize the existing, cumbersome CIP reliance rule (31 C.F.R. 1020.220(a)(6)). Adopting a portable, standards-based, and user-controlled digital identity architecture—mirroring efforts in the EU and UK—is essential for US financial systems to remain competitive and interoperate globally. FinCEN is urged to establish a qualified verifier registry and set the new standard.

FinCEN has two rulemakings open this spring that together create the best opportunity in a decade to fix something everyone in financial services knows is broken. The April 7 AML/CFT Program Reform NPRM proposes to restructure Bank Secrecy Act compliance around an effectiveness standard rather than technical box-checking. The April 8 stablecoin issuer NPRM, which implements the GENIUS Act's AML and sanctions requirements for payment stablecoin issuers, explicitly defers customer identification to a separate rulemaking and invites comment on how to design it.

That is the window. It probably will not stay open long. The fix is straightforward, and Treasury has already given itself the conceptual framework to adopt it: allow customer identity verification, once performed to a defined standard by a qualified verifier, to be portable across BSA-regulated institutions. The institution onboarding a new customer would continue to be responsible for everything customer due diligence requires, namely understanding the nature and purpose of the relationship, ongoing monitoring, beneficial ownership collection, suspicious activity reporting, and risk assessment. What changes is whether the underlying identity verification has to be repeated from scratch.

What the current regime actually produces

Every covered financial institution is required to conduct its own customer identification program independently. A single person opening accounts at five institutions undergoes five separate verifications. Each institution collects the same set of identity attributes, runs them through a vendor that is often the same vendor the previous institution used, and stores the resulting record in its own compliance system. The customer files five copies of their driver's license. Each institution carries the cost of the verification, the cost of holding the data, the breach exposure of holding the data, and the operational overhead of handling exceptions when one of the five verifications fails for trivial reasons.

The AML detection value of the fifth verification, given that the first four have already happened, is marginal. Identity is identity. Running the same verification a fifth time rarely surfaces new information about the person. The thing that actually catches financial crime is not the initial verification but the ongoing monitoring of activity against the customer's profile, which is a customer due diligence function, not an identity function. Treasury's Program Reform NPRM recognizes this distinction in substance. Customer identification has not yet caught up.

The cost of the current regime is not evenly distributed. Community banks and credit unions absorb a per-account verification cost that lower-balance accounts cannot economically support, which pushes lower-income customers toward less-regulated alternatives. New entrants pay the same fixed cost to build a CIP infrastructure as incumbents, which entrenches the largest players. And the privacy cost falls on customers, who hand over the same documents repeatedly to institutions that did not need them in the first place.

The technical primitives now exist

This proposal was not feasible a decade ago. It is feasible now.

NIST 800-63-4, finalized last year, provides a settled standard for digital identity assurance with explicit identity assurance levels that map onto the rigor required for various financial use cases. The World Wide Web Consortium's Verifiable Credentials data model is mature and widely implemented. Mobile driver's licenses under ISO/IEC 18013-5 are deployed across more than a dozen US states and accepted by the Transportation Security Administration at major airports. The European Union's Digital Identity Wallet, mandated under eIDAS 2.0, is rolling out across all 27 member states and is expected to be in active use for AML purposes by 2027. FATF Recommendation 16 modernization explicitly contemplates digital identity attestations and information sharing across the payments chain.

These are not crypto-industry pet projects. They are the international standards on which the next generation of identity infrastructure is being built. The question for Treasury is whether US AML regulation will interoperate with them or remain stuck in a regime designed for paper documents.

There is also a regulatory foothold already in place. FinCEN's existing rules at 31 C.F.R. 1020.220(a)(6) and parallel provisions for other types of covered institutions already permit one institution to rely on another's CIP, subject to conditions. The framework is restrictive and operationally cumbersome, which is why it is rarely used in practice. It is not, however, a blank slate. The Program Rule is the right vehicle to modernize a structure that has been on the books for two decades.

What modernization looks like

A modernized framework would permit a covered financial institution to satisfy the underlying identity verification element of CIP by relying on a verifiable attestation issued by a qualified verifier. The verifier would be a regulated financial institution, a federally chartered or supervised institution with equivalent obligations, or a non-FI verifier registered with FinCEN and adhering to defined standards. Those standards would include NIST 800-63-4 Identity Assurance Level 2 or higher, supervisory access to the verifier's practices, cryptographic verifiability of attestations, and audit requirements.

The relying institution would retain everything it currently does except the duplicative verification step. Customer due diligence stays. Ongoing monitoring stays. Beneficial ownership collection stays. SAR filing stays. Risk assessment stays. What ends is the requirement to perform from scratch a verification that has already been performed to an equivalent standard by a qualified party.

The attestation should be capable of being held and presented by the customer through a digital identity wallet of their choosing, in addition to or instead of being transmitted directly between institutions through API calls. Customer control over the credential is consistent with data-minimization principles, with the way modern cryptography actually works, and with the architectural choices emerging international standards have already made. It also means that the failure of any single credential database does not compromise the broader system, because the credential lives with the user rather than in a central repository.

This is not a request to weaken customer identification. The verification standard itself, NIST 800-63-4 IAL2 or higher, is at least as rigorous as the standards most institutions apply today. What changes is the number of times the same verification is performed on the same person, not the rigor of any individual verification.

The criticisms of portable ID miss the mark

This approach would not allow institutions to avoid knowing their customers. Every substantive obligation that requires an institution to understand its customer remains in place. The change is limited to the mechanics of the initial identity check, which is the part of the framework with the lowest marginal AML value and the highest marginal cost.

This would not create new fraud risks. Properly designed, it reduces them. Each new institution-level CIP is a new opportunity for identity fraud, because each verification process can be defeated independently. Consolidating verification at a smaller number of qualified verifiers operating to defined standards, with cryptographic verifiability and supervisory oversight, shrinks the attack surface rather than expanding it.

This idea is also not simply a crypto-industry workaround for KYC aimed at bolstering stablecoins and other onchain activity. The duplicative CIP problem is a banking and fintech problem first. The largest absolute compliance burden falls on banks. The most immediate beneficiaries of reform are community banks, credit unions, fintechs onboarding lower-balance customers, and end users who currently navigate a financial system that asks them to prove who they are over and over again. That the proposal also addresses a particularly acute version of the same problem in the payment stablecoin context is a feature, not a motive.

Lastly, customer-held credentials do not create user-error risk that institution-to-institution credential transfers avoid. Credentials held in a user-controlled wallet, with cryptographic verification of the issuing verifier's signature, are more resistant to tampering than credentials transmitted between institutions through APIs, and more resilient to the failure of any single credential database. The EU has reached the same conclusion in its own digital identity framework.
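The reliance flow sketched in "What modernization looks like" and defended in the paragraph above, as an added example that is not code from the article, from FinCEN or from any of the standards it cites: a qualified verifier signs an attestation, the customer holds it in a wallet, and the relying institution checks the issuer against a qualified verifier registry, verifies the signature, enforces a minimum IAL and an expiry, and rejects anything edited in transit. Plain JSON plus Ed25519 stands in for the Verifiable Credentials or ISO 18013-5 encodings a real deployment would use; the attestation fields, the registry identifiers ("verifier-A", "cust-7f3a") and the function names are all assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the claim a qualified verifier signs after completing its own
// identity verification. The field set is an assumption for this example.
type Attestation struct {
	Issuer   string `json:"issuer"`    // registry identifier of the qualified verifier
	Subject  string `json:"subject"`   // issuer-scoped, pseudonymous customer reference
	IAL      int    `json:"ial"`       // NIST 800-63-4 identity assurance level achieved
	IssuedAt int64  `json:"issued_at"` // unix seconds
	Expires  int64  `json:"expires"`   // unix seconds
}

// SignedAttestation is what the customer carries in a wallet and presents.
// Only Payload is signed, so any change to it invalidates Signature.
type SignedAttestation struct {
	Payload   []byte
	Signature []byte
}

// Registry stands in for a FinCEN-maintained list of qualified verifiers and
// their current signing keys (hypothetical; no such registry exists today).
type Registry map[string]ed25519.PublicKey

var (
	ErrUnqualifiedIssuer = errors.New("issuer not in qualified verifier registry")
	ErrBadSignature      = errors.New("signature does not verify")
	ErrInsufficientIAL   = errors.New("assurance level below relying institution's minimum")
	ErrExpired           = errors.New("attestation expired")
)

// NewQualifiedVerifier generates a signing key pair for a verifier and records
// its public key in the registry; the private key stays with the verifier.
func NewQualifiedVerifier(reg Registry, id string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[id] = pub
	return priv, nil
}

// Issue is the verifier's side: sign the attestation with its registered key.
// json.Marshal of a struct is deterministic, so the payload is canonical.
func Issue(priv ed25519.PrivateKey, a Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the relying institution's side. It covers only the identity
// verification element of CIP: registered issuer, intact signature, required
// IAL, validity window. CDD, ongoing monitoring and SAR filing stay with the
// relying institution and are out of scope here.
func Verify(reg Registry, sa SignedAttestation, minIAL int, now time.Time) (Attestation, error) {
	var a Attestation
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Attestation{}, fmt.Errorf("malformed payload: %w", err)
	}
	pub, ok := reg[a.Issuer] // issuer field selects the key; nothing is trusted until the signature checks
	if !ok {
		return Attestation{}, ErrUnqualifiedIssuer
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return Attestation{}, ErrBadSignature
	}
	if a.IAL < minIAL {
		return Attestation{}, ErrInsufficientIAL
	}
	if now.Unix() >= a.Expires {
		return Attestation{}, ErrExpired
	}
	return a, nil
}

func main() {
	reg := Registry{}
	priv, err := NewQualifiedVerifier(reg, "verifier-A")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	genuine, _ := Issue(priv, Attestation{Issuer: "verifier-A", Subject: "cust-7f3a", IAL: 2,
		IssuedAt: now.Unix(), Expires: now.Add(365 * 24 * time.Hour).Unix()})
	_, err = Verify(reg, genuine, 2, now)
	fmt.Println("genuine attestation:", err) // <nil>

	// Editing the held credential (here, raising the claimed IAL) breaks the signature.
	var claim Attestation
	_ = json.Unmarshal(genuine.Payload, &claim)
	claim.IAL = 3
	tampered := genuine
	tampered.Payload, _ = json.Marshal(claim)
	_, err = Verify(reg, tampered, 2, now)
	fmt.Println("tampered attestation:", err) // signature does not verify
}
```

The tamper case is the property the paragraph above relies on: because the attestation is bound to the issuer's signature rather than to the channel it arrived over, it is equally trustworthy whether it comes from the customer's wallet or from an institution-to-institution API call. A production design would add revocation or short validity windows for compromised verifier keys and would use the selective-disclosure features of the credential formats the article names, so the relying institution learns the assurance level without receiving the underlying documents.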

The international stakes

The Administration has said it wants American leadership in payment stablecoins. The European Union's identity wallet is going live. The United Kingdom is moving in the same direction under its Digital Information and Smart Data Bill. Singapore's MyInfo system already supports cross-institution identity verification. If US regulation leaves US institutions unable to interoperate with these systems, the structural competitiveness disadvantage is not one any amount of compliance investment will offset.

The architecture of the EU framework is worth particular attention. It is built explicitly on a user-controlled wallet model, in which the citizen holds and presents their own identity credentials rather than relying on intermediated institution-to-institution transfers. The United States should not adopt a more centralized architecture than the EU has settled on. Dollar-denominated payment stablecoins will compete with euro stablecoins and other foreign-currency digital instruments on rails where identity infrastructure is part of the user experience. The country that fixes identity friction first wins that competition.

FinCEN’s call to action

The final Program Rule should modernize 31 C.F.R. 1020.220(a)(6) and its parallels to permit reliance on verifiable identity attestations from qualified verifiers, subject to standards-based qualification of the verifier, cryptographic verification of the attestation, and continued responsibility of the relying institution for ongoing CDD. FinCEN should establish a qualified verifier registry. It should design the forthcoming PPSI customer identification rule on the same architecture. And it should coordinate with FATF, the European Commission, and other major counterparts to make sure the US framework can interoperate with what the rest of the world is already building.

The technical infrastructure for portable identity verification exists. The legal infrastructure for reliance frameworks exists. The policy posture, namely effectiveness over technical compliance, is on the record. What is missing is the political decision to actually do it.

Comments on the Program Reform NPRM and the PPSI NPRM close in June. This is the moment to make the case.


This article was originally shared by Bill Hughes via X on Wednesday May 13.