By Helen Garneau
In August 2025, the U.S. Department of the Treasury published a Request for Comment asking the public how financial institutions can better detect illicit activity involving digital assets. The RFC wasn’t a general call for ideas. It was a mandate under Section 9 of the GENIUS Act —the first federal crypto legislation, signed into law in July 2025— and it specifically named four technology categories for evaluation: application program interfaces (APIs), artificial intelligence (AI), digital identity verification, and blockchain technology and monitoring.
Decentralized digital identity verification and digital trust orchestration is what Indicio does through its Indicio Proven® platform. Simply put, our submission argued that digitalized finance needs digitalized identity, and the most secure, privacy-preserving way to deliver it is through decentralized identity using Verifiable Credentials.
That argument gets stronger every day.
The compliance gap that won’t close on its own
The digital asset market is expanding fast, driven by institutional adoption, the beginnings of regulatory structure, and growth in decentralized finance. But one fundamental obstacle persists: identity verification is still rooted in a paper-document model.
Many banks and financial institutions still run Know Your Customer (KYC) processes through document scans and photo uploads. These steps are slow, repetitive, and frustrating for users. More critically, they are increasingly dangerous. In the age of generative AI, documents and biometrics can be faked rapidly and inexpensively facilitated by the rise of fraud as a service. The result is that institutions are increasingly exposed to deepfakes, synthetic identity fraud, and account takeover attempts. The response from legacy authentication is more user friction.
KYC is the millstone keeping the promise of instant cross-border payments and streamlined onboarding stuck to the age of waiting, sometimes for days. The result isn’t just inefficiency, cost, and missed opportunity. It’s increased risk for every party involved.
The mix of digital finance and analogue compliance is exactly why the Treasury acted. And it’s why the RFC asked about digital identity verification as a distinct technology category with its own set of evaluation criteria.
What Verifiable Credentials offer
Verifiable Credentials replace the document-scan model with a cryptographic one. A credential is created from authenticated documents, bound to a user’s biometrics, and held in a digital wallet that the user biometrically controls. The data in the credential is digitally signed in a way that is resistant to AI-generated forgery, can only be shared with the user’s explicit consent, and is instantly verifiable anywhere, at any time.
Users can also share data selectively by presenting only the specific attributes relevant to a transaction for cryptographic proof rather than handing over a full identity document. This simplifies data-privacy compliance (including GDPR), makes onboarding faster, and delivers better identity assurance.
Verifiable credentials for KYC leverage the same decentralized identity technology used to create high-assurance digital identity for international travel and border crossing, following specifications published by the International Civil Aviation Organization (ICAO DTC). ICAO-grade digital identity, with authenticated biometrics and cryptographic binding, is among the strongest digital identity assurance levels available; it is already being used for country-scale deployments.
Beyond blockchain analytics: why identity is the missing layer
Most of the responses to Treasury’s RFC focused on blockchain monitoring and AI-driven transaction surveillance, tools that analyze what wallets do after the fact. The Clearing House and Bank Policy Institute, for example, emphasized blockchain analytics, modernized BSA frameworks, and clearer limits on institutional responsibility in decentralized environments. The Independent Community Bankers of America questioned whether the RFC was premature, arguing that GENIUS Act final rules should come first.
These solutions treat identity as a given and focus on surveilling transactions. The problem is that in digital asset markets — especially DeFi — identity is not a given. It’s absent. Blockchain analytics can trace what a wallet does: they cannot tell you who controls the wallet or whether that person has been verified against sanctions lists, PEP databases, or fraud indicators. Transaction surveillance without verified identity is surveillance without a subject.
Verifiable Credentials address the gap at its source. They establish trusted identity before a transaction happens. Compliance is built into the flow rather than reconstructed after the fact.
The DeFi compliance frontier
The U.S. Treasury’s RFC explicitly noted that digital identity tools could be used by DeFi smart contracts to automatically check user credentials before a transaction is executed.
DeFi protocols are permissionless by design, with no central compliance department to enforce KYC. But the regulatory direction is now clear. Compliance obligations in 2026 follow the financial activity, not the technology architecture. Regulators are focusing on the points of control—front ends, aggregators, bridges, stablecoin issuers, and fiat on-ramps—and requiring that AML and CFT controls be present wherever value moves, including through DeFi routes.
Several technical approaches are converging to meet this requirement: zero-knowledge proofs that confirm a wallet is sanctions-cleared without revealing personal data; Verifiable Credentials issued by trusted parties that can be selectively disclosed; and smart-contract wallets that embed pre-transaction compliance checks.
Verifiable credentials are central to every serious approach because they provide the cryptographic identity anchor that makes the other tools work.
Standards alignment
Verifiable Credentials are not a proprietary technology. They are built on open, internationally recognized standards. ICAO’s Digital Travel Credential specification provides the biometric binding and document-authentication framework. NIST’s digital identity guidelines (SP 800-63) define the identity assurance levels that verifiable credentials can satisfy. And FATF’s updated recommendations on virtual assets and VASPs—including the revised Recommendation 16 (the Travel Rule)—are increasingly requiring counterparty identification that Verifiable Credentials are designed to provide.
This alignment is real, but regulatory bodies are still actively determining how selective disclosure, zero-knowledge proofs, and cryptographic attestations satisfy specific examination expectations across different jurisdictions.
What we recommended
Our core recommendation is straightforward: Treasury should define how Verifiable Credentials satisfy AML and sanctions obligations. Without that clarity, institutions that want to adopt verifiable digital identity will hesitate, and the compliance gap will persist.
We also urged Treasury to establish clear technical standards for digital identity verification that follow NIST and FATF guidance; to support supervised pilots that let institutions test verifiable credential workflows under regulatory oversight; and to provide consistent examiner playbooks so that compliance teams and auditors can evaluate verifiable credentials with confidence across jurisdictions.
Steps like these would give institutions the certainty they need to adopt verifiable digital identity at scale — and they would give the Treasury a compliance tool that works at the speed digital finance needs.
From policy to production
In March 2026, we announced a strategic partnership with IDEMIA Public Security to deliver globally interoperable identity verification designed for financial services, banking, DeFi, and cross-border payments. The platform pairs IDEMIA’s biometric identity proofing and document verification capabilities with Indicio’s verifiable credential platform, Indicio Proven, creating a single integration point for high-assurance verified identity that works across North America, Europe, Latin America, Africa, the Middle East, and Asia-Pacific. We jointly demonstrated a KYC solution at RSA in March. You can watch a demo here.
This is the kind of infrastructure that makes the policy case concrete: portable, verifiable, privacy-preserving digital identity that financial institutions can deploy today and that regulators can build examination frameworks around tomorrow.
The bottom line
Blockchain analytics and AI surveillance are insufficient without a verified identity layer. Verifiable Credentials provide that layer and give financial institutions a fast, secure, globally-interoperable and privacy-preserving way to establish who they are dealing with, while reducing fraud, dodging deepfakes, improving auditability, and simplifying compliance.
The technology is ready, and Indicio-IDEMIA Public Security can be implemented rapidly into existing systems.
Want to learn more? Speak with one of our experts about verifiable credentials and KYC, or read Indicio’s full response to Treasury.