Mirela Ciobanu
12 May 2026 / 8 Min Read
Identity ecosystem experts, Lucy Yang, Juliana Cafik, and Michael B. Jones unpack how to bridge the gap between verifiable credentials and rigorous KYC requirements in regulated industries.
Generative AI and deepfakes have accelerated synthetic identity fraud into a ‘machine-scale’ threat outpacing traditional ‘Know Your Customer’ (KYC) defences. As the Financial Services Sector Coordinating Council (FSSCC) recently highlighted, escalating fraud losses are impacting the entire business landscape, with financial institutions (FIs) bearing the brunt. Digitised analogue workflows are the critical vulnerability in modern financial security right now. Beyond direct losses, the friction they inject into customer onboarding remains a silent killer of growth.
Yet, a robust, government-backed solution, the Mobile Driver’s License (mDL), is already in the pockets of millions in the US and Australia, while others like Canada are building the foundation for cryptographically verifiable credentials. Despite massive public investment, the business community has yet to fully leverage this high-assurance tool, continuing to fight 21st-century fraud with 20th-century manual workflows.
The hurdle is a lack of seamless integration. A technology’s true impact is unlocked the moment its complexity becomes invisible to the business consuming it. My previous article explored the issuer-holder-verifier identity model that mDL follows, an emerging paradigm that moves us away from a reliance on centralised databases. However, for a Chief Compliance Officer, technical elegance is secondary to the immediate need for a ‘reasonable belief’ that a customer is who they say they are. Ultimately, to move from technical pilots to ubiquitous business solutions, we must prioritise usability that makes high-assurance identity verification as intuitive as it is secure.
To that end, in collaboration with identity and standards experts Juliana Cafik and Michael B. Jones, we are unpacking how to transform mDLs and verifiable credentials alike into high-utility tools for the rigorous KYC requirements that go hand-in-hand with regulated industries.
According to statistics from the American Association of Motor Vehicle Administrators (AAMVA), 22 states and territories in the US are currently issuing mDLs, with eight more in the process of rolling out programs. Soon, more than half of US jurisdictions will have an mDL program enabling their residents to carry a legal identity credential in their digital wallets.
However, adoption data from the Secure Technology Alliance (STA) as of late April 2026 shows that only two states, Arizona (22.58%) and California (12.41%), surpass a 10% adoption rate. Maryland (9.48%), Georgia (8.52%), and Iowa (7.65%) are close, but for most of the US, mDL holders remain a small fraction of the driving population.
The US National Cybersecurity Center of Excellence (NCCoE) outlines clear benefits of mDLs over their physical counterparts. For regulated entities such as FIs, these features deliver immediate operational value: they eliminate the errors common in manual data entry and drastically reduce synthetic identity fraud by replacing plastic cards with data cryptographically signed by an authoritative source. Simultaneously, users gain enhanced privacy through selective disclosure, sharing only the specific data points necessary for a given transaction, and improved security by keeping their identity information protected by the hardware-backed security of their own devices.
Realising these benefits requires a synchronised effort across the entire identity ecosystem. While we applaud the government’s momentum in issuing mDLs, the ultimate return depends on whether FIs and other verifiers can integrate these credentials into their operational workflows. Utility drives adoption; more people will seek out these credentials once they become the ‘key’ to the high-value services people use daily.
Historical lessons show that while shouting about a new paradigm creates awareness, making it a reality requires deliberate work. The real challenge with mDL adoption lies in the gap between the nature of the mDL as an identity credential and the reality of operational workflows or compliance nuances in a specific industry.
The bridge between a technological breakthrough and market adoption is almost always an abstraction layer. In our case, this layer must translate technical proofs into actionable, business-ready compliance data. By moving from simply ‘looking at an ID’ to ‘trusting the data behind it’, organisations can automate high-trust interactions without becoming specialists in the new technological paradigm. This ensures the transition feels natural and addresses practical challenges, allowing businesses to satisfy regulatory examiners and reduce fraud while enhancing the customer experience.
As Juliana Cafik notes, ‘Thirty years of driving technology adoption has proven one unforgiving truth: innovation dies the moment it becomes an operational burden. That hard-won lesson is the architectural foundation of an mDL metadata framework I am working on with a community of identity and standards experts. By bridging the gap and natively embedding the assurance of identity directly into the operational workflows financial institutions already rely on, we eliminate frontline friction, unlocking scaled adoption and preventing industry fragmentation.’
Juliana is spearheading a collaborative effort at the OpenID Foundation (OIDF) to specify the mDL metadata framework for KYC and CIP (Customer Identification Program) compliance defined in this white paper. Spring-boarded from the US National Institute of Standards and Technology (NIST) NCCoE mDL project outcomes for financial account opening, this framework helps FIs bridge the gap between digital identity, internal risk management, and regulatory requirements. It achieves this by extending the existing OIDF identity assurance specifications to support the mDL.
The core focus of this framework is to convey cryptographically backed evidence of a person’s identity to FIs. Currently, when a customer presents an mDL from a digital wallet, banks often lack the visibility to verify how that identity credential was issued or if the wallet itself is secure. This framework addresses this head-on by translating complex technical ‘trust signals’ into a format anchored by standardised claims and values as machine-readable evidence.
Specifically, the framework is based on ISO/IEC standards (18013-5/7 and 23220) and NIST SP 1800-42A for mDL. It focuses on key pillars for jurisdictionally independent risk decisioning, including: provenance, cryptographic holder binding, attribute completeness, freshness, and transaction intent. By conveying these standardised claims and values, the framework endeavours to equip FIs with the cryptographic evidence necessary to establish the ‘reasonable belief’ of customer identity required for rigorous KYC and CIP risk-management mandates. This approach elevates the mDL into a high-assurance tool for identity verification.
A critical component of this metadata framework is its ability to redefine financial inclusion by decoupling identity verification from binary labels. Today, the lack of a federal Real ID in the US is often a rigid gatekeeper; if the ‘gold star’ isn't present, the system defaults to ‘no’, immediately blocking millions’ access to the financial system.
‘Risk is not one-size-fits-all, and our approach to identity assurance shouldn't be either’, says Juliana. ‘Opening a foundational USD 500 checking account requires a fundamentally different set of attributes, claims, and values than securing a USD 2 million commercial line of credit. By allowing a bank to look past the physical label and cryptographically evaluate whether the actual assurance of the identity verification process is commensurate with the intended action, we move from a binary gatekeeper to a dynamic, risk-based model. We stop over-securing entry-level access, ensuring individuals aren't locked out of the digital economy simply because their credentials don't match the highest-tier compliance requirements.’
The framework changes the equation by providing the granularity needed to move past a simple ‘yes/no’ on Real ID status. For example, a bank's system can now see that a ‘standard’ license was cryptographically signed by the DMV. This shift is a vital lifeline for the underbanked. By removing the compliance blind spot associated with non-Real ID credentials, we allow individuals to access financial services from the safety of their homes using the government-backed documents they already possess. It ensures that a lack of specific federal document status no longer translates into a lack of financial opportunity.
This framework is not being developed in a vacuum or as a proprietary product; it is being built through the OpenID Foundation to ensure it remains a public, interoperable standard. For an identity credential to be truly useful, it must work across different wallets, different states, and different FIs without being locked behind proprietary moats. An open ecosystem is the only way to ensure that a student in California and a retiree in Florida can use the same digital ‘handshake’ to open an account.
Michael B. Jones, an Identity Standards Expert and member of the Board of Directors at the OpenID Foundation, emphasises that open standards are the only way to achieve the scale necessary for mass adoption. When a standard is developed in the open with broad participation, it allows for a ‘rising tide’ that lifts all participants, ensuring that an mDL from Arizona is just as valid and verifiable at a credit union in Maine as it is at a national bank.
‘Building interoperable ecosystems is hard and requires a standards-based approach. The standards and their deployments must meet the perceived needs of all the parties who need to participate for them to decide to do so. Standards are the table stakes to make this possible. Solving real problems that the participants actually have in a way that makes sense to them is what makes adoption and progress a reality’, says Mike.
The mDL metadata framework is closely aligned with NIST, building on the foundational NIST SP 800-63 guidelines and the NCCoE’s SP 800-63A Profile for mDL Issuance. Crucially, it directly supports the objectives of NIST SP 1800-42A, ‘Digital Identities – Mobile Driver’s License (mDL): Accelerating Development and Adoption of Digital Identity for Financial Institutions’, which provides the practical roadmap for FIs to leverage verifiable credentials. Collectively, these documents represent the ‘go-to standard’ for digital identity assurance. By anchoring to them, the framework ensures that digital transactions meet or exceed the same security benchmarks as traditional face-to-face interactions.
To transition this framework into a formal technical specification, Juliana is leading the effort within the eKYC & IDA Working Group at the OpenID Foundation. Supported by the standards expertise of Mike Jones and contributions from NIST and others, the initiative is extending the OpenID Identity Assurance Schema Definition 1.0 and OpenID Connect for Identity Assurance Claims Registration 1.0 to support verifiable credentials.
The shift to high-utility identity credentials is a call to action for all regulated industries, including healthcare, insurance, and professional licensing. While the metadata framework was initially tailored for mDLs in the US, it has evolved into a protocol-, format-, and jurisdiction-agnostic framework, offering a global blueprint for turning verifiable credentials into business-ready trust across any jurisdiction or industry. If your success relies on truly knowing your customers, the time to embrace a more secure, digital, and intuitive handshake is now!
Note: The author would like to thank Juliana Cafik and Michael B. Jones for their laudable efforts in making mDLs usable for the broader business community. This article would not have been possible without their tremendous expertise and invaluable contributions.
Juliana Cafik is an independent standards and solutions architect and two-time tech founder with three decades of experience at the intersection of digital identity, telecom, and finance. She currently leads eKYC/mDL initiatives for the OpenID Foundation and is a member of the ENISA AHWG for digital wallet certification. She is a former Co-Chair of the DIACC Trust Framework Expert Committee (TFEC), member of the Microsoft identity standards team, and co-architect of the NIST NCCoE mDL project. Her expertise spans EMV, ISO 18013 (mdoc/mDL), ISO 27001, NIST SP 800-63, NIST SP 800-53, FAPI, PCI DSS, DORA, and Digital Wallets.
Dr. Michael B. Jones is on a quest to build the Internet's missing identity layer. He is an editor of the OpenID Connect specifications, IETF OAuth specifications, including JSON Web Token (JWT) and DPoP, the IETF JSON Object Signing and Encryption (JOSE) specifications, FIDO 2.0, W3C Web Authentication, the W3C Verifiable Credentials specs, the JSON Web Proofs (JWP) specs, and a contributor to the OpenID4VC specs. He writes at https://self-issued.info/.

Lucy Yang is an identity ecosystem expert pioneering the adoption of standards-based credentials. She specialises in navigating complex ecosystems, synchronising public policy and technical standards with large-scale implementations. Lucy has worked with a global portfolio of clients, including the California DMV, California Community Colleges, UNDP, IATA, ICAO, and the Linux Foundation. She focuses on overcoming intricate market hurdles to solve real-world challenges. Learn more about her work at techservesapurpose.com.