Modernizing BSA and AML/CFT Compliance with Verifiable Digital Identity

In our U.S. Treasury RFC response, we propose an Identity Trust model to modernize AML/CFT compliance—delivering transparency, accountability, and trust for regulators and institutions, without sacrificing innovation or privacy.

Thank you to Linda Jeng and Elizabeth Santucci for their instrumental contributions to the analysis and recommendations in our U.S. Treasury comment letter.

The financial system’s integrity, and the public trust it depends on, can no longer rest on paper-era compliance. For more than fifty years, the Bank Secrecy Act (BSA) has guided how institutions detect and report illicit activity. Yet as the economy digitizes, this framework has become a drag on both effectiveness and inclusion. The cost of compliance has soared to $59 billion annually, while less than 0.2% of illicit proceeds are recovered. Community banks spend up to 9% of non-interest expenses on compliance; millions of Americans remain unbanked because the system is too manual, too fragmented, and too dependent on outdated verification models.

SpruceID’s response to the U.S. Treasury’s recent Request for Comment on Innovative Methods to Detect Illicit Activity Involving Digital Assets (TREAS-DO-2025-0070-0001) outlines a path forward. Drawing on our real-world experience building California’s mobile driver’s license (mDL) and powering state-endorsed verifiable digital credentials in Utah, we propose a model that unites lawful compliance, privacy protection, and public trust.

Our framework, called the Identity Trust model, shows how verifiable digital credentials and privacy-enhancing technologies can make compliance both more effective for enforcement and more respectful of individual rights.

Our proposal is not to expand surveillance or broaden data collection, but to make compliance more precise. The Identity Trust model is designed to be applied only where existing laws such as the BSA and AML/CFT rules require verification or reporting. Today’s compliance systems often require collecting and storing more personal information than is strictly necessary, which increases costs and risks for institutions and customers alike. By enabling verifiable digital credentials and privacy-enhancing technologies, our model ensures institutions can fulfill their obligations with higher assurance while minimizing the amount of personal data collected, stored, and exposed. This shift replaces excess data retention with cryptographic proofs, delivering better outcomes for regulators, financial institutions, and individuals alike.

This framework proposes regulation for the digital age, using the same cryptographic assurance that already secures the nation’s payments, passports, and critical systems to bring transparency, precision, and fairness to financial oversight.

A System Ready for Reform

Compliance with BSA and AML/CFT rules remains rooted in outdated workflows: identity verified by a physical ID, information stored in readable form, and personal data held in centralized stores. These methods have become liabilities. They drive up costs, create honeypots of data for breaches, and encourage “de-risking” that locks out lower-income and minority communities.

The technology to fix this exists today. Mobile driver’s licenses (mDLs) are live in more than seventeen U.S. states, accepted by the TSA at over 250 airports. Utah’s proposed State-Endorsed Digital Identity (SEDI) approach, detailed in Utah Code § 63A-16-1202, already provides a framework for trusted, privacy-preserving digital credentials. Federal pilots, such as NIST’s National Cybersecurity Center of Excellence (NCCoE) mobile driver’s license initiative, are proving these models ready for financial use.

What’s missing is regulatory recognition: the clarity that these trusted credentials, when properly verified, fulfill legal identity verification and reporting obligations under the BSA.

The Identity Trust Model

The Identity Trust model offers a blueprint for modernizing compliance without the need for new legislation. It allows regulated entities, such as banks or state- or nationally chartered trusts, to issue and rely on pseudonymous, cryptographically verifiable credentials that prove required attributes (such as sanctions screening status or citizenship) without disclosing unnecessary personal data.

The framework operates in four stages:

  1. Identifying: A regulated entity (the Identity Trust, of which there can be many) is responsible for verifying an individual’s identity using digital and physical methods, based on modern best practices such as NIST SP 800-63A-4 for identity proofing. Once verified, the trust issues a pseudonymous credential to the individual and encrypts their personal information. Conceptually, the unlocking key is split into three parts: one held by the individual, one by the Trust, and one by the courts, with any two sufficient to unlock the record (roughly, a “two-of-three key threshold”).
  2. Transacting: When the individual conducts financial activity, the individual presents their pseudonymous credential. Transactions are then tagged with unique one-time-use identifiers that prevent linking activity across contexts, even if collusion were attempted. Each identifier carries a cryptographically protected payload that can only be “unlocked” with the conceptual two-of-three key threshold. Entities and decentralized finance protocols that process the identifiers can cryptographically verify that the identifier was correctly issued by an Identity Trust and remains valid.
  3. Investigating: If law enforcement or regulators demonstrate lawful cause, conceptually, the court and the Identity Trust each apply their keys to reach the two-of-three threshold, authorizing access to the specific, limited data justified by the circumstances. The Identity Trust must have a robust governance framework for granting access to law enforcement, one that balances privacy and due process rights with law enforcement needs through judicial orders. Once the two keys are combined, the vault holding the relevant identity information (if one exists) can be decrypted, revealing the individual’s information in a controlled and auditable manner, including correlation with other transactions to the extent permitted by the lawful request. Alternatively, the individual can combine their own key with the Identity Trust’s key to view their entire audit log and to create cryptographic proofs of their actions across their transactions.
  4. Monitoring: The Identity Trust performs continuous checks against suspicious-actor and sanctions lists in a privacy-preserving manner, under approved policies for method and interval, with the auditable logs protected and encrypted such that only the individual or duly authorized investigators can work with the Identity Trust to access the plaintext. Individuals may also request attribute attestations from the Identity Trust, for example, that they do not appear on suspicious-actor or sanctions lists, or attestations for credit checks.
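
The four stages above sketch a protocol rather than an implementation. The Go program below is an added illustration of its cryptographic core, written for this post; it is not code from SpruceID or from the comment letter. It assumes concrete primitives the letter leaves open: a 2-of-3 Shamir split of a per-customer AES-256-GCM vault key (the “two-of-three key threshold”), and an Ed25519 signature by the Identity Trust over each one-time transaction identifier, so that a bank or protocol can check issuance with only the Trust’s public key and never sees the record. The function names, the Mersenne prime used as the share field, and the `vault/0001` reference are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Share field: the Mersenne prime 2^521 - 1 (assumption for this example). A
// 256-bit AES key is far smaller than the modulus, so it embeds as a field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one point (X, Y) on a random degree-1 polynomial whose constant term
// is the vault key. Holders in the model: individual, Identity Trust, court.
type Share struct {
	X int64
	Y *big.Int
}

// SplitKey2of3 splits a 32-byte vault key into three Shamir shares; any two
// shares recover the key, and a single share reveals nothing about it.
func SplitKey2of3(key []byte) ([]Share, error) {
	if len(key) != 32 {
		return nil, errors.New("vault key must be 32 bytes")
	}
	secret := new(big.Int).SetBytes(key)
	coeff, err := rand.Int(rand.Reader, prime) // random slope a1 of f(x) = secret + a1*x
	if err != nil {
		return nil, err
	}
	shares := make([]Share, 3)
	for i := int64(1); i <= 3; i++ { // evaluate f at x = 1, 2, 3
		y := new(big.Int).Mul(coeff, big.NewInt(i))
		y.Add(y, secret).Mod(y, prime)
		shares[i-1] = Share{X: i, Y: y}
	}
	return shares, nil
}

// RecoverKey recombines any two distinct shares by Lagrange interpolation at
// x = 0: s = ya*xb/(xb-xa) + yb*xa/(xa-xb)  (mod p).
func RecoverKey(a, b Share) ([]byte, error) {
	if a.X == b.X {
		return nil, errors.New("need two distinct shares")
	}
	xa, xb := big.NewInt(a.X), big.NewInt(b.X)
	term := func(y, xSelf, xOther *big.Int) *big.Int {
		d := new(big.Int).Sub(xOther, xSelf)
		d.Mod(d, prime).ModInverse(d, prime) // 1/(xOther - xSelf) mod p
		t := new(big.Int).Mul(xOther, d)
		return t.Mul(t, y).Mod(t, prime)
	}
	s := new(big.Int).Add(term(a.Y, xa, xb), term(b.Y, xb, xa))
	return s.Mod(s, prime).FillBytes(make([]byte, 32)), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts the verified identity record (or a pointer to it) under
// the vault key with AES-256-GCM; the nonce is prefixed to the ciphertext.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord decrypts a sealed record; it fails on a wrong key or any
// modification of the ciphertext, which is what keeps the vault auditable.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// TxIdentifier is the one-time identifier a holder attaches to a transaction:
// a fresh nonce (unlinkable across contexts), a payload sealed under the vault
// key, and the Identity Trust's signature over both.
type TxIdentifier struct{ Nonce, Payload, Sig []byte }

func signedBytes(nonce, payload []byte) []byte {
	return append(append([]byte("identity-trust-tx:"), nonce...), payload...)
}

// IssueIdentifier is run by the Identity Trust for each transaction.
func IssueIdentifier(trustKey ed25519.PrivateKey, vaultKey []byte, vaultRef string) (TxIdentifier, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return TxIdentifier{}, err
	}
	payload, err := SealRecord(vaultKey, []byte(vaultRef))
	if err != nil {
		return TxIdentifier{}, err
	}
	return TxIdentifier{nonce, payload, ed25519.Sign(trustKey, signedBytes(nonce, payload))}, nil
}

// VerifyIdentifier is what a bank or DeFi protocol runs: it needs only the
// Identity Trust's public key, never the vault key or the record.
func VerifyIdentifier(trustPub ed25519.PublicKey, id TxIdentifier) bool {
	return ed25519.Verify(trustPub, signedBytes(id.Nonce, id.Payload), id.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	vaultKey := make([]byte, 32)
	rand.Read(vaultKey)
	shares, _ := SplitKey2of3(vaultKey)
	id, _ := IssueIdentifier(priv, vaultKey, "vault/0001") // constructed reference
	fmt.Println("verifier accepts identifier:", VerifyIdentifier(pub, id))
	// Lawful access: court (share 3) and Identity Trust (share 2) reach the threshold.
	k, _ := RecoverKey(shares[2], shares[1])
	ref, err := OpenRecord(k, id.Payload)
	fmt.Println("payload opened under recovered key:", string(ref), err)
}
```

Two design points worth noting. The verifier path and the investigation path use different keys: `VerifyIdentifier` consumes only the Trust’s Ed25519 public key, while `OpenRecord` requires the reconstructed vault key, so a bank that screens thousands of identifiers never holds anything that would let it read a record. And because GCM authenticates the ciphertext, a lawful-access decryption either yields the exact record the Trust sealed or fails outright; there is no partial or silently corrupted disclosure for an audit log to miss.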

This structure embeds accountability and due process into the architecture itself. It enables lawful access when required and prevents unauthorized surveillance when not. Crucially, the model fits within existing AML authority, leveraging the same legal and supervisory frameworks that already govern banks, trust companies, and credential service providers. 

Policy Recommendations for Treasury

SpruceID’s recommendations to Treasury and FinCEN focus on aligning policy with existing technology, ensuring that the U.S. remains a global leader in both compliance and digital trust.

Each recommendation below states the request for consideration, followed by its reasoning and impact.

1. Recognize verifiable digital credentials (VDCs) issued by many acceptable sources as valid evidence under Customer Identification Program (CIP) and Customer Due Diligence (CDD) obligations, including as “documentary” verification methods when appropriate.

Treasury and FinCEN should interpret 31 CFR § 1020.220 (and corresponding CIP rules and guidance) to include verifiable digital credentials if they can meet industry standards, such as a baseline of National Institute of Standards and Technology (NIST) SP 800-63-4 Identity Assurance Level 2 (IAL2) identity verification or higher, issued directly from government authorities, or through reliance upon approved institutions or identity trusts.

These verifiable digital credentials (VDCs), such as those issued pursuant to State-Endorsed Digital Identity (SEDI) approaches, should be treated as “documentary” evidence where appropriate. The principle of data minimization should become a pillar of financial compliance, with VDC-enabled attribute verification encouraged over the sharing of unnecessary personally identifiable information (PII), such as static identity documents, wherever possible.


Current CIP programs largely presume physical IDs, limiting innovation and remote onboarding, even though the statute is not prescriptive as to medium or security mechanism.

Verifiable digital credentials issued by trusted authorities provide cryptographically proven authenticity and higher assurance against forgery or impersonation, to better fulfill the aims of risk-based compliance management programs.

Recognizing VDCs as documentary evidence would enhance verification accuracy, reduce compliance costs, and align U.S. practice with FATF Digital ID Guidance (2023) and EU eIDAS 2.0, promoting global interoperability.

Attribute-based approaches to AML, such as “not-on-sanctions-list” or “US-person,” should be preferred whenever possible, as they can effectively manage risks without the overcollection of PII, avoiding a “checkpoint society” riddled with unnecessary ID requirements.

2. Permit financial institutions to rely on VDCs issued by other regulated entities, identity trusts, or accredited sources via verified real-time APIs for AML/CFT compliance.

Treasury and FinCEN should authorize institutions to accept credentials and attestations from peer financial institutions or identity trust networks when those issuers meet assurance and audit standards.

Congress should further consider the addition of a new § 201(d) to the Digital Asset Market Structure Discussion Draft (Sept. 2025) clarifying Treasury’s authority to recognize and accredit digital-identity and privacy-enhancing compliance frameworks.

While current CIP programs still assume physical ID presentation, the underlying statute is technology neutral and does not mandate any specific medium or security mechanism. Recognizing VDCs can modernize onboarding by reducing costs and friction, improving AML data quality and transparency, and enabling faster, more collaborative investigations across institutions and borders—all while minimizing data-collection risk.

Statutory clarity ensures that Treasury’s modernization efforts rest on a durable, technology-neutral foundation. This amendment would future-proof the U.S. AML/CFT regime, align it with G7 digital-identity roadmaps, and strengthen U.S. leadership in global digital-asset regulation.

3. Permit privacy-enhancing technologies (PETs) to meet verification and monitoring obligations.

Treasury should issue interpretive guidance or rulemaking confirming that zero-knowledge proofs, pseudonymous identifiers, and multi-party computation may be used for CIP, CDD, and Travel-Rule compliance if equivalent assurance and auditability are maintained.


PETs enable institutions to prove AML/CFT compliance without exposing underlying PII, minimizing data breach and insider risk exposure while maintaining verifiable oversight.

Recognizing PETs would modernize compliance architecture, lower data-handling costs, and encourage innovation consistent with global privacy and financial-integrity standards.

4. Modernize the Travel Rule to enable verifiable digital credential-based information transfer.

Treasury should amend 31 CFR § 1010.410(f) or issue guidance allowing originator/beneficiary data to be transmitted via cryptographically verifiable credentials or proofs instead of plaintext PII.

The current Travel Rule framework was built for wire transfers, not blockchain systems. Verifiable digital credentials can carry or attest to required information with integrity, selective disclosure, and traceability.

This approach preserves law-enforcement visibility while protecting privacy, ensuring interoperability with FATF Recommendation 16 and global Virtual Asset Service Providers (VASPs).

5. Establish exceptive relief for good-faith reliance on accredited identity trust, VDC, and Privacy-Enhancing Technology (PET) systems.

Treasury should use its § 1020.220(b) rulemaking authority to provide exceptive relief deeming institutions compliant when they rely on Treasury-accredited credentials or PET frameworks meeting defined assurance standards.

Institutions adopting accredited compliance tools should not face enforcement liability for third-party system errors beyond their control. Exceptive relief would provide regulatory certainty and clear boundaries of accountability.

Exceptive relief incentivizes the adoption of privacy-preserving identity systems such as identity trusts, reducing costs while strengthening overall compliance integrity.

6. Leverage NIST NCCoE collaboration for technical pilots and standards.

Treasury and FinCEN should partner with NIST’s National Cybersecurity Center of Excellence (NCCoE) Digital Identities project to pilot mDLs, VDCs, and interoperable trust registries for CIP and CDD testing.

The NCCoE provides standards-based prototypes (e.g., NIST SP 800-63-4 and ISO/IEC 18013-5/-7 mDL) that validate real-world feasibility and assurance equivalence.

Collaboration ensures technical soundness, interagency alignment, and rapid deployment of privacy-preserving digital-identity frameworks.

7. Direct FinCEN to engage proactively with industry on the adoption of advanced technologies that enhance AML compliance, investigations, and privacy protection.

Treasury should issue formal direction or guidance requiring FinCEN to establish an ongoing public-private technical working group with industry, academia, states, and standards bodies to pilot and evaluate advanced compliance technologies.

Continuous engagement with the private sector ensures that FinCEN’s rules keep pace with innovation and that compliance tools remain effective, privacy-preserving, and economically efficient.

This collaboration would strengthen AML/CFT investigations, reduce false positives, and alleviate the compliance burden on financial institutions while upholding privacy and data-protection standards.

The Path Forward

Time and again, regulatory compliance challenges have sparked the next generation of financial infrastructure. EMV chips transformed fraud detection; tokenization improved payment security; now, verifiable identity can redefine AML/CFT compliance.

By replacing static data collection with cryptographic proofs of compliance, regulators gain better visibility, institutions reduce cost, and individuals retain control over their personal information. The transformation is not solely technological—it’s institutional: from data collection to trust verification.

SpruceID’s aim is to build open digital identity frameworks that empower trust—not just between users and apps, but between citizens and institutions. Our experience powering government-issued credentials demonstrates that strong identity assurance and privacy can coexist. In our response to the Treasury, we’ve shown how those same principles can reshape AML/CFT for the digital age. But the work is far from finished.

Over the coming months, SpruceID will release additional thought pieces on how public agencies and private institutions can collaborate to advance trustworthy digital identity, from privacy-preserving regulatory reporting to unified standards for trustworthy digital identity.

We invite policymakers, regulators, technologists, and financial leaders to join us in dialogue and in action. Together, we can build a compliance framework that is lawful, auditable, and worthy of public trust.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.