SpruceID at the SEC Roundtable: Advancing Privacy-First Digital Identity

This week, SpruceID Founder and CEO Wayne Chang participated in the U.S. Securities and Exchange Commission’s Roundtable on Financial Surveillance and Privacy, sharing perspectives on the role of digital identity in modern financial systems. The event brought together privacy researchers, federal regulators, blockchain developers, and industry leaders to discuss how digital identity can meet compliance requirements while protecting civil liberties. Here's what we shared and why it matters.

Why This Roundtable Matters

The SEC's Crypto Task Force, led by Commissioner Hester Peirce, is working to define how digital assets can operate within a regulatory framework that protects both national security and individual privacy. As Commissioner Peirce noted, new technologies offer an opportunity to recalibrate financial surveillance measures in ways that honor both objectives.

For SpruceID, this discussion is central to our mission. We build digital identity systems that give people control over their personal data while helping institutions meet their compliance obligations. The session provided a forum to demonstrate how these goals align rather than conflict. 

During the roundtable, Wayne presented on how privacy-preserving, cryptographically verifiable digital identity can reduce fraud and strengthen compliance without expanding financial surveillance. Below, we outline the key themes from Wayne’s remarks and why they matter for the future of financial regulation, privacy, and digital identity.

The Problem We're Solving

Today's identity verification methods were designed for a paper-based, in-person world. When you open a bank account or access a financial service online, you're often asked to upload a photo of your driver's license or passport. But physical ID cards were designed for in-person inspection with features like holograms and card texture that cannot be verified through a webcam image. Increasingly, AI can generate convincing fake documents that can bypass these online identity verification checks.

Adding to the problem, these images often end up stored in centralized databases that become prime targets for attackers. Once breached, the data enables synthetic identity fraud that can destroy credit and block access to essential services. The OPM hack demonstrated this risk at scale, where millions of federal employees had their sensitive information exposed because it was all stored in one place.

This isn’t just a security problem. Over-collection of personal data creates opportunities for discrimination and surveillance that conflict with American values.

SpruceID's Approach: User-Controlled Digital Identity

To address these risks while supporting compliance, SpruceID works within a growing ecosystem of privacy-preserving digital identity technologies that place individuals in control of their data. This approach reduces fraud, protects privacy, and supports regulatory compliance. The core principles are straightforward: individuals control their identity and data across digital interactions, platforms request permission to access data on user terms, and users bring their own credentials to each interaction through digital wallets they control. A fundamental aspect of this model is minimal disclosure: institutions receive only the specific, verified attributes required for a transaction, nothing more, reducing privacy risk while still meeting compliance needs.

This approach uses cryptographic verification rather than static images. Data transmitted through verifiable digital credentials are digitally signed and cannot be forged by AI. Institutions receive digitally signed proof that they can rely on, without maintaining vulnerable databases of sensitive documents.

Examples In Practice

At the roundtable, Wayne demonstrated three example use cases that show this model working in practice:

California Mobile Driver's License

SpruceID implemented California's Mobile Driver's License as a privacy-preserving digital identity controlled by residents. With over 3 million credentials issued, the program has passed NIST and TSA testing and achieved a 4.8-star rating on consumer app stores. California Community Colleges recently announced integration with the DMV Wallet, enabling students to access benefits through a streamlined, fraud-resistant digital process. Compared to asking millions of people to upload ID images or appear in person, verifiable digital credentials reduce friction while increasing security. During the Roundtable, we demonstrated how a student can use the DMV-issued mobile driver’s license to selectively disclose verified identity attributes to a community college website for eligibility and access.

Utah's State-Endorsed Digital Identity

Utah has led on policy innovation. Governor Cox signed Senate Bill 260, establishing State-Endorsed Digital Identity (SEDI) with constitutional protections built into law. The key insight: the state doesn't issue your identity (because what the state issues, it can take away), but it can endorse your identity if you meet certain requirements. This endorsement can then satisfy compliance and verification needs across the economy. The model preserves the right to paper credentials, prohibits tracking, and aligns with ACLU recommendations. At the Roundtable, we showed the demonstration that we previously showcased at the SEDI Summit earlier this year.

This demo shows how SEDI can be used for opening a bank account, satisfying FinCEN's Customer Identification Program requirements through selective disclosure of verified fields.

Disaster Relief Distribution

The third demonstration at the Roundtable showed how privacy-preserving identity can transform disaster relief. Traditional web forms require extensive manual data entry and document uploads, which can be burdensome for families in crisis (who may have lost access to the paper documents) and vulnerable to fraud. With user-controlled digital wallets, individuals can securely share credentials such as driver's licenses, W-2s, and birth certificates in a single interaction. Using the W3C Digital Credentials API (DC API), this information can be transmitted directly from the user’s wallet to the relief portal with explicit consent and selective disclosure. Funds can then be distributed immediately while still meeting compliance requirements.

How This Supports Regulatory Goals

Privacy-preserving digital identity can advance the core objectives of the Bank Secrecy Act by strengthening Customer Identification Program (CIP) and Customer Due Diligence (CDD) processes while reducing fraud, operational burden, and unnecessary data retention. Rather than relying on static document uploads and manual review, regulated entities can receive digitally signed identity assertions that provide high-confidence, tamper-evident evidence of required facts (such as identity, age, residency, or eligibility) consistent with FinCEN’s risk-based approach.

These cryptographically verifiable credentials offer stronger assurance than image-based workflows, which are increasingly vulnerable to synthetic fraud and AI-generated documents. Digital signatures provide provenance and integrity guarantees that cannot be forged or altered without detection, enabling institutions to rely on higher-quality documentary evidence for CIP purposes.

Selective disclosure further aligns with FinCEN’s emphasis on proportionality and risk management. Institutions collect only the specific attributes necessary to satisfy regulatory requirements, rather than full identity records. This minimizes over-collection, reduces exposure under data-breach scenarios, and lowers the compliance costs associated with storing, securing, and governing sensitive personal information—without weakening AML or sanctions controls.

Critically, these models avoid creating centralized identity databases that can become high-value targets for misuse or compromise. State-led, federated digital identity architectures distribute risk and reflect the decentralized structure of identity governance in the United States. This approach supports national security goals while preserving individual privacy and civil liberties – objectives repeatedly emphasized in Treasury and FinCEN rulemakings and requests for comment.

This direction is reinforced by ongoing federal and state activity. NIST’s National Cybersecurity Center of Excellence is conducting applied research on the use of digital identity for banking KYC, healthcare access, and public benefits delivery in collaboration with regulators and industry. At the same time, more than 17 states are piloting digital identity programs that can serve as authoritative, government-backed sources for identity verification. Together, these efforts demonstrate a credible, standards-aligned path for modernizing BSA compliance in a way that improves effectiveness while reducing systemic risk.

The Path Forward

We believe that digital identity in the U.S. should remain state-driven. Decentralization makes systems more resilient to attacks and mitigates the risks associated with a single national identity database. Federated, protocol-level approaches are far more resilient. By working together with industry, regulators, and states, we can build a financial system that Americans trust, one that supports innovation while upholding civil liberties that define our nation. 

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions. We build privacy-preserving digital identity infrastructure that empowers people and organizations to control their data. Governments, financial institutions, and enterprises use SpruceID’s technology to issue, verify, and manage digital credentials based on open standards.