Compliance overview
As the identity layer of web3, idOS is designed to enable users to confidently manage and share their identity information in a decentralized environment while assisting key stakeholders to adhere to applicable regulatory frameworks. idOS aims to incorporate multiple regulatory considerations into its architecture, ensuring that profile creation, credential issuance, and data-sharing mechanisms are aligned with global standards. Compliance with key data protection frameworks is embedded in idOS’ design, allowing users to maintain control over their data while ensuring lawful processing. Similarly, key financial regulations are taken into account to support financial institutions in meeting their obligations.
By providing secure, self-encrypted, and transparent mechanisms for data storage and access, idOS bridges the gap between regulatory compliance and the decentralized ethos of web3. The remainder of this section explores selected regulatory frameworks in more detail, while the subsection idOS & Regulatory Frameworks describes how idOS implements them to support both users and organizations in navigating the regulatory landscape of decentralized self-sovereign identity management.
Data Protection Frameworks
In today's digital landscape, data protection and privacy have become paramount, leading to the establishment of various regulatory frameworks worldwide. These regulations aim to safeguard individuals' personal information and ensure that organizations handle data responsibly. Among the most prominent are the EU GDPR, the United States' CCPA, the United Kingdom's UK GDPR, and the Brazilian Lei Geral de Proteção de Dados ("LGPD").
EU GDPR: Enacted in 2018, the GDPR is a comprehensive regulation that applies across EU member states. It mandates strict guidelines for collecting, processing, and storing personal data and emphasizes individual rights such as access, rectification, and erasure. Organizations must have in place a valid legal basis before processing personal data and implement robust security measures to protect this information. Non-compliance can result in substantial fines.
CCPA: Effective from 2020, the CCPA grants California residents rights over their personal information held by businesses. These rights include knowing what data is collected, the purpose of collection, and the ability to request deletion. The CCPA takes a slightly less prescriptive approach than the GDPR, leaving certain aspects more open to interpretation.
UK GDPR: Following Brexit, the UK adopted its own version of the GDPR, known as the UK GDPR. The key principles, rights, and obligations remain on par with the EU GDPR. However, there are implications for the rules on transfers of personal data between the UK and the European Economic Area (EEA). The UK GDPR also applies to controllers and processors based outside the UK if their processing activities, for example, relate to offering goods or services to individuals in the UK or to monitoring the behavior of individuals taking place in the UK.
LGPD: Brazil's LGPD, implemented in 2020, closely mirrors the GDPR in its structure and principles. It applies to any organization that processes the personal data of Brazilian individuals, regardless of where the organization is based. The LGPD grants individuals rights over their data, including confirmation of processing, access, correction, and deletion.
Data Protection Laws in the Asia-Pacific (APAC) Region: The APAC region has seen a growing focus on data privacy, with countries implementing diverse legal frameworks to regulate personal data processing. For example, Japan’s Act on the Protection of Personal Information ("APPI") was significantly amended in 2020 to align more closely with the EU GDPR. Singapore’s Personal Data Protection Act ("PDPA"), one of the most developed privacy laws in APAC, requires organizations, for example, to obtain consent for data collection and to implement security measures to protect personal information. India’s Digital Personal Data Protection Act ("DPDPA") also introduces principles similar to those of the EU GDPR, such as data minimization and individual rights, while including unique provisions, such as government exemptions.
While these regulations share common goals of protecting personal data and granting individuals control over their information, they also present differences, whether in scope, definitions, or specific requirements. Organizations operating across multiple jurisdictions usually navigate these differences carefully to ensure compliance. Understanding the nuances of each law is a crucial step in implementing effective data protection strategies and maintaining trust with users globally.
Anti-Money Laundering Frameworks
Anti-Money Laundering (AML) frameworks are an essential piece in the global effort to prevent illicit financial activities, including money laundering and terrorist financing. These frameworks establish guidelines and regulations that financial institutions and other obligated entities must follow to detect, prevent, and report suspicious activities. Key AML frameworks include:
Financial Action Task Force (FATF): The FATF has established 40 Recommendations that serve as the international standard for AML and CFT efforts. These recommendations provide a comprehensive framework for countries to implement effective systems to combat financial crimes. They cover various aspects, including the implementation of a risk-based approach, customer due diligence, record keeping, and reporting of suspicious transactions.
European Union AML Framework: The EU has been proactive in strengthening its AML regulations. In July 2021, the European Commission proposed a comprehensive legislative package to enhance the EU's AML/CFT framework. A significant component of this package is the proposed creation of a new EU AML Authority (AMLA), which aims to improve the consistency and effectiveness of AML/CFT supervision across member states. The AMLA is expected to be fully functional by 2026. By 2027, the AMLA will issue guidelines to further refine AML practices within the EU. The EU's AMLD6 also enhanced the existing AML framework by expanding the list of predicate offenses, clarifying the liability of legal entities, and increasing cooperation between member states. It emphasizes the importance of robust customer due diligence and the reporting of suspicious transactions.
USA: In the United States, financial institutions must comply with stringent AML regulations, primarily governed by the Bank Secrecy Act (BSA), the USA PATRIOT Act, and the Anti-Money Laundering Act of 2020 (AMLA). The BSA, enforced by the Financial Crimes Enforcement Network (FinCEN), requires financial institutions to maintain detailed records of clients' identities and transactions and to submit various reports that help detect illicit activities. The USA PATRIOT Act strengthens AML measures by expanding due diligence requirements, enhancing information sharing, and broadening the definition of financial institutions. Meanwhile, the AMLA of 2020 introduces key reforms, including the creation of a beneficial ownership database, harsher penalties for money laundering, enhanced whistleblower protections, and more streamlined processes for filing suspicious activity reports, ultimately expanding regulatory oversight.
UK: The UK's AML/CFT framework is primarily governed by the Money Laundering, Terrorist Financing and Transfer of Funds Act 2017, the Proceeds of Crime Act 2002, and the Terrorism Act 2000, aligning with FATF guidance. Financial institutions must, for example, conduct risk-based customer due diligence (CDD), establish ultimate beneficial ownership, screen against politically exposed person (PEP) and sanctions lists, and perform adverse media checks.
These regulations are typically enforced by financial regulators and government agencies, making them a crucial part of the broader financial regulatory frameworks.
Other Key Regulatory Frameworks
In the evolving landscape of digital finance and web3, regulatory frameworks are being established globally to ensure the integrity and security of such markets. Certain jurisdictions have begun enforcing regulations tailored to web3 technologies, while others have provided guidance or are still in the process of formulating regulatory frameworks.
Within the EU, the legislative framework not only covers a range of areas posing new risks relating to money laundering and terrorist financing, including virtual assets and crowdfunding, but also complements other regulations such as the Markets in Crypto-Assets Regulation ("MiCA").
MiCA establishes a regulatory foundation to address key risks in crypto-asset markets by implementing measures that enhance transparency, market integrity, security, and financial crime prevention. To protect consumers, MiCA requires that prospective customers and holders of crypto-assets receive comprehensive and accurate information regarding their characteristics, functionality, and associated risks. Market integrity is reinforced through operational, organizational, and financial stability requirements imposed on crypto-asset issuers and service providers to reduce the risk of fraud and misconduct. It also contains provisions to combat market manipulation and insider trading, and it integrates crypto-asset service providers into the broader AML/CFT regulatory framework, ensuring that these entities adhere to strict compliance standards to prevent illicit financial activities.
Included in the EU's legislative package to enhance the EU's AML/CFT framework is the Transfer of Funds Regulation ("TFR"). It extends the information requirements that apply to wire transfers to crypto-asset transfers, with the necessary adjustments, in line with the FATF's recommendations on virtual assets, in particular Recommendation 16, commonly referred to as the "Travel Rule". The TFR also updates AMLD5, broadening its scope to cover all crypto-asset service providers under MiCA and categorizing them as financial institutions for AML compliance.
Many other jurisdictions have also implemented the Travel Rule, such as the UK, USA, Switzerland, and Singapore, while others are in the process of implementation or with discussions in progress (e.g. Brazil, Argentina, Turkey, Australia, and Mexico).