30/01/2026
Shape Shifters S.A.S.
From Case Files to a Verifiable Record of Compliance
How verifiable credentials unlock preventive supervision and real KYC/AML economies of scale
Most financial institutions still organize KYC/AML around isolated events (onboarding, periodic reviews, alerts), each creating a separate file of evidence and decisions. Even with digital onboarding and screening tools, compliance history remains fragmented, hard to audit, and nearly impossible to reuse at scale.
This paper proposes a shift: treat compliance not as disconnected events, but as a compliance record represented by a verifiable credential, a Compliance Passport that institutions can issue, verify, and update over time. This model keeps the record cryptographically verifiable, versionable, and revocable, without turning into a centralized warehouse of raw documents.
The core claim: as long as compliance is trapped in case files, open banking remains partial and KYC/AML economies of scale stay capped. Verifiable compliance records provide a shared language for institutions and supervisors to reason about compliance status and risk with far higher precision and continuity.
Compliance as “case” is the true bottleneck
Today, each relevant interaction becomes a new case in a system. Evidence is spread across databases, emails, spreadsheets, and screening tools, and decisions are logged inconsistently across workflows. Every onboarding, review, or alert forces rework, even for long-standing low-risk clients. APIs may expose balances and transactions, but there’s no responsible standard to query a customer’s compliance status across systems, so Open Banking hits a wall. Regulators mostly see summaries and periodic reports and pull files on demand, but they can’t observe compliance quality and risk evolution continuously.
A Compliance Passport as a continuous, auditable record
The Compliance Passport is a unified record that persists through time and accumulates compliance history, outcomes, and updates. The record must be structured, verifiable, traceable, and referenceable by other systems without revalidating everything from scratch.
From internal compliance to trust infrastructure
Once compliance becomes a structured, verifiable record, it stops being “a better folder” and starts acting like trust infrastructure at multiple levels.
For regulated institutions
Past compliance work becomes a reusable asset: multiple business lines operate on the same compliance identity; every onboarding, review, and alert updates the same record; and teams get faster answers to “what do we actually know, under what criteria?” and “what changed since last review?”.
A Compliance Passport can reduce duplication in correspondent banking, remittances, or fintech and bank relationships, without anyone “blindly trusting” another party’s work. The idea is to standardize compliance state so it can be read and complemented in a structured way, given clear rules for what is recognized vs. revalidated.
Marginal cost of keeping a customer “alive” drops as the passport matures, enabling real KYC/AML economies of scale.
Fewer redundant requests, faster additional products, less painful periodic reviews, better customer experience.
Demonstrate what was done, when, and under what criteria, using structured evidence, for stronger supervisory posture.
For supervisors and open banking schemes
For supervisors and governance entities (central banks, superintendencies, payment schemes, DPI operators), verifiable compliance records allow:
Richer “source of truth” than compiled reports.
Ability to observe compliance quality evolution via patterns across passport states.
More preventive, data-structured approaches, instead of primarily ex-post supervision.
Identify systemic risks when compliance status degrades across multiple entities.
Minimum standards for representing compliance information without forcing a single platform.
Add compliance identity as a complementary layer to civil identity, transactional identity, and payment infrastructure, enabling inclusion without lowering compliance standards, through portability and governance.

Interoperability with operating guardrails
This model should encode responsibility boundaries and explicit guardrails:
Raw documents stay with the institution performing due diligence. The verifiable record exposes signed statements and references to evidence, not necessarily full documents, reducing the risk of creating new centralized hoards of sensitive data.
Inter-institution use should follow clear internal policies. It requires explicit customer consent, specific legal bases, and clear purpose/limitations.
The model doesn’t remove the primary responsibility of the institution making the decision. Issuers remain responsible for the quality of what they issue, relying parties remain responsible for their own evaluation and decisions, and recognition must operate under a defined framework.
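An added illustration of the first guardrail and of the “verifiable, versionable, and revocable” property (not code from this paper or from any credential standard): each passport version carries only SHA-256 digests of evidence, links to its predecessor, and is authenticated by the issuer. Field names, status strings and the key are hypothetical, and HMAC stands in for the issuer's public-key signature so the example runs on the Python standard library alone.

```python
import hashlib, hmac, json

ISSUER_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a public-key signature

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # Deterministic serialization so issuer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(body, key):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def issue_version(prev, status, evidence_docs, key=ISSUER_KEY):
    """Issue the next version; raw documents stay with the issuer, only digests go in."""
    body = {
        "version": prev["body"]["version"] + 1 if prev else 1,
        "prev": digest(canonical(prev)) if prev else None,
        "status": status,  # hypothetical status vocabulary
        "evidence": sorted(digest(d) for d in evidence_docs),
    }
    return {"body": body, "sig": sign(body, key)}

def verify_chain(versions, revoked=frozenset(), key=ISSUER_KEY):
    """Check every version (oldest first): signature, link to predecessor, revocation."""
    prev = None
    for v in versions:
        n = v["body"]["version"]
        if not hmac.compare_digest(sign(v["body"], key), v["sig"]):
            return False, f"bad signature on version {n}"
        if v["body"]["prev"] != (digest(canonical(prev)) if prev else None):
            return False, f"broken link at version {n}"
        prev = v
    if prev is None:
        return False, "empty record"
    if digest(canonical(prev)) in revoked:
        return False, "latest version revoked"
    return True, "ok"

def evidence_matches(version, disclosed_doc: bytes) -> bool:
    """A relying party checks a document disclosed on request against the signed digest."""
    return digest(disclosed_doc) in version["body"]["evidence"]

# Constructed sample evidence and a two-version history.
KYC_DOC = b"constructed sample: onboarding identity check"
REVIEW_DOC = b"constructed sample: periodic review memo"
V1 = issue_version(None, "verified-low-risk", [KYC_DOC])
V2 = issue_version(V1, "verified-low-risk", [KYC_DOC, REVIEW_DOC])
```

With a shared HMAC key the relying party could also forge records, which is why a deployed credential needs an asymmetric signature; the chain, digest and revocation checks are unchanged by that swap.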
Shifting from case files to trust infrastructure
Moving from case files to a verifiable record is not just a technical change; it’s a mindset shift from fragmented folders to a living, auditable compliance record. That shift unlocks better institutional processes, better supervision, and greater access and trust for people and businesses at the edge of the system.
If compliance stays trapped in files, open banking stays partial and KYC/AML scale benefits stay limited. Compliance Passports provide the common language for coordinated, efficient, evidence-based trust across ecosystems.