How to implement KYC using data tokenization

Know Your Customer (KYC) solution providers, like Alloy, help financial services and institutions verify a user’s identity by checking their Personally Identifiable Information (PII) across a number of sources. These solutions have helped protect individuals and the global financial system without sacrificing user experience for about two decades. 

Fast forward to today. While these services retain their importance to organizations, their implementation has changed. This blog explores the long-term challenges developers face in securing the PII needed for KYC and how veteran fintech leaders use data tokenization platforms to address them. You can access the code used in the walkthrough on our GitHub. 

What are Common Data Challenges in KYC Implementations?

In a KYC implementation, the most common data pain points relate to data collection and analysis. Specifically, collecting the PII data necessary to conduct KYC comes with risk and constraints to the organization.

Storing PII data introduces risk

Would-be attackers value Social Security Numbers and other PII information even more than you. So, when you store PII, you increase the cybersecurity threat to your organization. 

Storing PII data introduces Costs and Delays

Over 140 countries now have data residency laws prescribing how PII must be handled. Each year, new and emerging requirements, which can vary significantly from region to region or industry, create new costs and delays for organizations.  Creating and maintaining a secure and compliant environment for PII requires resources, governance, and development efforts that distracts organizations from delivering value to their customers.

Using a single-KYC provider limits options

Whether pricing, regional regulations, or uptime, each KYC tool has strengths and weaknesses. You can’t predict the future, but having only one provider may make quickly optimizing costs, accommodating new regulatory requirements, and maintaining operations difficult. 

How does data tokenization help KYC implementations? 

Tokenization, which transforms a raw value into an undecipherable token, reduces an applications' compliance scope and provides some optionality for using sensitive data. For most, however, an in-house solution rarely finds funding, nor does it address all of the challenges posed by PII and other sensitive data types. 

Fintech veterans have instead turned to data tokenization platforms, like Basis Theory. These solutions offer PCI Level 1 and SOC 2 certified environments to store and encrypt raw values outside a developer’s existing systems. Customers then use modern developer tools and services to manage, process, and share their encrypted data or its corresponding token. From searching to performing machine learning, a developer can do almost anything with their to their encrypted data in our system that they could with a plaintext held in their system, but without exposing without the exposing themselves to compliance scope. 

How to protect PII data while running your KYC checks

Let’s look at how you might conduct KYC using Basis Theory’s data tokenization step by step guide.

In the following example, we will use the data collected by Basis Theory within your application to trigger KYC checks without needing to have the actual values touch any of your infrastructure. For this sample application, we’ll use Next.js, but Basis Theory also has .NET, Python, and Go SDKs available in our dev docs [with more coming soon]! 

Here is what we will do:

1. Collect and tokenize PII with Basis Theory Elements
2. Call Alloy to verify the identity via Basis Theory’s Proxy
3. Take action on the response

1. Collect and tokenize PII with Basis Theory Elements

Protecting PII data starts when end users provide your applications with their PII. To capture this data seamlessly within your application, we created Elements. Elements are highly configurable and stylized controls that emulate HTML’s input fields (including events and CSS styling). 

Elements do two things: 1) they natively collect the sensitive data within your application and 2) handle all the interactions needed to tokenize that data. 

In this example, our Next.js application never touches the data: Elements handle all of the interactions, ultimately returning token identifiers to store in your database rather than raw sensitive values. As a result, your customer’s PII never touches your application, keeping their data safe and your application secure and compliant.

NOTE: With Basis Theory, you’re never locked into our services. Learn how to migrate your data out of our platform.

Using Elements, we can define custom, secure input fields for each piece of data we need to collect. Let’s take a look at how we could capture a user’s first and last name securely:

<div className={styles.fieldColumns}>
  <div className="field-wrapper">
    <span className="field-title">
      First Name
    </span>
    <div className="row-input">
      <TextElement id="first_name" placeholder="First name" />
    </div>
  </div>

  <div className="field-wrapper">
    <span className="field-title">
      Last Name
    </span>
    <div className="row-input">
      <TextElement id="last_name" placeholder="Last name" />
    </div>
  </div>
</div>

Using Elements is as simple as applying your styles and using the `TextElement` component. Elements will securely collect the data behind the scenes and only return the token to your application. Elements also support masking, validation, and more! You can view the full implementation of this form, which collects the user's address, social security number, and more, on our GitHub.‍

2. Call Alloy to verify the identity via Basis Theory’s Proxy

After we’ve safely collected and protected our data with Elements, our backend must now forward the needed PII data to our KYC partner, Alloy. To accomplish this, we’ll use the Basis Theory Proxy. The Proxy service securely relays raw or tokenized values between any third-party endpoint.

After accepting a JSON body and swapping out the token identifiers for the plaintext values, Proxy will forward the request to Alloy. 

After receiving the response from Alloy, we will tokenize the response and associate it with our Social Security Number token allowing us to keep that data safe. Once tokenized, the platform saves the all token identifiers to our PCI Level 1 database - just in case we need to use the plaintext data in the future! (This example makes use of Basis Theory’s powerful Expressions syntax!)

import axios from "axios";

export default async (req, res) => {
    if (req.method !== 'POST') {
        res.status(404).json({message: 'Endpoint not found'});

        return;
    }

    const { userToken, ssnToken } = req.body;

    try {
      const { data } = await axios
        .post(
            "https://api.basistheory.com/proxy",
            {
                name_first: ``,
                name_last: ``,
                email_address: ``,
                phone_number: ``,
                document_ssn: ``,
                address_line_1: ``,
                address_city: ``,
                address_state: ``,
                address_postal_code: ``,
            },
            {
                headers: {
                    "BT-PROXY-URL": 'https://sandbox.alloy.co/v1/evaluations',
                    "BT-API-KEY": process.env.BASIS_THEORY_SERVER_APPLICATION,
                    "alloy-sandbox": 'true',
                    "Content-Type": 'application/json',
                    Authorization: `Basic ${process.env.ALLOY_API_KEY}`,
                },
            }
        )
        res.status(200).json(data.summary);
    } catch (err) {
        console.error(err);
    }
}

Take action on the response

Once you have a response from Alloy approving your user’s verification, you can allow their access to your embedded finance app, dApp, or whatever awesome service you’re providing! You can then reuse the Basis Theory tokens for other everyday operations, from sending emails to supporting customer calls.

🎉 Just like that, you’ve satisfied your KYC requirements, protected your customer's personal information, and confirmed the results from your KYC checks—all without dealing with encryption keys or cryptography knowledge.

What else can you do with tokenized data?

In this example, we used the Proxy to route your customer’s data without touching your systems and infrastructure. What if you needed to process the data before sending it to another system? 

Reactors allow developers to run serverless functions within the Basis Theory platform. Granted temporary access to the underlying sensitive data, Reactors enable a myriad of use-cases from Sensitive Document Generation (such as 1099 tax forms) to data manipulation, machine learning to pre-authenticating third-party applications, and more. If you can code it, you can deploy it using Reactors!

Final thoughts on KYC Implementation Best Practices

Securing PII generates many risks and constraints for organizations performing KYC. Experienced fintech engineers use data tokenization platforms, like Basis Theory, to abstract these challenges. We showed how Elements seamlessly captures and stores sensitive data in our PCI Level 1 compliant environment and issues back a token to your systems. With the Proxy or Reactors, tokens provide a powerful tool to enable, share, or process any workflow.

Want to try it for yourself? Create a free account and spin up your PCI Level 1 and SOC 2 certified environment in less than a minute—without adding a credit card.