There is more to the metaverse than meets the eye. While most of us are familiar with the metaverse as envisioned by Meta, enabling rich online experiences through the use of AR/VR technologies, there are significant opportunities that this ecosystem presents for the future of fintech and digital wallets.
Digital wallets involve the exchange of identities leveraging decentralized finance (DeFi) protocols. DeFi is huge for fintech in the metaverse, with a market cap approaching $100 billion.
From MetaPay by Meta to VisaDirect by Visa, as well as the recently launched PayPal USD stablecoin, there is a rapidly evolving fintech ecosystem tied to the metaverse and digital wallets. Digital wallets already account for almost half of e-commerce transaction value, estimated to be around $2.5 trillion. In terms of adoption, 18-24 year olds view the digital wallet on their phone as their preferred way to pay and more than half would rather just carry their phone in place of a wallet or purse.
Experts believe that “the metaverse has the potential to be much more interoperable and portable than many online experiences available today.” And the goal for fintechs is to “provide a single wallet experience for people" so that they can access the benefits of interoperability in the metaverse.
But digital wallets cannot hit the mainstream until the privacy and security issues it presents are addressed. The use of digital wallets poses security and privacy risks that allow attackers to exploit identities and steal funds. Further, the use of DeFi protocols creates a conflict between privacy protection and identity verification (such as KYC/AML requirements). This post talks about these issues and their potential mitigations, and how DeFi platforms can incorporate privacy-enhancing technologies to protect user privacy in metaverse while still adhering to regulation.
DeFi: Principles and Risks
What is DeFi?
- DeFi refers to Decentralized Finance applications built using smart contracts.
- Smart contracts are pieces of code (set of conditions) executed on a blockchain to enable programmatic execution of peer-to-peer transactions of value.
What are DeFi Principles?
- The core principle of DeFi is that the network of transactions on a DeFi platform are visible in real time, but each user transacts under a pseudonym.
- DeFi removes the middlemen from transactions, allowing any individual to exchange with any other individual anywhere in the world.
What are the Risks of DeFi?
- Financial crimes: Networks become vulnerable to malicious actors ranging from attackers who short currency to terrorist groups that use it for crowdfunding.
- Security hacks: Trackers used on DeFi sites record Ethereum addresses, while some trivially link users’ addresses with scripts written by phishers.
DeFi Security Hack: Example
DeFi users manage their funds in software wallets that function as browser extensions, which store each user’s private key (E.g. MetaMask. )
The risk is in the protocol website – which may embed scripts that interact with the wallet API to facilitate phishing attacks.
- Once a user connects their wallet to the website, they can interact with the Ethereum provider API.
- Anyone accessing the chat widget’s infrastructure can phish out the user or directly initiate a transaction with the wallet.
Data Privacy Issues in DeFi
In a typical financial transaction between a bank and a service provider, the privacy of a user's data is established by the role of the parties (such as bank acting as the controller and service provider acting as the processor), and each is required to fulfil their obligations under applicable data privacy laws.
In a DeFi scenario, however, there is added complexity due to the multitude of players (fintechs, banks, payment networks, gaming platforms), potential user pseudonymity, and lack of designated roles and responsibilities to enforce the privacy laws.
Some of the key privacy considerations in this regard include the following:
- Who is responsible for privacy compliance and to what extent?
- How can data be kept private/safe while also adhering to regulation?
- How can notice/consent mechanism be implemented?
- How can individuals enforce their access/deletion rights?
- How can the financial entity have proper visibility into all third parties?
Privacy vs. AML/KYC in DeFi
Regulators around the world have Anti-Money Laundering (AML) and Know Your Customer (KYC) laws that often require processing/analysis of large volumes of personal information to fight financial crimes, such as money laundering and terrorist financing. However, pseudonymity and the lack of centralization in DeFi makes it difficult to collect this information and comply with these laws.
At first glance, Data Privacy and AML/KYC laws appear to have conflicting goals:
- Privacy laws limit how, when and why personal information can be used/allow individuals to remain private
- AML/KYC laws require the disclosure of sensitive personal information of users engaged in financial transactions.
There is however the good, the bad and the ugly side of this conflict:
- Good: Almost all privacy laws take the overlap with AML laws into account. For e.g., Art. 6 (1) lit. c and Art. 17 (3) lit. b of GDPR clarify that the legal obligations under AML laws take precedence over privacy rights.
- Bad: The scope of the AML obligations, however, may not always be clear, or KYC data may not be kept up-to-date or it may be difficult to communicate with customers why you must retain their data.
- Ugly: The multitude of parties in the fintech universe have varying obligations and risk appetites, the responsibilities (for e.g. who is the controller or the processor) are not clearly defined.
Regulated DeFi and Privacy: Potential Solutions
There are a few approaches being developed to provide secure and privacy-preserving user identification — enabling DeFi platforms to continue to innovate while still complying with applicable regulations.
- Privacy-preserving blockchain transactions: Approaches are being developed to incorporate privacy-enhancing technologies in DeFi, such as asymmetric encryption, zero-knowledge proof, and homomorphic encryption
- KYC without centralization: Approaches are also being developed to incorporate decentralized identity solutions to verify the identity of users while still maintaining decentralization.
Specific examples of this are the following:
- Panther protocol – dubbed ‘zero-knowledge succinct non-interactive augment of knowledge’, or zSNARK
- Zero-knowledge proof service provider (ZKPSP)
- A privacy-enhancing patch for the wallet extension that anonymized the user's identity to make it harder to track across sites to prevent possible scams and exploits, such as the security hack discussed above.
The metaverse presents significant opportunities for fintech but they cannot be fully realized until the privacy and security issues presented by digital wallets and DeFi protocol are addressed. Due to the multitude of players in DeFi (fintechs, banks, payment networks, gaming platforms), there is a lack of designated roles and responsibilities to enforce the privacy laws. Further, pseudonymity and the lack of centralization in DeFi makes it difficult to comply with AML/KYC laws. There are technical approaches being developed to address these challenges and enable DeFi platforms to continue to innovate while adhering to regulations.
Connect with us
If you would like to reach out for guidance or provide other input, please do not hesitate to contact us.