On-chain KYC without a database: how SSI changes RWA compliance
Why self-sovereign identity is a better foundation for KYC, eligibility checks, and investor protections in institutional RWA yield protocols.
Most RWA protocols talk about “KYC’ed investors” and “whitelisted wallets”. In practice, that usually means one thing: somewhere, there is a centralized database that maps wallet addresses to identity records, and the protocol relies on that opaque list to decide who gets in. It works until you need real transparency, cross-border compliance, or to prove to an auditor how a specific investor was allowed into a specific tranche.
Self-sovereign identity (SSI) offers a different path. Instead of a central database deciding who you are, users and institutions carry verifiable credentials issued by trusted parties. These credentials can prove facts about identity, KYC status, jurisdiction, and risk profile without exposing underlying personal data to every protocol they touch. For institutional RWA yield, that is not a nice-to-have – it is the only way to scale.
Why “on-chain KYC” is a misleading phrase
People often say “on-chain KYC” as if the goal were to store identity information directly on a blockchain. That is almost always a bad idea. Identity data is sensitive, changes over time, and is subject to local regulations that do not map cleanly onto immutable public ledgers.
What RWA protocols actually need is on-chain enforcement of off-chain proofs. The KYC process still happens off-chain, with regulated providers and existing frameworks. The difference is that the outcome of that process is turned into a verifiable credential that the user controls. When the user interacts with an RWA vault, they present a proof derived from that credential. The smart contract does not see the original documents; it sees only whether the proof satisfies its policy.
Verifiable credentials as the missing link
A verifiable credential can encode claims like “this wallet belongs to an investor who passed KYC with provider X”, “this investor is allowed to hold private credit in jurisdiction Y”, or “this entity is a regulated fund with a specific license type”. These credentials are signed by the issuer and held by the subject, not by the protocol.
When a user wants to access a senior RWA tranche, they generate a zero-knowledge or selective disclosure proof from their credentials. The proof answers only the questions the protocol cares about: KYC done, jurisdiction allowed, risk classification compatible with this product. The vault does not learn the user’s name, passport number, or full address – only that the required compliance checks passed according to its policy.
How STRATA uses SSI instead of whitelists
STRATA’s design replaces the classic “whitelisted addresses table” with a short-lived Authorization PDA verified on-chain. The flow looks like this:
- Off-chain, an identity layer verifies the user’s verifiable credentials against STRATA’s policies (KYC provider, jurisdiction, eligibility, risk acknowledgments).
- If the checks pass, the backend creates an Authorization PDA with a narrow scope: which wallet is allowed, which tranche it can access, how long the authorization is valid, and what specific risk acknowledgments were included.
- On-chain, the Anchor program checks for this Authorization PDA before executing any deposit, redemption, or allocation into sensitive tranches.
No Authorization PDA, no transaction – even if the frontend UI tries to direct the user there. No centralized whitelist, no static database to sync across regions, and no need to hardcode KYC logic directly into the vault program.
Protecting investors without turning into a black box
From the investor’s perspective, SSI keeps the experience closer to Web3 while still satisfying institutional requirements. They do KYC once with a trusted provider, receive credentials, and can reuse those proofs across multiple protocols that trust the same issuers. They do not need to send the same PDFs to every new RWA platform, and they do not have to trust each platform with their full identity data.
From the protocol’s perspective, using SSI for “on-chain KYC” means the compliance logic is explicit and auditable. An auditor can inspect the policies: which issuers are trusted, what claims are required, how authorizations map to specific transactions. They can verify that every investor who entered a senior tranche did so under the documented rules, without needing access to private underlying documents.
Why this matters for institutional RWA yield
Institutional allocators are used to workflows where identity, suitability, and eligibility are first-class citizens. They expect to know that only appropriate investors can enter specific risk buckets and that those rules cannot be bypassed by UI tricks or API calls. At the same time, they are increasingly wary of centralizing identity data in yet another proprietary platform.
By basing “on-chain KYC” on SSI and verifiable credentials, STRATA aligns with both sides of that reality. Compliance checks remain anchored in regulated identity providers and real-world frameworks. Enforcement happens on-chain, consistently, through Authorization PDAs and smart contracts that cannot be socially overridden.
For RWA vaults that want to be more than a DeFi experiment, this is the difference between a marketing claim and a credible infrastructure layer. On STRATA, identity is not an afterthought. It is encoded as part of the protocol’s core machinery – without ever turning the blockchain into an identity database.
If you need help hardening the off-chain side of your crypto project (wallets, backend, domains, or incident response), you can request a security-focused engagement through the Services page or reach out directly via the Contact terminal.