What Is Digital Identity in Web3? Sumsub on Reusable Identity, Ownership, and Compliance Risks

January 29, 2026 · 12 min read
What Is Reusable Digital Identity? Ownership & Self-Sovereign ID

Reusable digital identity is increasingly discussed as a foundation for Web3 onboarding and compliance. As concepts like self-sovereign identity and digital identity ownership move from theory into infrastructure, new questions arise around control, responsibility, sanctions screening, and account takeover prevention.

In this interview with CoinsPaid Media, Sumsub’s Chief Growth Officer, Ilya Brovin, explains how reusable digital identity works, where its real risks lie, and why identity in Web3 must balance user control with regulatory accountability.

Who Controls Reusable Digital Identity Ownership in Web3

If reusable digital identity becomes the default, do we risk platform dependence by replacing banks with identity providers?

If reusable identity becomes the default, the real risk is not “banks vs. identity providers” but whether we recreate closed silos that control both credentials and rules without transparency. Identity providers, unlike banks, don’t have any other purpose for holding the data other than allowing their users to reuse it. In the Web3 model, most service providers don’t own the data in the same way banks do, so using identity providers as a neutral infrastructure layer gives much more control to the user.

If you remember, to allow users access to their data held by banks, most countries had to implement open banking laws, whereas in Web3, data ownership and control by the users is created by default.

What is the right definition of digital identity ownership: private keys, control over attestations, or legal data rights?

In the Web3 space, “ownership” cannot be reduced to who holds the keys; it has three dimensions: custody, control, and accountability. Custody is about holding private keys or a wallet that anchors on-chain attestations, which should clearly sit with the user in self-hosted or user-centric models. Control is about when and how attributes are shared — age, country, proof of humanity — which must be governed by revocable consent and granular disclosure, not blanket data exports. Accountability is about who stands behind the verification — who runs the KYC, under which regulation, and who keeps the audit trail — because regulators do not accept anonymous attestations as a substitute for a regulated AML process.

Hence, a meaningful definition of digital identity ownership is: the user controls distribution and reuse of verified data, while regulated verifiers retain responsibility for how that data was established in the first place. But it should be noted that identity providers hold the data for the user directly and have no other purpose than enabling reusability by default.

Who should not be allowed to issue or revoke reusable digital identity credentials, even under regulatory pressure?

No single actor should have unilateral power to issue or revoke a reusable credential in a way that silently rewrites someone’s compliance status across an entire ecosystem.

Even under regulatory pressure, neither a private issuer nor a state actor should be able to “flip a switch” that instantly de-banks or de-platforms a user everywhere, without a due diligence process or context-specific review.

In Web3, credential issuance and revocation should be tied to clear policies: issuers can withdraw trust in their own attestations, regulators can require re-screening or blocking at the level of specific obliged entities, but each relying platform must still run its own risk-based checks instead of inheriting a global “yes/no” flag that it cannot explain to users or auditors.

But we need to be clear that in the end, in the absence of a truly self-sovereign identity, the regulator or the government would still have powers to force any kind of a player to take certain steps, but we live in a world where legal identity still comes from the government and is not therefore self-sovereign, so we should not take this practical debate into the philosophical realm.

Risk, Failure, and Accountability in Reusable Digital Identity Systems

What is the most underestimated failure mode in reusable digital identity and self-sovereign identity systems?

The failure mode that is still underestimated is “compliance drift” inside reusable identity: credentials that technically work but are no longer aligned with current AML expectations. As sanctions lists, risk factors, and regulatory guidance change, a credential that was valid at issuance can quietly become out-of-date while still being reused across multiple platforms, creating a false sense of security for both users and businesses.

This is why Sumsub ID separates reusable documents from liveness checks: users can reuse securely stored data like verified ID cards to cut friction, but liveness checks must be refreshed at the moment of each onboarding. Sumsub ID is a reusable digital identity that lets users verify their identity once and then reuse it across over 4,000 companies that are in Sumsub’s ecosystem. By using Sumsub ID, we see a 50% reduction in onboarding time and a 30% increase in conversion rates, on average.

How should responsibility be split when a reusable digital identity causes a multi-platform lockout?

It should be noted that what reusable identity provides is increased convenience and protection from fraud, but not total reliance of all the platforms on a third party (e.g., an identity provider) to make the compliance decision for them. So, each platform has to make its own compliance decision. If there is an issue with an identity credential, this is just an input for the platform in making the decision around blocking services or requesting the user to re-verify themselves.

Putting this into the scenario of Sumsub ID, if one platform blocks a user based on its internal risk rules, that should not automatically prevent the same user from applying elsewhere in the Sumsub ecosystem: they can present the same Sumsub ID profile to another platform, which remains free to make an independent onboarding decision based on its own checks and policies.

What does a real failsafe for reusable digital identity look like in practice?

The point is that the reusable identity is still a real-world identity, so a user would still have the ability to access their account and correct any mistakes, once they have been able to prove their identity, and with all the applicable account takeover controls.

A real failsafe for reusable identity is not a magic “undo” button, but an architecture that assumes failure and makes it reversible, auditable, and contained. In practice, this means: reusable evidence rather than reusable decisions; the ability for users to revoke credentials; and enforced continuous monitoring at different touchpoints throughout the user journey so a single stale credential cannot propagate indefinitely.

Privacy, Pseudonymity, and Fragmentation in Reusable Digital Identity

Can a reusable digital identity be compatible with pseudonymity in Web3?

With on-chain attestations and zero-knowledge techniques, it is possible to anchor a wallet to a trusted off-chain profile, while only revealing specific attributes (“human and unique”, “not from a restricted jurisdiction”, “over 18”) without publishing the passport or legal name on-chain.

At Sumsub, we are leveraging Sumsub ID to create a Web3 digital representation of a user’s off-chain identity. For non-KYC use cases like proving a person’s humanity or uniqueness, Sumsub can serve as an issuer of on-chain credentials that attest to these characteristics. We are already doing this with blockchain platforms like Solana and Linea.

What is the most misunderstood privacy trade-off when users reuse digital identity across wallets and apps?

Even if no sensitive fields are leaked, repeatedly presenting the same identifier or attestation to many wallets, DeFi protocols, and dApps allows third parties to stitch together behavior and build rich profiles that go far beyond what the user intended.

However, this is the same issue that users have when conducting activity on-chain, which is publicly visible and traceable, and even though it is conducted from anonymous wallets, this information would still be pieced together.

A privacy-respecting reusable identity must therefore support context-specific, even pseudonymous, presentations — different attestations for different ecosystems, minimal attribute disclosure, and strong consent records — so that convenience does not automatically equal cross-context traceability.

How close are we to granular, user-controlled disclosure without exposing full identity data?

Technically, it is all possible, and in the use cases where there is no strict AML-level regulatory compliance, it already can work. But from an AML point of view, regulations still need to adapt to make these methods compliant.

The industry is already moving towards granular, user-controlled disclosure, but adoption is uneven. Frameworks like the EU’s eIDAS 2.0 regulation and verifiable credentials allow a user to prove “over 18 and not on sanctions lists” by combining verified attributes with live screening in the background, instead of exposing their full passport or address every time.

Sumsub’s Reusable Digital Identity product suite is built around this idea: documents and personally identifiable information are held off-chain, while the relying service receives only what is necessary for its risk profile, backed by an auditable KYC trail rather than raw document dumps.

UX, Trust, and KYC Fatigue in Digital Identity Verification

Why does KYC fatigue damage onboarding and business growth the most in regulated user journeys?

KYC fatigue is most visible where the same user journey crosses multiple regulated touchpoints and services, like wallets, on- and off-ramps, trading platforms, and each one restarts the process from zero.

At Sumsub, we process millions of identity checks weekly, and our aggregated data analysis reveals that one in three applicants has been verified previously with Sumsub, highlighting the recurring KYC issue. This repetitive process creates friction and frustration, often leading to high drop-off rates and less user interest, impacting both user experience and business conversion rates.

To address the “KYC fatigue”, Sumsub launched the Reusable Digital Identity product suite — Reusable KYC and Sumsub ID. Both solutions allow users to securely store and reuse their verified documents for multiple verifications across more than 4,000 Sumsub client platforms, and companies in the Sumsub ecosystem can also share applicants’ data upon receiving their consent.

On average, onboarding time can drop by 50%, and businesses have seen conversion rates jump 30% by removing repeated steps.

Does reusable digital identity remove onboarding friction or just move it elsewhere?

With Sumsub’s Reusable Digital Identity product suite and on-chain attestation integrations, “verify once, use anywhere” is already being piloted at scale in Sumsub’s ecosystem, from Web3 use cases to more traditional regulated platforms. The friction is not moved somewhere, but actually removed as far as the KYC procedure is concerned.

Users spend less time going through the process, and it achieves a higher success rate. But other areas of friction remain unaffected, such as the drop-off rates at the payment step.

What still needs work is not the core technology but the ecosystem around it: interoperability between different identity frameworks, common standards for how reusable credentials are expressed and trusted, and greater regulatory development, treating a high-quality, reusable verification as a valid building block for compliance rather than requiring every business to start from zero each time.

Standards, Interoperability, and the Future of Reusable Digital Identity in 2026

What does true interoperability between digital identity frameworks require legally and technically?

The various systems you mentioned are actually working very differently and addressing different problems, but they are actually able to work together. At the end of the day, there still needs to be a compliant KYC process to the level acceptable to the regulators, which is what Sumsub can provide, while still working with the mentioned technologies to give users the best experience, which is closely aligned with their expectations and values.

What policy move in 2026 could make reusable digital identity mainstream — and what could kill it?

A powerful move in 2026 would be to explicitly recognize reusable verification in AML/KYC frameworks — allowing accredited verifiers to provide standardized, reusable credentials that other institutions can rely on, within clear guardrails. This would unlock significant efficiency while preserving the principle that each obligated entity must still understand and stand behind its own risk assessment, not blindly accept anonymous on-chain claims.

The corresponding misstep would be trying to mandate a one-size-fits-all, centralized “universal KYC” that ignores risk-based differences between businesses; that would clash with existing regulations, erode trust in reusable models, and likely push innovation back into unregulated corners instead of bringing it into the supervised perimeter.

Will digital identity remain something we verify, or become a living credential over time?

Over the long term, identity will look more like a living credential that stays in sync with both the person and the regulatory environment. In practice, this means linking reusable identity to ongoing monitoring, like sanctions, PEP status, and risk signals, so that what is true enough for onboarding today can be refreshed, strengthened, or downgraded as the external environment changes, without forcing users through the same identity verification journey each time.

At Sumsub, we focus on being the bridge that connects a reliable and compliant off-chain profile with a reusable, privacy-preserving identity that can be used in Web3. The goal is to let people verify themselves once, then reuse across platforms with an identity that businesses can trust, while the users themselves have full control over it.
