PM SYSTEM DESIGN FRAMEWORK: Blockchain Identity Verification for DeFi Platforms

Overview

This framework addresses designing a blockchain-based identity verification system for DeFi platforms that must balance decentralization principles with regulatory compliance requirements (KYC/AML). Fintech/blockchain domain requiring attention to regulatory compliance, security, privacy, and transaction accuracy.

---

PHASE 1: CLARIFYING QUESTIONS (5 minutes)

Product Scope:

• Are we building infrastructure for DeFi platforms to integrate, or consumer-facing identity?
• Which compliance regimes are primary: US (FinCEN), EU (MiCA), or global?
• What DeFi activities require verification: trading, lending, staking, or all?

Technical Constraints:

• Which blockchains must we support: Ethereum, Solana, multi-chain?
• On-chain vs off-chain identity data storage preferences?
• Privacy requirements: zero-knowledge proofs, encryption standards?

Regulatory Constraints:

• Must we support selective disclosure (prove age without revealing birthdate)?
• Right to be forgotten vs blockchain immutability - how do we reconcile?

---

PHASE 2: USER NEEDS & PERSONAS (5 minutes)

Persona 1: DeFi User (Individual Retail)

• Need: Access DeFi services without sacrificing privacy
• Need: Verify identity once, use across multiple platforms
• Need: Control over what personal data is shared
• Job: “Participate in DeFi without revealing entire financial history to every platform”

Persona 2: DeFi Platform Operator

• Need: Meet regulatory compliance without losing users
• Need: Fast, reliable verification to reduce drop-off
• Job: “Verify users satisfy compliance without building identity infrastructure myself”

Persona 3: Compliance Officer / Regulator

• Need: Audit trail proving KYC/AML requirements were met
• Need: Ability to investigate suspicious activity
• Job: “Verifiable proof platforms follow regulations while respecting user privacy”

---

PHASE 3: HIGH-LEVEL ARCHITECTURE (10 minutes)

[User Mobile/Web App]
        |
        v
[Identity Verification Service] <--> [3rd Party KYC Providers]
        |                                (Jumio, Onfido, etc.)
        v
[Credential Issuance Service] -----> [Decentralized Identity Store]
        |                                (On-chain: attestations)
        |                                (Off-chain: encrypted PII)
        v
[User Wallet] <--> [DeFi Platform Smart Contracts]
        |                      |
        |                      v
        |              [Compliance Verification API]
        |                      |
        +----------------------+
                  |
                  v
         [Audit & Reporting Service]

Key Components (PM Level):

Identity Verification Service: Orchestrates KYC checks with 3rd party providers

• Why: Leverage existing infrastructure rather than building ID verification from scratch
• PM consideration: Vendor selection affects pass rates, cost per verification, UX

Decentralized Identity Store: Attestations on-chain, encrypted PII off-chain

• Why: Balances transparency (compliance) with privacy (user control)
• PM consideration: Architecture determines privacy, cost, and regulatory compliance

Compliance Verification API: DeFi platforms check requirements without seeing raw PII

• Why: Zero-knowledge verification satisfies both privacy and compliance
• PM consideration: API simplicity affects platform integration speed

What NOT to Discuss:

• Specific zero-knowledge proof algorithms (zk-SNARKs vs zk-STARKs)
• Smart contract code or Solidity implementation
• Cryptographic key management protocols
• Blockchain consensus mechanisms or gas optimization

---

PHASE 4: KEY TRADE-OFFS (10 minutes)

Trade-off 1: On-Chain vs Off-Chain PII Storage

• Options: Full on-chain (encrypted) | Hybrid | Full off-chain with blockchain audit
• PM Reasoning: Blockchain immutability conflicts with GDPR’s “right to be forgotten.” Storing PII on-chain creates permanent records. Purely off-chain undermines decentralization.
• Recommendation: Hybrid - cryptographic attestations on-chain, encrypted PII off-chain in decentralized storage with user-controlled encryption keys
• Impact: Satisfies GDPR (data deletion = key destruction); lower gas fees; requires coordination between systems

Trade-off 2: Verification Level Tiers

• Options: Single full KYC for all | Tiered verification | Risk-based dynamic
• PM Reasoning: Full KYC for all creates friction. No verification violates compliance. Tiered approach balances privacy with regulatory requirements.
• Recommendation: Tiered with transaction limits
  • Tier 1: Email + phone, $1K/month limit
  • Tier 2: ID document + selfie, $10K/month limit
  • Tier 3: Full KYC + proof of funds, unlimited
• Impact: Lower friction for entry; meets AML thresholds; gradual verification as engagement grows

Trade-off 3: Centralized vs Decentralized Verification

• Options: Single entity performs all KYC | Federated network of verifiers | Fully decentralized P2P
• PM Reasoning: Centralized is fastest to build but contradicts DeFi ethos. Fully decentralized lacks regulatory accountability.
• Recommendation: Federated verification network - approved KYC providers issue verifiable credentials; governance token holders approve/remove verifiers
• Impact: No single point of failure; regulators can audit verifiers; multiple providers improve quality and pricing

Trade-off 4: Privacy Model (Full Disclosure vs Zero-Knowledge)

• Options: Full disclosure to platforms | Selective disclosure | Zero-knowledge proofs
• Recommendation: ZK proofs for critical attributes (age, jurisdiction eligibility, accredited investor status); selective disclosure for optional attributes
• Impact: Maximum privacy; more complex UX requiring education; higher computational costs; differentiator for privacy-conscious users

---

PHASE 5: SCALING CONSIDERATIONS (5 minutes)

Geographic Scaling (US to Global):

• Challenge: Different KYC requirements per jurisdiction; data residency laws
• Approach: Regional KYC vendor selection; jurisdiction-specific credential schemas
• Trade-off: Geographic specialization improves compliance but fragments UX

Transaction Volume (1K to 1M verifications/day):

• Challenge: Blockchain gas costs for credential issuance
• Approach: Layer 2 solutions (Polygon, Optimism) to reduce gas costs; caching at DeFi platforms
• Trade-off: L2 reduces costs but adds complexity

---

PHASE 6: SUCCESS METRICS (5 minutes)

Primary Metrics:

• Verification completion rate (target: >75%)
• Credential utilization rate (avg platforms per verified user, target: >3)
• Platform integration rate (% of top 50 DeFi platforms, target: 40% in year one)

Technical Health:

• Verification speed P50/P95 (target: <5 min / <24 hours)
• API uptime (target: 99.9%)
• Smart contract gas costs (target: <$1 per credential via L2)

Trade-off Monitoring:

• Privacy vs compliance: User complaints about data requirements vs regulatory violations
• Verifier concentration: Health of federated verifier network
• Tier distribution: Whether limits match user needs

---

PM vs SWE DEPTH COMPARISON

PM Answer (Just Right):
“I’d use a hybrid approach - storing cryptographic attestations on-chain for transparency and tamper-resistance, while keeping encrypted PII off-chain in decentralized storage. Users control their encryption keys, so they can satisfy ‘right to be forgotten’ by destroying keys rather than trying to delete blockchain data. Key trade-off is additional complexity in coordinating systems, but essential for GDPR compliance.”

Too SWE:
“I’d implement a smart contract in Solidity with a mapping of user addresses to IPFS content hashes. Use AES-256-GCM for PII encryption with user-derived keys from wallet signature. Store attestations as EIP-712 typed structured data. Implement merkle trees for batch verification.”

---

DOMAIN-SPECIFIC NOTES: FINTECH + BLOCKCHAIN

Regulatory Landscape:

• US: Bank Secrecy Act, FinCEN Travel Rule, OFAC sanctions screening
• EU: MiCA (Markets in Crypto-Assets), GDPR, AML5
• Global: FATF guidelines for virtual assets

Core Tension:
Identity verification inherently requires trust in verifiers, conflicting with DeFi’s “don’t trust, verify” ethos. Strategy: Acknowledge transparently, use decentralization where it adds value, accept centralization where necessary, communicate honestly.

---

PRACTICE QUESTIONS

• Easier: Design onboarding flow for DeFi platform requiring KYC
• Same level: Design decentralized credit scoring system for DeFi lending
• Harder: Design identity verification for hybrid finance (DeFi + traditional assets)

---

Framework Generated by: PM System Design Framework Generator