Verify once.
Share everywhere.

KYC File is the identity an individual owns and the consent record a regulated business can trust. Verify your passport once. Add your address, your employer, your verified email and phone. When a bank, broker, or fiduciary asks for KYC, you share the artefacts you choose — with a per-item consent record and an audit-grade trail of who received what.

For regulated businesses → For individuals →
Read time · 6 min
§ 01 below

A typical professional re-uploads their passport three to five times a year — a new bank account, a brokerage, a fiduciary engagement, a corporate-card application. Each time, the regulated business pays for the same review work. Each time, the individual hands over the same documents and answers the same questions. Nothing of that effort accrues; the next request starts at zero.

That model was the default because no neutral layer existed where a verified identity could live, persist, and be shared with consent. The data was either inside one operator's KYC file (theirs, not the consumer's) or scattered across PDFs in inboxes. There was no Stripe for identity, no Plaid for consent.

KYC File is that layer. The consumer holds the verified identity. The operator pays a fraction of the per-customer onboarding cost they pay today. The platform keeps a regulator-grade audit trail of every artefact, every share, every consent. Each new consumer who completes verification raises the value to every operator. Each operator that adopts the canonical workflow raises the value to every consumer.

“Operators can be re-platformed. Consumer accounts compound.”

— Why we are building this

Two market signals drove the shift. The first: regulated businesses actively want the per-customer onboarding cost down — particularly during core-banking migrations, when an entire individual book must be re-verified inside a quarter. The second: individuals will adopt a layer that respects them — explicit consent, transparent audit, no opaque redistribution. Owning the consumer-side relationship is the durable position. Owning only the operator relationship is the brittle one.

FIG. 01 — THE TWO-LAYER MODEL

LAYER A · COMPLIANCE REVIEW The operator's file. Their rules. Their decision. Reviewer queue · Operator KYC/AML rules Approve / reject / replace · Risk rating & escalation AI-assisted review · Audit handoff A PER-ITEM EXPLICIT CONSENT · OPERATOR-TIER-GATED · AUDIT-RECORDED LAYER B · CONSUMER-OWNED IDENTITY & CONSENT The individual's record. Theirs to share, always. Verified passport (Didit) · Supporting documents Self-declared profile · Verified email & phone Consent ledger · Per-share audit trail B FIG. 01 KYCFILE · 2026

Figure 1 — Operator brings the rules. Consumer brings the identity. KYC File brokers the consent. Each share is per-item, per-operator, time-stamped, and audit-recorded.

FOR — INDIVIDUALS

Verify once. Stay in control.

Open one account. Complete a passport-grade identity check (Didit: document, liveness, face match, AML screening — about sixty seconds on a phone). Add your verified emails and phones. Add the addresses you actually live at and where you actually work.

When a bank, broker, fiduciary, or insurer asks for KYC, the request appears in your dashboard. You decide which artefacts to share, with whom, item by item. Every share is a deliberate, audited action — never an implicit handover.

The system never auto-merges, never auto-shares, never resells identity. You see the consent text before you agree to it. You see every operator that has ever received anything from you. You can revoke later.

FOR — REGULATED BUSINESSES

Receive what you actually need.

Send a request, targeting a specific consumer by email. If they already have a KYC File account, the request lands in their dashboard as a claim. If not, signing up takes a minute.

Receive verified identity, supporting documents, and a cryptographically clean consent ledger. Your reviewer sees the items in the same queue they use today — the source of the artefact (consumer share vs. legacy upload) is annotated, not hidden.

What the consumer hands you is shaped by your operator tier — a regulated bank's review receives the full compliance picture; a lower-tier operator receives only the verified summary. Never the wrong amount of detail for the regulatory context.

CONSUMER TRACK

  1. 01

    Open an account.

    Magic-link signin. No passwords. Verify your email in two taps.

  2. 02

    Verify your identity.

    Passport + liveness + face match. ~60 seconds on phone or webcam.

  3. 03

    Add what completes you.

    Residential address, employer, tax residence, PEP declaration, supporting documents.

  4. 04 — MEETING POINT

    Claim & share, on consent.

    A request lands. You pick which artefacts to share, item by item. Each share is a deliberate act.

OPERATOR TRACK

  1. 01

    Apply a workflow.

    Pick the template that matches the engagement — individual, business, or canonical KYC.

  2. 02

    Target by consumer email.

    The same address your customer uses with you. We resolve the consumer record or invite signup.

  3. 03

    Send and wait.

    The consumer claims. No chasing. No spreadsheet of who uploaded what.

  4. 04 — MEETING POINT

    Review & decide.

    Items arrive in your reviewer's queue. Approve, request replacement, or escalate — every action audit-logged.

  1. CASE 01

    Core-system refresh

    A bank moving core platforms must re-verify part or all of its individual book.

    Targeted customers receive a single claim. Verifications they already hold are reused with consent; only missing pieces are collected fresh.

  2. CASE 02

    New account opening

    A retail bank, brokerage, fiduciary, or insurer onboards a new individual.

    Existing KYC File holders complete onboarding in a few clicks. Net-new individuals onboard once and reuse next time.

  3. CASE 03

    Cross-operator reuse

    A customer of Bank A opens an account with Bank B.

    Bank B reuses the verified identity from Bank A’s engagement — with a fresh per-bank consent record, never silent redistribution.

  4. CASE 04

    Ongoing-KYC refresh

    A regulator-mandated periodic refresh — annual, biennial, or risk-triggered.

    The consumer’s record is already maintained. The refresh is a re-share, not a re-collection.

01

Tenant-isolated by design

Every database query is scoped to the operator org. Cross-tenant leakage is impossible — enforced at the architectural layer, not patched by application code.

02

Append-only audit log

Audit entries are immutable, enforced by Postgres triggers. Every action carries actor, IP, timestamp. The trail cannot be silently rewritten.

03

Anti-virus on every upload

ClamAV scans every file before any reviewer opens it. Infected uploads are quarantined; clean files move to live storage with a SHA-256 checksum on record.

04

Consent provenance

Every consumer share records the artefact, the operator, the consent text agreed to, the IP, and the timestamp. The chain of custody is unambiguous and exportable.

05

Encrypted at rest

Documents encrypted in object storage. Nightly off-site backups encrypted with a separately-vaulted key. 90-day retention with proven round-trip restore.

06

Multi-factor for staff

Required for super_admin, org_admin, reviewer roles. Optional for individual users so the upload flow stays low-friction without compromising staff security.

07

Caribbean-built, EU-hosted

Designed by a team that works with Caribbean financial institutions every day. CFATF and ECCB expectations baked in. Hosted in Germany for predictable jurisdiction, TLS 1.3, proven backup-restore chain.

  1. STAGE 01 · NOW

    Consumer-owned identity, working today.

    Verify · profile · documents · per-item consent share. Tenant-isolated, audit-grade, end-to-end on the staging environment as of May 2026.

  2. STAGE 02 · NEXT

    Consent-link onboarding for any address.

    When an operator sends a request to an address an individual has not yet added to their account, a signed consent token in the invite handles attachment without creating a duplicate record — no friction, no silent dupes.

  3. STAGE 03 · AFTER

    Tiered operator model.

    What an operator receives back is shaped by their regulatory tier. A fully regulated bank’s review receives the complete compliance picture; a lower-tier operator receives the verified summary alone. The consumer sees the tier on the consent dialog.

  4. STAGE 04 · THEN

    AI-assisted compliance review.

    A clean entity file plus an operator’s own KYC/AML rule set, surfaced to a review agent that risk-rates and escalates the edge cases — the human reviewer handles judgement, not data assembly. The platform is the data layer the review agent depends on.

FOR — REGULATED BUSINESSES

Talk to us about the data layer.

We will walk you through the reviewer surface, the consent ledger, and the way a real consumer–operator flow lands on your reviewer's queue. On real, redacted data.

Email us  →  hello@kycfile.com

FOR — INDIVIDUALS

Open your account.

Magic-link signin, no passwords. Verify your identity once. From then on, every operator that asks for KYC asks you, not your inbox.

Sign in or sign up  →