Knowledge-based verification: is it state-of-the-art?
Testimony to the Vermont House Committee on Commerce and Economic Development
This week I had an exciting new experience: testifying to a state legislative committee. The Vermont House of Representatives is working on a bill (H. 211 - an act relating to data brokers and personal information) addressing a modern question: how to protect consumers’ personal data given the realities of the data monetization ecosystem? I met Vermont State Rep. Monique Priestley through a kind recommendation from Internet Safety Labs’ executive director Lisa LeVasseur, and Rep. Priestley asked me to help educate the House Committee on Commerce and Economic Development about identity verification. Following is a rough testimony transcript. The recording is here, and the resources I referenced are here.
Thank you Chair Marcotte, Vice Chair Graning, and members of the committee.
My name is Eve Maler.
I’m the founder and president of digital identity advisory firm Venn Factory and author of the forthcoming book Mastering Digital Identity: From Risk to Revenue.
I’ve been in the digital identity sector since the year 2000, when I worked with colleagues across the industry to start and run the committee that designed the SAML standard — Security Assertion Markup Language, the first open standard for single sign-on across business entities.
Most recently I was Chief Technology Officer of ForgeRock, an identity and access management platform provider serving banks, government agencies, healthcare providers and payers, and many others.
In 2016 I testified to the API Privacy and Security Task Force of the US Health and Human Services Office of the National Coordinator.
I want to thank Representative Priestley for sharing some questions with me ahead of time to ensure I addressed issues of concern.
Let me start with some background on Know Your Customer, or KYC.
KYC is a legal requirement under the Bank Secrecy Act.
It obliges financial institutions to confirm the real-world identity of their customers — in other words, to establish that a person is who they say they are — before opening accounts or conducting transactions.
Its purpose is to prevent financial crime: money laundering, fraud, and the financing of illegal activity.
This is a real and important obligation.
In technical terms, what KYC requires is called identity verification, or IDV.
What it does not require is any particular method of verification.
A bank can satisfy its KYC obligations using a driver’s license scan, a biometric match against a passport, or a government-issued digital credential.
It can also use a quiz drawn from a data broker’s database — but that approach, known as knowledge-based verification, or KBV, is the one that federal security standards have now explicitly prohibited.
KBV questions look like: what street did you live on in 2010, what’s your mother’s maiden name, what was your first car?
All of that information exists in data broker databases — that’s where the questions come from.
I’ll come back to why that’s a problem.
The reason this distinction matters is that we’ve been hearing that financial institutions need broad access to data broker data for KYC.
That framing is accurate in the sense that KYC requires verification — but it conflates the legal obligation with one specific, outdated implementation choice.
KYC doesn’t require data broker data.
Some institutions have chosen to use data broker data for a particular approach to KYC.
That’s an approach that federal guidelines have moved away from.
And that move away is not the same thing as KYC being impossible without data brokers.
OK. Why does the National Institute of Standards and Technology no longer consider KBV to be strong evidence for identity verification?
If an institution is using KBV, it means they’re using an approach the federal government’s top technical standards body has formally abandoned.
In fact, NIST’s current guidelines, updated in 2025, now explicitly prohibit KBV for identity verification.
An institution still relying on it is behind the curve on security, not leading it.
If a financial institution is buying data broker data to perform KBV, what does that mean for the integrity of the verification process?
It means the supposed secret underlying the method isn’t secret anymore.
KBV works only if the answers are known to the applicant and no one else.
Data broker databases have been breached repeatedly — most dramatically in 2024, when a single breach allegedly exposed up to 2.9 billion records on an estimated 170 million people in the US, UK, and Canada.
If a fraudster can buy the same answers the verification system expects, the quiz doesn’t distinguish between the real person and an impostor.
Let’s look at the implications of KBV specifically on security. What does continued use of KBV-based KYC tell us about the security posture of banks and insurers still using it?
It tells you they’re optimizing for low cost, not for security or even for a smooth and pleasant user experience.
KYC is a legal compliance requirement; how you meet it is a choice.
Using quiz questions based on purchasable consumer data is one of the cheapest ways to check a KYC box, and one of the weakest from both the security and usability standpoints.
Better alternatives exist; institutions that aren’t using them have made a deliberate tradeoff.
Let’s look at the quality of the personal data in these systems. How accurate and current is personal data that flows through commercial data brokers?
The data is unreliable by its very nature.
Brokers aggregate data from many sources without authoritative correction mechanisms, so records go stale and errors propagate.
A 2019 peer-reviewed study found that at least 40% of data broker attributes were inaccurate — and a 2014 Federal Trade Commission (FTC) report reached similar conclusions.
No federal audit standard has been established in the years since either finding.
The consumer typically has no way to know their record is wrong, let alone fix it.
Let’s look at potential alternatives.
What verification methods have replaced KBV in modern financial services, and are they available to smaller institutions?
Document verification — scanning a driver’s license or passport combined with a live photo match — has become the baseline for secure identity verification.
It’s available to institutions of any size through pay-per-transaction vendor services.
KYC-quality document verification typically runs around $1 per check.
KBV runs $0.20–$0.50, with volume discounts that can reach $0.10 at scale.
That gap is real, and smaller institutions that can’t negotiate volume discounts will feel it more acutely than large ones.
But the economics look different once you account for fraud exposure — and for the hidden costs within KBV itself.
For example, when a user mistypes an answer — which happens regularly — the system triggers manual review, which costs more than the automated check and can take up to a day to resolve.
That degrades both the economics and the customer experience.
Let’s look specifically at the needs of smaller financial institutions.
If a smaller institution needed to transition away from KBV, is that technically feasible? And does it improve security?
The answers are yes and yes.
The technical work is integration — connecting to an existing vendor service.
It is a bounded, solvable problem, not a novel engineering challenge.
And the resulting security posture is substantially better: document verification is much harder to defeat than a quiz based on purchasable data, because the attacker needs the physical credential, not just information they can buy.
You might wonder, what happens if a consumer deletes their data from a broker? Do things break?
The concern is less substantial than it sounds, for two compounding reasons — one practical, and one analytical.
The practical one: complete deletion from the data broker ecosystem is actually very difficult to achieve.
Brokers use each other as data sources, so the same attributes propagate across multiple databases.
A deletion from one broker typically leaves the same record intact in others that sourced from it or share the same upstream inputs.
The disruption to KBV pipelines that critics warn about is therefore largely theoretical.
The analytical one: even if deletion did succeed, the data being retained was either inaccurate or accurate — and neither scenario supports keeping it.
Inaccurate data was already generating wrong verification outcomes, so removing it is a correction, not a loss.
Accurate data is exactly what a fraudster wants to acquire; its continued presence in a broker database isn’t protective — it’s a standing liability.
The risks run in different directions, but the conclusion is the same: the case for retaining this data in a broker’s hands is weaker than the deletion concern implies.
Is it reasonable for a financial institution or insurer to argue at this point, in 2026, that they can’t operate without broad, unrestricted data broker access?
No, not for KYC compliance purposes.
NIST has explicitly prohibited KBV — the primary use case being mooted — since 2025, and alternatives are commercially available.
The argument is better characterized as a preference for low-cost, legacy workflows than as a general operational necessity.
Narrow, purpose-based exemptions for specific legitimate uses (fraud detection or sanctions screening) can be evaluated on their merits, and as I understand it, the bill has already done the careful work of identifying which uses justify overriding a deletion request.
Finally:
What happens to deceased persons’ data in broker databases, and what risks does that create?
Deceased individuals’ records persist indefinitely in most broker databases — brokers have no authoritative, real-time connection to official death records.
That stale data creates two distinct risks.
The first is identity fraud: a deceased person’s KBV answers still work, and their data can be used to open fraudulent accounts or to impersonate them in scams targeting surviving family members.
The second is operational error: incorrect or incomplete death records cause problems in legitimate claims processing.
Both argue for better data sourcing, not more data accumulation.
I co-chair a group called Death and the Digital Estate Community Group, DADE, at the OpenID Foundation, which recently published a white paper on relevant topics here.
Rep. Priestley: We have a related bill, and in order to consider future use cases as well: what about mobile driver’s licenses?
Mobile driver’s license technology is an instance of what’s known as decentralized identity and verifiable credentials in the identity industry. That’s new technology that has come onto the scene for delivering verification in a reusable fashion. Let’s examine it briefly.
What about mobile driver’s licenses — are those a viable path forward for Vermont institutions?
Mobile driver’s licenses are a promising direction, but Vermont hasn’t deployed them yet — and they’re not a prerequisite for institutions that want to transition away from KBV today.
A financial institution verifying identity through a standard vendor API against a physical driver’s license or passport doesn’t strictly need a state mDL program.
That path is available now.
Rep. Cooper: I think what I’m largely hearing is arguments against this legislation that pertain to what we have to do to Know Your Customer — you’re saying, one, NIST is saying this is not the best way to go about things. It’s also, as you said, a preference. I hear a lot about, well, that’s a cost we have to pass along to the consumer. I’d like you to spend a little bit more time on the viable alternatives you were describing. I think you’re saying that Know Your Customer goes back 50 some-odd years, and we’re looking at an early iteration of how it made sense to do that work.
We have crossed that Rubicon thirty times over technologically, and we still are using an older approach, a more Mayberry RFD sort of era. What I’m also trying to get at is, is that doomed to happen to every single data type that we might be looking at technologically, that they become relics and I don’t believe their usefulness?
The challenge with cybersecurity and with fraud, which is a close cousin, is that it’s an arms race, so to speak. And bad actors are improving their techniques. Like one of the techniques is AI deepfakes, for example, which can also impact things like the recognizing of things like passports and physical driver’s licenses.
So they’re not immune either from this kind of degradation over time. You may be familiar with SMS OTPs, texted one-time passwords that we frequently get. That’s another method that NIST has deprecated over time. And we could be grateful that NIST has been keeping up with the technology and also that KYC rules do not specify the method so that we can keep up as different methods degrade over time.
Right now, there’s quite a lot of innovation in the identity verification space. We did not have some of the biometrically rooted methods five years ago and they’ve been innovating very quickly. These are coming online, and they are not only becoming available to smaller and smaller institutions, but there’s price pressure downward as well.
I will mention from my experience working with retailers, so not necessarily under a KYC requirement, but they often have a need to do identity verification — it used to cost maybe $5, $10, $15 per verification, but getting that customer on board was so valuable, it was worth the price of admission, so to speak.
So it is possible for the trade-off in terms of security protection and fraud protection to be so great that even a $1 cost, or even a little more than a $1 cost, which might be going down soon enough, might be quite available, especially to smaller institutions who are not onboarding that many new bank customers in any one month or year.



Thank you so much for your testimony and this write up, Eve!