Developers Forum for XinFin XDC Network

11ppm

Proposal for Redesigning KYC in XDC

— Toward a Two-Layer Compliance Framework Required for the XDC Network —

 

Introduction

The Globiance incident has cast serious doubt on the institutional reliability of the XDC Network’s KYC framework. Concerns are spreading that, in practice, masternode reviews may amount to little more than “submit the documents and you’re approved.” If verification remains merely procedural, it does not guarantee trust; rather, it risks overlooking misconduct and inviting significant threats.

The XDC team itself originally described “KYC Enabled Masternodes” as “an additional layer of trust and compliance.” In other words, the system was meant to ensure regulatory adherence and to provide a framework in which enterprises and financial institutions could participate with confidence. (See referenced article.)

In actual operation, however, it has been limited to document checks, diverging sharply from that founding intent. This is precisely why XDC now needs a two-layer architecture—long discussed on xdc.dev—that combines outsourcing to traditional-finance KYC/AML vendors to secure trust at the point of entry, with crypto-asset forensics to ensure transparency of fund flows (off-chain KYC + on-chain monitoring).

This paper organizes why such a structure is necessary and sets out the conclusions and lessons that follow.

(Note)
Although this article has already been published, we plan to make ongoing corrections to typos, as well as add images and content updates where appropriate. The aim is to further enrich the material and make it more useful to readers.


Structure of This Article

  1. The Necessity of a Two-Layer Compliance Architecture
  2. The Limits and Hollowing-Out of the Current KYC
  3. Risk Scoring by KYC/AML Vendors
  4. Past Disclosure of KYC Documents and the Risks It Revealed
  5. The Limits of Formalistic KYC in International Cases
  6. Risk and Responsibility Diversification via KYC Vendor Adoption
  7. Proposals for Rebuilding the KYC Regime

1. Necessity of a Two-Layer Compliance Architecture

What XDC needs is a two-layer compliance architecture that combines two distinct categories of vendors.
 

Layer 1: Trust at the Point of Entry (Traditional-Finance KYC/AML Vendors)

The first requirement is a traditional-finance KYC/AML vendor. Such vendors perform systematic identity verification for individuals and entities; authenticate corporate registrations and licenses; identify ultimate beneficial owners (UBOs); conduct sanctions and politically exposed person (PEP) checks; and screen against adverse media. They also quantify jurisdictional and entity-level trust via risk scoring, thereby safeguarding trust at the entry point to the network.

Representative vendors include:

 

Layer 2: Transparency of Fund Flows (Blockchain Analytics Vendors)

The next requirement is blockchain analytics vendors. They handle wallet- and transaction-level risk assessment, trace the movement of funds, detect sanctions evasion and money laundering, and conduct cross-chain investigations—thereby ensuring network-wide transparency of fund flows.

Representative vendors include:

 

The Significance of the Two-Layer Model

Only by integrating KYC/AML to secure trust at the entry point with blockchain analytics to ensure transparency of fund flows does a globally viable compliance regime take institutional shape.

 

2. The Limits and Hollowing-Out of the Current KYC

So where does XDC stand today?

In May 2025, XDC expanded its integration with Elliptic, advancing the development of Layer 2 (on-chain monitoring). This now covers not only network transaction surveillance but also real-time cross-chain tracing and analytics for RWAs (real-world assets), significantly improving transparency of fund flows. (See referenced article.)


However, Elliptic does not verify the authenticity of off-chain entities—such as the identities of individuals or corporations, their licenses, or their ultimate beneficial owners (UBOs). In other words, Layer 1, which guarantees “trust at the point of entry,” remains missing, leaving the overall framework incomplete.

To fill this gap, traditional-finance KYC/AML vendors are indispensable. They go far beyond simple identity verification, providing validation of corporate registrations and licenses, identification of UBOs, screening against sanctions, PEP, and adverse media lists, and even quantifying each entity’s level of trust through risk scoring—thus forming the very foundation of Layer 1.

In conclusion, the establishment of this Layer 1 is the highest priority. Without it, no matter how robust Layer 2 becomes, the foundation of trust will never be solid.

 

3. Risk Scoring by KYC/AML Vendors

Traditional-finance KYC/AML vendors provide more than simple identity checks. They also quantify jurisdictional trust differentials and entity-level risk, effectively operating with something akin to a “credit-style” risk score.

Risk Scoring Used by Vendors

Most KYC/AML vendors assign a risk score to each individual or entity, typically combining the following factors (scored or ranked):

 
1. Jurisdiction Risk

  • Based on the regulatory environment and the strength of AML controls in the country of registration. → Japan and EU countries tend to be low-risk; El Salvador and certain offshore jurisdictions are often treated as high-risk. In making such determinations, vendors and network operators reference FATF mutual evaluations and FATF's lists of high-risk and monitored jurisdictions, OECD tax-transparency assessments, and sanctions lists, among other materials.

 
2. Entity Risk

  • For entities: industry (e.g., casinos or crypto-related businesses are higher risk), licensing status, and the credibility of supervisory authorities.
  • For individuals: PEP status, prior scandals or litigation history, and whether they appear on sanctions lists.

 
3. Media & External Information

  • Automated collection of negative media, litigation coverage, and regulatory breaches, with relevance reflected in the score.

 
4. Relationships & UBO Structure

  • Whether the UBOs are high-risk persons and whether ownership structures lack transparency.

 

Handling “Jurisdictional Trust”

This approach enables practical differentiation: even if two applicants both call themselves “banks,” Japan versus El Salvador leads to different treatments in practice.

  • Japan/Singapore → strict supervision by the FSA or MAS → “low-risk jurisdictions.”
  • El Salvador and some emerging markets → underdeveloped regulation or political instability → “high-risk jurisdictions.”

Consequently, the weight of a banking license differs by country in real-world operations.

 

How Scores Are Used

Vendors return categorizations or numeric values such as low/medium/high risk. Recipients (banks, network operators, exchanges, etc.) then set thresholds consistent with their risk tolerance. Scales differ by vendor, and re-KYC (periodic refresh) or event-driven reviews are assumed.

Example operational policy:

  • Decline high-risk (e.g., scores ≥ 80)
  • Request additional documentation for medium-risk
  • Approve low-risk promptly

 

Meaning in a Blockchain Context

For a network like XDC:

  1. Use vendor risk scores to decide whether to approve a node application;
  2. Present those scores to investors and regulators as evidence of entry-point trust.

Because these scores aggregate jurisdictional regulation, industry, PEP/sanctions, and adverse information, they go beyond identity alone and form a fitness criterion for masternode operation. Declining high-risk applicants and requiring supplemental documentation from medium-risk ones, for example, directly supports practical decision-making.

Moreover, such scores provide a rational basis to explain “why this node was accepted,” serving as reassurance to investors and as a documented risk-management procedure for regulators—thus institutionalizing transparency and accountability.

This is how risk scoring can be realistically applied.
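As an added example (not code from the original post, from XDC, or from any vendor), the following Python sketch shows how the two-layer gate from section 1 and the threshold policy above fit together: a Layer 1 score aggregated from the four factor groups, the page's "decline at 80 or above" rule, a re-KYC expiry, and a Layer 2 wallet verdict combined so that the stricter outcome wins. The factor tables, weights, the medium threshold, the refresh interval and the sample applicants are all assumptions chosen for illustration.

```python
"""Two-layer admission gate: vendor-style Layer 1 risk score plus a Layer 2 wallet verdict.

Added example, not XDC's or any vendor's code. Factor tables, weights, the medium
threshold and the re-KYC interval are assumptions chosen for illustration; only the
"decline at >= 80" rule is taken from the page's example policy.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    REQUEST_DOCS = "request additional documentation"
    DECLINE = "decline"


# Assumed per-factor risk values (0..100). Real vendors use FATF lists, registry
# lookups and adverse-media feeds rather than a static table.
JURISDICTION_RISK = {"JP": 10, "SG": 10, "DE": 15, "SV": 70, "OFFSHORE": 85}
INDUSTRY_RISK = {"bank": 10, "payments": 30, "crypto_exchange": 50, "casino": 70}

HIGH_THRESHOLD = 80                    # from the page: decline at or above
MEDIUM_THRESHOLD = 25                  # assumed: request documentation at or above
REKYC_INTERVAL = timedelta(days=365)   # assumed periodic refresh interval


@dataclass(frozen=True)
class KycProfile:
    """What a Layer 1 vendor would return for one applicant (fields are assumptions)."""
    jurisdiction: str
    industry: str
    license_verified: bool      # licence confirmed with the supervising regulator
    pep: bool
    sanctioned: bool            # hit on UN/OFAC/EU lists
    adverse_media_hits: int
    ubo_identified: bool
    ubo_high_risk: bool
    verified_on: date


def entity_risk_score(p: KycProfile) -> int:
    """Combine the four factor groups from section 3 into a 0..100 score."""
    if p.sanctioned:
        return 100  # hard block: a sanctions hit is never averaged away by good factors
    jurisdiction = JURISDICTION_RISK.get(p.jurisdiction, 60)  # unknown country: cautious default
    entity = INDUSTRY_RISK.get(p.industry, 50)
    if not p.license_verified:
        entity = min(100, entity + 30)   # a claimed licence that cannot be confirmed
    if p.pep:
        entity = min(100, entity + 25)
    media = min(100, 25 * p.adverse_media_hits)
    if not p.ubo_identified:
        ubo = 80   # opaque ownership (the FATF R.24/25 concern)
    elif p.ubo_high_risk:
        ubo = 60
    else:
        ubo = 0
    score = 0.35 * jurisdiction + 0.35 * entity + 0.15 * media + 0.15 * ubo
    return int(round(score))


def layer1_decision(p: KycProfile, today: date) -> Decision:
    """Threshold policy plus re-KYC: a stale verification is never treated as approved."""
    if today - p.verified_on > REKYC_INTERVAL:
        return Decision.REQUEST_DOCS
    score = entity_risk_score(p)
    if score >= HIGH_THRESHOLD:
        return Decision.DECLINE
    if score >= MEDIUM_THRESHOLD:
        return Decision.REQUEST_DOCS
    return Decision.APPROVE


# Layer 2: the verdict a blockchain-analytics vendor would give for the operator's wallet.
WALLET_VERDICT = {"low": Decision.APPROVE, "medium": Decision.REQUEST_DOCS, "high": Decision.DECLINE}


def admission(p: KycProfile, wallet_risk: str, today: date) -> Decision:
    """Two-layer gate: the stricter of the off-chain (Layer 1) and on-chain (Layer 2) verdicts wins."""
    verdicts = (layer1_decision(p, today), WALLET_VERDICT[wallet_risk])
    order = [Decision.APPROVE, Decision.REQUEST_DOCS, Decision.DECLINE]
    return max(verdicts, key=order.index)


# Constructed sample applicants (not real entities).
TODAY = date(2025, 6, 1)
JP_BANK = KycProfile("JP", "bank", True, False, False, 0, True, False, date(2025, 5, 1))
SV_BANK = replace(JP_BANK, jurisdiction="SV")
OFFSHORE_PAPER = KycProfile("OFFSHORE", "crypto_exchange", False, False, False, 2, False, False, date(2025, 5, 1))
SANCTIONED = replace(OFFSHORE_PAPER, sanctioned=True)
STALE_JP_BANK = replace(JP_BANK, verified_on=date(2024, 1, 1))


if __name__ == "__main__":
    for name, prof, wallet in [("JP bank / clean wallet", JP_BANK, "low"),
                               ("JP bank / high-risk wallet", JP_BANK, "high"),
                               ("SV bank", SV_BANK, "low"),
                               ("offshore paper company", OFFSHORE_PAPER, "low"),
                               ("sanctioned", SANCTIONED, "low"),
                               ("stale JP bank", STALE_JP_BANK, "low")]:
        print(f"{name:28s} score={entity_risk_score(prof):3d} -> {admission(prof, wallet, TODAY).value}")
```

Two design points worth noting: a sanctions hit short-circuits to the maximum score rather than being averaged with favourable factors, and a verification older than the refresh interval falls back to "request documentation" rather than retaining its old approval, which is what makes event-driven and periodic re-KYC enforceable rather than advisory.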

 

Building Out Layer 1 as the Trust Foundation

Traditional-finance KYC/AML vendors employ credit-like risk scoring that clearly reflects differences in regulatory environments across countries. Thus, even if two applicants both call themselves “banks,” the treatment differs between, say, Japan and El Salvador.

From the outset, XDC embedded KYC in its design to interface with traditional finance and international financial infrastructure—hence it intentionally did not adopt a fully permissionless model like Ethereum, Polygon, or Avalanche (where anyone can run a node), despite being EVM-compatible.

Requiring a substantial stake of 10 million XDC plus KYC submissions effectively gives XDC leverage over who can operate a node. In practice, this means operators are significantly filtered by these conditions.

Yet the operation became overly formalistic. Allowing PDFs uploaded alongside a 10-million-XDC stake to “pass” without thorough examination by personnel with adequate domain expertise entails serious risk. In AML and international fraud cases, document forgery and alteration are basic, common tactics; without the capacity to detect them, KYC becomes hollow.

Therefore, to win international trust, Layer 2 transparency is not enough. Building out Layer 1 is the most urgent task right now.

 

4. Past KYC Document Disclosure and the Risks It Revealed

 

How Document Disclosure Exposed Institutional Hollowing-Out

Regarding the PDFs uploaded alongside a 10-million-XDC stake: while they are now fully private, there was reportedly a period during which XDC masternode KYC documents were accessible externally. The exact timeframe is unclear, but since they were later made private following complaints from node operators, XDC should be aware that this occurred.

This episode illuminated several important realities of the KYC process. Of course, external accessibility was itself a serious security risk: identity documents are prime material for identity theft and targeted fraud, and should be stored encrypted with access limited to reviewers and retained no longer than necessary. What I wish to highlight, however, is how the hollowing-out of the system became visible as a secondary effect.

In practice, submissions showed large regional and individual disparities. One operator attached driver’s licenses and multiple ID copies, while another submitted only a single notarized page—revealing that stringency was not applied consistently.

 

The Risks of a Single Notarial Certificate and Offshore Entities

What does “a single notarized page” mean? It is merely a document on which a notary certifies, with signature and seal, that “this person is affiliated with the company.” In many jurisdictions, a notary’s role is limited to verifying the signer’s identity and the fact of signing; the truth of the document’s contents is not guaranteed. Functionally, it resembles a sworn statement that still requires independent corroboration for substantive accuracy.

There were also indications that some nodes were registered to offshore companies established in tax havens. Such entities often serve as paper companies with little real business activity, making UBOs hard to identify and enabling asset concealment or money laundering—problems widely criticized internationally. FATF’s Recommendations 24/25 (R.24/25) call on countries to strengthen transparency of beneficial ownership to mitigate these risks.

If approvals could be granted on the strength of a single notarial document, that would hollow out entry-point trust and risk creating a breeding ground for crime. We must not rely on good-faith assumptions; AML and international fraud lessons require that we design systems on the premise of potential abuse, eliminating gaps proactively.

To close those gaps, traditional-finance KYC/AML vendors are indispensable—not only to authenticate registrations, licenses, and UBOs, but also to conduct PEP checks, screen against UN/OFAC/EU sanctions lists, and run adverse-media searches across public records and court filings to detect past misconduct, among other layers of scrutiny.

This is the core mechanism to institutionalize entry-point trust, and it is the foundation XDC needs most urgently. Crucially, the fragility of formalistic KYC is not unique to XDC; it has been exposed repeatedly in international financial scandals.

Below, we review emblematic cases showing how formalistic KYC has hit its limits.

 

5. Limits of Formalistic KYC in International Cases

The weaknesses of formalistic KYC are not unique to XDC; they have recurred across international financial scandals. More troubling still is when professionals—lawyers, accountants—facilitate such misconduct.

In the 2016 Panama Papers, massive leaks from the Panamanian law firm Mossack Fonseca revealed how politicians and the wealthy worldwide used tax havens for asset concealment, tax evasion, and money laundering. The firm itself designed and sold the company-formation schemes (some legally dubious, some outright illicit), making it a participant in the laundering rather than a bystander. In short:

It is not “safe because professionals are involved”; rather, there is a risk precisely because professionals are involved.

The pattern extends beyond the Panama Papers.

In the 2017 Paradise Papers, documents leaked from the major law firm Appleby and corporate service providers exposed large-scale tax avoidance via complex offshore schemes, showing how professionals and large firms actively provided “loopholes.”

In 2018, the Danske Bank money-laundering case revealed that around €200 billion in suspicious funds flowed through its Estonian branch, demonstrating that even a leading European bank can become a conduit when entry-point AML checks are hollowed out.

In 2020, the Wirecard scandal showed that even with audits by one of the Big Four (EY), massive fraud can go undetected—professional assurances do not automatically guarantee trust.

Hence the institutional necessity of independent third-party audits and continuous monitoring. If basics such as verifying corporate registrations and licenses, confirming registration with the relevant regulator, and screening against sanctions and adverse media are missing, KYC becomes KYC in name only. These cases demonstrate that the limits of formalistic KYC are a global issue, and XDC is no exception. The past episode in which XDC KYC documents became externally viewable, and thereby exposed vulnerabilities, shows that the same problem arises here as well.

 

6. Diversifying Responsibility by Introducing KYC Vendors

These institutional shortcomings are not merely theoretical. They materialized in practice—namely, in the Globiance incident.

Counterfactually, had an external KYC/AML vendor been engaged at the time of Globiance’s masternode application (or at a functioning re-KYC interval), the authenticity or deficiencies of any banking/exchange licenses, and any presence on regulatory warning lists, might have undergone closer scrutiny. As a result, Globiance may have been flagged early as high-risk, potentially preventing entry into the network’s core.

This also benefits XDC itself.

So long as XDC conducts KYC on its own, responsibility concentrates within XDC. If an independent vendor formally performs the review, XDC can clearly demonstrate reliance on a professional determination, thereby improving procedural propriety and relatively reducing risk (though ultimate governance responsibility still remains with XDC). In this sense, vendor adoption functions not only as risk reduction but also as responsibility sharing.

Thus, the Globiance incident was not a random mishap; it exposed design flaws. The issue is not transient; it indicates structural fragility, which makes reform imperative.

 

7. Proposals for Rebuilding the KYC Regime

From the design stage, XDC adopted KYC with an eye toward integration with traditional finance and international financial infrastructure. In practice, however, implementation tilted toward paper-based reviews, leaving the checking apparatus insufficient. The result was a de facto reliance on the good faith of masternode operators.

The Globiance incident demonstrated the practical limits of XDC continuing to conduct KYC reviews in-house. Tasks such as verifying registrations and licenses, identifying UBOs, and screening against regulatory lists should be handled continuously and systematically by specialized KYC/AML vendors. It is reasonable neither operationally nor from a governance standpoint for XDC, whose core vocation is blockchain development, to shoulder these as well.

While Globiance is primarily responsible and deserves strong censure, there is also room to acknowledge potential improvements on the XDC side in system design and operation. It would not be surprising if investor perceptions of “network trustworthiness” were influenced, to some degree, by weaknesses in the KYC framework.

Therefore, it is essential to standardize both layers: traditional-finance KYC/AML to secure entry-point trust, and blockchain analytics to ensure transparency of fund flows. With Layer 2 advanced via Elliptic integration, XDC should prioritize completing Layer 1—off-chain verification of organizational and individual authenticity. This two-layer architecture is the shortest path to restoring, and sustaining, trust in the network.

Above all, XDC itself must proactively pursue reform. Leaving defects unaddressed invites recurrence and erodes ecosystem-wide trust. For a project aspiring to connect with international financial infrastructure, allowing KYC to remain merely formalistic is fatal. Reform is not optional—it is imperative.

Let this be a turning point, and let us take the next step forward together with XDC.


Discussion (2)

Sean

Hello @11ppm

Thank you for your continued support and thoughtful suggestions to help improve our infrastructure. Know that your input has always been valued and heard.

Regarding the KYC process, discussions have been underway for some time, and we’ve already onboarded a vendor about a month ago to help streamline it. An official announcement will be made shortly.

11ppm (Author)

Hi Sean,

Thank you, as always, for your thoughtful and courteous update.
The news that a KYC vendor has been onboarded is truly wonderful — it’s something many of us have been eagerly awaiting. With this step, the Two-Layer Compliance Framework will finally be complete.

Advancing the KYC process in this way will undoubtedly bring an even brighter future to the XDC ecosystem. Personally, I believe this should have been implemented when KYC was first introduced—or at least much earlier—but I’m genuinely glad to see that lessons from the Globiance incident have led to meaningful progress.

It’s a remarkable step forward for XDC, its team, its developers, and its investors alike.
Congratulations to everyone involved. I look forward to the official announcement.