DEV Community

Solidus Network


The $50B authentication tax: who actually pays and how to leave

The $50B figure for global identity verification spend deserves a buyer-side breakdown, because the number alone is unactionable.

Roughly half ($23-27B) is human KYC spend at fintechs, exchanges, banks, and regulated platforms. Of that, the largest fraction is duplicative re-verification — the same user, verified at multiple platforms, paying multiple per-verification fees. The unit economics: $5-50 per verification, depending on the documents required and the level-of-assurance (LoA) target, multiplied across the user-platform matrix.

Another $10-12B is enterprise IAM (Auth0, Okta, Ping, Microsoft Entra, others). Recurring per-user subscription fees, integration consulting, and breach-disclosure costs make this one of the higher-margin enterprise software categories.

Another $5-7B is identity proofing for credit, healthcare, and government services. These flows are typically vendor-integrated (Experian, LexisNexis, others) with per-pull fees.

The remaining $5-10B is the long tail: agent identity, machine identity, certificate authorities, identity-adjacent fraud prevention.

For a buyer at a fintech with 1M monthly active users, the rough breakdown of their slice of this $50B is: KYC re-verification at $0.50-2 per MAU per year ($600K-2.4M); CIAM at $0.30-1 per MAU per year ($360K-1.2M); fraud prevention at $0.40-1 per MAU per year. Annual: $1.5-5M depending on tier.

The architectural exit from this stack is portable Verifiable Credentials. The same KYC credential satisfies the bank, the exchange, the fintech, and the payment platform. The same CIAM proof works across SaaS tools. The buyer pays once for issuance, then accepts presentations verified against the issuer's anchored key.

The transition cost is real but bounded. Integration cost: ~$200-500K for a mid-size fintech (SDK integration + compliance review + change management). Operational cost during transition: ~6 months of running both stacks. Net 3-year ROI for the typical fintech: $3-8M in cost reduction.

Three triggers to make the decision now: the EU eIDAS 2.0 mandate forces verifier-side integration by Q4 2026 (you need the wallet acceptance path anyway); the agent-identity stack is consolidating around the same primitive (you'll need it for agent traffic in 2027); the regulatory compliance bar is rising (selective disclosure is GDPR-by-architecture, not GDPR-by-policy).

The buyer side has been slow to see this. The CFOs who run the analysis early will be the ones whose identity stack cost is one of the lowest in the industry by 2028.

solidus.network
