
Customer ID Verification Best Practices


Massive increases in digital transactions, including online payments and buy now pay later (BNPL), have created a security gap that cybercriminals can exploit. Businesses must know who they are dealing with to avoid involvement in financial crime. Know Your Customer (KYC) processes and identity verification (IDV), where an organization verifies an individual’s identity, are essential parts of online transactions. Without verified identity, businesses and governments alike would be at the mercy of financial crime worldwide.

Customer verification is essential in cementing trust in digital transactions for both parties in the online equation. However, customer verification is one of the most complex areas of digital design and implementation because a service must balance security, verification options, and seamless customer experience.

This article explores best practices for customer ID verification, highlighting the methodologies used in digital identity ecosystems.

Summary of key best practices for customer ID verification

Best practice Description
Establish customer verification requirements
  • Perform a requirements gathering exercise
  • Establish use cases
  • Capture compliance requirements by geography, industry, data withholding and auditing requirements, and customer type (e.g., age-based restrictions)
  • Identify the verification options needed to meet the use cases, platform requirements, and compliance requirements
Evaluate customer verification vendors
  • Create a shortlist of vendors that meet the verification requirements gathered in the previous exercise
  • Evaluate each vendor against this list
  • Evaluate vendor offering against tech stack needs
  • Evaluate support options
  • Evaluate the vendor’s futureproofing capabilities
Identify and execute privacy and security verification best practices
  • Create a risk assessment matrix to capture the risks associated with your identity-based use cases
  • Identify core requirements for data protection and privacy from regulations in your industry/geography
  • Carry out risk assessments based on the matrix
  • Design security measures in line with known risks
  • Evaluate any third-party tools required to meet measures
Identify and capture user journeys and verification rules
  • Use UML (Unified Modeling Language) diagrams to capture use cases involving verification
  • Identify rules of verification, e.g., will re-verification after X days be required
  • Develop user journey mapping and include communication flows that capture verification options throughout the journey
  • Capture alternative pathways during the user journey mapping
Design best practices for broad demographic customer verification
  • Identify any edge cases to handle offline verification for any customers who may not be able to verify online
  • Evaluate the likelihood that the system will be required to offer “F2F” (Face-to-Face) verification options
  • Design user journeys based on business analysis
Decide on the rules and requirements of auditing and reporting
  • Create log capture rules
  • Identify where logs will be stored
  • Determine what audit reports need to contain
  • Create audit report rules, e.g., how often to generate reports
Put in place elements to future-proof your customer verification
  • Educate your system administrators on verification trends and technologies
  • Keep up to date with regulatory compliance changes
  • Determine whether this will be handled in-house or with vendor support

Establish customer verification requirements

Before you choose a vendor or design a workflow, you need a clear baseline for what your verification flow must achieve. That starts with clarity on assurance and compliance: which regulations apply to your service and markets, what level of verification is required for each use case, and where you need step-up checks for higher-risk actions. At the same time, you need to define operational constraints such as acceptable friction, performance targets, and what happens when verification fails, including alternative pathways for legitimate users.

Finally, make the compliance and security requirements explicit by defining what data is collected, how it is protected, what must be logged for audits, and how long records must be retained. A well-defined baseline prevents teams from optimizing for one goal, such as speed, while creating new risks in fraud exposure or regulatory gaps.

Verification requirements analysis will be dependent on the identified system use cases. Use cases for identity verification are broad; some examples include country-specific cases like the UK’s Right to Rent, customer KYC, and high-value financial transactions. Map compliance requirements to reflect all use cases and verification requirements. Other factors during this stage will include non-functional requirements, such as performance, application training, and scalability.

The diagram below summarizes the five key requirement categories that must be gathered before building a customer ID verification system.

Key inputs that shape your customer ID verification approach

Identify which regulations cover your organization

Regulations depend on transaction types, geographic location, the service, and your industry sector. If your organization works with government departments or citizens, local assurance levels will likely dictate the verification requirements.

Capture business considerations

Capture any business goals that you wish to reflect in your verification journey. For example, will your organization require white-labeling of third-party solutions, such as app-based offerings? Offerings that provide automated verification can help smaller companies adopt verification without building it in-house.

Identify verification methods

The requirements-gathering exercise will determine identity verification requirements that are in line with regulations and business needs. Verification comes in many guises, but some general examples of customer verification methods include the following:

  • ID documents (passports, driver’s license, etc.)
  • Proof of address/domicile
  • Anti-money-laundering (AML) screening
  • Politically exposed person (PEP) checks

Customer due diligence (CDD) is a form of KYC that checks customer data, such as personal information, against databases, as well as biometric and ID document checks. If a customer is deemed high-risk, an extended due diligence (EDD) process is often required. The Financial Action Task Force (FATF) classifies PEPs as high-risk. EDD requires more intensive KYC checks, including additional documentation and AML checks.

Source of funds (SoF) verification identifies the origin of the funds in a high-value transaction and is mandated by AML regulations. Checks include EDD, PEP checks, and fund location; the latter is determined using technology such as open banking or via banks and law firms.

Implement specialized verification checks

Some use cases, such as those with associated age restrictions, will require more specialized checks. Here are some of the most common:

  • Biometric and liveness checks, which are used to tie an individual to a set of identity claims and can be used in use cases that require deepfake prevention
  • Age estimation, for use cases that do not require a person’s specific age, e.g., when age over/under is acceptable
  • Age verification, for use cases that require the actual age of an individual or need a high level of assurance that a person is over or under a certain age
  • Database verification, which may be required to cross-reference identities against global databases to strengthen trust, meet regulatory requirements, and catch fraud early

Identify use cases requiring business verification

Business verification, or know your business (KYB), is required for financial institutions and in use cases such as supply chain due diligence. Checking the legitimacy of a supplier is essential as supply chain cyberattacks become more prevalent.

KYB checks give your business peace of mind by ensuring that the organizations you work with are legitimate. KYB verification checks against global commercial registers. Checking the legitimacy of a business helps reduce risk and ensure regulatory compliance.

An essential aspect of KYB is ultimate beneficial owner (UBO) verification. UBO checks are part of every major AML framework. Checking the UBO status of a company you wish to do business with is vital for identifying potential fraudulent activity and protecting your business from reputational damage. Having a robust UBO process in place is a fundamental part of AML compliance.

Evaluate customer verification vendors

Once you have gathered all your requirements and determined the capabilities you need, you will need to source a customer verification vendor. Decide on a short list of vendors who can meet both functional and non-functional requirements.

Vendor platforms must offer a comprehensive package of verification types. (source)

Vendors that offer multiple sources of verification and anti-fraud checks, as presented in the graphic above, provide a unified approach to customer ID verification.

Once you have created a shortlist of vendors, you can begin the evaluation process. The following list of features will help you identify best-fit verification vendors:

  • Easy integration: Prioritize vendors with APIs and SDKs that fit your tech stack and delivery workflow, supported by clear documentation and a testing environment so your team can validate the end-to-end flow early. During evaluation, ask for measurable proof of implementation speed and verification performance, including typical integration timelines for teams like yours and the expected engineering effort. Confirm typical end-to-end verification time for first-time users and how that metric is measured, including averages and high-percentile results by region and document type. Also, validate coverage upfront by confirming supported countries and territories, supported languages, and supported identity documents, and make sure the vendor can meet your current user base plus planned expansion. Use a concrete benchmark to estimate onboarding impact, such as first-time verification in six seconds or less, and require vendors to provide comparable numbers using the same measurement approach.
  • Rapid, friction-reducing verification: The vendor solution must demonstrate rapid verification checks that reduce friction for the customer. Rapid real-time verification checks reduce friction and maintain security. Ask for performance data from the vendor.
  • Verification optimization: AML checking is data-intensive. Look for vendors who can future-proof and optimize AML checks using AI-assisted technologies.
  • PEP checks offered as part of the vendor solution: If your use case requires PEP checks, your vendor choice must include comprehensive checks that cross-reference multiple sanction lists and watchlists. As PEP lists are fluid, check that the vendor has access to up-to-the-minute PEP lists.
    It should also be noted that sanction checks and PEP checks are not necessarily mutually exclusive. Businesses can have a legitimate relationship with a PEP, but not with a sanctioned person.
  • Effective cyber-attack prevention: The identity vendor must offer verification technologies that reduce the risk of identity-based cyberattacks, including deepfakes.
  • Re-verification: Confirm the vendor supports configurable reverification triggers and workflows, such as time-based reviews, event-based triggers, document expiry, and risk-based step-up checks, along with audit-ready logs of reverification outcomes.

Identify and execute privacy and security verification best practices

Identity verification is one aspect of creating secure customer transactions with your business. However, security and privacy-by-design must be baked into the entire service to adhere to strict privacy regulations such as the EU’s GDPR.

Article 9 of GDPR, for example, covers the processing of special categories of personal data, including biometric data. To process biometric data for AML purposes, an organization must have a lawful basis for its use. Article 6 of the GDPR lists reasons for a lawful basis for processing, including when “processing is necessary for compliance with a legal obligation to which the controller is subject.”

Achieving a secure and privacy-respectful service requires a holistic approach that includes the following areas of focus:

  • Carry out a risk assessment: Your risk assessment must incorporate verification data exchange and consider the risks posed by deepfakes, synthetic IDs, etc. The resulting risk assessment document will inform security decisions during the design and development of the service. A privacy impact assessment (PIA) identifies privacy risks, such as consent-to-share issues during the verification process.
  • Data storage security requirements: Decide if the verified data will be used to create a persistent identity, for example, in a company-branded app. If so, where will the stored data be held (and which jurisdiction and database security measures apply)?
  • Data handling and management: Determine the security measures needed to protect data. Measures typically involve data encryption during the transfer and storage of verification data. Establish whether data obfuscation/zero-knowledge proof and data minimization are required, and how your service can meet these requirements.
  • Measures for preventing identity risks: How will the service handle deepfake and synthetic identity risks? You should already know the options offered by any potential vendors to mitigate these risks.
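Data minimization is the most concrete of the handling measures above and it also ties back to the earlier distinction between age estimation (over/under) and full age verification: the service can often keep an assertion derived from the document rather than the underlying attribute. The following Python example is added here to illustrate that idea; it is not code from the article or from Veriff. It assumes a vendor-style result dictionary with the field names shown (an assumption), keeps only derived attributes, and replaces the raw document number with a keyed HMAC pseudonym so duplicate enrolments can still be matched. The HMAC key is shown inline only for the demonstration; in a real service it belongs in a secrets manager or KMS.

```python
import hashlib
import hmac
from datetime import date
from typing import Dict

# Constructed sample of a verification result; the field names are assumptions,
# not a real vendor's schema.
RAW_RESULT = {
    "verification_id": "ver-0001",
    "outcome": "approved",
    "document_type": "passport",
    "issuing_country": "GB",
    "document_number": "123456789",
    "full_name": "Jane Example",
    "date_of_birth": "2006-06-02",
    "document_expiry": "2027-03-15",
    "selfie_image_ref": "blob://constructed/selfie.jpg",
}


def age_on(dob: date, on: date) -> int:
    """Whole years between dob and the reference date (one less if the birthday is still ahead)."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def minimize_verification_result(raw: Dict, on: date, key: bytes, age_threshold: int = 18) -> Dict:
    """Reduce a raw result to what the service actually needs to retain.

    Name, date of birth, document number and image reference are dropped. The service
    stores an over/under assertion instead of the birth date, and a keyed hash of the
    document number so repeat enrolments can be matched without keeping the number.
    """
    dob = date.fromisoformat(raw["date_of_birth"])
    doc_pseudonym = hmac.new(key, raw["document_number"].encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "verification_id": raw["verification_id"],
        "outcome": raw["outcome"],
        "document_type": raw["document_type"],
        "issuing_country": raw["issuing_country"],
        "document_ref": doc_pseudonym,
        "age_over_threshold": age_on(dob, on) >= age_threshold,
        "document_expired": date.fromisoformat(raw["document_expiry"]) < on,
        "verified_on": on.isoformat(),
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"   # assumption: real key comes from a KMS
    print(minimize_verification_result(RAW_RESULT, date(2024, 6, 1), demo_key))
```

Because the pseudonym is keyed, an attacker who obtains the minimized records cannot brute-force document numbers offline without the key, which is the property a plain unsalted hash would not give you; rotating the key does, however, break matching against older records, so the rotation policy belongs in the data-handling design.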

Identify and capture user journeys and verification rules

The service design that uses customer ID verification must incorporate the verification options required during registration. The use cases identified during the requirements gathering exercise will inform the system’s design. Use cases should be mapped to user journeys, capturing the steps that incorporate customer ID verification options. User journey design will help clarify the verification rules that will improve security, customer assurance, and service usability.

The following describes the typical steps taken during this design stage:

Capture service flows

Design the service’s flows and sequence diagrams to incorporate verification pathways (UML). These diagrams will serve as blueprints for system architects and developers.

Create design documents

Map use cases to user journeys. UML diagrams can be used to describe the system design, showing components, user interactions, and data flow, and providing input on code requirements.

Example of a simple use case diagram showing a happy path customer ID verification process.

Real-world design documentation is usually more complex and covers multiple use cases. The user journey documentation must capture all possible happy and alternative pathways to ensure that the system responds correctly under all circumstances. Capturing use cases and user journeys can be laborious, but it will result in a more robust and usable service.

Identify edge cases and alt pathways

When designing user journeys, edge cases and alternative pathways should be considered. Edge cases include any use cases that fall outside the happy path and obvious alt paths. For example, an F2F requirement could be seen as an edge case as it may only impact a few customers. Identifying these non-happy-path experiences will help you develop an accessible, comprehensive service that uses customer ID verification.

Determine verification rules and other system rules

Re-verification is typically an integral part of a KYC process and must be seen as continuous customer due diligence, not a one-off process. Reverification involves checking an already-verified individual against a database, capturing updated ID documents, and/or performing biometric verification.

Rules are used to trigger re-verification events. Rules can include reverification after X amount of time or after a risk review of customer profiles. In the latter case, high-risk customers would typically require more frequent re-verification than medium or low-risk customers. Reverification can also be triggered by events such as an ID document expiring (e.g., passport renewal) or changes in the customer’s situation, such as updated beneficial ownership or adverse news signals.

Decide on the rules for ongoing monitoring and log capture. Identify any rules needed for user journey optimization, such as offering alternative verification options if verification fails.
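The rules described above (time-based by risk tier, document expiry, and event-based triggers such as a beneficial-ownership change or an adverse news signal) are easiest to reason about as a small rule engine that returns every rule that fired, so the outcome can be logged and explained. The Python below is an added example, not code from the article or from Veriff; the tier intervals, the 30-day expiry warning window, and the record fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed policy values (assumptions): maximum days between verifications per risk
# tier, and how far ahead of document expiry to trigger re-verification.
REVERIFY_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 1095}
EXPIRY_WARNING_DAYS = 30


@dataclass
class CustomerRecord:
    customer_id: str
    risk_tier: str                                  # "low", "medium" or "high"
    last_verified: date                             # date of the last completed verification
    document_expiry: date                           # expiry date of the ID document on file
    ownership_changed_on: Optional[date] = None     # last recorded beneficial-ownership change
    adverse_news_hit: bool = False                  # adverse media signal since the last check


def reverification_reasons(rec: CustomerRecord, today: date) -> List[str]:
    """Return every rule that fires for this customer; an empty list means nothing is due."""
    if rec.risk_tier not in REVERIFY_INTERVAL_DAYS:
        raise ValueError(f"unknown risk tier: {rec.risk_tier!r}")
    reasons: List[str] = []

    # Time-based rule: higher-risk tiers are re-verified more often.
    interval = REVERIFY_INTERVAL_DAYS[rec.risk_tier]
    if today - rec.last_verified >= timedelta(days=interval):
        reasons.append(f"time-based: {interval}-day interval for {rec.risk_tier}-risk tier elapsed")

    # Document-expiry rule: fire before expiry so the customer can supply a renewed document.
    if rec.document_expiry <= today + timedelta(days=EXPIRY_WARNING_DAYS):
        reasons.append("document-expiry: ID document has expired or expires within the warning window")

    # Event-based rules: a change in the customer's situation after the last verification.
    if rec.ownership_changed_on is not None and rec.ownership_changed_on > rec.last_verified:
        reasons.append("event: beneficial ownership changed after the last verification")
    if rec.adverse_news_hit:
        reasons.append("event: adverse news signal")

    return reasons


def is_reverification_due(rec: CustomerRecord, today: date) -> bool:
    return bool(reverification_reasons(rec, today))


if __name__ == "__main__":
    today = date(2024, 6, 1)   # constructed reference date
    sample = CustomerRecord("cust-001", "high", date(2023, 11, 1), date(2030, 1, 1))
    for reason in reverification_reasons(sample, today):
        print(reason)
```

Returning the list of fired rules rather than a bare boolean is deliberate: the reasons become the audit record of why a customer was re-verified, and a failed-to-fire case (an empty list) is just as reviewable.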

The following graphic illustrates a simple use case typical of a happy-path verification journey for a customer.

Verifying an individual using biometrics adds a layer of security to customer ID verification. (source)

Design best practices for broad demographic customer verification

Online verification may not cover all use cases, so organizations that serve a broad range of customers may need to explore alternative user journeys. Some of these will need to be modified to reflect complex customer needs, such as out-of-band verification options. The initial design stage should have identified any edge cases in which customers are unlikely to be verified online to the assurance level required by the service. Some of the key considerations when exploring these edge-case journeys include the following:

  • Handling customers with little or no online presence: Some customers may be challenging to verify online. In these cases, you should explore verification alternatives for customers with a thin file footprint.
  • Vouching and verification: Decide if the service needs to handle out-of-band verification via a voucher. If so, you will need to engage a firm or individual to perform vouching (for example, an accountant or law firm). In this case, you will require verification of the individual or business before carrying out any vouching.
  • Updating your user journey design documentation: Once you have established any edge cases and offline verification requirements, you should update the design document. The additional alternative or expanded pathways will then become part of your overall design and development process.

Decide on the rules and requirements of auditing and reporting

Audit logs are required to identify system issues and log verification calls and outcomes. Verified identity with audit logging provides a highly transparent way to ensure that the correct access rights are applied and enforced. Logging is useful for determining helpdesk requirements, conducting security assessments, ensuring compliance, and tracking system issues.

Capture audit and logging rules during the service’s design for implementation during production. Use the following best practices with respect to event audit and logging.

Determine the audit rules associated with customer ID verification

The rules used when applying verification to a user journey should include logging verification checks, i.e., logs to capture a verification attempt. Rules must reflect compliance requirements and be retained in accordance with local regulatory requirements; typically, the minimum retention period for records is five years from the last transaction with the customer.

Configure audit event logging

Configure audit trails to reflect the rules. Your audit rules will capture various service events, including login attempts, account changes, and (for customer ID verification) verification events, the customer’s IP address, the computer and browser information, and a timestamp. If a decision is made or the ID is manually approved, the KYC agent or compliance analyst’s record is also logged and retained. The audit trail should capture both failed verification attempts and successful events. Analysis of the logs can offer insights that help optimize user verification journeys.

Establish a system to handle the logs

Do you already have a system that handles event logging, such as a security information and event management (SIEM) system? The solution will collect and log event data from verification events. The solution should also send alerts on failures or other unusual activity to enable analysis and support response to the event.
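The audit rules, the five-year retention period, and the alerting described in this section come together in the following added Python example (not code from the article or from Veriff). It emits one JSON object per event so a SIEM can ingest it without a custom parser, computes the earliest purge date from the last transaction (handling a 29 February anniversary), and runs one simple alert rule over the log: a client IP with repeated declined attempts inside a short window. The field names, threshold and window are assumptions, and the events are constructed samples using RFC 5737 documentation addresses.

```python
import json
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass
class VerificationAuditEvent:
    timestamp: str                      # ISO 8601, UTC
    event_type: str                     # "verification_attempt", "manual_decision", "login", "account_change"
    customer_id: str
    outcome: str                        # "approved", "declined" or "pending"
    client_ip: str
    user_agent: str
    checks: List[str]                   # which checks ran, e.g. ["document", "biometric", "aml"]
    reviewer_id: Optional[str] = None   # KYC agent / compliance analyst for manual decisions


def to_log_line(ev: VerificationAuditEvent) -> str:
    """One JSON object per line; sorted keys keep the format stable for downstream parsers."""
    return json.dumps(asdict(ev), separators=(",", ":"), sort_keys=True)


def retention_deadline(last_transaction: datetime, years: int = 5) -> datetime:
    """Earliest date a record may be purged: N years after the last customer transaction.

    A 29 February anniversary does not exist in non-leap years, so fall back to 28 February.
    """
    try:
        return last_transaction.replace(year=last_transaction.year + years)
    except ValueError:
        return last_transaction.replace(year=last_transaction.year + years, day=28)


def repeated_decline_alerts(lines: Iterable[str], threshold: int = 3,
                            window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Flag client IPs with `threshold` or more declined attempts inside any `window`-long span."""
    declines: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["event_type"] == "verification_attempt" and ev["outcome"] == "declined":
            declines[ev["client_ip"]].append(datetime.fromisoformat(ev["timestamp"]))
    alerts: Dict[str, int] = {}
    for ip, times in declines.items():
        times.sort()
        for i in range(len(times)):          # sliding window anchored at each decline
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[ip] = j - i
                break
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample events (RFC 5737 documentation addresses), not real traffic."""
    base = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (constructed)"
    ev = VerificationAuditEvent
    events = [
        ev((base + timedelta(minutes=0)).isoformat(), "verification_attempt", "cust-1", "declined", "198.51.100.7", ua, ["document"]),
        ev((base + timedelta(minutes=2)).isoformat(), "verification_attempt", "cust-2", "declined", "198.51.100.7", ua, ["document"]),
        ev((base + timedelta(minutes=4)).isoformat(), "verification_attempt", "cust-3", "declined", "198.51.100.7", ua, ["document", "biometric"]),
        ev((base + timedelta(minutes=5)).isoformat(), "verification_attempt", "cust-4", "approved", "203.0.113.5", ua, ["document", "biometric"]),
        ev((base + timedelta(minutes=6)).isoformat(), "manual_decision", "cust-4", "approved", "203.0.113.5", ua, ["document"], reviewer_id="analyst-17"),
        ev((base + timedelta(minutes=30)).isoformat(), "verification_attempt", "cust-5", "declined", "203.0.113.5", ua, ["document"]),
    ]
    return [to_log_line(e) for e in events]


if __name__ == "__main__":
    for line in constructed_log():
        print(line)
    print(repeated_decline_alerts(constructed_log()))
```

Note that the manual decision carries the reviewer's identifier, matching the requirement above that the agent or analyst record be logged; keeping both declined and approved attempts in the same stream is what lets the alert rule and the later service reports work from one source.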

Generate service reports

Reporting helps demonstrate compliance, so ensure that the logs capture data that show verification checks and outcomes, including issues and failures. Service reports capture verification outcomes and help identify issues with verification options. Some highly granular reporting can also tie issues to specific user demographics, helping identify service improvements to maximize onboarding and verification match rates.

Offer customer transaction history

Identify any requirement to offer customers a history of verification checks. If a customer’s history is to be offered, the service must provide an interface or another option to view verification events.

Put in place elements to future-proof your customer verification

The technology landscape and technical capabilities change over time. AI is one such technological innovation that is changing the risk levels of services that depend on robust digital identity. AI-generated fake identity documents and deepfakes pose a serious and complex threat to customer ID verification. Also, regulations are updated to reflect changes in the risk landscape. It is therefore essential that any service that relies on verification to identify customers put measures in place to future-proof its service and systems.

The following best practice measures are suggested for future-proofing customer ID verification:

  • Keep up to date: Maintain your knowledge of the changing technology and customer landscape. Ensure that administrators, system designers, and other stakeholders stay up to date on key changes to verification offerings.
  • Build extensibility into your service: Ensure that you design your service to utilize updated verification options as regulations change. You can benefit by choosing a verification vendor that actively future-proofs its solutions. Look for capabilities such as perpetual know your customer (pKYC), which ensures a dynamic, proactive approach to customer verification. Ensure that all use cases and user journeys reflect the changing regulation and security landscape, as well as customer needs.
  • Align with changing regulations: Regulations are updated to reflect changing risk landscapes, and verification measures must reflect these changes. Keep up to date with evolving regulations and ensure that you choose a verification vendor that addresses new risks, such as deepfakes, by adapting their technology swiftly and effectively.
  • Design with future risk in mind: Choose a verification vendor who understands the risk landscape and has technology that is itself future-proofed. Vendors who understand the importance of future-proofing verification solutions will ensure your service benefits from their know-how and capabilities, with extensibility baked in by design.

Conclusion

Customer ID verification is an essential component of any service that requires KYC capabilities. However, designing and developing a service that complies with regulations, reduces customer transaction risk, and minimizes friction in customer interactions is challenging. Following tried-and-tested best practices across the industry will help prevent insecure services and reduce customer drop-off rates.

Begin by establishing your customer ID verification requirements; this will help you identify the right verification partner for your service. Following best practices in security and privacy, and applying them during the design process, will ensure that your use case and user journeys are comprehensive. Verification and event-logging rules will enhance flexibility and compliance in your design process.

Finally, ensuring that the service is future-proofed through design is essential in a changing landscape. Bringing all of these design principles together is achievable when you choose a customer ID verification vendor that delivers on these goals.

Veriff is a global leader in customer ID verification, providing robust KYC built to meet compliance and prevent fraud. Veriff’s verification solutions build trust with your customers by leveraging AI-powered identity verification and authentication. Veriff combines fraud prevention, compliance, and user experience to deliver secure, scalable solutions trusted by organizations worldwide.
