KYC step by step: how comprehensive client verification works in online services

Step 1. Customer Identification Program (CIP): how the KYC process is initiated

CIP is triggered at the moment of the first significant contact of a prospective customer with the service — during account registration, submitting a service application, or attempting to perform a transaction that requires identification. Depending on the jurisdiction and type of business, the trigger may be exceeding a certain transaction threshold (for example, 15 000 rubles for one-off transfers in the Russian Federation) or the intention to use functionality unavailable to anonymous users.

At this stage, the system must address three key tasks: obtain legally valid consent for data processing, determine the optimal channel for conducting verification, and collect a basic set of information to build the initial client profile. The quality of executing these tasks determines the speed of completing the entire procedure and the percentage of successful verifications.

Obtaining client consent and selecting the KYC channel

Consent to the processing of personal data is not a formality, but a legal requirement that protects businesses from regulatory risks. Under the GDPR, the fine for processing data without explicit consent can reach 20 million euros or 4% of the company’s annual turnover. In the Russian jurisdiction, Federal Law No. 152 provides for fines of up to 75,000 rubles and blocking of the service.

Properly drafted consent includes a clear specification of the purposes of processing (identification, background screening, compliance with AML requirements), the list of data processed, retention periods, and the data subject’s rights. Modern platforms integrate consent collection directly into the interface: a checkbox with an active link to the data processing policy or a separate screen for review and confirmation.

The choice of KYC channel is determined by a balance between customer convenience and security requirements. The main options:

Collection of questionnaire data and basic information about the client

The initial questionnaire forms the skeleton of the client profile, onto which data from documents and external sources will be layered. The scope of requested information is determined by the principle of reasonable sufficiency: too many fields reduce conversion, too few create compliance risks.

The minimum required includes full name (exactly as in the document), date of birth, citizenship, and country of residence. For financial services, a TIN or its equivalent, the registration address, and the actual residential address are added. Cryptocurrency platforms often request the source of funds and the expected volume of transactions to assess money laundering risk.

Real-time validation of input data is critically important. Checking the email and phone format, the correctness of the TIN using its checksum, and that the date of birth falls within reasonable limits — these simple checks filter out up to 15% of input errors and attempts to use fake data.

Address information requires special attention. FATF international standards recommend collecting a structured address including the country, region, city, street, and house number. To improve accuracy, address directories and geocoding APIs are used, automatically inserting the correct names when the first characters are entered.

Professional information (place of work, position, field of activity) helps assess risks and determine the need for additional checks. Government officials, politically exposed persons (PEP), and their family members automatically fall into the higher-risk category, requiring enhanced verification at subsequent stages.

Contact details — phone and email — serve a dual function: a communication channel and an additional authentication factor. Verifying the phone number via an SMS code and the email via a confirmation link becomes the first barrier for fraudsters using virtual numbers and temporary email addresses.

Modern platforms complement the traditional questionnaire with behavioral biometrics: they analyze typing speed and rhythm, mouse movement patterns, and the time to fill out fields. Anomalous metrics (copying all data from the clipboard, non-human completion speed, use of automated scripts) serve as indicators of potential fraud.

Собранные на первом этапе данные формируют основу для всех последующих проверок. От их качества и полноты напрямую зависит точность сопоставления с документами, эффективность поиска по санкционным спискам и корректность оценки рисков. Поэтому критически важно найти баланс между минимизацией трения для честных клиентов и сбором достаточного объёма информации для надёжной идентификации.

Stage 2. Collection and verification of documents: what is requested and how authenticity is verified

After obtaining the client’s consent, a critical stage of collecting and verifying identification documents begins. Modern KYC platforms request the minimum necessary set of documents to ensure a balance between security and the convenience of the verification process. At this stage, a fundamental check of the authenticity of the provided documents and the accuracy of the information they contain is performed.

The main task of document verification is to create a reliable basis for further identification. Systems analyze not only visible data, but also numerous hidden parameters of the document: from print quality to the presence of machine-readable zones. Automation of this process has reduced verification time from hours to seconds, while recognition accuracy reaches 98-99% thanks to the use of neural network technologies.

Selecting the document type and photo quality requirements

The first step in document verification is to determine the type of document the client will provide. The standard set includes a national passport, an international passport, a driver’s license, or an ID card. Each document type has its own structural features, security elements, and capture requirements. The platform automatically adapts the verification process to the specific document, taking into account the standards of the issuing country.

Image quality directly affects verification success. The minimum resolution for recognition is 300 DPI, and the optimal is 600 DPI or higher. The document must fit entirely within the frame with visible edges, occupying at least 70% of the image area. Lighting plays a crucial role: even lighting without glare or shadows allows the system to correctly read all elements, including holographic security features.

Modern systems have specific requirements for file formats. JPEG and PNG formats are supported, with a file size from 50 KB to 10 MB. When capturing with a mobile device, the system automatically checks focus, contrast, and text legibility in real time, suggesting the optimal document position to the user. Cropped edges, areas covered by fingers, or perspective distortion of more than 5 degrees are not allowed.

Additional rules apply to documents with a plastic base. The system accounts for possible glare from the laminated surface and automatically prompts you to capture at a slight angle if it detects overexposure in important areas. Glare-compensation algorithms restore information in problem areas, but high-quality original capture significantly speeds up the recognition process.

Automatic document verification (AI-OCR, MRZ, security features)

AI-OCR technology is a comprehensive solution for intelligent document recognition. Unlike traditional OCR, which simply converts an image into text, AI-OCR analyzes the document’s structure, determines its type among thousands of types, and extracts data taking context into account. Neural network models are trained on millions of document samples from 200+ countries, which ensures recognition of even rare types of identity documents.

The machine-readable zone (MRZ) is a key element of automated verification for passports and ID cards that comply with the ICAO 9303 standard. This zone contains encoded information about the document holder in OCR-B format, including the name, date of birth, document number, and checksums for data integrity verification. Algorithms verify the check digits using modulo 10 with a 731 weighting function, which makes it possible to detect reading errors or attempts at forgery.

Verification of security features is performed at multiple levels. The system analyzes the presence and correctness of watermarks, visible under special lighting or at an angle. Holographic elements are verified by analyzing changes in color and brightness at different viewing angles. Microtext, invisible to the naked eye, is recognized by specialized high-resolution algorithms. Security fibers embedded in the paper structure are detected by analyzing the document’s texture.

Particular attention is paid to verifying fonts and their compliance with the standards of a specific country. Each document has unique typography with distinctive features in the shapes of letters and digits. The neural network compares the detected fonts with reference samples, identifying the slightest deviations typical of makeshift forgeries. Additionally, it checks print quality, uniformity of ink application, and the absence of raster artifacts.

Modern algorithms are capable of detecting traces of digital image processing. Analysis of file metadata, checking for the presence of layers in the image, detecting traces of retouching or cloning of areas — all of this happens automatically in fractions of a second. When signs of manipulation are detected, the system flags the document for additional manual review or immediately rejects the application.

Matching the document data with the client’s questionnaire

The final stage of document verification consists of cross-validating the extracted data against the information provided by the client during registration. The system automatically compares the full name, date of birth, document number, and other key fields. Even minimal discrepancies, such as a different spelling of the name or a typo in the date, require additional confirmation or correction.

Intelligent algorithms take into account the specifics of name transliteration when converting from national alphabets to Latin script. The system understands that the same name can be written in different ways in different documents and applies fuzzy string matching algorithms. The acceptable mismatch threshold is configured individually depending on the regulator’s requirements and the level of transaction risk.

Checking the logical consistency of the data identifies potential inconsistencies. For example, if the document issue date precedes the holder’s date of birth or the passport validity period does not comply with the issuing country’s standards, the system automatically flags such cases as suspicious. It also analyzes whether the document series and number comply with the established formats for the specific type and year of issuance.

Step 3. Identity verification: face verification and liveness

After successful document verification, the system proceeds to a critically important stage — biometric identity verification. This step ensures that the person who submitted the document is indeed its owner and is present at the time of verification. Biometric confirmation addresses the key challenge of remote identification: it eliminates the possibility of using someone else’s or forged documents and protects against attempts to bypass the system using photos, video recordings, or deepfake technologies.

At this stage, two interrelated technologies are used: liveness detection (“vitality” check) and face matching. The former confirms the physical presence of a live person in front of the camera, while the latter establishes a match between the user’s face and the photograph in the document. Modern biometric verification algorithms process dozens of facial parameters, analyze micro-movements and reactions, which makes spoofing virtually impossible.

Selfie or video stream for “liveness” verification

Liveness verification is implemented through two main approaches: static (photo) and dynamic (video stream). In the static check, the user takes a selfie, and the system analyzes signs of live presence: natural shadows, highlights in the eyes, skin texture, and the facial microrelief. Machine learning algorithms detect attempts to use printed photographs, images on device screens, or silicone masks by their characteristic artifacts and lack of depth.

Dynamic verification via video stream is considered more reliable and includes active or passive methods. In active verification, the system asks you to perform random actions: turn your head, blink, smile, or say a specific phrase. The sequence of commands is generated randomly, which rules out the possibility of pre-recording a suitable video. Passive verification analyzes a person’s natural behavior without special instructions: micromovements of the head, blink frequency, changes in facial expressions.

Modern liveness detection systems use neural network algorithms trained on millions of examples of real and fake images. They analyze the spectral characteristics of the image, detect signs of digital manipulation, and assess the depth and volume of the face by analyzing shadows and perspective. Some solutions employ infrared sensors or structured light to construct a 3D model of the face, providing an additional level of protection against fakes.

The liveness check takes 2 to 10 seconds, depending on the chosen method. The systems automatically adapt to lighting conditions, device camera quality, and internet connection speed, ensuring stable operation even under non-ideal shooting conditions.

Face comparison with the photo in the document and match assessment

After liveness verification, the system compares the user’s biometric data with the photo from the provided document. The algorithms extract unique facial characteristics — the so-called biometric vectors or face embeddings. These vectors are a mathematical description of the face’s geometry: distances between key points, proportions, angles, contours, and other invariant parameters.

Modern facial recognition systems use deep convolutional neural networks capable of extracting hundreds of features for each face. The algorithms are robust to changes in lighting, camera angle (up to 45 degrees), and partial occlusion of the face by glasses or a medical mask. They work correctly with age-related changes in appearance, if the difference between the photo in the document and the current image does not exceed 10-15 years.

The matching process includes several validation stages. First, the system detects a face in both images and checks their quality: sufficient resolution, absence of blur, correct exposure. Then the images are normalized — alignment by key points, lighting correction, and scaling. After that, biometric vectors are extracted and the degree of their similarity is calculated.

The matching result is expressed as a match percentage or a confidence score. Most systems use threshold values to make a decision: with a match above 95-97% verification is considered successful, at 85-95% additional verification may be required, below 85% — the system rejects verification. Specific thresholds are configured individually depending on security requirements and the acceptable level of false rejections.

To improve accuracy, modern platforms employ ensemble methods — simultaneously using multiple recognition algorithms and making a decision based on their aggregate result. This makes it possible to achieve recognition accuracy above 99% with a false positive rate of less than 0,01%. The entire biometric verification process — from image capture to obtaining the result — takes fractions of a second, ensuring a comfortable user experience without noticeable delays.

Stage 4. Customer Due Diligence (CDD)

After successful identification and identity verification, a critically important phase begins — comprehensive due diligence (Customer Due Diligence, CDD). At this stage, the system shifts from technical verification to the analysis of reputational and legal risks associated with a specific client. The goal of CDD is to determine whether the person poses a potential threat to the business in terms of money laundering, terrorist financing, or reputational damage.

CDD goes beyond simply verifying whether a passport is genuine and focuses on whether it is safe to do business with this client. The procedure includes automated screening across multiple databases and an algorithmic assessment of the risk profile, which enables well-informed decisions about granting the client access to the company’s services.

Screening against sanctions lists, PEP, and adverse media

List screening is the first line of defense against toxic clients. Modern KYC platforms check client data against three main categories of sources simultaneously.

Sanctions lists include international and national registers of persons that are subject to economic restrictions. The system matches the client’s name, date of birth, and other identifiers against records in the databases of the UN, OFAC (USA), the EU Consolidated List (European Union), HM Treasury (United Kingdom), and local sanctions lists of the jurisdiction where the business operates. If a match is found, the transaction is blocked automatically—working with sanctioned persons entails fines of up to millions of dollars and criminal prosecution of the company’s management.

PEP status (Politically Exposed Persons) refers to public officials, their relatives, and close associates. PEPs include heads of state, ministers, members of parliament, judges of higher courts, and executives of state-owned corporations and international organizations. According to FATF recommendations, such clients require enhanced monitoring due to an increased risk of corruption and money laundering. Algorithms screen the client against Dow Jones, World-Check, LexisNexis, and regional PEP registers that contain data on more than 4 million politically exposed persons worldwide.

Negative news and convictions are identified through the analysis of media sources and law enforcement databases. The system scans thousands of news sources, court decisions, and crime reports for mentions of the client in the context of fraud, corruption, drug trafficking, or other crimes. Adverse media screening technology is used with filtering of false positives through context analysis and verification of additional attributes (age, location, occupation).

The screening process takes from 0,5 to 3 seconds and checks the client against 1500-2000 sources simultaneously. If a partial match is detected (for example, a similar name but a different date of birth), the system submits the profile for manual review by a compliance specialist for a final decision.

Client profile analysis and risk level assignment

After screening, the system forms the client’s risk profile based on multiple parameters. Modern KYC platforms use scoring models that take into account 30 to 100 risk factors with different weighting coefficients.

Geographical factors analyze the country of residence, citizenship, and connection IP address. Clients from jurisdictions with a high risk of money laundering (per the FATF Grey List) or countries under international sanctions automatically receive an elevated risk score. A mismatch between the declared country of residence and the IP address geolocation also increases the risk indicator.

Transactional indicators assess the declared volume of transactions, the source of funds, and the purpose for using the services. A client planning to make large international transfers without clear economic justification will receive a higher risk rating than a user with a transparent history of local payments.

Behavioral markers include the speed of filling out the form, the number of verification attempts, and the use of VPNs or anonymizers. The system records anomalies: completing forms too quickly may indicate bot usage, while multiple failed attempts may indicate an attempt to forge documents.

Based on a combination of factors, the algorithm assigns the client to one of the risk levels:

1. Low risk (60-70% of clients) — standard verification completed, no restrictions
2. Medium risk (20-30% of clients) — periodic monitoring of transactions is required; transaction limits may apply
3. High risk (5-10% of clients) — enhanced due diligence (EDD) is required, enhanced monitoring of all transactions
4. Unacceptable risk (1-3% of clients) — refusal of service

The risk rating is not static — the system recalculates it when client behavior patterns change, sanctions lists are updated, or new information appears in open sources. This enables timely response to changes in the risk profile and protects the business from potential threats of compliance violations.

Stage 5. Enhanced Due Diligence for High-Risk Clients (EDD)

Enhanced Due Diligence (EDD) is triggered when the standard KYC procedure identifies elevated risk factors. These factors include: matches with PEP lists (politically exposed persons), residents of offshore jurisdictions, clients with atypically high transaction amounts, a mismatch between declared income and the level of activity, links to high-risk industries (cryptocurrencies, gambling, precious metals trading). Attempts to use complex corporate structures, frequent changes of account jurisdictions, or an unclear source of funds also trigger EDD.

Enhanced due diligence does not replace basic KYC but complements it with additional layers of verification. The EDD procedure increases onboarding time from minutes to several days but is critically important for complying with regulatory requirements and protecting the business from reputational risks. According to FATF statistics, about 5-7% of clients of financial institutions undergo EDD, while this category generates up to 40% of all suspicious transactions.

Request for additional documents and clarifications

When the EDD procedure is activated, a structured request for additional information is sent to the client. The documentation package is expanded depending on the identified risks. To confirm the source of funds, the following are requested: tax returns for the last 2-3 years, bank statements for 6-12 months, asset sale and purchase agreements, inheritance or gift documents, income statements from the employer, dividend payments or royalties.

When working with corporate clients, the following are required: the full ownership structure up to the ultimate beneficial owners, incorporation documents for all companies in the ownership chain, financial statements for the most recent periods, and operating licenses. Particular attention is paid to documents confirming the economic substance of transactions: contracts, invoices, customs declarations, and certificates of completion.

Along with the documents, written explanations are requested regarding the nature of activities, business model, geography of operations, planned transaction volumes and their frequency. The client must describe in detail the flow of funds, specify counterparties, and substantiate the economic rationale of the transactions. When connections with PEPs are identified, disclosure of the nature of the relationships, positions, and powers of the related persons is required.

Modern KYC platforms automate the collection of additional documents through secure portals with data encryption. The system tracks the status of each requested document, reminds of submission deadlines, and automatically validates the received files for compliance with requirements.

Manual review and final assessment by a compliance specialist

After receiving the full set of documents, the stage of manual verification by the compliance team begins. Specialists conduct cross-checks of data from various sources, analyze the logical consistency of the provided information, and look for discrepancies. The authenticity of the documents is verified through inquiries to state registries, tax authorities, and registration chambers.

The compliance officer assesses reputational risks by analyzing open sources: court databases, bankruptcy registries, negative mentions in the media, social media. Specialized databases such as Dow Jones Risk & Compliance, World-Check, and LexisNexis are used, containing information on sanctions, criminal convictions, and ties to organized crime. In international operations, the screening is expanded to foreign jurisdictions with the involvement of local information sources.

The final assessment includes building a complete client risk profile with scores assigned for each factor: geographical risk, industry risk, transactional risk, product risk. The compliance specialist prepares a reasoned conclusion with recommendations: approve with restrictions (limits on transactions, prohibition of certain transactions, enhanced monitoring), request additional guarantees, or refuse service.

Decisions on EDD cases are made collectively with the participation of the head of the compliance department, the risk manager, and a representative of the business unit. All stages of the review, the decisions made, and their justifications are recorded in the system for subsequent audit by regulators. EDD documentation is retained for at least 5 years after the relationship with the client is terminated, which allows demonstrating to the regulator good-faith compliance with anti-money laundering requirements.

Stage 6. Decision and completion of KYC verification

After completing all verification stages, the system produces a comprehensive assessment of the client, based on which the final decision is made. This critical moment determines the subsequent relationship with the user and directly affects the security of the business.

Modern KYC systems analyze dozens of parameters in fractions of a second: document verification results, biometric matching, sanctions screening scores, behavioral factors during the verification process. Machine learning algorithms identify hidden fraud patterns and anomalies that a human might overlook.

The decision-making process is based on a weighted risk assessment. The system assigns a specific weight to each factor depending on the company’s business logic and the regulatory requirements of the jurisdiction. For example, a mismatch between the registered address and the geolocation may carry less weight than finding a client on the OFAC sanctions list.

Client approval, rejection, or request for additional information

The automated system makes one of three decisions, each of which triggers its own scenario for further actions.

Statistics show the distribution of decisions in a typical fintech service: 75-80% of customers receive instant approval, 10-15% are sent for additional review, 5-10% are rejected. These metrics vary depending on the industry, geography, and the company’s risk appetite settings.

Recording the result, setting up client limits and permissions

The decision is immediately recorded in the system, creating an immutable record for audit and regulatory reporting. A digital client dossier is created, containing all collected data, verification results, the assigned risk level, and the rationale for the decision.

For approved clients, the system automatically configures operational parameters in accordance with their risk profile. Low-risk clients receive standard limits on transactions, withdrawals, and the use of premium features. Medium-risk users may encounter reduced limits, requirements for two-factor authentication for critical operations, or restrictions on certain types of transactions.

Dynamic permission settings allow flexible risk management without fully refusing service. For example, a client from a high-risk jurisdiction can perform transactions up to 1000 euros per month without additional checks, but exceeding this threshold will require enhanced verification of the source of funds.

The system records metadata of the verification process: the time taken to complete each stage, the number of document upload attempts, the devices used, and IP addresses. This data forms a behavioral profile that is used to detect anomalies during subsequent logins to the system.

All decisions and actions are logged with millisecond precision, ensuring full traceability for internal investigations and regulatory audits. The logs include the versions of the algorithms used, the threshold values at the time of the check, and operator identifiers in cases of manual intervention.

Integration with the company’s internal systems occurs via secure APIs that transmit the verification result and customer parameters to the CRM, billing system, and limit management platform. This ensures the consistent application of limits across all service channels.

The result of a KYC check determines not only the client’s current status but also lays the foundation for long-term relationships. A well-configured system allows you to instantly onboard trustworthy users, effectively filter out fraudsters, and flexibly handle borderline cases, maximizing conversion while complying with all regulatory requirements.

Stage 7. Continuous monitoring and updating of the KYC profile

KYC verification does not end after the client’s initial approval. Modern regulatory requirements and anti-money laundering standards require companies to conduct ongoing monitoring of user activity and keep user data up to date. This process is called ongoing monitoring, or continuous monitoring—it allows you to identify changes in a client’s risk profile, track suspicious transactions, and keep the database up to date.

Periodic review of data and documents

The frequency and depth of periodic review depend on the risk level assigned to the client at the initial verification stage. For low-risk clients, the standard review period is 12-36 months. Medium-risk clients undergo repeat review every 6-12 months, and high-risk profiles are reviewed quarterly or even monthly.

As part of periodic review, the system automatically checks the expiration dates of identity documents. 30–60 days before a passport or other ID document expires, the client receives a notification to update their information. In parallel, a repeat screening is run against the OFAC, UN, and EU sanctions lists, as well as national lists of extremists and terrorists. The algorithms scan for updates in PEP (politically exposed persons) databases and adverse media related to the client’s name.

Modern platforms use machine learning technologies to automatically detect changes in public sources. The system tracks corporate registers for changes in the ownership structure of the client company and monitors court decisions and bankruptcies. For individuals, the validity of the registered address is checked through government databases, where this is technically possible and permitted by law.

Upon detection of significant changes, a task is automatically created for the compliance specialist. They decide whether to request additional documents, change the risk level, or conduct enhanced due diligence (EDD). All results of periodic checks are recorded in the system with the date, the responsible employee, and the measures taken indicated.

Triggers for KYC re-verification (suspicious transactions, profile changes)

In addition to scheduled checks, there is a set of trigger events that automatically initiate an unscheduled KYC verification. These triggers are divided into several categories: transactional, behavioral, and informational.

Transactional triggers include transactions that fall outside the client’s normal behavior. A sharp increase in transaction volume (exceeding the average monthly turnover by 3-5 times), the receipt or sending of funds to or from high-risk jurisdictions, multiple transfers just below the mandatory reporting threshold (a clear sign of payment structuring) — all of this triggers an automatic review. The system analyzes patterns: frequent circular transactions, transactions at times of day uncharacteristic for the client, the use of new payment instruments or currencies.

Behavioral triggers capture changes in how a customer interacts with the service. A change of IP address to a geographically distant region, login attempts from devices seen in fraudulent schemes, a change in typical activity time — these signals indicate a possible account compromise or a change of beneficial owner. Particular attention is paid to attempts to change key profile data: email, phone number, shipping address, or payment details.

Informational triggers are activated when new client data appears in external sources. Placement on sanctions lists is detected in real time thanks to integration with data providers via API. Adverse media mentions related to financial crimes, corruption, or terrorism automatically increase the client’s risk score. A change in PEP status (appointment to or dismissal from a public office) also requires an immediate profile review.

When a trigger is activated, the system can act according to one of the preconfigured scenarios. For critical events (being added to sanctions lists), transactions are immediately blocked with a notification to the compliance officer. For medium-risk triggers, an additional biometric check is initiated or supporting documents are requested without interrupting service. Low-risk events are recorded in the system for cumulative analysis — if the number of minor triggers exceeds the threshold over a specified period, a full re-verification is initiated.

An important element of the monitoring system is machine learning, which continuously calibrates trigger sensitivity based on historical data. Algorithms learn to distinguish legitimate changes in customer behavior (for example, business seasonality) from potentially suspicious activity, reducing the number of false positives and increasing the accuracy of detecting actual risks.

The results of all checks, both scheduled and trigger-based, form a unified interaction history with the client. This information is used to substantiate decisions to regulators, serves as an evidentiary basis in investigations, and helps continuously improve the company’s risk models.