
Picture this: a new user lands on your product, signs up fast, and is two taps away from the finish line. Then comes a “take a selfie with your ID” step, in low light, with a slow camera prompt. The user quits. It took 18 seconds to lose them.
We all want to stop fraud and follow the law. We also want a clean, quick flow. Both can live together. The trick is to test the small parts, not to ship a huge gate all at once.
Note to reader: This is a practical guide, not legal advice. Your rules may vary by market.
Most drop-off happens when checks feel random, long, or hard to fix. Forms ask for data the user has already given. Camera steps fail with no clear way to retry. People leave when they do not see the point. Research on form UX shows that extra fields and unclear help cause fast exits.
E‑commerce teams learned this years ago. Strong data backs it up, like the checkout friction studies. KYC can borrow the same proof: shorten, explain, and allow safe retries.
The enemy is not rules. It is guesswork.
There is a gap between the law and our fears. Many teams think “we must do the hardest step for all users.” Not true in many places if you use a risk-based plan and keep good records.
Case A (neobank): A bank replaced an “active” liveness step (turn head, blink) with “passive” liveness and a better camera hint. They also added a clear retry path. False rejects dropped by a third. Time to complete fell by about 20 seconds. Fraud did not rise. Why? Users were not forced into a bad light loop. The model saw signs of life without a chore.
Case B (gaming/betting): An operator used progressive checks. First, a name, date of birth, and address check. Then, based on risk signals, they added doc scan and PEP/sanctions review. Only some users saw liveness. They cut drop-off by around 25% and passed audit. A key trick was clear text that set the “why” for each step in plain words.
We also watch market patterns in high-risk gaming. Independent hubs note when flows are fair and fast, and when they block too much. For a neutral view of how licensed operators handle KYC steps and bonuses across regions, see the independent review site Nya Casinobonusar. It tracks what real users face in sign-up and what works.
KYC has costs you see and costs you do not. A false reject loses a real user and their lifetime value. A false accept lets in fraud and future risk. Your goal is to put checks where they pay for themselves.
Set a simple plan: estimate average LTV per risk band. Estimate fraud loss when bad users slip in. Set a budget for seconds of extra friction per user group. Use standards to guide your level of trust, like the NIST Digital Identity Guidelines. But test in your real flow. Lab metrics do not map 1:1 to the wild.
Face tech can look great in a lab, yet fail on low light or low-end phones. Check the NIST FRVT results, then run A/B in shadow mode with your mix of users. Track false reject rate (FRR), time to pass, and retry success. Keep the model that saves the most good users with stable fraud rates.
Do not bet on one SDK to rule all cases. Use a small set of modes, choose by risk, and monitor. For liveness and anti-spoofing, know the standard: ISO/IEC 30107-3 PAD. Ask vendors for test proof and third-party checks like the iBeta PAD conformance program.
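An added example, not from the article, of how to score the shadow-mode run described above: it computes FRR, FAR, median time to pass and retry success per model and per device class, then keeps the model with the lowest FRR whose FAR is no worse than the baseline's. The log rows, model names and device classes are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed shadow-mode log (not real data). Each row is one onboarding
# attempt scored by a candidate liveness model without blocking the user.
# "genuine" is the label learned later (chargebacks, manual review);
# "passed" is the model's verdict; "tries" counts camera attempts.
ATTEMPTS = [
    {"model": "active", "device": "low_end", "genuine": True, "passed": False, "secs": 140, "tries": 3},
    {"model": "active", "device": "low_end", "genuine": True, "passed": True, "secs": 120, "tries": 2},
    {"model": "active", "device": "flagship", "genuine": True, "passed": True, "secs": 70, "tries": 1},
    {"model": "active", "device": "flagship", "genuine": False, "passed": False, "secs": 90, "tries": 1},
    {"model": "passive", "device": "low_end", "genuine": True, "passed": True, "secs": 65, "tries": 1},
    {"model": "passive", "device": "low_end", "genuine": True, "passed": True, "secs": 80, "tries": 2},
    {"model": "passive", "device": "flagship", "genuine": True, "passed": True, "secs": 50, "tries": 1},
    {"model": "passive", "device": "flagship", "genuine": False, "passed": False, "secs": 60, "tries": 1},
]

def metrics(rows):
    """FRR, FAR, median seconds to pass and retry success for one slice of attempts."""
    genuine = [r for r in rows if r["genuine"]]
    fraud = [r for r in rows if not r["genuine"]]
    retried = [r for r in genuine if r["tries"] > 1]      # good users who needed a retry
    passed_secs = [r["secs"] for r in genuine if r["passed"]]
    return {
        "frr": sum(not r["passed"] for r in genuine) / len(genuine) if genuine else None,
        "far": sum(r["passed"] for r in fraud) / len(fraud) if fraud else None,
        "median_secs": median(passed_secs) if passed_secs else None,
        "retry_success": sum(r["passed"] for r in retried) / len(retried) if retried else None,
    }

def by_model_and_device(rows):
    """Slice by (model, device) so low-end phones are not hidden by the average."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["model"], r["device"])].append(r)
    return {key: metrics(group) for key, group in groups.items()}

def pick_model(rows, baseline, max_far_increase=0.0):
    """Keep the model that rejects the fewest good users while its FAR stays
    within max_far_increase of the baseline model's FAR."""
    per_model = {m: metrics([r for r in rows if r["model"] == m]) for m in {r["model"] for r in rows}}
    base_far = per_model[baseline]["far"]
    eligible = {m: v for m, v in per_model.items()
                if v["far"] is not None and v["far"] <= base_far + max_far_increase}
    return min(eligible, key=lambda m: eligible[m]["frr"])
```

With a real log, slice further by OS version and lighting hint so that a model that only wins on flagship phones does not get shipped to everyone.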
| Method | Friction score | Failure risk | Assurance score | Regions | Coverage | Typical time | Notes |
|---|---|---|---|---|---|---|---|
| Document scan + passive liveness | 3 | Low–Med (good light helps) | 4 | Wide (EU/UK/US/SG) | Passports, IDs; broad | 60–120s | High pass rate on phones; test in low light |
| Document scan + active liveness (challenge) | 4 | Med (user errors common) | 5 | Wide | Passports, IDs | 90–150s | Use when risk is high; give clear retry path |
| Database/PII checks (credit bureaus, data brokers) | 1–2 | Low | 3 | Common in US/UK | Strong in some markets | 10–30s | Great prefilter; watch bias and stale data |
| Bank-based verification (Open Banking, BankID) | 2 | Low | 4 | EU/UK/Nordics | Good where banks expose APIs | 30–90s | Strong tie to a real account; watch consent UX |
| eID / eIDAS wallet (EU Digital Identity) | 1–2 | Low | 4–5 | EU (growing) | By member state | 15–45s | Fast when user has an eID; coverage still uneven |
| Face match to existing KYC (re-verification) | 1–2 | Low–Med | 3–4 | Wide | Only for known users | 10–30s | Great for step-up auth; log consent |
| Address verification (postal/utility) | 2–3 | Med | 3 | Varies by law | Good in mature markets | 1–3 days (postal) / 60–120s (online) | Use as a second factor, not first line |
| Sanctions/PEP screening only (as a trigger) | 1 | Low | 2 | Required as part of AML | Global lists | 5–15s | Never standalone for KYC; gate deeper checks |
| Reusable identity (BankID, Singpass) | 1–2 | Low | 4 | Nordics/SG | Strong where issued | 15–45s | High trust; educate users on reuse |
| No-Doc “data-first” (SSN/NIN where legal) as prefilter | 1 | Med (data errors) | 2–3 | US/selected | By country data laws | 10–30s | Great for speed; add docs only when risk rises |
Scores here are guides. Validate them with your live users. Run A/B tests and a shadow mode before you flip the switch.
Start data-first. Ask for name, date of birth, and address first. See if you can verify with a soft check. If it passes, stop there. If not, add doc scan. People accept steps more when they see why now, not “just in case.”
Trigger deep checks. If the device looks risky, the IP is odd, or the name hits a watchlist, then ask for liveness. Make it clear, give tips, and allow an easy retry. Edge tech like FIDO passkeys and W3C WebAuthn can help with return visits and step-up auth without password pain.
Soft blocks. In some cases you can let a low-risk user browse or deposit small sums, while the AML checks clear in the back end. If a hit appears, freeze before a payout. Be sure this matches local law.
Design for retries. A failed selfie is not the end. Offer a simple retry with clear hints: “Stand near a window,” “Hold the phone still,” “Remove glasses.” Add a progress bar and a skip that saves state.
Risk-based onboarding (RBO) is simple in shape. You use signals to get a score. Scores map to tiers. Each tier unlocks the next check. You log each choice for the audit trail.
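The data-first flow, the risk triggers, the retry design and the tiering loop above, written out as an added Python sketch that is not from the article: the signal weights, tier thresholds, check names and tips are hypothetical placeholders to replace with your own, and each decision carries its own audit list so every choice is recorded.

```python
from dataclasses import dataclass, field

# Hypothetical weights and thresholds; derive yours from your own fraud data.
SIGNAL_WEIGHTS = {"risky_device": 40, "odd_ip": 25, "watchlist_hit": 100}
TIER_CHECKS = {  # each tier unlocks one more check on top of the previous ones
    "low": ["data_check"],
    "medium": ["data_check", "doc_scan"],
    "high": ["data_check", "doc_scan", "liveness"],
}
LIVENESS_TIPS = ["Stand near a window", "Hold the phone still", "Remove glasses"]
MAX_LIVENESS_RETRIES = 2

def score(signals):
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)

def tier_for(risk_score):
    return "high" if risk_score >= 60 else "medium" if risk_score >= 25 else "low"

@dataclass
class Decision:
    user_id: str
    score: int
    tier: str
    required_checks: list
    audit: list = field(default_factory=list)  # one entry per choice, for the audit trail

def decide(user_id, signals, data_check_passed):
    """Data-first: score, assign a tier, and stop at the soft check when risk is low."""
    s = score(signals)
    t = tier_for(s)
    d = Decision(user_id, s, t, list(TIER_CHECKS[t]))
    d.audit.append({"event": "tier_assigned", "score": s, "tier": t, "signals": sorted(signals)})
    if t == "low" and data_check_passed:
        d.audit.append({"event": "verified", "by": "data_check"})
    elif t == "low":  # soft check failed: step up to a document scan, not straight to liveness
        d.required_checks.append("doc_scan")
        d.audit.append({"event": "step_up", "reason": "data_check_failed", "added": "doc_scan"})
    return d

def on_liveness_failure(d, failures):
    """Two retries with tips after a failed selfie; on the third failure, route to doc upload."""
    if failures <= MAX_LIVENESS_RETRIES:
        tip = LIVENESS_TIPS[(failures - 1) % len(LIVENESS_TIPS)]
        d.audit.append({"event": "liveness_retry", "attempt": failures, "tip": tip})
        return "retry", tip
    d.required_checks = [c for c in d.required_checks if c != "liveness"] + ["doc_upload"]
    d.audit.append({"event": "fallback", "from": "liveness", "to": "doc_upload"})
    return "fallback", "doc_upload"
```

In production the audit list would be written to append-only storage with a timestamp and the rule version, so compliance can replay why a given user saw a given step.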
Global bodies like FATF back this way of thinking. See the FATF digital ID guidance. Some markets set extra terms on when to step up. A clear case is the MAS in Singapore; check MAS Notice 626.
Store only what you must, for only as long as you must. Encrypt at rest. Limit who can view scan images. Use keys with strict roles. Have a delete plan. If law asks you to keep data, set a timer and purge on time. The UK ICO has useful advice on fair checks; see the ICO guidance on identity verification.
Say what you store and why. Make it easy to ask for a copy. Your brand wins when people see you care and act with care.
Do not lock out people with older phones, low light, or different name formats. Offer an upload path if the live camera fails. Support screen readers and clear labels. Check your flow against WCAG 2.2. If the ID type is rare in your market, let users pick “Other” and route to support with a short SLA.
When you assess a vendor, ask for proof, not slides. Look for security marks like ISO/IEC 27001 and AICPA SOC 2 Trust Services Criteria. Ask about data centers, data in transit and at rest, and data residency by region.
For biometrics, ask for PAD test reports and real FRR/FAR on low-end devices. Check SDK size, latency on 3G, and offline fail states. Ask for coverage by document type and country. Get a clear appeals flow for users who fail, with SLAs you can live with.
Balance hard numbers with user love and task ease. A simple frame like the Google HEART framework can anchor your UX goals next to risk goals.
Day 0–30: Shadow-run new checks in parallel. Log but do not block. Compare FRR/FAR, time, and pass rates by device. Train support on new failure reasons.
Day 31–60: A/B test on 10–20% of traffic. Turn on feature flags per region. Watch live dashboards. Tweak copy and retry flows first; they are cheap wins.
Day 61–90: Ramp to 50–100%. Add step-up checks on risk triggers only. Review audit logs with compliance. Ship a short “what changed” note to users if flows look new.
Can we skip selfies?
Yes, for some users and use cases. Use data checks first. If risk is low and law allows, you can stop there. Document why.
Will an auditor accept a risk-based plan?
If you map risks to steps, keep logs, and follow local rules, yes. Many regulators prefer this to blunt, one-size-fits-all checks.
How fast is “good”?
Aim for under 90 seconds for low-risk users, and under 3 minutes for high-risk. Focus on clear help and fast retries.
What if users fail liveness?
Offer two retries with tips. If fail again, route to doc upload or a short video call window. Make the path clear and fair.
What about reusable identity?
If your market has BankID, Singpass, or EU eID pilot access, add it. It cuts time and error. Still keep a fallback for those without it.
Useful reads beyond those linked above:
Editorial note: This article focuses on practical steps that follow a risk-based model. Laws change. Re-check guidance every six months, such as FATF, EBA/FCA, NIST, and local notices. Last updated: [set date].
About the author: Written by a product and risk lead with 8+ years in KYC/AML and remote onboarding, across EU/UK/US markets.