Two minutes. That was the promise on the sign-up screen. A new player tried to make a small deposit. The app asked for a passport photo. The room light was low. The camera warned about glare. The user tried again. This time the selfie check failed. “Move closer.” “Now turn your head.” Still no go. The user quit, left a one-star review, and never came back. That “two minutes” silently turned into twelve and a lost customer.
Every percent you lose in KYC is money gone and risk up. You need proof, but you also need speed. This guide shows how to do both, in plain words and with steps you can ship next week.
KYC and AML exist to stop crime, protect the system, and keep you safe. Users want to move fast, share less, and feel in control. Product teams want high pass rates and low cost. Fraudsters try to blend in. The job is to balance it all without guesswork.
You do not have to pick “hard checks” or “happy users.” Use a risk-based path. Map key rules, then match controls to real risk. For a global baseline, see the FATF recommendations. They push for strong rules, but also for proportional, risk-based steps.
Most rules share a few ideas: know your customer, screen for sanctions, keep records, and turn up checks when the risk rises. Put it in writing and keep proof of how you judge risk. That is the core of “risk-based.”
In the U.S., banks must run a Customer Identification Program (CIP). You need name, address, date of birth, an ID number, and a way to check them. Read the U.S. CIP rule for the base line and keep a clean audit trail.
Sanctions checks are not optional. Screen users and counterparties against official lists, like the OFAC sanctions list. Tune your name match rules to avoid floods of false hits.
In the UK, see the FCA’s guide on financial crime. It explains what good looks like in practice and what “proportionate” means. Start with the FCA financial crime guidance.
For the EU, two items matter a lot: AML risk factors and payment auth rules. The EBA risk factors guidance covers when to step up checks. For payments, learn how PSD2 uses multi‑factor auth (SCA). A good plain intro sits here: PSD2 Strong Customer Authentication.
Friction hides in small places: weak copy, poor light tips, error loops, slow manual reviews, and long forms. Many users fail not because they lie, but because the flow is unclear or the device has limits. Fixing this is cheaper than adding yet another check.
Write clear, short copy. Show what comes next. Let users try later or switch devices. This is not guesswork; there is good UX friction research you can apply in a day.
Design your forms with care. Micro details change pass rates: labels above fields, one idea per step, strong error text, and clear help. See this form usability study for patterns that work.
Do not stack every control for every user. Start light. Step up on signals: high amounts, odd device, bad IP, or hits on watchlists. Use strong methods only when they add real assurance. If you scan passports, follow ICAO Doc 9303. For a common language across risk, look at the NIST Digital Identity Guidelines. For liveness, ask vendors for liveness certification levels. If you test new models like verifiable credentials, start with the Verifiable Credentials data model. And if you bind accounts to devices, plan for passkeys to cut takeovers.
| Government ID scan + OCR | Authentic document and identity data | Medium | Medium | High | Mass market onboarding; EDD triggers | Glare, cut edges; set clear retention; manage vendor false rejects |
| NFC chip read (e‑passport/eID) | Crypto‑bound data from the chip | High | Medium (needs guidance + hardware) | High | High‑risk tiers; EU/EEA; travel docs present | Not all phones support; instructions must be exact |
| Selfie face match with liveness | Person matches document and is present | High (if PAD‑certified) | Medium–High | High | Stop mule farms; unlock payouts or limits | Bias checks; disclose PAD level; give non‑biometric fallback |
| Database/credit file match | PII consistency, address history | Low–Medium | Low | Medium | Low‑risk tiers; step‑up before doc scan | Thin files; data quality varies by country |
| Sanctions/PEP screening | Clears against watchlists | N/A (screening) | Low (background) | Low–Medium | All users; ongoing checks | Name match tuning; handle false positives fast |
| Source of funds/wealth | Legit origin of funds | High (if evidentiary) | High | High | Large amounts; risky patterns; EDD | Secure upload; explain why; allow redaction |
| Open banking account link | Account ownership; balance and flow | Medium–High | Medium | High | Payout accounts; recurring payments | Consent clarity; request the least data you need |
| Device binding (passkeys) | User bound to their device/credential | High (for auth) | Low | Low | Reduce account takeovers and resets | Edge cases on shared devices; recovery flow must be clear |
Collect only what you need for the job. Write down why you need it. Set a clear time to delete it. If you use a vendor, ask where data lives and who can see it. If you must use face data, run a necessity test, use strong consent, and give a non‑biometric path when you can. The UK regulator has a plain guide: ICO guidance on biometrics and special data.
For EU‑level advice on biometric impact and consent, read the EDPB guidance. For a broad privacy frame you can adopt across markets, the OECD Privacy Guidelines are short and practical.
Collect basic PII. Run database match and sanctions. Skip document scans at first. Step up only on alerts (mismatch, risky IP, velocity).
Do ID scan + selfie match with liveness. Offer NFC read if a chip is present. Ask for proof of address only if triggers fire (e.g., high amount, fraud markers).
Use face liveness with clear copy, NFC when possible, and step up to source‑of‑funds on triggers. Build a fast lane for known good users: same device, clean history, stable payment method.
Safe fails matter. If a user fails on mobile, let them switch to desktop. If liveness fails twice, offer a call or a local branch ID check where allowed. Set a clean service time for human help, even on weekends.
For gambling, check age and location early and hard. The UK has strict checks—see the age and identity rules—and many markets have the same spirit even if words differ.
Run small A/B tests: copy on liveness, a help link on doc scan, a switch device prompt after a fail, and a “come back later” save. Ship wins fast.
We are moving from repeated KYC to reusable proof. With Verifiable Credentials, a user can hold a signed “KYC token” and share only what is needed, like age or country. The EU’s push for cross‑border digital ID will speed this trend through eIDAS 2.0.
On the auth side, passkeys cut account takeovers and reduce recovery pain. For open banking and secure APIs, align with FAPI so tokens and scopes are clean.
To build today, read a short primer and try a developer demo: Google’s guide to passkeys for developers is a good start.
Is KYC required for gambling sites?
Yes. Most markets require age and ID checks before play or cash out. The UK is strict and clear; operators must verify age and identity early. Rules change by country, so check local laws and set a written policy.
Are face biometrics allowed under GDPR?
Often yes, but they count as special data. You must have a legal ground, a clear need, and strong security. Give users a non‑biometric option when you can, and avoid keeping raw face data longer than needed. National regulators like the ICO have practical advice.
What is the difference between KYC and SCA?
KYC proves who the user is at onboarding or when risk rises. SCA proves the user controls the account when they log in or pay, using two or more factors (something you know, have, or are). You need both, but at different times.
How do we show a risk‑based approach to auditors?
Write it down. List user types, risks, and triggers. Map each trigger to a step‑up check. Keep logs of decisions, false hits, and updates. Review the policy at least twice a year and after big rule changes.
Not legal advice: This article is for information only. Work with your counsel and MLRO for your market and product. Last reviewed: 2026‑07‑05.