
How to Build a Compliant KYC Stack with Document Verification

Author: admin | 08 May 2026

The H2 2025 Top Fraud Trends Report by TransUnion estimates the cost of fraud to businesses worldwide in 2025 at 534 billion, or 7.7 percent of total annual revenue. Synthetic identity fraud and account takeover combined to contribute almost half of those losses. Most of them began at onboarding. Most of them passed a document examination.

That is the real problem with treating document verification as a complete Know Your Customer (KYC) solution. Checking a document tells you that the document is real. It tells you nothing about the person who possesses it. A stolen passport defeats every authenticity check, because the document itself is genuine. A synthetic identity built from both authentic and fake data clears all data matches. Neither is stopped until a biometric layer, with a liveness check and face matching, is introduced into the flow.

This guide explains what document verification actually covers, where it falls short, and how to create a three-layer KYC stack around it that regulators will accept and fraudsters will be unable to overcome.

Quick Takeaways

  • Document verification is a test that certifies that a document is real; it does not certify that the person presenting that document is the owner of that identity.
  • A compliant KYC stack must have three layers, namely, data verification, document verification, and biometric liveness with face matching.
  • In 2025, synthetic identity fraud and account takeover will drive almost half of all reported losses, costing businesses more than half a trillion dollars globally annually.
  • Liveness detection fulfills global regulators’ requirement for proof of presence at onboarding in remote digital channels.
  • Facia’s liveness detection is certified at iBeta Level 2 with a false acceptance rate of 1-in-100-million.

What Document Verification Actually Does

Document verification is the automated procedure of ensuring that a presented identity document (passport, national ID, or driver’s license) is genuine, unaltered, and issued by a recognized authority. Current systems check four different things on each submission.

  • OCR and data extraction read machine-readable zones (MRZs), barcodes, and printed fields to pull name, date of birth, document number, and expiry date.
  • Authenticity analysis compares the document against the official version of that document: the font types used, the positioning of security features, and the patterns of the hologram.
  • Tamper detection operates at the pixel level of image forensics to detect cloned backgrounds, altered metadata, or security features that have been artificially inserted. 
  • Document classification compares the submission to a global library of issued document templates to determine that the format is known and issuer-valid.

The Three-Layer KYC Stack That Regulators Actually Want

Regulatory frameworks are not prescriptive about method; they mandate a particular outcome: verified customer identity and evidence of presence. Producing that outcome always takes three layers of verification, each of which closes a different fraud vector.

Layer 1: Confirm the Data Is Real

The data submitted by the applicant (name, date of birth, address, and national ID number) is verified against government databases or credit bureau records. This layer intercepts synthetic identities in which the personal data is fabricated and not present in any authoritative source.

Layer 2: Confirm the Document Is Real

The provided document is verified using OCR and MRZ scanning, as well as barcode analysis and image forensics. This layer ensures that the document is authentic and that the information printed on it matches the information the applicant provided in Layer 1. It catches forged documents and discrepancies between the submitted information and the actual document.
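The MRZ part of Layer 2 can be checked mechanically. The following is an added example, not code from this article or from any vendor: it validates the ICAO 9303 check digits on line 2 of a passport (TD3) MRZ and cross-checks the printed fields against the Layer 1 submission. The function names, reason codes, and the shape of the submitted record are assumptions.

```python
from datetime import date

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # index = ICAO 9303 value

def check_digit(field):
    """Weighted sum with repeating weights 7, 3, 1, modulo 10; '<' counts 0."""
    values = (0 if c == "<" else ALPHABET.index(c) for c in field)
    return sum(v * (7, 3, 1)[i % 3] for i, v in enumerate(values)) % 10

# TD3 (passport) line 2 layout: name -> (field slice, index of its check digit)
TD3_FIELDS = {
    "document_number": (slice(0, 9), 9),
    "date_of_birth": (slice(13, 19), 19),
    "expiry_date": (slice(21, 27), 27),
    "personal_number": (slice(28, 42), 42),
}

def verify_mrz(line2, submitted, today):
    """Return reason codes; an empty list means the MRZ is consistent."""
    if len(line2) != 44 or set(line2) - set(ALPHABET + "<"):
        return ["bad_format"]
    reasons, f = [], {}
    for name, (span, cd) in TD3_FIELDS.items():
        f[name] = line2[span]
        # An unused optional field may carry '<' instead of a check digit.
        unused = name == "personal_number" and set(f[name] + line2[cd]) == {"<"}
        if not unused and line2[cd] != str(check_digit(f[name])):
            reasons.append(f"check_digit:{name}")
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if line2[43] != str(check_digit(composite)):
        reasons.append("check_digit:composite")
    # Layer 1 cross-check: printed data must equal what the applicant submitted.
    if f["document_number"].rstrip("<") != submitted["document_number"]:
        reasons.append("mismatch:document_number")
    if f["date_of_birth"] != submitted["date_of_birth"].strftime("%y%m%d"):
        reasons.append("mismatch:date_of_birth")
    # Assumption: two-digit expiry years are read as 20YY.
    if f["expiry_date"] < today.strftime("%y%m%d"):
        reasons.append("expired")
    return reasons

# Sample input: specimen data for the fictional state "Utopia" (UTO).
SAMPLE = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
APPLICANT = {"document_number": "L898902C3", "date_of_birth": date(1974, 8, 12)}

if __name__ == "__main__":
    print(verify_mrz(SAMPLE, APPLICANT, date(2011, 1, 1)))
    print(verify_mrz(SAMPLE.replace("7408122", "7408132"), APPLICANT, date(2011, 1, 1)))
```

Check digits only catch accidental or careless edits; a forger can recompute them, which is why the Layer 1 cross-check and image forensics run alongside.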

Layer 3: Confirm the Person Is Real

The applicant is asked to provide a live selfie. Liveness detection is used to confirm that the person completing a check is a physically present, real individual and not a printed photo, video replay, silicone mask, or AI-generated face. Photo ID matching then compares the live capture with the portrait extracted from the Layer 2 document and returns a biometric similarity score.

A compliant KYC stack is strongest when each layer verifies a different part of identity: the data, the document, and the person. 

Figure: Three-layer KYC stack for verified identity

No single layer suffices alone. A stolen document fails Layer 3, because the presenter’s live face does not match the portrait. A synthetic identity that includes a fake face also fails Layer 3. A genuine document where the applicant’s data does not match fails Layer 1. Each layer seals the hole that the previous layers expose.

Where Face Matching Fits Into Document Verification 

Face matching is the link between an authenticated document and an authenticated individual. During document verification, the portrait is extracted from the submitted ID and stored for biometric comparison. The applicant then submits a selfie. Face matching compares the two biometric templates and returns a similarity score.

A selfie links a live face to the document portrait and prevents impersonation with just a stolen ID. Liveness detection is an additional check: it verifies that the selfie came from a real person who is physically present, not a printed photograph held up to the camera, a video replay, or a deepfake image injected into the data stream. Without liveness, a high-quality printed image of the document holder can still pass a face-matching check, and can even verify with a 100 percent success rate.

The sequence matters. Document verification is performed first, face matching second, and liveness detection concurrently with selfie capture. Each step builds on the previous one. Omitting or reordering a step leaves a particular fraud vector open.

The Compliance Rules Your KYC Stack Must Meet 

The compliance teams that develop a KYC stack in 2025 and 2026 are operating under tightening requirements that now reach far beyond banking.

  • Evidence of Presence is a Baseline Expectation. Under FATF Recommendation 10 on Customer Due Diligence, financial institutions should identify customers and verify their identities using reliable, independent source documents, data, or information. In the case of remote digital onboarding, liveness detection meets this requirement.
  • KYC Obligations Now Cover Industries Beyond Finance. Under the EU AML Package, particularly Regulation (EU) 2024/1624, KYC and Customer Due Diligence requirements apply to obliged entities, including crypto-asset service providers, real estate professionals, gambling service providers, and traders in high-value goods. 
  • Digital Identity Assurance has a Defined Standard. For remote high assurance identity proofing, ETSI TS 119 461 V2.1.1 requires live person verification and presentation attack detection, meaning document verification alone is generally insufficient for EU-regulated remote onboarding.
  • Biometric Data Carries Its Own Legal Obligations. Under Article 9 of the GDPR, Regulation (EU) 2016/679, biometric data processed for the purpose of uniquely identifying a natural person is treated as a special category of personal data. For liveness checks and face matching, compliance teams should document the legal basis for processing, consent where relied upon, data retention rules, and deletion workflows. 
  • Audit Trails are Mandatory Evidence. A document verification flow without session-level logging of document result, liveness outcome, face match score, and reason codes per session results in a compliance gap that regulators discover immediately upon review.
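An added example (not Facia's API and not code from this article) of a per-session decision that fails closed when a step from the sequence above is omitted, and that emits the audit record this list asks for. The session field names, reason codes, and the 0.80 threshold are assumptions.

```python
import json
from datetime import datetime, timezone

def decide(session, threshold, now=None):
    """Evaluate one onboarding session fail-closed; return its audit record."""
    reasons = []
    if not session.get("biometric_consent_at"):
        reasons.append("consent_missing")
    # None means the step never ran, which must count as a failure
    # rather than be silently skipped.
    for step in ("data", "document", "liveness"):
        result = session.get(step)
        if result is None:
            reasons.append(f"{step}_not_run")
        elif result is not True:
            reasons.append(f"{step}_failed")
    score = session.get("face_match_score")
    if score is None:
        reasons.append("face_match_not_run")
    elif session.get("liveness") is not True:
        # A high score against a capture that was not proven live proves nothing.
        reasons.append("face_match_without_liveness")
    elif score < threshold:
        reasons.append("face_match_below_threshold")
    return {
        "session_id": session["session_id"],
        "decided_at": (now or datetime.now(timezone.utc)).isoformat(),
        "document_result": session.get("document"),
        "liveness_outcome": session.get("liveness"),
        "face_match_score": score,
        "face_match_threshold": threshold,
        "biometric_consent_at": session.get("biometric_consent_at"),
        "decision": "reject" if reasons else "accept",
        "reason_codes": reasons,
    }

def audit_line(record):
    """One exportable JSON line per session, keys sorted for stable diffs."""
    return json.dumps(record, sort_keys=True)

# Constructed sessions: a complete one, and one where liveness never ran.
GOOD = {"session_id": "s-001", "biometric_consent_at": "2026-05-08T10:00:00+00:00",
        "data": True, "document": True, "liveness": True, "face_match_score": 0.93}
NO_LIVENESS = {**GOOD, "session_id": "s-002", "liveness": None}

if __name__ == "__main__":
    for s in (GOOD, NO_LIVENESS):
        print(audit_line(decide(s, threshold=0.80)))
```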

Five Document Verification Mistakes That Create Compliance Gaps 

  • Running Document Checks Without Liveness Detection. Document-only KYC satisfies a strict interpretation of Customer Identification Program (CIP) requirements, but falls short of the proof-of-presence standard that regulators currently expect. Liveness is not an improvement; it is a starting point.
  • Skipping Tamper Detection on Submitted Images. OCR is ineffective in detecting pixel-level manipulation. Systems without image forensics cannot withstand tools that modify metadata or add synthetic security features to fake IDs.
  • No Biometric Data Consent Documentation. A selfie gathered without explicit, timestamped consent records creates direct GDPR and BIPA (Biometric Information Privacy Act) liability that is revealed during audits.
  • Misconfigured Face Match Thresholds. A threshold set too low accepts fraudulent submissions that are only partially similar. A threshold set too high rejects real users because of lighting or device variation. The thresholds must be carefully adjusted to match the risk appetite of the institution.
  • Incomplete Session Audit Trails. A document verification flow without per-session logs of result codes, liveness outcome, and face match score leaves gaps in compliance evidence that regulators and fraud investigators will raise.
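An added example, not from the original article, of calibrating the face match threshold: it computes the false acceptance rate (FAR) and false rejection rate (FRR) over a labelled set of similarity scores and picks the lowest threshold that meets a target FAR. The scores are constructed and the function names are assumptions.

```python
# Constructed similarity scores (0..1) from a labelled evaluation set:
# genuine = same person as the document portrait, impostor = different person.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.86, 0.93, 0.72, 0.90, 0.84, 0.97]
IMPOSTOR = [0.31, 0.45, 0.52, 0.28, 0.61, 0.39, 0.74, 0.48, 0.35, 0.57]

def error_rates(threshold, genuine, impostor):
    """Accept when score >= threshold. Returns (FAR, FRR)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def pick_threshold(genuine, impostor, max_far):
    """Lowest observed score usable as a threshold with FAR <= max_far.

    FRR only grows as the threshold rises, so the lowest qualifying threshold
    rejects the fewest real users. Returns None when no observed score works
    or when max_far is finer than this sample can measure (1 / len(impostor)).
    """
    if 0 < max_far < 1 / len(impostor):
        return None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return {"threshold": t, "far": far, "frr": frr}
    return None

if __name__ == "__main__":
    # Sweep a few thresholds to see the trade-off, then pick for two targets.
    for t in (0.50, 0.70, 0.80, 0.90):
        print(t, error_rates(t, GENUINE, IMPOSTOR))
    print(pick_threshold(GENUINE, IMPOSTOR, max_far=0.1))
    print(pick_threshold(GENUINE, IMPOSTOR, max_far=0.0))
```

With ten impostor scores the smallest measurable non-zero FAR is 10 percent, so the evaluation set has to be sized for the FAR the institution wants to demonstrate.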

Your Pre-Launch Document Verification Checklist 

Before going live with any document verification flow, confirm every item below:

  • Document library covers all expected submission countries and document types
  • Tamper detection runs on every submission, not just template matching
  • Liveness detection is integrated in the same flow, not a separate, disconnected step
  • Face match compares a live selfie against a document portrait with a configurable threshold
  • Deepfake detection covers AI-generated selfie submissions
  • Biometric consent is captured and logged per session with a timestamp
  • Audit logs are exportable and include result codes and reason codes per session
  • Data retention and deletion policies are documented and enforced
  • On-premises deployment evaluated for regulated data residency requirements
  • Liveness vendor holds iBeta Level 2 certification under ISO 30107-3

How Facia Completes the Document Verification Stack 

Document verification handles the document. Facia handles the person. 

Facia’s customer onboarding workflow integrates liveness detection, face matching, and deepfake detection into a single API call that sits directly on top of any document verification layer. Every session produces a timestamped, audit-ready result covering liveness outcome, face match score, and reason codes, the exact evidence compliance teams need during regulatory review.

Facia’s liveness detection holds iBeta Level 2 certification under ISO 30107-3: Presentation Attack Detection, the highest commercial standard for spoof resistance. The system protects against different attack types, including printed photos, video replays, 3D silicone masks, and digital injection attacks. False acceptance rate: 1-in-100-million. False rejection rate: sub-1%. Every check completes in under one second.

Facia’s deepfake detection identifies AI-generated selfies, GAN-generated faces, face-swap models, and diffusion-synthesized images that bypass standard liveness systems. The same protection applies directly to KYC selfie submissions at any scale.

Facia is GDPR compliant, CCPA compliant, and ICAO compliant. On-premises deployment is available for institutions that cannot transfer biometric data to a cloud processor.

Book a Demo with Facia to see how iBeta Level 2 certified liveness detection and Morpheus 2.0 deepfake detection complete your document verification stack.

Frequently Asked Questions

How does face matching work with document verification?

Face matching compares the photo on a verified ID document with a live selfie. This helps confirm that the person submitting the document is the real identity owner, especially when combined with liveness detection.

What are the key components of a compliant KYC stack?

A compliant KYC stack includes data verification, document verification, and biometric verification. Together, these checks confirm the customer’s data, ID document, and real-world presence.

How do businesses ensure KYC compliance using automation?

Businesses use automated KYC checks to verify data, authenticate documents, run liveness and face matching, capture consent, and maintain audit-ready logs for compliance reviews.
