The Complete Digital KYC Guide: NFC, Video Verification, and Liveness

Every layer of a modern remote onboarding stack — chip ID reading, biometric matching, liveness detection, and video ID verification — explained for banks, EMIs, PSPs, and crypto exchanges.

Legichain Team · 18 min read · 26 May 2026

If your institution is acquiring customers in 2026 — whether you're a UK challenger bank, a European e-money institution, a payment service provider in Lithuania, or a MiCA-licensed crypto exchange — digital KYC is no longer optional. The EBA Guidelines on Remote Customer Onboarding (effective October 2023), AMLD provisions on customer due diligence, eIDAS-aligned electronic identification, and the FCA's expectations under MLR 2017 have collectively redrawn the line: a customer's first interaction with a regulated institution can happen entirely on a smartphone. But getting it right requires layering NFC chip reading, face biometrics, liveness detection, and — for higher-risk profiles — a live operator video session. This guide walks through every layer.

Quick Summary

  • Digital KYC = identity document capture + biometric face matching + liveness detection + (for high-risk) live video ID verification.
  • EU institutions operate under AMLD, EBA Remote Onboarding Guidelines, GDPR (special category data for biometrics), and eIDAS for trust services.
  • UK institutions follow MLR 2017, JMLSG guidance, and FCA expectations on electronic identification and verification (eIDV).
  • NFC chip reading via ICAO 9303 PKD provides cryptographic proof of document authenticity — the gold standard for high-assurance verification.
  • Operational success depends less on technology choice than on retry flow design and live-operator backup capacity.

What Is Digital KYC?

Digital KYC (Know Your Customer) is the remote identification and verification of a customer using digital channels, without requiring in-person presence at a branch. In the EU, this falls under AMLD's customer due diligence requirements, with technical implementation expectations clarified by the EBA's October 2023 guidelines on the use of remote customer onboarding solutions. In the UK, the framework lives in MLR 2017 plus JMLSG guidance plus the FCA's published expectations on electronic identification.

A typical digital KYC flow has four technical stages:

  1. Document capture — chip reading via NFC, or OCR of the document's front and back including the Machine Readable Zone (MRZ).
  2. Document verification — checking authenticity signals: MRZ checksums, hologram detection, chip signature validation against the issuing country's PKD.
  3. Selfie + liveness detection — confirming the user is a live human and matches the document's photo.
  4. Video ID verification (when required) — a live, real-time session with a trained operator.

Not every customer requires all four stages. Risk-based application — light-touch for low-risk, low-balance accounts; full stack for high-risk profiles — is both a regulatory expectation (AMLD's risk-based approach) and a commercial necessity (every additional friction step costs 5-15% of conversions).

Regulatory Framing — EU

EBA Remote Customer Onboarding Guidelines

Issued October 2023, effective for all EU credit and financial institutions. Key requirements:

  • Risk-based approach — institutions classify the customer and choose proportionate verification.
  • Technology agnostic — neither mandates nor forbids specific tools, but expects PAD-tested liveness, document authenticity verification, and adequate audit trails.
  • Continuous monitoring — KYC is not a one-time event; ongoing CDD applies.

eIDAS and Qualified Electronic Identification

For EU institutions, an alternative to building bespoke document verification is leveraging Qualified Electronic Identification Schemes (eIDAS notified) such as Italy's SPID, Germany's BundID, or Estonia's e-ID. Where eIDAS schemes are mature, they substitute for document capture. In practice, cross-border coverage remains uneven; most institutions deploy hybrid eID-plus-document flows. See our EU financial regulation guide for the broader regulatory landscape.

GDPR and Biometric Data

Face biometrics and liveness templates fall under GDPR Article 9 special category data. Lawful basis is typically explicit consent or substantial public interest (Article 9(2)(g)) read together with AML obligations. Practical implications:

  • Explicit consent flow before biometric capture.
  • Data minimization — store templates, not raw selfies, where possible.
  • Retention aligned to AML retention (typically 5-10 years depending on member state).
  • Restricted access lists with audit logging.

Regulatory Framing — UK

MLR 2017 and JMLSG Guidance

The Money Laundering Regulations 2017 require regulated firms to verify customer identity using "reliable sources independent of the customer." JMLSG Part I, Chapter 5 elaborates on electronic identification:

  • Multiple data sources should be used where possible.
  • The verification process should be "robust" — not solely reliant on data the customer provides.
  • Risk-based application is explicit.

FCA Expectations

The FCA does not approve specific eIDV providers but expects regulated firms to:

  • Demonstrate due diligence on the provider's accuracy and security.
  • Maintain governance over the verification process.
  • Be able to evidence how identity was verified for any customer at any point.

Crypto firms registered with the FCA under MLR 2017, or applying for that registration, face heightened scrutiny of their KYC processes — see our FCA crypto registration guide for crypto-specific expectations.

Technology Layers of Digital KYC

1. Document Capture: OCR vs NFC

Two approaches dominate:

OCR (Optical Character Recognition): The user photographs the front and back of their document; software parses the MRZ and visual fields. Works on any device. Failure modes: glare, angle, low-resolution cameras, damaged documents.

NFC chip reading: The user taps the document chip against the phone's NFC reader and the chip's signed data is read; the signature is validated against the issuing country's certificate authority (CSCA) as distributed through the ICAO 9303 PKD, so a forged or altered chip fails verification. Failure modes: not all devices have NFC, not all documents have chips, mid-tier Android antennas struggle.

In production, hybrid approaches are standard: try NFC first, fall back to OCR. See our deep dive on how NFC ID verification works.
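The "MRZ checksums" step of document verification, and the MRZ parsing that OCR relies on, both come down to the ICAO 9303 check-digit rule (weights 7, 3, 1 repeating; A to Z count as 10 to 35; filler counts as 0; sum modulo 10). The following is an added example, not Legichain's SDK code: it validates every check digit on a TD3 passport line 2 using the ICAO 9303 specimen MRZ for the fictional state UTOPIA (not a real document) and shows how a single OCR misread is caught.

```python
WEIGHTS = (7, 3, 1)  # ICAO 9303 weighting, repeated across the field

def char_value(c: str) -> int:
    """Map an MRZ character to its ICAO 9303 numeric value."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10   # A=10 ... Z=35
    if c == "<":
        return 0                        # filler counts as zero
    raise ValueError(f"invalid MRZ character: {c!r}")

def check_digit(field: str) -> int:
    """Weighted sum modulo 10 over the field's characters."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def validate_td3_line2(line: str) -> dict:
    """Check every check digit on a 44-character TD3 (passport) MRZ line 2.
    Slices follow ICAO 9303 Part 4; returns {field_name: passed}."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
        # composite digit covers doc number+cd, DOB+cd, expiry+cd, optional+cd
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    results = {}
    for name, (data, cd) in fields.items():
        if cd == "<":            # ICAO allows filler instead of 0 for an unused optional field
            expected = 0
        elif cd.isdigit():
            expected = int(cd)
        else:                    # non-digit in a check-digit slot: OCR misread or tampering
            results[name] = False
            continue
        results[name] = check_digit(data) == expected
    return results

# ICAO 9303 specimen line 2 (fictional state UTOPIA), not a real document
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    print(validate_td3_line2(SAMPLE_LINE2))                                 # all True
    # One OCR misread ('O' for '0' in the birth date) fails that field and the composite
    print(validate_td3_line2(SAMPLE_LINE2.replace("7408122", "74O8122")))
```

A failed field check is a signal to re-capture rather than to reject outright; only a clean MRZ should be passed on to chip or database verification.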

2. Biometric Face Matching

The user's selfie is compared to the document photograph. Two modes:

  • 1:1 matching — selfie matches the document face (standard KYC).
  • 1:N matching — selfie matches any face in the institution's existing biometric database (duplicate-account prevention — critical for crypto exchanges).

Match scores are typically reported on a 0-100 scale; production thresholds commonly start at 80+ for auto-pass, 60-80 for operator review, and below 60 for rejection. Threshold calibration is institution-specific.

3. Liveness Detection

The most frequently undersized layer. An attacker holding a photo or replaying a video can defeat naive biometric matching. Liveness detection (also called Presentation Attack Detection, PAD) prevents this. Two types:

  • Passive liveness — runs invisibly during the selfie capture; analyses depth, texture, lighting consistency.
  • Active liveness — challenges the user (turn head, blink, read a number aloud); resistant to replay.

NIST PAD certification levels (ISO/IEC 30107-3): Level 1 catches basic photo attacks, Level 2 catches video replays and simple masks, Level 3 catches sophisticated 3D masks and high-quality deepfakes. PAD Level 2 is the production minimum; Level 3 is increasingly expected for crypto and high-value banking. See our explainer on liveness detection.

4. Video ID Verification

A live, real-time video session between the customer and a trained operator. In Germany, this corresponds to the Federal Financial Supervisory Authority (BaFin) VideoIdent procedure; in many other EU jurisdictions, video ID is risk-based rather than universally mandated. In the UK, video ID is increasingly used for higher-risk profiles and is JMLSG-recognized as a robust verification approach.

The technical components:

  • Real-time bidirectional video/audio — WebRTC, end-to-end encrypted.
  • Recording and retention — full session including audio retained per local AML retention rules (5-10 years typical).
  • Operator authorization tracking — every decision linked to a specific authorized operator.

Architecture: Risk-Based KYC Flow

A risk-based flow doesn't impose the same friction on every customer. A typical three-tier structure:

  • Low risk. Trigger: low-balance wallet, EU citizen, no PEP/sanctions hit. KYC components: NFC + selfie + passive liveness.
  • Medium risk. Trigger: transaction threshold exceeded, additional country. KYC components: NFC + selfie + active liveness + address verification.
  • High risk. Trigger: high balance, PEP, high-risk country, regulatory trigger. KYC components: all of the above + video ID session.

This segmentation balances regulatory compliance with conversion. Applying the highest-friction flow to every applicant typically loses 30-40% of would-be customers.

Operational Numbers

A typical European challenger bank or EMI deploys digital KYC at the following ranges (anonymized aggregates):

  • NFC read success rate: ~94% on iPhone, ~88% on mid-tier Android, ~72% on lower-end Android. Hybrid OCR fallback pushes overall success above 96%.
  • First-attempt onboarding completion: 62-71%. Retry flow design lifts this to 85%+.
  • Video ID operator session length: 3-4 minutes average. Peak-hour queue wait: 2-8 minutes.
  • Manual review rate: 8-12% of automated flow reaches an operator (score thresholds, document issues, liveness suspicion).

None of these numbers are static — they improve with threshold calibration, retry design, and SDK quality.

Common Mistakes and How to Avoid Them

Mistake 1: One-shot flow design. A user whose first NFC attempt fails drops off. Solution: at least 2 retries, OCR fallback, last-resort video ID queue.

Mistake 2: Skipping liveness detection. "NFC + face match is enough" leaves you exposed to photo spoofing and deepfakes. A NIST PAD Level 2 certified liveness layer is the floor, not the ceiling.

Mistake 3: No operator backup capacity. The automated flow handles 88-92%; the remaining 8-12% needs a human. If your operator queue isn't integrated into the flow, those customers are lost.

Mistake 4: Underestimating retention infrastructure. 5-10 year retention isn't just "keep the files" — it requires migration-resilient hash chains, audit logs, and access controls.

Mistake 5: Treating AML screening as separate from KYC. Identity verification must be paired with sanctions, PEP, and adverse media screening — see our AML screening guide for the screening side.

Sector Applications

Banks: The most stringent framework. AMLD, EBA Remote Onboarding Guidelines, GDPR, and local prudential rules intersect.

E-money institutions (EMIs): EMD2 (Electronic Money Directive 2) sets the EU-wide framework; EBA's guidelines apply for remote onboarding. See video KYC for EMIs.

Payment service providers (PSPs): PSD2 governs; KYC obligations stem from AMLD. Tiered low-balance wallet flows are common.

Crypto exchanges: MiCA-licensed VASPs face heightened CDD obligations; the TFR (Transfer of Funds Regulation) ties KYC data into Travel Rule messaging. See digital KYC for crypto exchanges.

Integration in Practice

Building digital KYC from scratch — implementing NFC SDKs for iOS/Android, building a liveness model, training face-matching, standing up a video session platform — takes 12-18 months and 5-8 FTE engineers. Most institutions deploy via a vendor SDK + API. The integration walkthrough is covered in how to integrate digital KYC.

Frequently Asked Questions

How does digital KYC differ from traditional KYC?

Traditional KYC required the customer to visit a branch, present a physical ID, and be verified by a staff member. Digital KYC performs the same legal verification remotely via mobile or web, satisfying the same AML obligations (identity verification, risk profile, recordkeeping) — but cuts onboarding time from days to minutes and removes geographic friction.

Is video ID verification always required under EU rules?

No. The EBA's October 2023 guidelines take a risk-based approach: video ID is one robust method but not universally mandated. Some member states (notably Germany via VideoIdent) have historically required it broadly; others permit fully automated flows for low-risk customers. High-risk customers — PEPs, high-balance, high-risk jurisdictions — generally do require it. The default for crypto VASPs under MiCA is moving toward video for higher-risk segments.

What's the difference between eIDAS-notified eID and digital KYC?

eIDAS-notified electronic identification schemes (SPID, BundID, e-ID, etc.) are state-issued and pre-verified — using them substitutes for the document verification step. Digital KYC document verification (NFC, OCR) verifies a passport or national ID at the moment of onboarding. Many institutions use eID where available and fall back to document verification for users without one.

Can passport NFC chips be read just like national ID cards?

Yes. ICAO 9303 is the international standard for travel documents and includes the chip authentication framework used by passports worldwide. The same SDK that reads an EU national ID chip can read a passport chip — but the PKD root certificates differ by issuing country, and not all countries publish their CSCAs to the ICAO PKD. SDK vendors maintain coverage matrices.

How long must KYC records be retained?

EU AMLD requires retention for at least 5 years after the business relationship ends, extendable to 10 by member state law. The UK MLR 2017 sets 5 years. In practice, most institutions retain for the longer of 5 years post-termination or 7 years from creation, structured with WORM storage and hash-chain integrity to survive system migrations.
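Mistake 4 above and this answer both rely on hash-chain integrity over the retention store. The following is an added example, not Legichain's code, of a minimal append-only audit log for one onboarding session: each record carries the SHA-256 of its sequence number, the previous record's hash and a canonical JSON form of the event, so an edited score, a dropped record or a reordered chain is detected even after the log has been exported and re-imported by a migration. Event fields, session and operator ids are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first record

def _digest(seq: int, prev: str, event: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators): a copy re-serialised on
    # another system hashes identically, which is what lets the chain survive migration.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def append(chain: list, event: dict) -> dict:
    """Append an event, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event}
    record["hash"] = _digest(record["seq"], prev, event)
    chain.append(record)
    return record

def verify(chain: list) -> tuple:
    """Walk the chain; return (ok, index of first bad record or -1).
    Catches edited events, dropped or reordered records and broken links."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(i, prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    return True, -1

def build_sample_chain() -> list:
    """Constructed events for one onboarding session; ids and scores are made up."""
    chain, s = [], "sess-0001"
    append(chain, {"session": s, "type": "document_captured", "method": "nfc", "doc_type": "P"})
    append(chain, {"session": s, "type": "liveness", "mode": "passive", "result": "pass"})
    append(chain, {"session": s, "type": "face_match", "score": 87})
    append(chain, {"session": s, "type": "decision", "outcome": "approved", "operator": "op-17"})
    return chain

def migrate(chain: list) -> list:
    """Round-trip through JSON Lines, as an export to a new store would."""
    return [json.loads(line) for line in "\n".join(json.dumps(r) for r in chain).splitlines()]

def tamper_score(chain: list) -> list:
    """Rewrite a match score after the fact on a migrated copy; verify() flags seq 2."""
    copy = migrate(chain)
    copy[2]["event"]["score"] = 59
    return copy
```

verify(build_sample_chain()) and verify(migrate(build_sample_chain())) both return (True, -1), while verify(tamper_score(build_sample_chain())) returns (False, 2); anchoring the latest hash in WORM storage or an external timestamp closes the remaining gap of someone rewriting the whole chain.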

How Legichain helps

Building digital KYC in-house requires integrating four to five distinct vendors — NFC SDK, liveness, face matching, video session platform, audit infrastructure — each with separate contracts, SLAs, and audit-log formats. Legichain's Digital KYC platform consolidates these layers into a single SDK and API, designed for EU AMLD and EBA guidelines, UK MLR 2017, and Turkish BDDK/SPK rules out of the box. NFC chip reading with full ICAO 9303 PKD validation, NIST PAD Level 2 certified liveness, 1:1 and 1:N face matching, and the Legichain Video KYC operator console run on a single session, with retention and audit handled automatically. Continuous-monitoring webhooks tie KYC outcomes into your risk engine, and the same platform exposes AML screening (sanctions, PEP, adverse media) and on-chain risk for crypto wallets. Typical institutions move from in-house plan to production in 6-8 weeks, versus 12-18 months for self-build.

Legichain Team · Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.
