Video KYC guide cover: most video KYC breaks the day a deepfake shows up, on a dark Fora Soft background.

Key takeaways

Video KYC is three checks in one session, not a video call. Liveness (a real, live person), document authenticity (the ID is genuine), and a 1:1 face match, tied together with consent and an audit record.

The regulator decides how strict. India's RBI prescribes V-CIP and treats it as face-to-face; the US leaves the method to you but expects NIST-grade assurance; the EU is steering video toward a fallback behind eIDAS eID.

Liveness is the product. A document photo alone proves nothing in 2026. NIST's 2025 rules now require presentation-attack detection and deepfake analysis for remote identity proofing.

Build vs buy turns on volume. Managed identity APIs charge per verification (Sumsub Basic is $1.35 each, from their pricing page on 2026-07-12); custom orchestration is a flat build that pays back once fees outgrow it.

A custom video KYC MVP runs about $55–180k. Read this as a build map and a build-vs-buy decision tool, with the vendor fees and compliance lines drawn honestly.

A customer opens your app at midnight to fund a new account, and in ninety seconds your video KYC flow has to prove they are a real, live human, that their ID is genuine, and that the face on camera matches it, before a deepfake does the same thing for a fraudster. Video KYC is the process of verifying a customer's identity during a live or recorded video session, combining liveness detection, document verification, and a biometric face match into one auditable decision. Get it wrong and you either wave through synthetic-identity fraud or bounce good customers at signup. Get it right and remote onboarding stops being your weakest control.

We're Fora Soft. Since 2005 we've built real-time video and computer-vision products where identity, recording, and an audit trail are part of the architecture rather than an afterthought, including in-call identity checks with legally valid e-signing on ProVideoMeeting and object-recognition systems that read the world through a camera. This is the briefing we hand a fintech, bank, or marketplace on day one of a video KYC build: what it is, where each regulator draws the line, how the pipeline fits together, which parts to buy versus build, and what it costs.

Why Fora Soft wrote this video KYC guide

Video KYC sits on top of two things we do for a living: secure real-time video and computer vision. On ProVideoMeeting we shipped a WebRTC product that checks identity inside the call, ties each e-signature to an SMS or photo verification, and keeps a per-document record of who signed what and how they proved it. Swap "signed a contract" for "opened an account" and most of the identity-and-audit spine is the same.

On the vision side, we've built object-recognition and video-analysis systems that detect and classify what a camera sees, which is the same machine-learning muscle a liveness model and a document reader use. And on the regulated side, CirrusMED has run HIPAA-grade telehealth video in production for years without a failed audit. Video KYC borrows that same discipline: encryption in motion and at rest, strong identity, least-privilege access, and a record you can defend.

Two honest limits up front. We build and orchestrate the platform; the liveness model itself is usually a specialist vendor's API, and we'll tell you plainly where that line sits and why. And KYC rules differ by country and change often, so treat the compliance sections here as a map of what to check with counsel, not legal advice. Every number below carries a year and a source, and the vendor prices come from vendor pages we read the week we wrote this.

Scoping a video KYC flow for your product?

Tell us your regulators, your onboarding volume, and your risk appetite. We'll map the pipeline and quote a fixed range in 30 minutes.

Book a 30-min call → WhatsApp → Email us →

What video KYC actually is

Video KYC (video-based Know Your Customer) is a remote identity check that runs over video, either a live call with an agent or a recorded self-service session, and confirms three things at once: that the person is live and present, that their government ID is genuine, and that their face matches that ID. The output is a pass, a referral for human review, or a rejection, plus a recorded, timestamped evidence bundle a regulator or auditor can replay later.

The word that carries the weight is verification, not video. A plain video call shows two faces. A video KYC session has to defeat a printed photo, a screen replay, and an AI-generated face, read the security features on an ID, match a selfie to that ID with a measurable confidence score, screen the person against sanctions and watchlists, and write the whole thing to a log that can't be edited after the fact. The video is the easy 10%. The other 90% is identity engineering.

Two flavors exist, and teams conflate them. Assisted (live-agent) video KYC puts a trained reviewer on a call, which India's rules require for banks; it's higher trust and higher cost per session. Unassisted (async) video KYC is a self-service capture the customer completes alone, scored by AI in seconds; it's cheaper and scales, and it's what most fintechs ship first. Same building blocks, different staffing and latency.

Video KYC vs document-only and in-person KYC

Video KYC beats document-only onboarding because it adds presence and defeats replayed media, and it beats a branch visit because it does that remotely in minutes. Document-only checks, a photo of an ID plus a selfie, were the norm for years, but they fold against a stolen ID paired with a deepfake selfie. In-person KYC is the gold standard for trust and the worst for conversion; every branch visit you demand is a signup you lose.

Video KYC lands in the middle and, done well, close to in-person. It captures the same three signals a teller relies on, that a live human is present, holding a genuine document, whose face matches it, and it records them. That's exactly why India's regulator treats a properly run video session as equivalent to face-to-face. The catch is that "done well" now means active defenses against synthetic media, not a one-frame selfie, which is the subject of half this guide.

Reach for video KYC when: you onboard customers remotely and the regulator or your fraud losses demand more than a document photo, think account opening, lending, crypto, and regulated marketplaces rather than a low-risk newsletter signup.

Where video KYC is required: the US, India, and EU map

There's no single global rule, and building as if there were is the most expensive mistake in this space. The same video session passes or fails three different legal tests depending on where your customer sits. Three regimes cover most of the market, and they disagree on how prescriptive to be.

India is the most prescriptive. The Reserve Bank of India amended its KYC Master Direction on 9 January 2020 to permit the Video-based Customer Identification Process (V-CIP) and treats it as equivalent to in-person identification. It spells out the requirements: a live, consent-based session run by a trained official, facial recognition and liveness, geotagging, a recorded audio-video interaction, and end-to-end encryption originating from the institution's own secured network. If you serve India, the checklist is written for you.

The US is risk-based. There's no federal "video KYC" mandate. Identity verification falls under the Bank Secrecy Act and the USA PATRIOT Act's Customer Identification Program rule at 31 CFR 1020.220, plus the FinCEN Customer Due Diligence rule. You choose the method, but you have to form a reasonable belief you know who the customer is, and the benchmark most fintechs target is NIST's identity-assurance guidance, covered next.

The EU is shifting. The European Banking Authority's remote-onboarding guidelines took effect on 2 October 2023 and lean on the eIDAS framework: compliance is presumed when you use a notified electronic ID at "substantial" or "high" assurance. Video identification is still allowed, and Germany's BaFin has governed VideoIdent since Circular 3/2017, but the EU is steadily positioning live video as a fallback behind government-grade digital ID.

Video KYC regulatory matrix: US risk-based (NIST IAL2), India RBI V-CIP prescribed, EU eIDAS with video as fallback.

Figure 1. One video session, three legal tests. India prescribes the method, the US judges the outcome, and the EU is routing around live video toward eIDAS.

Identity assurance: NIST IAL2 and what "good enough" means

"Good enough" has a definition, and in the US it's Identity Assurance Level 2. NIST finalized Special Publication 800-63-4 on 31 July 2025, its first major revision since 2017, and it now formally endorses remote identity proofing as a path to IAL2. That's the level most banks, fintechs, and crypto platforms aim for, and it maps almost exactly onto a well-built video KYC flow: strong evidence such as a driver's license, a biometric comparison to the person, and, the new part, defenses against fakery.

Here's the line that should change your architecture. For asynchronous remote proofing at IAL2, the 2025 revision requires presentation-attack detection and analysis of the submitted media for signatures of AI-generated content and deepfakes. Read that twice: the US federal identity standard now names deepfake detection as a requirement, not a bonus. The FATF's 2020 Guidance on Digital Identity points the same way internationally, allowing remote onboarding to count as standard or even lower risk when the digital ID carries the right assurance. The takeaway for a build is simple: design to a named assurance level, and make liveness and deepfake analysis non-negotiable parts of it.

Reach for IAL2-grade proofing when: the account can hold funds, move money, or take on credit, tie your flow to a named assurance level so an auditor sees a standard, not a homegrown guess.

Reference architecture for a video KYC solution

A video KYC solution is an orchestration problem: a handful of specialized services wired into one flow with a clean audit spine. Here's the shape we build, from the customer's camera to your compliance team's dashboard.

Capture layer. A web and mobile client that opens the camera, captures consent, and either records an async session or joins a live WebRTC call with an agent. Media is encrypted by default, and on mobile you read the ID's NFC chip here where the hardware allows.

Verification services. The specialist engines: a liveness and presentation-attack model, a document reader that does OCR and, where possible, NFC chip validation, and a 1:1 face-match model that scores the selfie against the ID portrait. These are the parts you most often buy as an API rather than train from scratch.

Screening and decision. Sanctions, watchlist, and politically-exposed-person screening, then a decision engine that turns the scores and hits into approve, refer, or reject against your risk policy. Referrals route to a human review console, which is where enhanced due diligence happens.

Audit and integration spine. An append-only log that stores every step, score, and piece of media with timestamps, wired into your core system, CRM, and case management. This is the part that turns a clever demo into a system that survives an exam, and it's where secure storage and access control earn their keep.

Inside one video KYC session, step by step

Follow a single onboarding from tap to decision and the fraud checkpoints become obvious. Each stage leaves evidence, and a few stages are where the whole thing is won or lost.

The customer consents and the session opens with recording on. They photograph their ID; the system runs OCR on the printed data and, if the document has a chip and the phone can read it, pulls the issuer-signed data over NFC. Then the part that matters most: a liveness check confirms a live person is present, and a face-match model scores that live face against the ID portrait. Only then does the flow screen the verified identity against sanctions and PEP lists.

A decision engine weighs the scores and hits and returns approve, refer, or reject. Referrals land in front of a human reviewer for enhanced due diligence, because a model that auto-rejects good customers is as expensive as one that lets fraud through. Every step, the consent, the scores, the media, the reviewer's verdict, writes to an append-only record. That record, not the video, is the deliverable a regulator asks for.

Video KYC session pipeline: consent, capture, liveness, face match, AML screen, decision, human review, and audit log.

Figure 2. One onboarding session. The orange stages, liveness, face match, the decision, and the record, are where fraud is stopped and where an auditor looks first.

Liveness detection: active, passive, and anti-spoofing

Liveness detection is the AI check that the face on camera belongs to a live human present right now, not a photo, a replayed video, or a deepfake. It's the single most important component in the stack, and it comes in two styles. Active liveness asks the user to do something, blink, turn, smile, or read a one-time prompt, and checks the response. Passive liveness runs silently, analyzing texture, depth, and micro-signals in a single capture with no user action. Many teams run a hybrid: passive by default for conversion, active as a step-up when risk is high.

The security bar has a name. ISO/IEC 30107-3 is the international standard for presentation-attack detection, and labs like iBeta certify conformance. Level 1 covers basic attacks, printed photos, screen replays, and paper masks; Level 2 adds sophisticated 3D and silicone masks. When you evaluate a liveness vendor, the certification level and its date are the first two things to ask for, and "we're certified" without a level is not an answer.

There are two attack classes, and they need different defenses. Presentation attacks show a fake to a real camera, and PAD models catch them. Injection attacks skip the camera entirely, feeding a virtual camera or a deepfake stream straight into the pipeline, and they need device-integrity signals and AI-generated-media analysis instead. Confusing the two is how teams buy a Level 2 PAD model and still get owned by a virtual camera.

Liveness anti-spoofing: presentation attacks stopped by PAD; injection attacks stopped by integrity and deepfake checks.

Figure 3. Two attack classes, two sets of defenses. PAD stops what's shown to the camera; integrity signals and deepfake analysis stop what's injected around it.

Reach for iBeta Level 2 plus injection defense when: you onboard at scale in a high-value vertical, a Level 1 PAD model and a virtual-camera check together beat a Level 2 model that ignores injection entirely.

Document verification: OCR, NFC, and face match

Proving the document is as important as proving the person, and there are two ways to read an ID that answer very different questions. OCR photographs the document and interprets the pixels, asking "does this look real?" It has huge reach, working on passports, licenses, and residence permits across hundreds of formats, and it's the natural first capture step. Its weakness is that a good forgery is built to fool a camera.

NFC reads the chip embedded in modern passports and eID cards, asking "does the issuer's signature verify?" The chip holds cryptographically signed data, accessed using the document number and dates from the machine-readable zone, so a forgery that never had the issuer's private key can't produce a valid signature. NFC catches fakes OCR waves through; OCR reaches documents NFC can't. The right design reads the chip where it exists and falls back cleanly to OCR plus database checks where it doesn't.

The last link is the face match: a 1:1 comparison of the live, liveness-verified selfie against the portrait on the now-authenticated ID, returning a similarity score you threshold against your risk policy. Order matters, liveness first so you're matching a real face, then the document check, then the match, so a single verdict rests on three independent signals instead of one.

Reach for NFC chip reading when: your customers carry chipped passports or eIDs and the fraud you fear is high-quality forgery, the cryptographic check is a different class of proof than any camera-based OCR.

Deepfakes and injection attacks: the 2026 threat model

The reason liveness stopped being optional is that faking a face got cheap and convincing at the same time. In 2025, a synthetic face capable of passing many verification systems could be produced for under $20 and about half an hour of setup, per industry threat reporting. Humans can't backstop this: an iProov study that year found only 0.1% of people correctly spotted every real and fake sample they were shown.

The attack pattern also moved. iProov's Threat Intelligence Report 2026, published in April 2026, found iOS injection attacks up 741% year over year in 2025, with a 1,151% surge in the second half of the year alone. Jumio separately reported an 88% year-over-year rise in injection attacks in 2025. Translation: attackers increasingly bypass the camera rather than hold something up to it, which is why device integrity and deepfake analysis now matter as much as classic PAD.

This isn't theoretical. In early 2024, an employee at the engineering firm Arup was tricked into 15 transfers worth $25.6 million after a video call where the "CFO" and colleagues were all AI deepfakes; Hong Kong police reported it that February. A KYC flow built for 2020, document photo plus a single selfie, is exactly what these techniques are built to defeat. The same fraud engineering shows up in adjacent regulated products, which is why KYC for betting and gaming operators faces the same deepfake pressure from a different angle.

Worried your onboarding folds against deepfakes?

We'll pressure-test your identity flow against presentation and injection attacks, name the gaps, and show you the liveness and device-integrity design that closes them.

Book a 30-min call → WhatsApp → Email us →

Build vs buy: managed IDV APIs vs custom orchestration

Almost nobody trains their own liveness model, and almost everybody has to decide how much of the flow to own. There are three honest paths, and they trade time-to-live against control and unit economics.

All-in-one IDV platform. Vendors like Sumsub, Veriff, Onfido (now Entrust), and Jumio hand you liveness, document checks, face match, and AML screening behind one API. You integrate in weeks and pay per verification. The trade is a customization ceiling, per-check economics that grow with you, and your onboarding UX living partly inside someone else's SDK.

Custom orchestration over best-of-breed APIs. You own the flow, the UX, the decision logic, and the audit log, and you call a specialist liveness or document API where it makes sense. This is the path when you want control over the customer experience and the data, need deep integration with your core, or expect volume high enough that flat build cost beats per-check fees. It's what we build most often.

Fully custom, models included. Training your own liveness and document models is rarely worth it; it's a research program with an ongoing arms race against new attacks. We'll talk you out of this unless you have a genuine reason and the data to back it.

Option Best for Control & UX Compliance ownership Cost shape
Custom orchestration Own UX, deep integration, scale Full Exactly what you design Build once + pass-through fees
All-in-one IDV API Fast launch, standard flows Themed inside their SDK Vendor-provided; verify certs Per verification
Live-agent V-CIP India banks, high-trust flows Full, agent in the loop You own the process + audit Build + agent staffing
Fully custom models Rare; unique data advantage Total, including the models All of it, plus the arms race High R&D + upkeep

Reach for custom orchestration over best-of-breed APIs when: the onboarding experience is part of your product, you need the data and audit log under your control, or your volume makes per-check fees the bigger line item, otherwise a managed API gets you live faster.

What a video KYC solution costs to build

Straight answer: a custom video KYC MVP over best-of-breed APIs typically lands around $55–180k to build, and then you pay per-verification vendor fees on top. The build spread comes from platform count, how many verticals' rules you support, and the depth of your core integration and review console. These are the ranges we quote, compressed by our Agent Engineering practice and still reviewed by a senior human on every pull request. Treat any single number with suspicion; the honest output is a range against a spec.

Single-platform MVP, $55–90k, 8–12 weeks. Web or mobile capture, a liveness and document API integrated, face match, a decision engine, and an audit log. Enough to onboard real customers in one market.

Cross-platform with review console, $110–180k, 14–20 weeks. Web plus native iOS and Android, NFC reading, a human-review dashboard for referrals, and multi-region rule handling, the realistic shape for a regulated fintech.

The vendor fees are the recurring number, and they decide build vs buy. Managed per-verification pricing is published: Sumsub's Basic plan is $1.35 per verification with a $149 monthly minimum and liveness plus face match included, and its Compliance plan is $1.85 with AML screening added (both from Sumsub's pricing page on 2026-07-12). Veriff prices per verification on a self-serve model; Onfido, now Entrust, is quote-based enterprise. Run your real monthly volume against those fees before you decide.

Video KYC build vs buy cost math: 10,000 checks a month at $1.35 each is $13,500 monthly, about $162k a year in vendor fees.

Figure 4. The build is a one-time cost; the per-verification fees recur. Where the two cross is where owning the orchestration starts to pay.

Here's the arithmetic that decides it. At 10,000 verifications a month and $1.35 each, you spend $13,500 a month, roughly $162,000 a year, in vendor fees alone, on top of whatever you paid to integrate. A custom orchestration build at $110–180k is a one-time number that the annual fees clear inside a year at that volume, after which owning the flow is cheaper and you keep the data and the audit log. Below a few thousand checks a month, the managed API is the rational choice; above it, the math flips.

Want the build-vs-buy math run on your numbers?

Send us your monthly onboarding volume, markets, and target assurance level. We'll model API fees against a custom build and hand you the spreadsheet, whichever way it points.

Book a 30-min call → WhatsApp → Email us →

Video KYC use cases: neobanks, lending, crypto, and more

Video KYC earns its keep wherever a regulator demands verified identity and a customer would rather not visit an office. Five use cases carry most of the demand.

Neobanks and digital account opening. The flagship case. A prospect opens an account from their couch, and the flow has to satisfy CIP or V-CIP without a branch. This is where conversion and compliance pull hardest against each other, and where good liveness UX pays for itself.

Digital lending. Loan origination needs verified identity plus income and document capture. Video KYC folds the identity step into the same session as document collection, cutting a multi-step application into one recorded flow.

Crypto and trading. Exchanges live under intense KYC and AML scrutiny and onboard globally, so they need liveness that resists deepfakes and screening that spans jurisdictions. This vertical feels the injection-attack surge first.

Gaming and telehealth. Betting and gaming operators verify age and identity under licensing rules, a lane we cover in depth for sportsbook platforms; telehealth verifies patients before issuing prescriptions. Different rulebooks, same three-signal check underneath.

Mini-case: the identity and audit spine we've shipped

The fastest way to see how close a well-built video product already sits to a KYC flow is to look at one we shipped. ProVideoMeeting is a WebRTC conferencing platform we built with legally valid e-signing inside the call. The brief was business meetings, but the identity plumbing reads like the spine of a KYC session.

It captures consent, verifies the signer with an SMS or photo identity check, binds that verification to the document they sign, and keeps a per-document history of who signed what and how they proved it, all inside an encrypted session that adapts video quality to a weak connection. Consent, identity binding, an immutable record, and resilient video: four of the pieces a video KYC flow needs, already working together rather than stapled on afterward.

The gap between that and full video KYC is the identity-grade layer: a certified liveness model, document OCR and NFC, a face-match score, and AML screening wired into a decision engine. Those we integrate from specialists and orchestrate, exactly the pattern in the architecture section, on top of a video-and-audit base we've shipped before. It's the same discipline that keeps CirrusMED audit-clean in healthcare, pointed at KYC instead of HIPAA. Want a similar assessment for your scope?

A decision framework in five questions

Before you pick a path, answer these five out loud with your compliance lead in the room. They settle build vs buy faster than any feature matrix.

1. Which regulators do you answer to? India's V-CIP prescribes a live agent and specific steps; the US judges the outcome; the EU steers toward eIDAS. Your strictest market sets the floor for the whole build.

2. What's your monthly onboarding volume? Below a few thousand checks, per-verification API fees are cheaper than a build. Above that, a custom orchestration starts to pay back, and the crossover is arithmetic, not opinion.

3. Is onboarding part of your product? If the signup experience is a differentiator and has to be unmistakably yours, a managed SDK hits a ceiling and custom is the answer. If it's a compliance box to tick, buy it.

4. How high is your fraud target? If you're in crypto or high-value lending, injection-attack defense and NFC belong in scope from day one. A low-risk product can start lighter and step up.

5. Who owns the audit and the data? Buy, and you inherit a vendor's posture and data flows; build, and the log and the customer data sit where you decide. If you want a partner who's answered all five for regulated video before, that's the conversation we have every week.

When NOT to build custom video KYC

Custom isn't always right, and a partner who says otherwise is selling. Four situations argue for buying a managed platform, or for a lighter check entirely.

You're pre-scale with standard flows. If you onboard hundreds, not thousands, a month and a managed API's stock flow fits your rules, integrate it and ship this quarter. Owning orchestration you don't need yet is a cost, not a moat.

Your risk doesn't call for video. If the regulation and your fraud data are satisfied by a document plus a passive selfie check, full video KYC can be friction that costs you signups. Match the check to the risk.

You can't staff the compliance side. Custom means you own the SOC 2, the retention policy, and the review workflow. Without a compliance function to carry that, a vendor's audited platform is the safer path.

You'd be training your own models. Unless you have a rare data advantage, building liveness and document models in-house is a research commitment with a permanent arms race attached. Buy the model, own the flow.

Five pitfalls in video KYC projects

1. Buying PAD and ignoring injection. A Level 2 presentation-attack model does nothing against a virtual camera feeding a deepfake. Injection defense is a separate control, and in 2026 it's the one attackers reach for first.

2. Treating the audit log as a feature. If identity method, scores, media, and reviewer decisions aren't captured in an append-only record from day one, you'll rebuild the flow the first time an examiner asks for evidence. Design the record first.

3. One threshold for every market. A face-match score and a risk policy tuned for one country will over-reject in another. Rules, thresholds, and document coverage are per-jurisdiction settings, not global constants.

4. No human in the loop. A model that auto-rejects on any doubt burns good customers; one that auto-approves on any signal lets fraud through. Referrals need a review console and a trained reviewer, budgeted from the start.

5. Skipping NFC where it exists. When a customer holds a chipped passport, OCR alone leaves cryptographic proof on the table. Reading the chip is a different class of evidence, and forgers can't fake the issuer's signature.

What to measure after launch

Conversion KPIs. Completion rate through the flow, drop-off by step, and first-attempt pass rate. If verified customers abandon at the selfie step, your liveness UX is costing you real signups, and that's usually the biggest lever.

Accuracy KPIs. False-reject rate (good customers wrongly bounced), fraud caught, manual-review rate, and average decision time. These four move against each other; tuning one without watching the others is how a metric improves while the business gets worse.

Compliance KPIs. Audit-log completeness at 100% (every step recorded), screening coverage across required lists, and evidence-retrieval time when an examiner asks for a specific case. If you can't pull a full evidence bundle for one account in minutes, the record isn't doing its job.

FAQ

What is video KYC?

Video KYC is a remote identity check performed over a live or recorded video session that confirms three things at once: that the person is a live human present now (liveness), that their government ID is genuine (document verification), and that their face matches the ID (a 1:1 face match). It produces a pass, refer, or reject decision plus a recorded evidence trail an auditor can replay.

How does video KYC work, step by step?

The customer consents and the session records. They capture their ID (OCR, plus NFC chip reading where available), a liveness check confirms a live person, and a face-match model scores the selfie against the ID portrait. The verified identity is screened against sanctions and PEP lists, a decision engine returns approve, refer, or reject, referrals go to a human reviewer, and every step is written to an append-only audit log.

Is video KYC safe against deepfakes?

It can be, but only with the right defenses. Presentation-attack detection (ISO/IEC 30107-3, iBeta Level 1 or 2) stops fakes shown to the camera; device-integrity signals and AI-generated-media analysis stop injection attacks that bypass the camera. NIST's 2025 guidance now requires both PAD and deepfake analysis for remote identity proofing. A document photo plus a single selfie is no longer safe on its own.

How much does it cost to build a video KYC solution?

A custom orchestration MVP over best-of-breed APIs runs about $55–90k for a single platform (8–12 weeks) and $110–180k for cross-platform with NFC and a human-review console (14–20 weeks). On top of the build you pay per-verification vendor fees, for example Sumsub Basic at $1.35 per check (its pricing page, 2026-07-12). Run your monthly volume against those fees to compare build vs buy.

What is liveness detection, and what's active vs passive?

Liveness detection is an AI check that the face on camera is a live person, not a photo, replay, or deepfake. Active liveness asks the user to act (blink, turn, read a prompt) and checks the response; passive liveness runs silently on a single capture, analyzing texture and depth with no user action. Many flows use a hybrid: passive by default for conversion, active as a step-up when risk is high.

Is video KYC legally required in the US?

No. The US has no federal mandate for video specifically. Identity verification is required under the Bank Secrecy Act and the USA PATRIOT Act's Customer Identification Program rule (31 CFR 1020.220), but the method is risk-based and up to you. Most fintechs target NIST 800-63-4 Identity Assurance Level 2 as the benchmark, and a well-built video KYC flow is one way to meet it. India, by contrast, prescribes V-CIP.

What is the difference between OCR and NFC document checks?

OCR photographs an ID and interprets the pixels, asking whether it looks genuine; it works on almost any document but can be fooled by a good forgery. NFC reads the signed chip in modern passports and eIDs, asking whether the issuer's cryptographic signature verifies; it catches forgeries OCR misses but only works on chipped documents. The strongest designs read the chip where it exists and fall back to OCR plus database checks where it doesn't.

Should we build video KYC or buy an IDV API like Sumsub or Veriff?

Buy a managed IDV API when you need to launch fast, your flows are standard, and your volume is modest, since per-verification fees are cheaper than a build at low scale. Build custom orchestration when onboarding is part of your product, you need control of the data and audit log, or your volume makes flat build cost beat growing per-check fees. Almost nobody should train their own liveness models.

Computer vision

Video Recognition Software Development

The vision engine behind liveness, face match, and document reading.

Security

WebRTC Security in Plain Language

How the video layer encrypts itself, and where you still have work to do.

Fintech

Video Banking Platform Development

Where video KYC plugs into a full remote-banking build.

iGaming

Sportsbook Platform Development

KYC and age checks for betting operators, the same signals, a different rulebook.

Services

AI Integration Services

How we wire liveness, document, and screening APIs into one flow.

Ready to build your video KYC flow?

Video KYC is a solved problem on the video side and an exacting one on the identity side. The stack is well understood: capture, liveness, document verification, face match, screening, a decision engine, and an audit log. The hard parts are getting the liveness and anti-injection defenses right for a 2026 threat model, matching the flow to whichever regulator you answer to, and building the record that survives an exam. Learn the AI pieces deeper in our AI for video engineering track.

The build-vs-buy call comes down to volume and control. A managed IDV API gets you live in weeks and charges per check; custom orchestration is a flat build that pays back past a volume threshold and keeps the data and audit log yours. Get the liveness and the record right first, decide build vs buy on the arithmetic, and the rest is engineering we do all the time.

Build a video KYC flow that stops deepfakes and passes the exam

30 minutes, real engineering opinions, no slides. Bring your markets, volume, and risk appetite; leave with a fixed-range estimate and a build-vs-buy call.

Book a 30-min call → WhatsApp → Email us →

  • Technologies
    Development
    Services