Identity Verification for Neobanks: Process, Regulation, and What Goes Wrong at Scale

Identity verification for neobanks is the process of confirming that the person opening a digital account is who they say they are, using document checks, biometric matching, and database lookups, before any account access is granted.

That definition sounds straightforward. In practice, it sits at the intersection of anti-money laundering law, consumer data protection, and product experience. A neobank that gets it wrong faces fines. One that over-engineers it loses customers to abandonment during onboarding. The regulatory and commercial pressures pull in opposite directions, which is why the verification architecture matters.

For traditional banks, identity verification often happens in a branch. A customer presents a document, a staff member checks it, and the file is opened. For neobanks, the entire process is remote. There is no staff member and no in-person check. The digital customer onboarding process must therefore replicate the assurance a branch interaction provides, using technology alone.

How the Neobank Identity Verification process works: step-by-step guide

Document capture and data extraction

The customer uploads or photographs a government-issued ID, typically a passport, national identity card, or driver’s licence. Optical character recognition extracts the name, date of birth, document number, and expiry date. Forensic checks run in the background, covering font consistency, security feature analysis, and MRZ (machine-readable zone) validation.

This step establishes the claimed identity. It does not confirm that the person submitting the document is its actual owner. That requires a separate check.

Biometric face matching and liveness detection

The customer captures a selfie or short video. The system compares the facial geometry in the selfie against the photo on the submitted document. A match score is returned. If the score falls below a defined threshold, the application is flagged for review or declined.

Liveness detection runs alongside the face match to confirm the selfie was taken by a living person and not a photograph, a deepfake video, or a mask. The EBA Guidelines on Remote Customer Onboarding (EBA-GL-2022-15), which apply across the EU from October 2023, specifically require liveness detection in unattended verification flows, precisely because the risk of a spoof submission is highest when no human agent is watching.

For neobanks deploying face verification in their onboarding flows, the liveness component is not optional under the EBA framework. It is a baseline requirement.

AML screening and database lookups

Once the identity is confirmed, the customer’s name and details are screened against sanctions lists, politically exposed person (PEP) databases, and adverse media sources. This is the AML layer of the process, and it runs in parallel or immediately after the document and biometric checks.

The FATF Guidance on Digital Identity confirms that reliable digital ID systems make it easier and more cost-effective to meet customer due diligence requirements. But the ID check and the AML screen are distinct obligations. Passing a document check does not exempt a customer from sanctions screening, and a clean AML result does not compensate for a failed document check.

AML screening must also be ongoing, not just a one-time check at account opening. Sanctions lists are updated frequently, and a customer’s risk profile can change.

The Regulatory Framework That Neobanks Must Meet

EBA guidelines on remote customer onboarding

The EBA guidelines published in November 2022 and applicable from October 2023 set binding standards for how financial institutions across the EU must approach digital onboarding verification. They cover the choice of onboarding tools, the risk-sensitivity of the due diligence, and the specific technical requirements for remote ID verification.

The guidelines cover a risk-based approach to tool selection, liveness detection in unattended flows, clear audit trails for each onboarding decision, and governance frameworks that confirm the onboarding technology is regularly assessed for adequacy and reliability.

The guidelines are technologically neutral. They do not mandate a specific vendor or method. They do mandate that whatever tools a neobank uses must meet the EBA’s standards for accuracy, security, and AML compliance.

Anti-Money Laundering Directive obligations

The Anti-Money Laundering Directive sets the overarching EU legal framework for customer due diligence. Neobanks, as financial institutions, must conduct initial customer due diligence at onboarding and apply ongoing monitoring throughout the relationship.

In practice, identity verification is not a one-time event. It is the start of a compliance relationship. The onboarding check establishes the customer’s identity and risk rating. Subsequent transactions and behaviour are monitored against that profile.

In 2024, total payment fraud losses across the EU reached EUR 2.485 billion, a 16% year-on-year increase in credit transfer fraud, according to the joint EBA and ECB report on payment fraud. Weak onboarding controls are one of the entry points for fraud to exploit. Strong identity verification at account opening is the first line of defense.

Where do neobanks get it wrong?

The Starling Bank case points to a pattern the FCA’s multi-firm review of financial crime controls at challenger banks documented across the sector: compliance infrastructure that works at a given customer volume stops working when that volume doubles or triples.

Three failure modes appear most often. First, neobanks screen customers against incomplete watchlists because the screening system was not updated as the full list expanded. Second, the technical controls on account types are inconsistently applied, so high-risk account restrictions are bypassed by volume. Third, the biometric and document checks are outsourced to a vendor whose accuracy degrades at scale without the neobank noticing because no internal testing program is in place.

The common thread is growth without governance. The KYC process is built for day one, not day one thousand. Regulators now look explicitly at whether compliance controls kept pace with customer acquisition, and fines reflect the gap.

The operational fix is architecture, not effort. Automated verification that runs the same checks at 100 verifications per day and 100,000 per day, with no manual shortcuts and no incomplete watchlists, removes the human bottleneck that creates the gap. That is what neobanks building for scale need to get right from the start.