Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.216.200

What happens during a Shufti identity check?

TL;DR

  • A Shufti identity check runs four owned steps: capture, document forensics, biometrics, and screening.
  • The whole flow completes in seconds, not days, on any mobile browser.
  • Document verification proves the ID is real; biometrics prove you are its owner.
  • iBeta Level 3 conformance under ISO/IEC 30107-3 backs the liveness step.
  • A failed check triggers a retry or manual review, not silent rejection

It’s 9 pm, and someone is opening a trading account from their phone. They photograph a passport, take a selfie, and tap verify. Ten seconds later, the account is live. In that gap, a lot happened. The passport was read, checked for forgery, and matched against a live face. A name was screened against sanctions and watchlists. A decision was made and logged. This article walks through each of those steps as a Shufti identity check runs them, so you know exactly what sits behind that ten-second wait.

An identity check answers one question a regulated business cannot skip. Is this person who they claim to be? Getting the answer wrong at onboarding is how fraudsters open accounts, launder funds, and trigger the fines that follow. So the check is built to be fast for genuine users and hard for everyone else.

What is an identity check, and what does it actually involve?

An identity check is the process of confirming that a real person matches the identity they present, using evidence a business can defend to a regulator. In compliance terms, this is identity proofing, and it sits at the front of every Know Your Customer (KYC) programme.

A complete check involves three things working together. It confirms the identity document is authentic and unaltered. It confirms the person presenting it is a live human, not a photo or a video. And it confirms that person is not on a sanctions list or flagged for money laundering risk. 

The Financial Action Task Force (FATF) guidance on digital identity accepts remote digital checks for customer due diligence, provided the system reaches an appropriate assurance level for the risk involved. That assurance level is what the steps below are designed to produce.

What happens step by step during a Shufti identity check?

A Shufti identity check moves through four steps in one continuous session, each handled by technology Shufti built and owns rather than stitched together from outside vendors. That order is not fixed for everyone.

Businesses can shape the flow with Shufti’s Journey Builder, configuring which steps run, what thresholds apply, and where fallback rules kick in based on their own requirements and each customer’s risk score. A low-risk user can pass through a light check while a high-risk one is routed into extra document, biometric, or screening steps, all on the same platform. In the standard journey below, the user only sees the capture screen.

Step 1: Document capture

The check starts when the user photographs a government-issued ID or reads its chip. Shufti’s own SDK guides the capture, checks focus and glare in real time, and prompts a retake before a bad image ever reaches the verification layer. 

Once a clean image lands, Shufti’s proprietary optical character recognition reads the fields straight off the document, pulling the name, date of birth, and document number natively across 150+ languages so an Arabic or Thai script is captured as cleanly as Latin text. 

That native reading is what removes the manual keying and low-confidence retries that stall weaker systems, so the capture step is tuned to get a usable image and a clean data extract on the first try.

Step 2: Document verification

Next, forensic AI inspects the document itself. It parses the machine-readable zone, reads the NFC chip where one is present, and checks security features such as holograms, microprint, and font consistency. These document verification steps catch manipulated IDs that would pass a simple photo match. 

Shufti’s document verification recognises 10,000+ document types across 240+ countries and territories, with proprietary optical character recognition trained natively on 150+ languages, so a Thai national ID or an Arabic passport is read as accurately as a US driver’s licence.

Step 3: Biometric and liveness check

The user then takes a selfie. A biometric identity check matches that face to the photo on the verified document, and a liveness layer confirms the face belongs to a live person in real time. Passive liveness runs silently in the background, looking at depth, texture, and screen-replay artefacts to flag deepfakes and face-swap attempts. 

Shufti’s face verification holds iBeta Level 3 conformance under ISO/IEC 30107-3, the testing standard for biometric presentation-attack detection. This automated identity check step is where a stolen document alone stops being enough to pass.

Step 4: Screening and decision

Finally, the verified identity runs through AML screening against sanctions lists, politically exposed person databases, and adverse media. 

Running alongside it, Shufti’s fraud prevention layer scores the session for risk signals a single check misses, such as device reputation, repeated data across accounts, and behavioural anomalies. 

Shufti’s screening engine returns a risk-scored result, and the full KYC identity check process ends with a single decision: approved, declined, or routed to a human reviewer. Every step is logged into an audit pack the compliance team can produce on demand.

Document verification vs biometric verification, what’s the difference?

These two steps are often confused, but they answer different questions. Document verification asks whether the ID is genuine. Biometric verification asks whether the person holding it is its rightful owner. A check needs both, because a real document in the wrong hands and a genuine face with a forged document are both failure modes.

Attribute Document verification Biometric verification
Core question Is this ID authentic and unaltered? Is this a live person who matches the ID?
What it inspects MRZ, NFC chip, security features, fonts Face match plus liveness signals
Fraud it stops Forged, edited, or template documents Stolen IDs, photos, videos, deepfakes
Primary input Photo or chip read of the document Selfie or short video of the user

How long does a Shufti identity check take, and can it run on mobile?

A Shufti identity check typically completes in seconds. Because the document, biometric, and screening steps run as automated, real-time identity verification rather than manual review, a genuine user is usually approved before they put their phone down. There is no batch queue and no overnight wait for the standard path.

The entire flow is built mobile-first and runs in a mobile browser or inside an app, with no download required for the standard journey. The same digital ID check process also accepts alternatives to a physical document where they exist, including national digital identity schemes and, under eIDAS 2.0, the EU Digital Identity Wallet. EU member states must issue those wallets to citizens by the end of 2026, and regulated institutions must accept them by December 2027, and Shufti accepts them today.

What happens to your data, and what if a check fails?

If a check fails, it is not a dead end. A failure usually means the image was unclear, the document was unsupported, or a liveness or screening signal needs a second look. The user is prompted to retry, or the session is routed to a manual reviewer for a decision rather than being silently rejected. This keeps genuine customers who hit a bad photo or an edge-case document from being lost.

On data, a regulated identity check is governed by frameworks such as the General Data Protection Regulation (GDPR). Personal data is processed to complete the verification and is retained only as long as compliance obligations require, with the specifics set by the business running the check and the deployment model it chooses. 

Shufti offers cloud, regional local cloud, and on-premises deployment, so a business subject to strict data-residency rules can keep verification data inside its own jurisdiction or its own infrastructure.

How Shufti handles identity checks at scale

If your users are in Vietnam, Indonesia, Brazil, South Asia, or the Gulf, you have probably watched pass rates fall on documents a Western-trained system was never built to read. Most vendors bolted on non-Latin coverage later, and it shows at the worst moment, when a genuine customer abandons a retry loop. 

Shufti built and owns its entire verification stack, so document intelligence, liveness, and screening all run on models trained on those markets from the start rather than being retrofitted. Stripe uses Shufti specifically for MENA and APAC documents despite running its own verification capability, which tells you where an owned stack earns its keep. One platform. Fully owned technology. Global coverage with real local depth.

See how a Shufti identity check performs on your hardest markets and real documents. Book a 20-minute demo.

Frequently Asked Questions

What documents are needed to complete an identity verification check?

A government-issued photo ID is the core requirement, usually a passport, national ID card, driver's licence, or residence permit. Shufti recognises 10,000+ document types across 240+ countries and territories, and some journeys also accept a national digital identity or an EU Digital Identity Wallet instead of a physical document.

How does biometric verification work during a Shufti identity check?

The user takes a selfie, and Shufti matches that face to the photo on the verified document. A liveness layer then confirms the face is a live person, not a photo, video, or deepfake, using passive signals such as depth and texture analysis backed by iBeta Level 3 conformance under ISO/IEC 30107-3.

Can an identity check be done entirely on a mobile device?

Yes. The full flow runs in a mobile browser or app, with no download required for the standard journey. Document capture, the selfie, and the automated checks all happen on the phone, and most genuine users are verified in seconds without ever leaving the mobile screen.

Is personal data stored after an identity check is completed?

Data is processed to complete the check and retained only as long as compliance rules require, under frameworks such as GDPR. The business running the check sets retention, and Shufti's cloud, local cloud, and on-premises options let it keep verification data in its own jurisdiction or infrastructure.

Related Posts

Shufti Blog

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Explore More

Shufti Blog

What happens during a Shufti identity check?

What happens during a Shufti identity check?

Explore More

Shufti Blog

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

Explore More

Shufti Blog

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

Explore More

Shufti Blog

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

Explore More

Shufti Blog

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Explore More

Shufti Blog

What happens during a Shufti identity check?

What happens during a Shufti identity check?

Explore More

Shufti Blog

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

Explore More

Shufti Blog

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

Explore More

Shufti Blog

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started