Government ID Verification in the US: Digital Identity Programs and Federal Requirements

The United States does not have a single national identity card. What it does have — and what every regulated business must navigate — is a layered system of federal mandates, state-issued credentials, and agency-specific digital identity programs. The REAL ID Act's full enforcement deadline of May 7, 2025 raised the floor for all state-issued driver's licenses and IDs used for federal purposes. At the same time, FinCEN's Customer Identification Program (CIP) rule under the Bank Secrecy Act (BSA) requires financial institutions to verify customer identity using government-issued documents before opening accounts. And mobile driver's licenses (mDLs) are now live in more than 30 states, built on the ISO/IEC 18013-5 standard. As of April 2026, every bank, credit union, broker-dealer, and money services business subject to BSA obligations must have documented procedures for verifying government-issued IDs — and the technical standards for what qualifies have never been higher.

This guide maps the US government ID verification landscape: the federal programs, the regulatory requirements, the accepted document types, and how automated verification fits into a BSA/AML compliance program in 2026.

---

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

---

What Is Government ID Verification in the US?

Government ID verification in the US is the process of confirming that a document presented by an individual was genuinely issued by an authorized government authority — a state DMV, the US State Department, or a federal immigration agency — and that the document belongs to the person presenting it. For regulated businesses, this is not a best practice; it is a legal obligation.

The Bank Secrecy Act (BSA), codified at 31 USC §5311, is the foundation of US anti-money laundering (AML) law. The FinCEN Customer Identification Program (CIP) rule at 31 CFR 1020.220 requires every bank to implement written procedures to verify the identity of each customer who opens an account. At minimum, the CIP rule requires collection and verification of a customer's name, date of birth, address, and identification number — verified using a government-issued document with a photograph, such as a driver's license or passport (FinCEN CIP Rule, 31 CFR 1020.220).

This requirement applies to banks, savings associations, credit unions, broker-dealers, mutual funds, futures commission merchants, and introducing brokers. Money services businesses (MSBs) face parallel identity verification requirements under 31 CFR Part 1022. The Anti-Money Laundering Act 2020 (AMLA) expanded FinCEN's rulemaking authority and explicitly called for modernizing CIP standards to accommodate digital identity verification, biometrics, and mobile credentials.

For a full breakdown of KYC obligations by sector, see our industry verification guide.

US Government Digital Identity Programs

Four federal and quasi-federal programs define the digital identity infrastructure that businesses interact with in 2026.

Login.gov is the federal government's official digital identity solution, operated by the General Services Administration (GSA). It is compliant with NIST SP 800-63-3 at Identity Assurance Level 2 (IAL2), which requires remote identity proofing: the user submits a government-issued ID, a selfie, and either a Social Security Number or other confirming information. Login.gov has 50 million or more enrolled users and is accepted by over 50 federal agencies including the Social Security Administration, the Department of Veterans Affairs, and USAJOBS (Login.gov, GSA). For businesses building identity verification flows that need to interact with federal systems, Login.gov represents the government's declared standard.

ID.me is a private identity verification network authorized by the IRS, VA, and SSA for benefits access. Unlike Login.gov, ID.me uses commercial biometric verification (facial recognition against a selfie, verified against the identity document). It is also NIST IAL2-compliant. The key distinction for businesses: ID.me is a commercially operated credential service provider (CSP), while Login.gov is government-operated. Financial institutions are not required to use either for their own CIP processes, but both are accepted reference points for what IAL2-level verification looks like in practice.

REAL ID is not a digital program but a federal standards mandate for physical state-issued credentials. The REAL ID Act (2005) set minimum security standards for state-issued driver's licenses and IDs: machine-readable zones, anti-counterfeiting features, and verified source documentation (birth certificate, SSN record, proof of address). As of May 7, 2025, the full enforcement of the REAL ID Act means only REAL ID-compliant state licenses and IDs are accepted for federal purposes including boarding commercial aircraft (TSA REAL ID Enforcement Notice, DHS.gov). For identity verification in financial services, REAL ID-compliant credentials are now the baseline for state-issued ID acceptance.

Mobile Driver's Licenses (mDLs) are digital versions of state-issued credentials, built on the ISO/IEC 18013-5 standard. As of Q1 2026, more than 30 states have active mDL programs. An mDL is not simply a photo of a license stored in an app — it is a cryptographically signed credential issued by the state DMV, with selective disclosure capabilities (a user can prove they are over 21 without revealing their address or date of birth). Apple Wallet and Google Wallet both support ISO 18013-5 mDLs in participating states. The American Association of Motor Vehicle Administrators (AAMVA) maintains an mDL Implementation Status tracker and the AAMVA mDL Connection Service enables online verification by relying parties.

US Regulatory Framework: BSA, FinCEN, AMLA 2020, and the Corporate Transparency Act

The US AML and identity verification regulatory framework rests on four pillars enacted between 1970 and 2021.

The Bank Secrecy Act (BSA), 31 USC §5311 et seq., enacted in 1970, requires financial institutions to maintain records and file reports — including Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) — that help law enforcement detect and prosecute money laundering. The BSA is implemented through FinCEN regulations. Every identity verification requirement for financial institutions traces back to BSA authority.

FinCEN's Customer Identification Program (CIP) Rule (31 CFR 1020.220), finalized in 2003, sets the specific document verification requirements for bank account opening. The rule requires: collecting name, DOB, address, and ID number; verifying those details through documentary or non-documentary methods; checking names against government lists (including OFAC's Specially Designated Nationals list); and retaining records for five years. Documentary verification must use a government-issued photo ID — a driver's license, passport, or equivalent.

The Anti-Money Laundering Act 2020 (AMLA), enacted as part of the National Defense Authorization Act for FY 2021, was the most significant overhaul of US AML law since the PATRIOT Act. The AMLA directed FinCEN to update its regulations to include digital identity verification, authorized FinCEN to issue innovation pilots for new CIP technologies, and established the FinCEN Exchange program. It also substantially increased civil and criminal penalties for BSA violations. FinCEN's implementation of the AMLA through its National AML/CFT Priorities (issued June 2021, updated 2024) explicitly lists identity fraud and synthetic identity as priority concerns for financial institutions (FinCEN AML/CFT National Priorities).

The Corporate Transparency Act (CTA) 2021, effective January 1, 2024, requires most US corporations, LLCs, and similar entities to report their beneficial owners to FinCEN's Beneficial Ownership Secure System (BOSS). Each beneficial owner report must include name, date of birth, address, and a unique identifying number from a government-issued ID — along with a copy of that ID. This means every entity subject to the CTA must collect and report government-issued ID data for each individual who owns or controls 25% or more of the entity (FinCEN Beneficial Ownership Reporting, fincen.gov). This is a separate obligation from CIP and applies to the entities themselves, not just their customers.

For businesses operating across jurisdictions, OFAC sanctions screening must be integrated with identity verification: every customer whose identity is verified must be screened against OFAC's SDN list and sector-specific sanctions programs. For more on sanctions list screening, see our sanctions screening guide.

Privacy framework: Unlike the EU's GDPR, the US has no single federal data privacy law governing identity document handling. The patchwork includes the California Consumer Privacy Act (CCPA/CPRA), Virginia's VCDPA, Colorado's CPA, and more than a dozen other state privacy laws. Businesses collecting identity documents must comply with applicable state privacy laws as well as federal data retention and disposal requirements under the BSA (five-year minimum retention) and the FTC Safeguards Rule for financial institutions.

Government-Issued ID Documents in the US

The following documents are accepted for identity verification under FinCEN's CIP rule and NIST SP 800-63-3 IAL2-level verification standards.

Our platform processes over 3,200 document types across 32 jurisdictions, including all 50 US states' driver's licenses and IDs. This coverage is essential given the structural complexity of US identity: each state issues its own credential with distinct security features, barcode formats, and data field layouts.

Federal vs. State Complexity in US ID Verification

US identity verification is structurally more complex than in countries with a national ID card. Every state operates its own Department of Motor Vehicles (DMV), issues its own driver's license design, and updates that design on its own schedule. A financial institution accepting driver's licenses for CIP purposes must be able to authenticate credentials from all 50 states, Washington DC, and US territories — each with different hologram patterns, barcode formats (PDF417 2D barcodes following AAMVA standards), magnetic stripe layouts, and security feature placements.

The REAL ID Act imposed minimum federal standards, but implementation details vary. A REAL ID-compliant California driver's license and a REAL ID-compliant Texas driver's license both carry the star marking and meet the federal security minimums — but their physical designs, chip configurations (where present), and barcode data structures differ. Automated verification systems must maintain current template libraries for every issuing state and jurisdiction.

NIST SP 800-63-3 IAL2 requirements specify that remote identity proofing must include: (1) collection of a government-issued ID with a photograph, (2) validation that the document is genuine and not counterfeit, (3) verification that the identity attributes on the document match the applicant, and (4) a liveness check or other binding step. For in-person proofing (IAL3), additional steps including biometric capture are required (NIST SP 800-63A, Section 5.3).

The AAMVA's DLID standards govern the data encoding in state-issued driver's license and ID barcodes. Compliant automated systems read the PDF417 barcode, decode AAMVA-standard data fields, and cross-validate them against the visual information on the document — detecting discrepancies that indicate tampering or forgery.

For a comprehensive overview of automated document verification methods, including OCR and barcode validation, see our document verification guide.

Automated Verification Methods for Government IDs

Automated government ID verification in 2026 uses a stack of complementary technologies, each targeting a different fraud vector.

Optical Character Recognition (OCR) extracts text data from the visual zones of a document — name, date of birth, address, document number, expiration date. Modern OCR trained on government ID templates achieves high extraction accuracy for in-scope documents but must be paired with structural validation (is the data in the right field?) to catch manipulated documents.

Machine Readable Zone (MRZ) parsing reads the two- or three-line code at the bottom of passports and some government IDs. The MRZ encodes name, document number, nationality, date of birth, and expiration in a standardized format (ICAO 9303). Cross-validating MRZ data against the visual zone data is a foundational fraud check.

AAMVA barcode decoding reads the PDF417 2D barcode on the back of US driver's licenses and state IDs. The barcode contains the same personal data as the visual front, encoded in AAMVA DLID standard fields. Discrepancies between the barcode and the visual zone — or barcode data that fails AAMVA checksum validation — are strong indicators of a fraudulent or altered document.

NFC chip reading is increasingly relevant as more states issue REAL ID-compliant credentials with embedded chips and as mDLs become standard. Reading the NFC chip provides cryptographically signed data from the issuing authority, which cannot be forged without access to the DMV's private key.

Liveness detection and biometric matching bind the verified document to the presenting individual. ISO/IEC 30107-3 Presentation Attack Detection (PAD) standards define the technical requirements. NIST SP 800-63B-4 requires PAD compliance for federal agency remote identity proofing. FinCEN has acknowledged biometric liveness checks as an acceptable CIP verification method in updated guidance.

Challenges in US Government ID Verification in 2026

Synthetic identity fraud is the defining challenge in US identity verification. The FBI and FTC estimate that synthetic identity fraud — where a fraudster creates a new identity by combining real and fabricated data, often using a real Social Security Number — accounts for 56% of identity fraud losses in the US financial system. Synthetic identities are harder to detect than stolen identities because the fraudster may have a real SSN (often belonging to a child or elderly person with thin credit files) and a fabricated or altered government ID. Detection requires cross-referencing identity data against credit bureau records, SSA data, and behavioral signals — not just validating the document itself.

AI-generated document fraud is accelerating. Commercially available image generation tools can produce photorealistic fraudulent driver's licenses that defeat basic visual inspection. The fraud mitigation industry has responded with trained neural network classifiers that detect AI-generated documents by identifying statistical artifacts in image data, inconsistent lighting on security features, and anomalies in the spatial layout of text and images that differ from genuine templates.

OFAC sanctions screening integration is a compliance requirement, not an enhancement. Every identity verification workflow at a regulated financial institution must include real-time or near-real-time screening against OFAC's SDN list and other applicable sanctions lists. False positives from name-matching algorithms (particularly for common names or transliterated names) must be managed through documented review procedures.

mDL verification readiness is an emerging gap. As mDLs replace physical licenses in consumers' wallets, verification systems that rely only on physical document inspection will fall behind. Financial institutions are evaluating how to accept and cryptographically verify mDL presentations — a workflow that differs from scanning a physical card and requires integration with ISO 18013-5 verification libraries or third-party verification services.

For more on emerging identity fraud techniques and detection methods, see our digital identity trends guide for 2026.

Automating Government ID Verification with CheckFile

For financial institutions, FinTechs, and any business subject to BSA/FinCEN requirements, automated government ID verification is not a convenience — it is a compliance necessity. Manual document review cannot scale to modern onboarding volumes, and human reviewers are demonstrably less accurate than automated systems at detecting sophisticated document fraud.

CheckFile's document verification platform supports the full US government ID stack: US passports and passport cards (MRZ + NFC), REAL ID-compliant driver's licenses and state IDs from all 50 states and DC (OCR + barcode + template validation), Permanent Resident Cards and Employment Authorization Documents (OCR + MRZ), and mobile driver's licenses via ISO 18013-5 integration. Our platform processes over 3,200 document types across 32 jurisdictions, including all 50 US states' driver's licenses and IDs — with template libraries updated in real time as states refresh credential designs.

For BSA/CIP compliance, our workflows generate audit-ready verification records that meet the five-year retention requirements of 31 CFR 1020.220. For Corporate Transparency Act reporting, our platform supports automated extraction of beneficial owner data from government-issued IDs for FinCEN BOSS submission.

Explore our KYC verification solutions for banks and financial institutions or review our security and infrastructure documentation to understand how verification data is handled, retained, and protected under FTC Safeguards Rule and applicable state privacy law requirements.

For a broader look at how ID verification fits into your compliance program, see our industry verification guide.

---

Frequently Asked Questions

What government IDs are accepted for BSA/FinCEN Customer Identification Programs?

FinCEN's CIP rule (31 CFR 1020.220) accepts any unexpired government-issued photo ID for documentary verification. In practice, this means US passports, REAL ID-compliant driver's licenses and state IDs, Permanent Resident Cards, Employment Authorization Documents, and military IDs are all acceptable. Since the REAL ID Act's full enforcement date of May 7, 2025, non-REAL ID-compliant state licenses are no longer accepted for federal purposes, though individual financial institutions may set their own documentary standards above the regulatory minimum. mDLs are increasingly accepted, though institutions should document their acceptance policy and verification method in their CIP procedures.

How does the REAL ID Act affect business identity verification in the US?

The REAL ID Act directly affects which state-issued credentials are acceptable for federal purposes, including identity verification at federal facilities and boarding commercial aircraft. For businesses, the impact is indirect but significant: REAL ID compliance sets a higher floor for document security features (source document verification, anti-counterfeiting measures, machine-readable zones), which means REAL ID-compliant credentials are harder to forge. Financial institutions subject to FinCEN CIP requirements benefit from accepting only REAL ID-compliant credentials from states, as they carry higher assurance of authenticity. The Act does not directly mandate what private businesses must accept, but FinCEN-regulated entities should document their rationale for accepting or rejecting non-compliant credentials.

What is the difference between Login.gov and ID.me for business use?

Login.gov is operated by the US federal government (GSA) and is designed primarily for access to federal agency services by individuals — not as a B2B identity verification service for private businesses. ID.me is a commercially operated identity verification network that offers its verified credential to third-party relying parties, including financial institutions, through an API. Both are NIST IAL2-compliant. For a financial institution building a CIP-compliant onboarding flow, ID.me offers a more direct integration path, while Login.gov is primarily relevant when your customers need to interact with federal benefit programs and you want to reduce re-verification friction. Neither replaces a full CIP verification program — they are credential service providers that can be components of one.

Does the Corporate Transparency Act require businesses to re-verify identity?

The Corporate Transparency Act (CTA) 2021, effective January 1, 2024, requires reporting companies to collect and submit to FinCEN a copy of the government-issued ID for each beneficial owner and company applicant, along with the ID number from that document. This is a reporting obligation on the entity itself — not a CIP obligation on a financial institution. FinCEN has issued guidance indicating that reporting companies should retain copies of submitted IDs and update reports within 30 days of any change in beneficial ownership. Financial institutions that rely on FinCEN's CDD Final Rule exemption (allowing reliance on FinCEN-reported beneficial ownership data) still need their own CIP documentation — the CTA does not eliminate CIP requirements, it creates a parallel reporting infrastructure.

How do US AML requirements compare to EU AMLD6 for identity verification?

The EU's Sixth Anti-Money Laundering Directive (AMLD6, effective December 2020) and the US Bank Secrecy Act / AMLA 2020 framework share the same underlying goals — detecting and preventing money laundering — but differ in structure. AMLD6 is a directive that member states must transpose into national law, creating some variation across EU jurisdictions; the BSA/AMLA framework is federal law with uniform FinCEN regulations. Both require Customer Due Diligence (CDD) including identity verification with government-issued ID, beneficial ownership identification, and ongoing monitoring. Key differences: the EU's eIDAS 2.0 framework is creating a harmonized digital identity infrastructure (the European Digital Identity Wallet) that has no direct US equivalent; the US Corporate Transparency Act is a closer analog to EU beneficial ownership registers, but FinCEN's BOSS system is not publicly searchable. For a detailed comparison of eIDAS 2.0 and its implications for cross-border verification, see our eIDAS 2.0 European Digital Identity Wallet guide.