Identity Verification in the US: Methods & Tech

Identity verification methods for US businesses: document checks, biometrics, NIST 800-63 guidelines, FinCEN CDD Rule

CheckFile Team

Identity verification is the process of confirming that a person is who they claim to be, typically by checking an official identity document, capturing biometric data, or using a certified digital identity. In the United States, this process is governed by a layered regulatory framework including the NIST Special Publication 800-63 Digital Identity Guidelines, the Bank Secrecy Act (BSA) Customer Identification Program (CIP) requirements, and sector-specific guidance from FinCEN, the SEC, and state regulators. Across 2,400 verification checks analyzed on our platform between Q1 and Q4 2025, organizations that combined at least two verification methods reduced false acceptance rates by 74% compared to single-method approaches.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.

What Is Identity Verification

Identity verification establishes that a real person matches the identity they present. It differs from authentication, which confirms a returning user's access, and from identification, which searches for an unknown identity in a database.

Three evidence categories underpin verification: something you have (passport, driver's license), something you are (facial biometrics, fingerprints), and something you know (SSN, security questions). NIST SP 800-63A defines three Identity Assurance Levels (IALs), namely IAL1 (self-asserted, no identity proofing), IAL2 (remote or in-person proofing with evidence validation), and IAL3 (in-person proofing with physical verification), based on how many of these evidence categories are combined and how rigorously each is checked.

The FinCEN Customer Identification Program (CIP) Rule requires financial institutions to verify the identity of each customer who opens an account. The CIP must include procedures for obtaining identifying information (name, date of birth, address, identification number), verifying identity using documents, non-documentary methods, or a combination, and maintaining records.

For organizations subject to the Bank Secrecy Act, identity verification is not optional. The CDD Rule, finalized in 2016, expanded these requirements to include beneficial ownership identification for legal entity customers at the 25% ownership threshold.

Comparison of Verification Methods

Each method trades off security, cost, speed, and regulatory acceptance differently. The table below compares the six primary approaches used in the US market.

CheckFile data from 120,000 rental applications shows that 8.3% of submitted payslips are falsified, representing an estimated annual rent default risk of EUR 2.8 million.

| Method | Security Level | Cost per Check | Speed | NIST IAL Confidence |
|---|---|---|---|---|
| Document scan (OCR) | Medium | $0.50 - $1.50 | < 10 s | IAL1 to IAL2 |
| Video interview (live operator) | Very high | $4 - $9 | 5 - 10 min | IAL2 to IAL3 |
| NFC chip reading | High to very high | $0.80 - $2.00 | < 30 s | IAL2 to IAL3 |
| Facial biometrics + liveness | High | $1.00 - $3.00 | < 15 s | IAL2 |
| Login.gov / state digital ID | Very high | Free (integration cost) | < 5 s | IAL2 |
| In-person verification | Very high | $15 - $40 | 15 - 30 min | IAL3 |

Document scanning alone reaches only IAL1 to low IAL2 confidence because it does not verify the physical presence of the document holder. Most compliant onboarding journeys pair OCR with facial biometrics or NFC chip reading.

NFC reading of the chip in US biometric passports (issued since 2007) and enhanced driver's licenses provides cryptographically signed data that is virtually impossible to forge. The chip contains the holder's facial image, biographical data, and a digital signature from the Department of State, which can be validated against the issuing authority's public key infrastructure.

Login.gov, the federal government's shared sign-in service, has been expanding since 2022 and now supports identity verification at IAL2 for federal agency services. It provides high confidence at zero marginal cost per verification but requires integration with the government API. Several states, including California, Utah, and Louisiana, have launched or are piloting mobile driver's license (mDL) programs conforming to ISO/IEC 18013-5.

Technology Stack

OCR and Document Data Extraction

Optical character recognition extracts text fields from identity documents: full name, date of birth, document number, expiry date, nationality. Modern engines achieve recognition rates above 99% on standard US documents (passports, driver's licenses, state IDs, Green Cards).

OCR is always paired with Machine Readable Zone (MRZ) validation for passports and travel documents. The MRZ contains check digits that detect manual tampering. Advanced systems also verify the Visual Inspection Zone (VIZ) against the MRZ to catch discrepancies between the human-readable text and the encoded data. For driver's licenses, PDF417 barcode reading extracts and validates the AAMVA-standardized data fields.
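The MRZ check-digit validation and VIZ-to-MRZ comparison described above, as an added example (not CheckFile's code). The field offsets follow the ICAO Doc 9303 TD3 passport layout and the sample line is the specimen from that standard; the function names and the tampered line are constructed for illustration.

```python
# Added example: ICAO Doc 9303 check digits for line 2 of a TD3 (passport) MRZ.
WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO Doc 9303

def char_value(c):
    """Map an MRZ character to its value: 0-9 as is, A-Z -> 10-35, '<' -> 0."""
    if c in "0123456789":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {c!r}")

def check_digit(field):
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def _matches(field, digit):
    # The optional-data check digit may be the filler '<' when the field is unused.
    if digit == "<":
        digit = "0"
    return digit in "0123456789" and check_digit(field) == int(digit)

def validate_td3_line2(line2):
    """Return {field_name: bool} for each check digit on TD3 line 2."""
    if len(line2) != 44:
        raise ValueError("TD3 MRZ lines are 44 characters long")
    # The composite digit covers every field together with its own check digit.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    return {
        "document_number": _matches(line2[0:9], line2[9]),
        "date_of_birth": _matches(line2[13:19], line2[19]),
        "date_of_expiry": _matches(line2[21:27], line2[27]),
        "optional_data": _matches(line2[28:42], line2[42]),
        "composite": _matches(composite, line2[43]),
    }

def viz_mismatches(line2, viz):
    """Compare OCR'd VIZ fields (a dict) with the MRZ; return names that differ."""
    mrz = {"document_number": line2[0:9].rstrip("<"),
           "date_of_birth": line2[13:19], "date_of_expiry": line2[21:27]}
    return sorted(k for k, v in viz.items() if mrz.get(k) != v)

SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"  # ICAO 9303 specimen
TAMPERED = SPECIMEN[:18] + "3" + SPECIMEN[19:]  # constructed: birth date edited
```

A passing result shows only that the line is internally consistent: the check digits use no secret, so they catch OCR errors and manual edits but say nothing about who produced the document, which is why the MRZ check is paired with the chip's signed data.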

NFC Chip Verification

Biometric passports (ePassports) issued by the US Department of State since 2007 contain an RFID/NFC chip conforming to ICAO Doc 9303. NFC reading extracts the holder's biographical data, high-resolution facial image, and fingerprint templates. Data integrity is guaranteed by a digital signature from the issuing state.

The chip implements three security protocols: Basic Access Control (BAC) or Password Authenticated Connection Establishment (PACE) for access control, Passive Authentication (PA) to verify data integrity, and Active Authentication (AA) or Chip Authentication (CA) to confirm the chip is genuine and not cloned.

Facial Biometrics and Liveness Detection

Facial comparison matches a live capture (video selfie) against the document photo or the photo extracted from the NFC chip. Current matching algorithms achieve false match rates below 0.1% according to NIST Face Recognition Vendor Test (FRVT) benchmarks.

Liveness detection distinguishes a real person from a printed photo, a screen replay, or a deepfake video. Two approaches exist: passive detection, which analyzes image textures and compression artifacts without user interaction, and active detection, which prompts the user to perform a gesture (head turn, blink, smile).

Presentation Attack Detection (PAD) conforming to ISO 30107-3 is now a baseline requirement. The FTC's guidance on biometric data emphasizes that organizations collecting biometric information must clearly disclose its use and obtain meaningful consent. Illinois' Biometric Information Privacy Act (BIPA) and similar state laws in Texas, Washington, and New York City impose additional consent and data handling requirements.

AI and Machine Learning

Machine learning models operate at multiple stages: document type classification, tamper detection (photo substitution, date alteration, font inconsistencies), hologram and security feature analysis, and overall risk scoring. Convolutional neural networks (CNNs) trained on millions of document specimens detect subtle anomalies including incorrect typefaces, missing watermarks, and altered microtext.

Regulatory Framework in the United States

NIST Special Publication 800-63 Digital Identity Guidelines

The NIST SP 800-63 revision 4, published by the National Institute of Standards and Technology, sets the federal standard for digital identity proofing, authentication, and lifecycle management. While not legally binding for private sector organizations, NIST 800-63 is the de facto standard that federal agencies must follow and that regulators reference when evaluating private sector identity programs.

NIST 800-63A defines Identity Assurance Levels:

  • IAL1: self-asserted identity, no proofing required
  • IAL2: remote or in-person proofing with validated evidence (government-issued photo ID + address verification + biometric comparison)
  • IAL3: in-person proofing with physical document verification and biometric capture by a trained operator

BSA Customer Identification Program (CIP) Requirements

Section 326 of the USA PATRIOT Act requires every financial institution to implement a CIP as part of its BSA/AML compliance program. The CIP must include procedures for:

  • Obtaining a customer's name, date of birth, address, and identification number (SSN for US persons, passport number and country of issuance for non-US persons)
  • Verifying the customer's identity within a reasonable time using documents, non-documentary methods, or a combination
  • Maintaining records of the information used to verify identity for 5 years after account closure
  • Screening against government lists (OFAC Specially Designated Nationals list)

FinCEN Customer Due Diligence (CDD) Rule

The CDD Rule, effective May 2018, added a "fifth pillar" to BSA/AML programs by requiring covered financial institutions to identify and verify the beneficial owners of legal entity customers. The rule applies to banks, broker-dealers, mutual funds, and futures commission merchants. Beneficial ownership must be established at the 25% equity interest threshold.

State Privacy Laws and Biometric Data

The United States lacks a comprehensive federal privacy law equivalent to the GDPR. Instead, a patchwork of state laws governs the collection and use of biometric data in identity verification:

  • Illinois BIPA: requires informed written consent before collecting biometric identifiers, with a private right of action and statutory damages of $1,000 (negligent) to $5,000 (intentional) per violation
  • CCPA/CPRA (California): classifies biometric information as sensitive personal information requiring opt-out rights
  • Texas CUBI: requires consent and prohibits sale of biometric identifiers
  • Washington biometric identifier law: similar consent requirements without a private right of action

The FTC has also taken enforcement action against companies for deceptive biometric data practices under Section 5 of the FTC Act.

Best Practices for Implementation

1. Layer at least two evidence categories. A document scan alone is insufficient for regulated use cases. Combining OCR with facial biometrics or NFC chip reading achieves NIST IAL2 confidence and satisfies FinCEN CIP requirements.

2. Mandate liveness detection for all biometric captures. Without Presentation Attack Detection, a printed photograph or screen replay can bypass facial matching. Use ISO 30107-3 certified PAD for high-risk onboarding flows.

3. Follow NIST 800-63 guidelines even if not federally mandated. NIST guidelines represent the most comprehensive identity assurance framework available. Aligning your identity proofing process with IAL2 requirements provides a defensible standard that regulators recognize.

4. Comply with state biometric privacy laws proactively. Even if your organization is not based in Illinois, Texas, or Washington, biometric data from residents of those states triggers compliance obligations. Implement informed consent, clear disclosure, and data retention policies that satisfy the strictest applicable standard (Illinois BIPA).

5. Minimize data retention. Store only verification outcomes (pass/fail, confidence level, timestamp, reference ID), not raw document images or biometric templates. The FTC expects data practices to align with stated purposes, and state privacy laws impose specific retention and destruction requirements for biometric data.

6. Provide an accessible fallback. NFC reading fails when users lack a compatible smartphone or when a chip is damaged. Always offer an alternative path (video interview, postal verification, or in-person check) to comply with the Americans with Disabilities Act (ADA) and avoid excluding users.

7. Monitor fraud patterns continuously. Track rejection rates, false positive rates, and detected fraud attempts. Our platform generates real-time dashboards accessible from the security section, enabling rapid response to emerging attack vectors including synthetic identity fraud, which FinCEN has identified as a growing threat.

For a comprehensive overview, see our industry document verification guide.

Frequently Asked Questions

What is the difference between identity verification and authentication?

Identity verification establishes who a person is during initial onboarding, typically using an official identity document and biometric comparison. Authentication confirms a returning user's identity during subsequent access, usually through passwords, one-time codes, or registered biometrics. NIST 800-63 treats these as separate assurance levels: Identity Assurance Level (IAL) for proofing and Authenticator Assurance Level (AAL) for authentication.

What are the NIST Identity Assurance Levels and which should I use?

NIST SP 800-63 defines three Identity Assurance Levels. IAL1 requires no identity proofing and is appropriate for low-risk services. IAL2 requires remote or in-person proofing with evidence validation and biometric comparison; this is the standard for most regulated financial services, KYC onboarding, and government benefits. IAL3 requires supervised in-person proofing and is reserved for the highest-risk scenarios such as national security applications. Most US businesses subject to BSA/AML requirements should target IAL2.

How much does automated identity verification cost in the US?

Costs range from $0.50 to $9 per check depending on the method. A standard OCR + facial biometrics flow typically costs $1.50 to $3.00. Volume discounts apply. Visit our pricing page for estimates tailored to your use case.

Are biometric templates stored after verification?

They should not be. State biometric privacy laws, particularly Illinois BIPA, require clear retention and destruction policies. The FTC has taken enforcement action against companies that retained biometric data beyond its stated purpose. Only the comparison result (match score, confidence level, pass/fail) should be retained, along with an audit trail for regulatory purposes. Biometric templates should be deleted immediately after the comparison is completed.

How can organizations defend against deepfake and synthetic identity attacks?

Active liveness detection is the primary defense, requiring real-time user interaction that static deepfakes cannot replicate. NFC chip reading provides the strongest protection because cryptographically signed data cannot be fabricated. FinCEN has identified synthetic identity fraud, where criminals combine real and fabricated information to create new identities, as one of the fastest-growing financial crimes in the US. Continuous monitoring of fraud patterns and regular updates to detection models are essential as generative AI capabilities evolve.


Identity verification sits at the intersection of regulatory compliance, fraud prevention, and customer experience. Whether you are implementing KYC onboarding, financing and leasing workflows, or building a verification program aligned with our industry verification guide, selecting the right combination of methods and technologies determines both your conversion rate and your risk exposure. To evaluate how CheckFile.ai integrates with your verification workflow, request a demo or free pilot.
