Verify identity once. Comply everywhere.
Regulated businesses face a fundamental challenge: they must verify who their customers are before onboarding them, and they must do so quickly, accurately and in a way that satisfies regulators. OpenKYC provides the open source infrastructure for this - document verification, facial liveness detection, biometric matching and watchlist screening - without the per-verification pricing that makes commercial KYC vendors expensive at scale. Node deploys, operates and supports OpenKYC as a fully managed service.
What KYC verification is and why it matters
Know Your Customer (KYC) is the regulatory requirement for businesses to verify the identity of their customers before entering into a financial or contractual relationship. It is a legal obligation for financial services firms, fintechs, crypto exchanges, insurance providers, legal firms and a growing number of regulated industries under anti-money laundering (AML) and counter-terrorism financing (CTF) legislation.
Failing to verify identity adequately carries significant consequences - regulatory fines, reputational damage, and in serious cases, criminal liability for the organisation and its officers. But KYC verification is not just about compliance. It protects your business from fraud, protects your legitimate customers from identity theft, and underpins the trust that regulated businesses are built on.
OpenKYC is an open source identity verification platform that brings together the components needed to meet these requirements: document capture and extraction, facial biometric verification, liveness detection to prevent spoofing, and automated screening against sanctions lists, politically exposed person (PEP) databases and adverse media sources. Node integrates these components into a production-grade managed service tailored to your onboarding workflow.
Document verification and data extraction
The foundation of KYC is confirming that a customer's identity document is genuine and belongs to them.
Supported document types - passports, national identity cards, driving licences and residency documents from over 190 countries. Our deployment uses machine-readable zone (MRZ) parsing, NFC chip reading for e-passports, and visual authenticity checks to confirm the document is genuine and unaltered.
Automated data extraction - optical character recognition (OCR) extracts name, date of birth, document number, expiry date and nationality from the document. This data is validated against the document's checksum digits and cross-referenced with the MRZ or chip where available.
Fraud signal detection - we configure checks for common document fraud indicators: inconsistent fonts, irregular layout proportions, evidence of digital manipulation, expired documents and mismatched check digits. Suspicious documents are flagged for manual review rather than automatically rejected, reducing false positives.
Structured data output - verified document data is returned as structured JSON to your application or case management system. You receive clean, normalised identity data that feeds directly into your CRM, onboarding workflow or compliance records without manual re-entry.
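The check digit validation described above can be illustrated with the ICAO Doc 9303 algorithm for line 2 of a passport (TD3) MRZ. This Python is an added example, not OpenKYC or Node code; the function names are hypothetical and the sample line is the public ICAO specimen, not real customer data.

```python
import string

# Public ICAO Doc 9303 specimen, line 2 of a TD3 (passport) MRZ.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

WEIGHTS = (7, 3, 1)
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0  # the filler character counts as zero


def check_digit(field: str) -> int:
    """Weighted sum (7, 3, 1 repeating) modulo 10 over an MRZ field."""
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


# name -> (start, end, check digit index); 0-based, end exclusive
TD3_FIELDS = {
    "document_number": (0, 9, 9),
    "date_of_birth": (13, 19, 19),
    "expiry_date": (21, 27, 27),
    "personal_number": (28, 42, 42),
}


def validate_td3_line2(line: str) -> dict:
    """Return {check name: passed} for every check digit on the line."""
    if len(line) != 44 or any(c not in VALUES for c in line):
        raise ValueError("TD3 line 2 must be 44 characters of A-Z, 0-9 or '<'")
    results = {}
    for name, (start, end, pos) in TD3_FIELDS.items():
        field, stated = line[start:end], line[pos]
        # An unused personal number may carry '<' instead of a 0 check digit.
        if name == "personal_number" and stated == "<" and set(field) == {"<"}:
            stated = "0"
        results[name] = stated.isdigit() and int(stated) == check_digit(field)
    # The composite digit covers the fields together with their check digits.
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = (
        line[43].isdigit() and int(line[43]) == check_digit(composite)
    )
    return results


def failed_checks(line: str) -> list:
    """Names of failed checks; a non-empty list means route to manual review."""
    return sorted(k for k, ok in validate_td3_line2(line).items() if not ok)
```

A single altered digit in the date of birth fails both that field's check and the composite check, which is why the composite digit is worth validating separately from the per-field digits.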
Facial biometric verification and liveness detection
Confirming that a document is genuine is half the problem. Confirming that the person presenting it is the same person in the document photograph - and is physically present, not using a photograph or video - is the other half.
Face matching - we compare the selfie captured during onboarding against the photograph extracted from the identity document using deep learning facial recognition models. Match confidence scores are configurable against your risk threshold: higher-risk onboarding processes can require a stricter match threshold than lower-risk ones.
Passive liveness detection - our deployment uses passive liveness analysis that detects presentation attacks - printed photographs, digital screen displays, masks and deepfake video - without requiring the user to perform actions like blinking or turning their head. Passive liveness is less intrusive for the user and more effective against modern spoofing techniques.
Active liveness challenges - for higher assurance contexts, we can enable active liveness challenges that require the user to perform specific movements. This provides an additional layer of assurance for high-value onboarding or re-authentication scenarios.
Audit trail and image retention - all biometric checks generate a timestamped audit record with confidence scores, decision rationale and retained images for the retention period required by your regulatory framework. Your compliance team has full access to this record for any manual review or regulatory enquiry.
AML screening and watchlist checks
Identity verification alone is not sufficient for AML compliance. You must also screen verified identities against sanctions lists and other watchlist sources.
Sanctions screening - automated matching against OFAC, HM Treasury, EU, UN and other major sanctions lists. Screening runs at the point of onboarding and can be scheduled to re-run continuously against your existing customer base as watchlists are updated.
Politically Exposed Persons (PEP) screening - PEP status indicates elevated money laundering risk due to a person's political position or family connections. Our integration checks against commercial PEP databases covering heads of state, senior government officials, judges, military officers and their close associates across all jurisdictions.
Adverse media monitoring - automated screening of news sources and media databases for negative coverage associated with your customer - criminal proceedings, financial fraud, regulatory sanctions and other risk indicators that may not appear on formal watchlists.
Configurable risk scoring - we configure a composite risk score that weighs document verification result, biometric match confidence, liveness assurance level, sanctions and PEP status, and adverse media findings into a single onboarding decision that maps to your risk appetite. Clear passes, clear fails and borderline cases can each be routed differently.
Integration with your onboarding workflow
OpenKYC is not a standalone product - it is an infrastructure component that we integrate into your customer journey.
REST API - all verification functions are exposed via a documented REST API. Your application calls the API to initiate a verification session, retrieve results and query historical records. The integration pattern is straightforward for any web or mobile application.
Hosted verification flows - for organisations that want a rapid deployment, we provide hosted verification flows - mobile-optimised web pages that handle document capture, selfie capture and liveness detection without requiring changes to your own application. Your application redirects to the hosted flow and receives results via webhook.
Webhook notifications - verification results are delivered to your application via webhook in real time. Your onboarding process receives the decision, the extracted data and the risk score as soon as the verification is complete.
Case management integration - for organisations with manual review workflows, we integrate with case management systems to route flagged verifications to your compliance team with all supporting evidence attached.
Keycloak integration - for organisations already running Keycloak for identity and access management, OpenKYC integrates as a pre-registration verification step. A user cannot create an account until their KYC verification is complete, and their verified identity data is stored as attributes on their Keycloak identity record.
Regulatory compliance and data residency
KYC data is sensitive personal data subject to strict regulatory requirements. How and where it is stored matters as much as how it is collected.
GDPR compliance - we deploy OpenKYC with configurable data retention policies. Biometric data can be purged after verification is complete if your regulatory framework does not require long-term retention. All data is encrypted at rest and in transit with comprehensive access logging.
Data residency - our managed deployment runs in the UK and EU by default, keeping personal data within the jurisdiction required by your compliance obligations. We can deploy to your own cloud tenancy or on-premise environment if your data residency requirements are specific to your organisation's regulatory framework.
Audit logging - every verification event, every manual review action, every API call and every data access is logged to an immutable audit trail. Your compliance team can produce a complete record of every KYC decision for any customer at any point in their lifecycle.
Right to erasure - we implement GDPR-compliant data deletion workflows. When a customer exercises their right to erasure, verification data is purged from the active system and from backups according to the schedules your legal team specifies.
The case for open source KYC infrastructure - commercial KYC vendors charge per verification. At low volumes this is acceptable, but for businesses processing thousands of verifications per month the cumulative cost is substantial - and escalates with your growth. OpenKYC provides the same verification capabilities as commercial platforms, delivered as self-hosted infrastructure with a fixed operational cost. You own your verification stack, your data never leaves your infrastructure boundary, and your cost per verification falls as volume grows. Node provides the managed operations layer that makes it enterprise-ready: deployment, monitoring, updates, support and compliance tooling included.
Talk to us about KYC verification.
Drop us a line, and our team will discuss how OpenKYC can power your customer onboarding, meet your regulatory requirements and reduce the cost of compliance.