In January 2025, cryptocurrency exchange KuCoin pleaded guilty to violating US anti-money laundering laws and agreed to pay $297 million in fines. The reason? From 2017 to 2023, KuCoin did not require know-your-customer procedures from its users. No ID checks, no document verification, no suspicious activity reports. For six years, billions of dollars flowed through the platform with zero oversight.
That fine should be a wake-up call for every fintech founder reading this. But here is what most people miss: KuCoin did not just lack KYC. They had zero document verification. And many fintechs that do have KYC in place are still dangerously exposed, because they stop at ID verification and never look at the documents that actually reveal fraud.
This guide breaks down KYC document verification in 2026: the basics of CDD and EDD, the EU’s new AMLA authority and why the documents you are probably not checking are the ones fraudsters count on you ignoring.
Most fintechs stop at ID verification, and that is where the problems start
Here is a pattern we see constantly at VerifyPDF: a fintech has invested heavily in identity verification. They have selfie matching, liveness detection, government ID scanning, the works. Their onboarding flow is slick and their compliance team is confident.
Then fraud happens anyway.
Why? Because verifying that someone is who they claim to be is only the first step. The second, and arguably more important, step is verifying the documents they submit to support their application.
Bank statements, payslips, tax returns, proof of address, source of funds documentation. These are the documents that determine whether a customer qualifies for a loan, gets approved for a higher credit limit or passes enhanced due diligence.
As we wrote in our post on why ID verification alone is not enough, most fraud does not happen at the identity layer. It happens at the document layer. A real person, with a real ID, submitting fake bank statements to inflate their income. That is not identity fraud, it is document fraud. And your ID verification provider will not catch it.
CDD, EDD and the alphabet soup of KYC requirements
If you work in fintech compliance, you already know these acronyms. But the distinction between CDD and EDD is where most document verification gaps hide, so let me spell them out.
Customer Due Diligence (CDD) is the baseline. Every customer, every time. It includes:
- Verifying the customer’s identity (ID document + biometric match)
- Understanding the nature and purpose of the business relationship
- Identifying beneficial owners (for business accounts)
- Ongoing monitoring of transactions
CDD is what most fintechs have nailed. The identity piece is well covered by providers like Onfido, Jumio or Sumsub. But CDD also requires understanding the customer’s financial profile and that means looking at documents.
Enhanced Due Diligence (EDD) kicks in for higher-risk customers: politically exposed persons (PEPs), customers from high-risk jurisdictions, complex corporate structures or unusually large transactions. EDD requires:
- Additional identity evidence
- Source of funds and source of wealth documentation
- More detailed ongoing monitoring
- Senior management approval for the relationship
And criminals know this. Source of funds documentation means bank statements, investment portfolio reports, property sale contracts, inheritance documents. These are all PDF documents. And fraudsters know that most fintechs have no automated way to verify whether they are genuine.
The documents that actually matter (and why most fintechs skip them)
Here are the specific documents that KYC requires beyond the passport or driver’s license. For most fintechs, these fall into four categories.
Income verification
Payslips, employment contracts and tax returns. When a customer applies for a loan or requests a credit increase, you need to verify their income. The problem? Payslips are embarrassingly easy to fake. Any PDF editor can change the numbers on a legitimate payslip without leaving visible traces to the naked eye.
We covered this in our post on fake payslips and why source data alone is not the solution. The short version: even “data from the source” solutions have gaps, and document forensics remains essential.
Bank statements
The most commonly submitted, and most commonly forged, financial document. At VerifyPDF, bank statements are the number one document type we process. As we covered in our analysis of the rising threat of fake bank statements, the quality of forgeries keeps improving while detection methods at most institutions have barely moved.
Bank statements matter for KYC because they reveal:
- Actual income (cross-referenced against payslips)
- Spending patterns and financial behavior
- Source of funds for large transactions
- Potential connections to high-risk activities
Proof of address
Utility bills, government correspondence and bank letters. These seem low-risk, but fraudsters use fake proof of address documents to establish residency in jurisdictions with more favorable regulatory treatment or simply to hide their real location.
In the Netherlands, for example, a valid proof of address can be the difference between being subject to Dutch AML requirements or falling through the cracks entirely. Fake utility bills are trivially easy to produce, even easier than payslips, because most utility providers do not embed any form of digital verification in their PDFs.
Source of wealth documentation
For EDD cases, you may need investment statements, property deeds, business financial statements or inheritance documentation. These are complex documents that vary wildly in format. Almost nobody verifies them automatically. Most compliance teams review them manually. If they review them at all.
How many compliance officers can genuinely distinguish a Swiss investment portfolio statement from a fake one? Or verify that a property deed from Portugal is authentic? The answer, in our experience, is very few. And that is not a criticism of the people, it is a criticism of the process that expects them to do the impossible without the right tools.
Most fraud happens after the initial KYC check
Here is something that should worry you: the majority of financial fraud losses occur not during onboarding, but during the ongoing customer relationship. The initial KYC check is a snapshot: it tells you who the customer was on the day they signed up. It tells you nothing about what happens next.
I have seen this play out more times than I can count. Here is one version, with names changed.
NovaPay was a mid-sized European payment platform with a solid onboarding process. Identity verification with liveness detection, PEP screening, sanction checks, everything by the book. A customer named Marco passed all checks with legitimate documents. Clean ID, real address, genuine initial bank statements. NovaPay approved him for a standard business account.
Eight months later, Marco applied for an increased transaction limit and submitted new bank statements showing his business revenue had tripled. The compliance team glanced at them: same bank, same format, and they looked consistent. They approved the increase.
Three months after that, Marco’s account was used to process 1.2 million euros in transactions tied to a money laundering network. The bank statements showing the revenue growth? Manipulated PDFs. The numbers had been edited, but the internal structure of the document was never checked.
This is first-party fraud: real people, real identities, fake documents. We covered the mechanics in our post on the three types of fraud, and it is by far the hardest to catch because there is nothing wrong with the identity itself.
Ongoing KYC document verification is not optional. Every time a customer submits a new document (for a credit increase, a new product or an annual review), that document needs the same level of scrutiny as the ones submitted during onboarding. Probably more, actually, because fraudsters who have already passed initial checks know exactly what your process looks for.
AMLA is coming: what the EU’s new authority means for fintechs
If you operate in Europe or serve European customers, this one is for you. The EU’s Anti-Money Laundering Authority (AMLA) officially launched in Frankfurt in 2025 and it is going to change how fintechs think about compliance.
Here is what you need to know:
Direct supervision starts in 2028. AMLA will directly oversee 40 of the EU’s highest-risk financial institutions. If your fintech handles significant transaction volumes, you could end up on that list. Are you ready for that level of scrutiny?
Uniform standards across the EU. No more regulatory arbitrage. The days of choosing your headquarters based on which country has the lightest AML requirements are over. AMLA will set consistent standards that all member states must follow.
The new AML Regulation (AMLR) applies from July 2027. This regulation replaces the current directive-based approach with a directly applicable regulation. For fintechs, this means:
- Standardized CDD and EDD requirements across all EU countries
- Stricter rules on source of funds verification
- Enhanced requirements for ongoing monitoring
- Mandatory suspicious activity reporting to AMLA’s data-sharing hub
What this means for document verification: the AMLR places heavy emphasis on verifying the authenticity of documents submitted during CDD and EDD. Accepting documents at face value, which is what most manual review amounts to, will not meet the new standard. Fintechs will need to prove they can actually detect manipulated documents. Saying you review them is not enough.
The Netherlands is already ahead here. Dutch officials have unveiled plans to give banks access to a government database of resident details to support AML compliance, and the Dutch Public Prosecution Service has been deepening its expertise in money laundering investigation. If you are a fintech operating in the Netherlands, the regulatory pressure is only going to increase.
How automated KYC document checks actually work
So what does “automated document verification” actually mean in a KYC context? If you ask most fintech founders, they will describe OCR, scanning a document, extracting text, maybe running some basic pattern matching. That is a start, but it is nowhere near enough. A well-made fake document will pass OCR with flying colors because the text is perfectly formatted. The fraud lives in the layers you cannot see by reading the document like a human would.
Here is what a real document check looks like.
Document integrity analysis. Before you even look at what a document says, you need to verify that it has not been tampered with. This means analyzing the internal structure of the PDF: metadata, fonts, creation timestamps, editing history, content stream consistency. A document that was created in Adobe Acrobat Pro last Tuesday but claims to be a bank statement from ING generated through their online banking portal? That is a red flag.
This is what VerifyPDF specializes in. Our document forensics engine checks the byte-level structure of every PDF, flagging inconsistencies that no human reviewer could spot. We process documents in less than 5 seconds, analyzing bank statements from over 90 countries.
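The structural signals named above (editing history, creation timestamps, the producing software) can be read straight from a PDF's bytes. The following Python is an added example, not VerifyPDF's engine; the `EDITING_TOOLS` list, the flag names and both sample files are constructed assumptions, and it reads only uncompressed literal-string metadata.

```python
import re

# Assumption: producer/creator substrings that indicate a general-purpose
# editor rather than a bank's statement generator. Illustrative list only.
EDITING_TOOLS = ("acrobat", "photoshop", "illustrator", "microsoft word")

def info_value(raw: bytes, key: str) -> str:
    """Last literal-string value of /key in the file ('' if absent).
    The last occurrence wins because incremental saves append newer copies."""
    pattern = rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)"
    found = re.findall(pattern, raw)
    return found[-1].decode("latin-1") if found else ""

def inspect_pdf(raw: bytes) -> list:
    """Return structural red flags for human review; [] means none found."""
    if not raw.startswith(b"%PDF-"):
        return ["not_a_pdf"]
    flags = []
    # Every save appended by an editor ends with its own %%EOF marker.
    # Linearized ("fast web view") files legitimately contain two.
    expected = 2 if b"/Linearized" in raw[:1024] else 1
    extra = len(re.findall(rb"%%EOF", raw)) - expected
    if extra > 0:
        flags.append(f"incremental_updates:{extra}")
    producer, creator = info_value(raw, "Producer"), info_value(raw, "Creator")
    created, modified = info_value(raw, "CreationDate"), info_value(raw, "ModDate")
    if not (producer or creator):
        flags.append("metadata_missing")
    tools = f"{producer} {creator}".lower()
    if any(name in tools for name in EDITING_TOOLS):
        flags.append("editing_tool_in_metadata")
    if created and modified and created != modified:
        flags.append("modified_after_creation")
    return flags

# Constructed sample: statement as exported by a (made-up) bank portal.
CLEAN = (b"%PDF-1.7\n1 0 obj\n<< /Producer (ExampleBank StatementGen 4.2) "
         b"/CreationDate (D:20260105091500Z) /ModDate (D:20260105091500Z) >>\n"
         b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")
# Constructed sample: the same file after an editor appended a revision.
EDITED = CLEAN + (b"1 0 obj\n<< /Producer (Adobe Acrobat Pro) "
                  b"/CreationDate (D:20260105091500Z) "
                  b"/ModDate (D:20260113142200Z) >>\n"
                  b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("edited", EDITED)):
        print(name, inspect_pdf(raw))
```

Metadata is easy to rewrite, so these flags route a file to a reviewer; an empty list is not proof that a document is genuine.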
Data extraction and cross-referencing. Once you know a document has not been tampered with, extract the data and cross-reference it against other documents from the same customer. A payslip showing 5,000 euros monthly salary should match bank statement deposits of roughly that amount. Tax returns should be consistent with both. Discrepancies do not always mean fraud, but they always warrant investigation.
Template and format verification. Legitimate bank statements from major banks follow specific formatting patterns. Font usage, layout, logos and reference number formats are all verifiable. A fake statement might get the logo right but use the wrong font for the account number or place the IBAN in the wrong position.
Behavioral analysis. How was the document submitted? Was it a native PDF download (good) or a screenshot that was printed and scanned back in (suspicious)? Was it uploaded from a mobile device at 3 AM from a different IP than usual? Context matters.
How to build a KYC document verification pipeline that works
Enough theory. Here is what a practical KYC document verification pipeline looks like for a fintech in 2026.
At onboarding (CDD)
- Require original PDF documents. No screenshots, no photos of screens, no scanned printouts. If a customer cannot provide the original PDF bank statement from their online banking, that is already worth investigating. There is no legitimate reason to convert a native PDF into a scan.
- Run every document through automated verification. Before a human touches the file, let an automated system check the document’s integrity. This catches the obvious fakes instantly and lets your compliance team focus on the edge cases that actually need judgment.
- Cross-reference documents against each other. Payslip income should match bank deposits. The address on the utility bill should match the application address. Tax identification numbers should be consistent across all documents.
- Flag and escalate, do not auto-reject. Automated systems should flag suspicious documents for human review, not reject applications automatically. False positives damage customer experience. The goal is accuracy, not speed.
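The cross-referencing step from the previous section and the last two items of the list above can be combined into one check. This Python is an added example, not VerifyPDF's code: it assumes the fields have already been extracted from the documents, and the field names, the 10% tolerance and the sample data are constructed.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Deposit:
    month: str     # e.g. "2026-01"
    payer: str     # counterparty name as printed on the statement
    amount: float  # euros

def norm(text: str) -> str:
    """Case- and punctuation-insensitive form for comparing names/addresses."""
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())

def cross_reference(employer, payslip_net, bill_address, application_address,
                    deposits, tolerance=0.10):
    """Compare fields extracted from several documents of one customer.
    Returns (decision, reasons); decision is 'pass' or 'manual_review',
    never an automatic rejection."""
    reasons = []
    salary = [d for d in deposits if norm(employer) in norm(d.payer)]
    if not salary:
        reasons.append("no_deposit_from_employer")
    else:
        typical = median(d.amount for d in salary)
        if abs(typical - payslip_net) > tolerance * payslip_net:
            reasons.append(f"income_mismatch:payslip={payslip_net:.0f},"
                           f"deposits={typical:.0f}")
        missing = sorted({d.month for d in deposits} - {d.month for d in salary})
        if missing:
            reasons.append("salary_missing_in:" + ",".join(missing))
    if norm(bill_address) != norm(application_address):
        reasons.append("address_mismatch")
    return ("manual_review" if reasons else "pass", reasons)

# Constructed sample data (names, amounts and addresses are made up).
STATEMENT = [Deposit("2026-01", "ACME B.V. SALARIS", 5000.0),
             Deposit("2026-02", "ACME B.V. SALARIS", 4980.0),
             Deposit("2026-03", "ACME B.V. SALARIS", 5000.0)]
LOWER_PAY = [Deposit("2026-01", "ACME B.V. SALARIS", 3100.0),
             Deposit("2026-02", "J. Jansen", 250.0),
             Deposit("2026-03", "ACME B.V. SALARIS", 3100.0)]

if __name__ == "__main__":
    addr = "Keizersgracht 1, 1015 CJ Amsterdam"
    print(cross_reference("Acme B.V.", 5000, addr, addr, STATEMENT))
    print(cross_reference("Acme B.V.", 5000, addr, addr, LOWER_PAY))
```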
During the relationship (ongoing KYC)
- Re-verify documents at every lifecycle event. Credit increase? New product application? Annual review? New documents, new verification. Every time.
- Track document quality over time. If a customer’s bank statements suddenly change in formatting or come from a different source, investigate. This is especially relevant for recurring document submissions.
- Monitor for trigger events. Significant changes in transaction patterns, new connections to high-risk jurisdictions or sudden increases in credit requests should trigger a fresh round of document collection and verification.
For EDD cases
- Source of funds gets the highest scrutiny. For PEPs, high-risk jurisdictions or unusually large transactions, source of funds and source of wealth documents must be verified at the same level as identity documents, if not higher.
- Multiple document types for corroboration. Do not rely on a single document. Request bank statements AND tax returns AND employment verification. The more documents you can cross-reference, the harder it is for a fraudster to maintain a consistent fake narrative across all of them.
- Senior management sign-off with verification evidence. When senior management approves an EDD relationship, they should see the automated verification results alongside the documents themselves. “I reviewed the documents and they looked fine” is not a defensible position when a regulator comes knocking.
The cost of getting KYC document verification wrong
Let’s bring this back to the numbers. KuCoin paid $297 million, a criminal fine of $112.9 million plus asset forfeiture of $184.5 million. They also lost access to the US market for two years. And they are far from alone. Binance paid $4.3 billion in 2023 for similar failures. BitMEX has paid over $200 million in combined penalties since 2021. You see the pattern. Regulators are done asking fintechs whether they have KYC. Now they want proof it actually works.
And “works” increasingly means verifying documents, not just identities. A fintech that can show it verified a customer’s passport but accepted a manipulated bank statement at face value has a compliance problem. The passport check does not save you if the document fraud happened one layer deeper.
Here is the reality:
- Regulators across Europe, the US and Asia are increasing fines for KYC failures
- The definition of “adequate KYC” is expanding well beyond identity verification
- Fintechs are being held to the same standards as traditional banks
- The EU’s AMLA framework will make cross-border enforcement more effective
And here is what the fine print does not tell you: the reputational damage is often worse than the fine itself. When your fintech appears in headlines for facilitating fraud, customer acquisition costs go up, partnerships fall apart and fundraising becomes harder. For a startup, that can be existential.
What you should do right now
If you have read this far, you either have some document verification in place and want to strengthen it, or you are realizing your KYC process has a gap you had not thought about.
Either way, here is where to start:
- Audit your current process. Map out every document type you collect during CDD and EDD. For each one, ask: how do we verify this is genuine? If the answer is “a human looks at it”, that is not verification. That is a hope and a prayer.
- Prioritize bank statements and income documents. These are the most commonly forged and the most consequential when fraud succeeds. Automated verification for these two document types alone will close the biggest gap in most fintech KYC programs.
- Plan for AMLA compliance now. The AMLR applies from July 2027, but the preparation needs to start today. Review the requirements for document verification and assess where you stand.
- Talk to us. At VerifyPDF, we help fintechs add automated document verification to their KYC pipeline. Our API processes documents in seconds, checking the internal structure of PDFs for signs of manipulation that no manual review could catch. Bank statements, payslips, tax returns, source of funds documentation: we have built the infrastructure to verify them at scale.
KYC document verification is not a compliance checkbox. It is how you actually catch fraud. The fintechs that go beyond the selfie and the ID scan to verify the documents that really matter? They will survive the next wave of regulatory scrutiny. The rest will learn the hard way, just like KuCoin did.