How digital identity can improve your customer due diligence and reduce regulatory burden

How regulations affect compliance requirements across multiple sectors.

Does your company need to complete customer due diligence (CDD)? To answer this question, you’ll need to understand what digital identity is and also the specific regulations that govern your industry. To help companies navigate this complex environment, we have created a guide explaining how regulations impact digital identity verification and CDD requirements across the globe. Before we jump right in, what is digital identity?

Digital identity is the online representation of an external entity. The entity could be an individual, a group of individuals, an organization or even a physical object. As companies, especially fintechs and crypto exchanges, increasingly need to verify digital identities, countries keep developing laws that govern online activity and the handling of personal information, particularly when that information becomes accessible to third parties. Data protection laws such as the EU’s GDPR are one part of this picture.

Data protection regulations (GDPR/CCPA)

Data protection laws govern the collection, storage, and usage of personal information. Consumer data privacy has become a hot button issue as transactions for goods & services have continued to shift online. Two of the most sweeping regulations are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

GDPR has applied since 25 May 2018. It covers the personal data of people in the EU and any processing carried out by organizations established in the European Economic Area, and it also reaches organizations outside the EEA that offer goods or services to, or monitor the behaviour of, people in the EU. In this age of cross-border commerce, that means almost any organization serving the European market must comply. Among other things, GDPR requires that personal data be collected for a specified purpose and limited to what that purpose needs (purpose limitation and data minimisation), and that every processing activity rest on a lawful basis, of which the user’s explicit consent is one.

CCPA came into force on 1 January 2020, with enforcement beginning in July 2020. It gives California residents the right to know what personal information a business has collected about them, to request its deletion, and to opt out of the sale of their personal information to third parties. As the most comprehensive US state privacy law at the time of writing, it is often treated as the de facto baseline for the collection, processing and storage of personal information in the United States, which has no single federal equivalent of GDPR.

What does this mean for customer due diligence?

Customer due diligence requires the collection of personal information to identify users, including passport and driver’s licence details. Cross-border transactions mean that several data privacy regimes can apply to a single customer relationship. Compliance must be weighed against the need for speed and efficiency during customer onboarding.

Businesses today must be very deliberate about the information they collect from their users. Collecting more than the stated purpose requires breaches data minimisation obligations under GDPR, while collecting too little leaves a business unable to meet its due diligence obligations; either exposes it to regulatory penalties. We automate compliance with data privacy regulations for customers around the world. We also directly manage the consent and redress requirements associated with the collection and processing of biometrics (face) and identity documents, so that our customers can focus on optimising their customer experience.

Financial Services (AML/CFT)

Under Title III of the US Patriot Act (which amended the Bank Secrecy Act) and the EU’s Anti-Money Laundering Directives, anti-money laundering (AML) and countering the financing of terrorism (CFT) rules require regulated firms to perform customer due diligence and identify the parties to a financial transaction. This process is commonly referred to as “know your customer” (KYC).

Additionally, due diligence requires screening against sanctions lists. UN Security Council sanctions are binding on all UN member states and are implemented through national and regional regimes, so designated individuals and entities, including those listed for terrorism, war crimes or money laundering, must be identified and refused service.

What does this mean for customer due diligence?

The growth of mobile and digital transactions has created a need for digital identity verification of persons using technologies including biometrics (face, fingerprints) and identity documents (passports, driver’s licences).

Passbase automates both biometric and identity document authentication, together with screening against sanctions and financial crime lists. These include the UN Security Council sanctions lists and registers published by the US Office of Foreign Assets Control (OFAC) and HM Treasury, to name a few of the 500+ official registers referenced on our borderless platform.

Ecommerce (PSD2 and SCA)

The Revised Payment Services Directive (PSD2) regulates payment service providers in the European Union. Its goal is to open the payment market to new players, such as third-party providers that access bank accounts with the customer’s consent, while keeping the handling of personal data within the bounds of GDPR. PSD2 also introduced a Strong Customer Authentication (SCA) requirement, detailed in regulatory technical standards (Commission Delegated Regulation (EU) 2018/389) that have applied since 14 September 2019.

Because many merchants and issuers were not ready, the European Banking Authority allowed national supervisors to defer enforcement for e-commerce card transactions until 31 December 2020. SCA requires authenticating the customer with at least two factors from different categories: something the customer knows (knowledge), something they possess (possession) and something they are (inherence). The factors must be independent, so that compromising one does not compromise the others. Note that SCA authenticates a payment or account access; it is separate from, and does not replace, the customer due diligence performed at onboarding.

What does this mean for customer due diligence?

Passbase can make this sometimes difficult process seamless by automating biometric and identity document authentication in tandem, pairing an inherence factor (the user’s face) with a possession factor (the identity document). In addition, our re-authentication option, where returning customers authenticate against their existing information, supports ongoing monitoring. This low-friction process requires only a selfie image, keeping speed and accuracy high while providing strong assurance that the right person is accessing the account. Bear in mind that a selfie on its own is a single inherence factor, so where SCA applies, re-authentication must be combined with a second, independent factor from another category.
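The following is an added example, not Passbase code, showing the category rule a practitioner has to enforce before claiming an authentication satisfies SCA: at least two verified factors from different categories (knowledge, possession, inherence). The mapping of authenticator types to categories, the sample sessions and the function names are assumptions made for this illustration; in particular it treats an authenticity-checked identity document as a possession factor and a live face match as an inherence factor, so a password plus a PIN, or a selfie alone, is correctly rejected.

```python
"""Added example, not Passbase code: check that a set of presented
authenticators meets the PSD2 strong customer authentication rule.

The SCA regulatory technical standards require at least two factors from
different categories (knowledge, possession, inherence). The mapping of
authenticator types to categories below is an assumption for illustration.
"""
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Assumed mapping of authenticator types to SCA categories.
FACTOR_CATEGORY = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "otp_app": POSSESSION,       # code from an app bound to a registered device
    "id_document": POSSESSION,   # document whose authenticity has been checked
    "face_match": INHERENCE,     # live selfie matched to the document photo
    "fingerprint": INHERENCE,
}


@dataclass(frozen=True)
class Factor:
    kind: str        # key in FACTOR_CATEGORY
    verified: bool   # True only if this factor's own check actually passed


def covered_categories(factors):
    """Return the set of SCA categories covered by verified factors.

    Unknown authenticator types raise instead of silently counting as a
    category, so a misconfiguration cannot make the check pass by accident.
    """
    categories = set()
    for f in factors:
        if f.kind not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {f.kind!r}")
        if f.verified:
            categories.add(FACTOR_CATEGORY[f.kind])
    return categories


def meets_sca(factors):
    """True if verified factors cover at least two distinct categories."""
    return len(covered_categories(factors)) >= 2


def sca_decision(factors):
    """Return (passed, reason); the reason is meant for the audit log."""
    cats = covered_categories(factors)
    if len(cats) >= 2:
        return True, "two independent categories: " + ", ".join(sorted(cats))
    if len(cats) == 1:
        only = next(iter(cats))
        return False, f"only one category verified ({only}); a second category is needed"
    return False, "no verified factor"


if __name__ == "__main__":
    # Constructed sample sessions (not real data).
    sessions = {
        "onboarding: document + selfie": [Factor("id_document", True), Factor("face_match", True)],
        "re-auth: selfie only": [Factor("face_match", True)],
        "password + PIN": [Factor("password", True), Factor("pin", True)],
        "document check failed": [Factor("id_document", False), Factor("face_match", True)],
    }
    for name, session in sessions.items():
        print(f"{name}: {sca_decision(session)}")
```

The `verified` flag matters: a factor that was presented but whose own check failed must not count towards the category total, which is why the failed-document session is rejected even though two authenticator types were presented.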

Gig Economy (Right To Work Check)

Right to work checks are mandated in many jurisdictions. They confirm, before a new hire is onboarded, that the person is legally allowed to work in that country or industry. This may involve checking residency or immigration papers, licences to operate specific equipment, or up-to-date certifications.

Penalties for failing to make these checks can be severe. In the UK, for instance, an employer that does not carry out the prescribed check faces a civil penalty for each illegal worker, and knowingly employing someone who has no right to work is a criminal offence carrying up to five years’ imprisonment and an unlimited fine.

What does this mean for employee due diligence?

With such high stakes, right to work checks built on employee identity verification are crucial to the success of gig economy businesses. On top of automating the biometric and identity document authentication needed to identify and onboard hundreds of new workers daily, Passbase offers re-authentication: returning staff authenticate against their existing information, which supports ongoing monitoring. This requires only a selfie image, keeping the process fast and accurate while providing strong assurance that the right employee is accessing their account.

Telemedicine (Fraud and Abuse Laws)

Telemedicine is steadily growing in popularity across the globe. More recently, the Covid-19 outbreak and social distancing measures have driven a sharp rise in demand for remote medical care.

Providers who bill insurers must verify that the patient being treated is the person covered by the insurance information provided at the time of care. Submitting a claim for someone else is a false claim, and under the United States False Claims Act that can mean treble damages (three times the value of the claim) plus a civil penalty for each false claim that is adjusted for inflation and exceeded $11,000 per claim at the time of writing.

What does this mean for patient due diligence?

Considering the associated risks, ensuring your patient is who they claim to be by authenticating their ID and insurance information is critical. By automating biometric and identity document authentication, Passbase’s borderless identity platform verifies insurance card information. The process is designed to deliver speed and accuracy while ensuring that the right patient is accessing care and medical records.

Online Gambling (Age Restricted Products)

Online gambling is banned in many countries. Where it is legal, including in much of the US, the EU and the UK, it is highly regulated, and minors are barred from online casinos, sports betting sites and lotteries. The minimum age is 18 in the UK and many European countries, while US states set it at 18 or 21 depending on the state and the product. This requirement is strictly enforced.

The United Kingdom’s Gambling Act 2005 established the country’s gambling regulator, the Gambling Commission. The Act makes it an offence to do anything that “invites, causes or permits a child or young person to gamble” (Gambling Act 2005, Part 4), and the Commission has the power to levy fines and to suspend or revoke operating licences.

What does this mean for customer due diligence?

The burden of verifying a user’s age and ensuring they are not a minor falls on each business operating under a gambling licence. In addition to automating biometric and identity document authentication, the Passbase borderless identity platform supports re-authentication, which allows returning customers to authenticate against their initial verification.

This low-friction process requires only a selfie image, keeping the check fast and accurate while providing strong assurance that an age-appropriate customer is accessing their registered account.

Future outlook

Privacy laws and regulatory directives for countering terrorism and preventing money laundering continue to evolve as more of our economic activity shifts online. Robust customer, employee and patient due diligence checks at the point of sale, onboarding or registration are key to reducing risk proactively. Fraudulent actors threaten the trust, safety and accessibility of your business for genuine users. Passbase’s borderless identity platform exists to help you meet these challenges effectively.

While we couldn’t possibly cover every relevant regulation across the globe in depth within a single article, we do maintain an excellent cohort of experts ready to guide you through specific regional concerns.

If you’d like to speak with someone from our team, schedule a demo today or send us your questions to

Passbase © 2022


Passbase is an identity verification solution that makes facial recognition, liveness detection, ID verification and KYC and AML compliance accessible through a suite of flexible developer tools. A zero-knowledge architecture ensures that companies using Passbase can securely verify users from over 190 countries without having to store their data. Built for developers, it can be integrated with just a few lines of code on iOS, Android, and Web.