What KYC actually is, in working terms
Strip the acronyms and KYC means three things. First, confirm the customer is who they claim to be. Second, confirm the document they presented is a real government document, not a forgery. Third, confirm the person presenting the document is the legitimate holder, not somebody who found or bought it. Every regulation written in the last twenty years restates those three asks in different language.
The framework lives inside AML, anti-money laundering. AML is the regime; KYC is one control inside it. Other controls in the regime include sanctions screening, transaction monitoring, suspicious-activity reporting, and periodic re-verification. A bank’s compliance team owns all of them. Most enforcement actions hit AML programs that had KYC but failed at one of the others.
Who has to do KYC in 2026?
Every “obliged entity” under FATF guidance and its regional implementations. The list is longer every year. As of 2026 it includes:
- Banks, credit unions, and payment institutions (the oldest category).
- Fintechs that hold money on behalf of users (e-money, neobanks, prepaid cards, BNPL providers above thresholds).
- Crypto-asset service providers (exchanges, custodians, qualified wallets under MiCA in the EU and FinCEN in the US).
- Insurance carriers for life and investment products.
- Real estate agents, dealers in high-value goods, certain legal and accounting professionals when acting in AML-triggering capacities.
- Gambling operators in most jurisdictions.
- Charities and NGOs above thresholds under terrorism-financing rules.
If an entity is on the list and skips KYC, the enforcement cost ranges from a regulatory letter to a multi-billion-dollar fine. The recent enforcement record makes this concrete rather than theoretical.
The eight-step workflow
The workflow every regulated entity ships in some form:
1. Collect customer information. Full legal name, DOB, residential address, nationality, tax ID or national ID. Captured at form submission.
2. Request a government-issued photo ID. Passport, driver’s license, or national identity card. Higher-risk segments add a second document.
3. Authenticate the document. OCR extraction, MRZ check-digit validation, template recognition, ELA (error level analysis), font rendering, PDF metadata, AAMVA barcode payload for US licenses. The check confirms the document is genuine, unaltered, and currently valid.
4. Match the holder to the document. Biometric liveness: a short selfie video with active prompts (turn head left, blink, say a phrase). Defends against photo substitution and deepfake injection.
5. Screen against sanctions, PEP, and adverse media. Real-time check against OFAC, UN, and EU consolidated lists, national equivalents, plus PEP databases (politically exposed persons) and adverse-media indexes.
6. Verify address. A utility bill, bank statement, or government letter dated within 90 days. Required for many tiers of onboarding under AMLD.
7. Risk-score the customer. Assign a rating (low / medium / high / EDD) based on geography, expected transaction profile, source of funds, and verification confidence. Drives ongoing monitoring.
8. Record the audit trail and start monitoring. Store every artifact (document, liveness video, screening result, decision rationale) immutably. Run transaction monitoring and periodic re-KYC by risk tier.
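The MRZ check mentioned in step 3 is the one part of document authentication that can be shown end to end in a few lines. The example below is added here and is not code from the page or from any vendor; it implements the ICAO 9303 check-digit algorithm (weights 7, 3, 1 repeating, sum mod 10) for the second line of a TD3 passport MRZ and reports which field fails when a character has been altered. The sample line is the fictional "Utopia" specimen data from ICAO Doc 9303; the tampered variant is constructed for the demonstration.

```python
import re

def _value(ch: str) -> int:
    """ICAO 9303 character values: digits 0-9, letters A-Z = 10-35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")

def check_digit(field: str) -> int:
    """Weighted sum of the field with weights 7,3,1 repeating, reduced mod 10."""
    weights = (7, 3, 1)
    return sum(_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def validate_td3_line2(line: str) -> dict:
    """Verify every check digit on line 2 of a TD3 (passport-size) MRZ.

    Returns {field_name: bool} so the reviewer can see which field is inconsistent
    rather than a bare pass/fail.
    """
    if not re.fullmatch(r"[A-Z0-9<]{44}", line):
        raise ValueError("TD3 line 2 must be exactly 44 characters of A-Z, 0-9 and <")
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
    }
    results = {name: check_digit(data) == _value(cd) for name, (data, cd) in fields.items()}
    # The composite digit covers document number + its check, birth date + check,
    # and expiry + check + optional data + check, so a field edited with a
    # recomputed field check digit is still usually caught here.
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = check_digit(composite) == _value(line[43])
    return results

def mrz_is_consistent(line: str) -> bool:
    return all(validate_td3_line2(line).values())

# Constructed sample: ICAO Doc 9303 "Utopia" specimen, line 2 (fictional holder).
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Same line with one digit of the birth date changed (simulated alteration).
TAMPERED = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    print("specimen:", validate_td3_line2(SPECIMEN))
    print("tampered:", validate_td3_line2(TAMPERED))
```

A check-digit pass only proves internal consistency of the printed zone; it says nothing about the substrate, fonts or chip, which is why the page lists it alongside the other forensics rather than instead of them.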
KYC without ongoing monitoring is not compliance. It is a snapshot. Regulators in 2026 grade on demonstrated effectiveness, not control presence.
Which documents satisfy KYC?
The base set, accepted in most jurisdictions:
- Photo ID. Passport, driver’s license, national identity card. Some jurisdictions accept residence cards or military IDs. The 2026 recommendation is a passport plus one secondary document for higher-risk segments.
- Proof of address. Utility bill, bank statement, government letter, lease agreement. Dated within 90 days.
- Source-of-funds evidence (enhanced due diligence). Pay slips, employer letters, tax returns, sale-of-asset documentation, inheritance paperwork.
- For PEPs and high-risk jurisdictions. Reference letters, additional source-of-wealth analysis, ongoing media monitoring.
Our ID forgery field guide walks through the specific authenticity checks for the photo ID rail.
The AML overlay: where KYC fits
KYC is one of five major AML controls. The others are customer risk rating (built on KYC output), transaction monitoring (runs continuously after onboarding), suspicious activity reporting (SAR or STR depending on jurisdiction), and sanctions screening (ongoing).
The enforcement record shows the same pattern. KYC programs get fined for missing the document forensics or skipping liveness. AML programs get fined for failing to act on what KYC already surfaced, or for letting transaction monitoring go silent after onboarding. The regulatory shift in 2026 is explicit: regulators grade on demonstrable effectiveness of controls, not on the existence of policies.
KYB: the same controls, applied to businesses
KYB (Know Your Business) is KYC for legal entities. The workflow:
- Identify the legal entity through incorporation documents, business registry extracts, tax registration.
- Identify and verify each ultimate beneficial owner (UBO) at or above the regulatory threshold (typically 25 percent of ownership or voting rights).
- Run KYC on every UBO, every director, and any authorized signatory.
- Screen the entity itself against sanctions and adverse media (entities can be sanctioned independently of their owners).
- Verify accreditation or licensing documents where the business operates in a regulated sector.
The complexity multiplier is significant: a corporate customer with three UBOs and two directors is the equivalent of running five-plus KYCs. Forensic AI on the business documents (certificates of incorporation, memorandum of association, accreditation certificates) is a force multiplier.
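The UBO step above turns into a graph problem as soon as ownership runs through intermediate companies. The example below is added here (not code from the page or any KYB vendor) and uses a constructed, hypothetical ownership graph: it multiplies shares along each chain down to the natural persons, sums them, and applies the 25 percent threshold the page cites. It also shows why a person who holds more than 25 percent of a holding company can still fall below the threshold for the operating company.

```python
from collections import defaultdict

# Constructed ownership graph (hypothetical names): owner -> {owned entity: fraction}.
# Natural persons never appear as owned entities, so they terminate each chain.
OWNERSHIP = {
    "Alice": {"HoldCo": 0.65},
    "Bob": {"HoldCo": 0.35},
    "Carol": {"OpCo": 0.30},
    "HoldCo": {"OpCo": 0.70},
}

def effective_ownership(graph: dict, target: str) -> dict:
    """Map each natural person to their effective (indirect) share of `target`.

    Shares are multiplied along every ownership chain and summed across chains.
    Cross-holdings (cycles) are cut at the first repeat so the walk terminates;
    a real program would flag such structures for manual review.
    """
    owners_of = defaultdict(list)
    for owner, holdings in graph.items():
        for entity, fraction in holdings.items():
            owners_of[entity].append((owner, fraction))
    result = defaultdict(float)

    def walk(entity: str, share: float, path: tuple) -> None:
        if entity not in owners_of:          # natural person: chain ends here
            result[entity] += share
            return
        for owner, fraction in owners_of[entity]:
            if owner in path:                # cycle guard for cross-holdings
                continue
            walk(owner, share * fraction, path + (owner,))

    walk(target, 1.0, (target,))
    return dict(result)

def ubos(graph: dict, target: str, threshold: float = 0.25) -> list:
    """Natural persons at or above the threshold, which is the regulatory default on this page."""
    shares = effective_ownership(graph, target)
    return sorted(p for p, s in shares.items() if s + 1e-9 >= threshold)

if __name__ == "__main__":
    print(effective_ownership(OWNERSHIP, "OpCo"))
    print("UBOs:", ubos(OWNERSHIP, "OpCo"))
```

Bob owns 35 percent of HoldCo but only 24.5 percent of OpCo, so on a pure ownership test he is not a UBO of OpCo; regimes that also count control (voting rights, board appointment) would need an additional rule on top of this calculation.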
Where KYC programs trip on enforcement
The recurring patterns, drawn from the enforcement record of the last several years:
- No forensic check on the document. The team did OCR and a sanctions screen but never authenticated the document itself. Forgery rates in these programs run an order of magnitude higher.
- Liveness skipped on remote onboarding. Without liveness, photo-substitution and deepfake attacks succeed. The 2026 deepfake injection rate is high enough that liveness is now the most-targeted control.
- Sanctions screen runs once, then never. Sanctions lists update daily. A customer onboarded clean in January is on the list in March. Ongoing screening is the control regulators care about.
- Risk score never updates. A customer whose transaction profile shifts dramatically is still rated low-risk because the score was set at onboarding. Dynamic risk re-scoring is the 2026 expectation.
- Audit trail incomplete or mutable. A regulator asks for the verification artifacts six months after onboarding. The team can only produce the outcome, not the underlying evidence. Documentation is the cheapest control to get right and the most commonly fined when missing.
Frequently asked questions
What is KYC document verification in one sentence?
The regulated process of authenticating a customer’s identity by inspecting government-issued documents and matching the holder to the document.
What is the difference between KYC and AML?
AML is the regulatory regime; KYC is one control inside it. AML also covers transaction monitoring, suspicious activity reporting, and sanctions screening. KYC is specifically the identity check.
Is KYC the same in every country?
The principles are FATF-aligned. The specifics differ. EU AMLD, US BSA, UK MLR, and Singapore MAS share concepts but diverge on document lists, risk thresholds, and ongoing monitoring frequency.
How long does KYC take in 2026?
A clean retail KYC takes 90 seconds to 5 minutes. Edge cases that escalate to human review take 1 to 3 business days. Enhanced due diligence takes 5 to 20 business days.
Can KYC be done remotely?
Yes. Remote KYC is the dominant mode in 2026. The control that makes remote KYC defensible is biometric liveness paired with forensic document AI. Without those two, remote KYC falls short of current AML guidance.