Choosing a KYC Vendor
A PM-flavored, engineer-readable playbook for selecting an Identity Verification / KYC vendor. Scorecards, an RFP template, due-diligence checklists, orchestration patterns, a pilot plan, and a go-live runbook. Use it; don't just read it.
This is a working artifact. Copy the tables into Notion / Coda / Google Sheets, fill in your weights and vendor responses, run the process. Each page is independently usable — start at 01 — Scorecard if you already have a vendor short-list, or read this hub first if you're still scoping the decision.
Why this decision matters more than people think
Choosing a KYC / IDV vendor looks like a procurement exercise. It isn't. It's a multi-year, multi-stakeholder decision that locks in user experience, unit economics, regulatory posture, and operational risk simultaneously. Most teams under-invest here, then spend the next 18 months working around the consequences.
1. Vendor lock-in is real and expensive
Migration costs are dominated not by integration (a few engineer-months) but by:
- Re-verification of the active user base — every user previously verified on Vendor A may need to be re-screened on Vendor B for regulator acceptance, at $0.50–$5 per check. For a 5M-user book that's $2.5M–$25M.
- Document retention obligations — most regulators require 5–7 years of retention. Switching vendors means either continued payment to Vendor A for archive access, or migrating encrypted PII, which is legally and technically nasty.
- Audit-trail continuity — examiners want to follow a single thread; mid-stream vendor changes invite questions you don't want.
2. Regulator implications travel with the vendor
Different jurisdictions explicitly approve, tolerate, or reject specific vendors. A vendor that's accepted by the FCA may not satisfy MAS, BaFin, or the NYDFS. Your vendor choice constrains your geographic expansion roadmap in ways the procurement team cannot evaluate alone.
3. False-positive economics dominate everything
A 2% false-reject rate at an IDV step that sits 60% of the way through a funnel with 25% top-to-bottom conversion loses real users at the most expensive moment: after you've paid to acquire them and before they've generated any revenue. Vendors don't publish false-reject rates, and any figure they quote was measured on someone else's population. You have to measure it yourself, on your own users, in the bake-off.
If your blended CAC is $80 and your top-of-funnel cost per IDV attempt is $1.50, every legitimate user falsely rejected at IDV throws away roughly $80 of marketing spend, so each point of false-reject rate costs far more than the check itself. That is before counting the brand damage of telling a legitimate user they look like a fraudster.
4. The real cost is rarely the per-check fee
Vendors price the IDV check. The actual P&L line item is: per-check fee + AML/sanctions hit fee + re-verification fee + minimum commitment overage + KYB sub-checks + edge-case manual review fees + dispute SLAs + data export fees. The headline price is 30–60% of total cost of ownership.
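To put numbers on points 3 and 4 above, here is an added worked example (not code from the playbook or from any vendor): it models one period of IDV traffic, adds the sunk acquisition spend and forgone margin of every falsely rejected legitimate user to the fee and manual-review lines, and then answers the procurement question directly: how much more per check a better-performing vendor is worth. Every figure (funnel size, legitimate share, sunk cost, margins, vendor rates) is a constructed assumption; the false-reject rates in particular must come from your own bake-off, not from the RFP response.

```python
"""IDV false-reject economics: added example, not code from the playbook.

Puts numbers on the argument above: the per-check fee is small next to the
acquisition spend already sunk into each legitimate user who reaches IDV and
is wrongly rejected. All figures are constructed assumptions; measure your
own false-reject rates in the sandbox bake-off.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Funnel:
    attempts: int                    # IDV attempts in the period
    legit_share: float               # fraction of attempts from legitimate users
    sunk_cost_per_attempt: float     # acquisition spend already sunk per user reaching IDV
    margin_per_verified_user: float  # expected contribution of a user once verified


@dataclass(frozen=True)
class Vendor:
    name: str
    fee_per_check: float
    false_reject_rate: float   # share of legitimate users wrongly rejected (measured, not quoted)
    manual_review_rate: float  # share of attempts that fall into human review
    review_cost: float         # fully loaded cost of one manual review


def period_cost(f: Funnel, v: Vendor) -> dict[str, float]:
    """Break down the true cost of running vendor `v` over funnel `f` for one period."""
    fees = f.attempts * v.fee_per_check
    reviews = f.attempts * v.manual_review_rate * v.review_cost
    lost_users = f.attempts * f.legit_share * v.false_reject_rate
    wasted_acquisition = lost_users * f.sunk_cost_per_attempt
    forgone_margin = lost_users * f.margin_per_verified_user
    return {
        "fees": fees,
        "manual_review": reviews,
        "lost_legit_users": lost_users,
        "wasted_acquisition": wasted_acquisition,
        "forgone_margin": forgone_margin,
        "total": fees + reviews + wasted_acquisition + forgone_margin,
    }


def cost_per_frr_point(f: Funnel) -> float:
    """Cost, per IDV attempt, of each additional percentage point of false-reject rate."""
    return 0.01 * f.legit_share * (f.sunk_cost_per_attempt + f.margin_per_verified_user)


def max_fee_to_match(f: Funnel, cheap: Vendor, better: Vendor) -> float:
    """Highest per-check fee `better` could charge and still cost no more than `cheap` overall.

    Compares everything except the fee line, then spreads the gap across every check.
    """
    cheap_other = period_cost(f, cheap)["total"] - f.attempts * cheap.fee_per_check
    better_other = period_cost(f, better)["total"] - f.attempts * better.fee_per_check
    return cheap.fee_per_check + (cheap_other - better_other) / f.attempts


if __name__ == "__main__":
    # Constructed numbers: a 100k-attempt period, two vendors with different performance.
    funnel = Funnel(attempts=100_000, legit_share=0.95,
                    sunk_cost_per_attempt=30.0, margin_per_verified_user=40.0)
    cheap = Vendor("cheap", fee_per_check=0.90, false_reject_rate=0.05,
                   manual_review_rate=0.08, review_cost=4.0)
    better = Vendor("better", fee_per_check=1.20, false_reject_rate=0.02,
                    manual_review_rate=0.03, review_cost=4.0)
    for v in (cheap, better):
        print(v.name, {k: round(x, 2) for k, x in period_cost(funnel, v).items()})
    print(f"each FRR point costs ${cost_per_frr_point(funnel):.2f} per attempt")
    print(f"'better' breaks even with 'cheap' at ${max_fee_to_match(funnel, cheap, better):.2f}/check")
```

With the constructed inputs the vendor that is 30¢ cheaper per check costs about $190k more over the period, and the better vendor would still break even at roughly $3.10 per check. Swap in your own measured false-reject and manual-review rates before using the break-even number in a negotiation.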
The decision framework
The whole playbook hangs on five questions, answered in order. If you can't answer 1–3 confidently, you're not ready to RFP.
| # | Question | What it determines | Where in the playbook |
|---|---|---|---|
| 1 | What are you actually verifying, against what regulatory regime, in which jurisdictions? | The shortlist. KYB-heavy needs differ from consumer IDV; EMI rules differ from MSB. | 01 § Scope |
| 2 | What are your non-negotiable kill-switch criteria? | Disqualifies vendors before you waste cycles on them. | 01 § Kill switches |
| 3 | What's your weighting across capability / performance / cost / compliance / integration / ops / commercial? | How you'll actually rank. | 01 § Weighting |
| 4 | Single vendor, waterfall, A/B, geo-routed, or decision-engine? | How many vendors you actually procure. | 04 — Orchestration |
| 5 | What does "good" look like at Day 30 / 90 / 365 post-launch? | Your exit criteria from pilot and your switch triggers. | 05 — Pilot & 06 — Runbook |
Vendor landscape (May 2026)
The market clusters into four buckets. Most teams need vendors from at least two of them. Pricing ranges are public-sourced and approximate; expect 20–60% off list with volume commitment.
Consumer IDV (document + selfie + liveness)
| Vendor | Sweet spot | Notes |
|---|---|---|
| Persona | US-heavy fintech, dynamic flows, configurability | Strong workflow builder; KYB acceptable; pricier at the high end |
| Onfido (Entrust) | UK / EU regulated, established | Acquired by Entrust 2024; document library is broad |
| Jumio | Enterprise, broad global coverage | Mature, enterprise pricing, slower iteration |
| Veriff | Crypto / high-risk verticals, EU base | Strong liveness; competitive on price; Travel Rule offering |
| Sumsub | Crypto, emerging markets, KYB | One-stop: IDV + KYB + AML + Travel Rule; deep coverage in CIS / MENA / LATAM |
| Socure | US — non-doc / data-only IDV | Data-network model; very strong on US consumer; not a doc vendor |
| Plaid IDV | US, when you already use Plaid for banking | Bundled economics; thinner outside US |
| AU10TIX | Document-forensics heavy | Strong on doc authenticity; enterprise sales motion |
| Incode | LATAM, biometrics-first | Strong in Mexico / Brazil; biometric authentication strength |
| IDnow | EU regulated, video-ident (DE / AT) | The default for German BaFin video-ident; niche outside DACH |
| Trulioo | Data-only IDV at global breadth | 200+ countries via aggregated data; weaker on doc / biometric |
Sanctions / PEP / adverse-media screening
| Vendor | Sweet spot | Notes |
|---|---|---|
| ComplyAdvantage | Modern API, fintech-friendly, ongoing monitoring | Doubles as a lighter IDV; preferred for greenfield builds |
| LSEG World-Check | Bank-grade, examiner-recognized | The "no one ever got fired for buying" option; expensive |
| Refinitiv (now LSEG) | Same family as World-Check post-merger | Strong adverse-media corpus |
| Dow Jones Risk & Compliance | PEP & adverse media depth | Strong PEP curation; enterprise pricing |
| Quantexa | Network / entity-resolution analytics | Not a pure screener; investigations / case management |
KYB (Know-Your-Business)
Pure-play KYB and combined IDV+KYB providers overlap. Common choices: Middesk (US), Sumsub, Persona, Onfido, Trulioo (Bizio), FullCircl (UK / EU), Kompany (now Moody's). UBO resolution quality varies enormously — test it on your real expected business profiles.
Specialty
- Travel Rule (crypto): Notabene, Sumsub, Veriff, TRP, Shyft, Sygna.
- Age verification: Yoti, AgeChecked, Veratad, Persona (age estimation).
- Attestation / re-KYC lite: Footprint, Stytch, Auth0 + IDV partner.
- SBA-style proof-of-business in US: Middesk, Baselayer, Persona KYB.
Vendor positioning and ownership shift quickly. Always validate the current state via Gartner's IDV Magic Quadrant, Liminal's Link Index, KuppingerCole, and recent G2 reviews — and ask candidate vendors directly whether they've been through (or are pursuing) acquisition, layoffs, or funding events in the last 12 months.
The playbook
Six chapters. You don't have to read them in order, but the numbering matches a typical procurement timeline (8–14 weeks from kickoff to signed contract).
- 01 Scorecard: 38 weighted criteria across capability, performance, cost, compliance, integration, ops, and commercial. Worked example with four vendors. The kill-switch table.
- 02 RFP Template: The literal RFP document, with sections, questions, response format, and scoring rubric. Copy-paste into a Google Doc, edit your specifics, send.
- 03 Due Diligence: Security (SOC 2 Type II / ISO 27001), GDPR / data-residency probes, financial health, reference-call script, legal / commercial gotchas.
- 04 Orchestration Patterns: Single vendor, waterfall, A/B, geo-routing, decision-engine, with pros, cons, and JSON / Python configuration shapes.
- 05 Pilot & Rollout: Pilot design, sample sizes, success metrics. The 0% → 1% → 10% → 50% → 100% phased rollout and the geo-staging playbook.
- 06 Go-Live Runbook: Day -7, Day -1, Day 0, Day +1, Day +7, Day +30 checklist. On-call, dashboards, rollback triggers, post-launch monitoring.
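The orchestration patterns named for chapter 04 are easier to reason about in code than in prose, so here is an added example (my own illustration, not code from the playbook or from any vendor) that combines three of them in one router: geo-routing picks the vendor order per country, an A/B split sends a deterministic slice of a country's traffic to a candidate vendor first, and a waterfall falls through to the next vendor when a call fails or comes back inconclusive. The config keys, vendor ids and adapter interface are assumptions; the vendor adapters are stand-ins that return constructed outcomes. Two details matter for security: the A/B bucket is a keyed hash, so bucket membership can't be predicted from a user id and the raw id never needs to appear in routing logs, and the router fails closed, so exhausting the waterfall yields manual review, never an approval.

```python
"""Vendor orchestration router: added example, not code from the playbook or any vendor.

Geo-routing, deterministic A/B splitting and a waterfall fallback in one
place, driven by a JSON-shaped config. Config keys, vendor ids and the
adapter interface are assumptions for illustration.
"""
import hashlib
import hmac
import json
from typing import Callable

# Config as it might be stored as JSON (constructed example).
ROUTING_CONFIG = json.loads("""
{
  "default": {"vendors": ["vendor_a", "vendor_b"]},
  "geo": {
    "DE": {"vendors": ["vendor_c", "vendor_a"]},
    "US": {"vendors": ["vendor_a", "vendor_b"],
           "ab": {"candidate": "vendor_b", "percent": 10}}
  },
  "disabled": ["vendor_d"],
  "max_attempts": 2
}
""")

FINAL = {"approved", "rejected"}          # outcomes that end the waterfall
RETRYABLE = {"inconclusive", "unavailable"}  # outcomes that fall through to the next vendor

# Bucketing secret: constructed here; in production load it from a secret store and rotate it.
BUCKET_KEY = b"constructed-bucketing-key-rotate-me"


def ab_bucket(user_id: str, experiment: str, key: bytes = BUCKET_KEY) -> int:
    """Deterministic 0-99 bucket from a keyed hash of (experiment, user_id).

    Keyed so membership cannot be predicted from the user id alone; log the
    bucket or a hash prefix, never the raw id.
    """
    digest = hmac.new(key, f"{experiment}:{user_id}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 100


def vendor_order(cfg: dict, country: str, user_id: str) -> list[str]:
    """Ordered waterfall for this user: geo route, then A/B promotion, minus kill-switched vendors."""
    route = cfg["geo"].get(country, cfg["default"])
    order = list(route["vendors"])
    ab = route.get("ab")
    if ab and ab_bucket(user_id, f"ab:{country}") < ab["percent"]:
        # Candidate goes first; the usual primary becomes its fallback.
        order = [ab["candidate"]] + [v for v in order if v != ab["candidate"]]
    disabled = set(cfg["disabled"])
    return [v for v in order if v not in disabled]


def route_check(cfg: dict, country: str, user_id: str,
                adapters: dict[str, Callable[[str], str]]) -> dict:
    """Run the waterfall. Fails closed: no final answer means manual review, never approval."""
    tried: list[tuple[str, str]] = []
    for vendor in vendor_order(cfg, country, user_id)[: cfg["max_attempts"]]:
        try:
            outcome = adapters[vendor](user_id)
        except Exception:  # timeouts, 5xx, missing adapter: treat as vendor unavailable
            outcome = "unavailable"
        if outcome in FINAL:
            tried.append((vendor, outcome))
            return {"decision": outcome, "decided_by": vendor, "path": tried}
        if outcome not in RETRYABLE:
            outcome = "unknown"  # unexpected state from a vendor is not trusted as a decision
        tried.append((vendor, outcome))
    return {"decision": "manual_review", "decided_by": None, "path": tried}


if __name__ == "__main__":
    # Stand-in adapters returning constructed outcomes.
    demo_adapters = {
        "vendor_a": lambda uid: "approved",
        "vendor_b": lambda uid: "inconclusive",
        "vendor_c": lambda uid: "unavailable",
    }
    print(json.dumps(route_check(ROUTING_CONFIG, "DE", "user-123", demo_adapters), indent=2))
```

The `disabled` list is the per-vendor kill switch the runbook's rollback triggers would flip; because `vendor_order` filters it on every call, disabling a vendor takes effect on the next check without a deploy. A decision-engine pattern would replace the static `vendors` list with a function of risk signals, but the fail-closed tail of `route_check` should stay the same.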
Suggested timeline
From "we need an IDV vendor" to "verified production traffic flowing." Aggressive but realistic for a Series B+ fintech with a working compliance function.
| Week | Phase | Output | Playbook page |
|---|---|---|---|
| 1 | Scope & weighting | Kill-switch list, weighted scorecard skeleton, 8–12 vendor longlist | 01 |
| 2–3 | RFI / RFP issuance | RFP sent to 5–7 vendors; demo bookings | 02 |
| 4–5 | RFP scoring & demos | Shortlist of 3 vendors | 01 |
| 5–6 | Due diligence | SOC 2 reports reviewed, references called, legal review of MSA | 03 |
| 6–8 | Sandbox bake-off | Side-by-side test on a fixed sample set; performance metrics measured | 05 § Sandbox |
| 8–10 | Negotiation & signature | MSA + DPA + order form signed | 03 § Negotiation |
| 10–12 | Integration build | Production-ready integration in dark-launch mode | 04 |
| 12–14 | Phased rollout | 1% → 10% → 50% → 100%, with exit criteria checked at each gate | 05, 06 |
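The last row of the timeline says exit criteria are checked at each rollout gate; the following added example (my own illustration, not code from the playbook) shows what such a gate check looks like when written down rather than eyeballed from a dashboard. It compares the candidate vendor's cohort against the incumbent baseline on the metrics the playbook names (completion, false rejects, time-to-decision, manual-review queue) and returns proceed, hold, or rollback. Hard operational triggers fire at any sample size; the rate comparisons use a pooled two-proportion z-test so a 1% cohort with too few attempts holds rather than advances on noise. Thresholds, cohort sizes and counts are constructed assumptions; the false-reject count assumes you have a way (appeals, manual-review overturns) to label rejections of legitimate users after the fact.

```python
"""Rollout gate evaluation: added example, not code from the playbook.

Decides whether a phased rollout (1% -> 10% -> 50% -> 100%) may advance,
should hold for more data, or should roll back, by comparing the candidate
vendor's cohort with the incumbent baseline. All thresholds and cohort
numbers are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Cohort:
    attempts: int
    completed: int               # attempts that reached a final decision
    false_rejects: int           # rejections later overturned as legitimate users
    p95_decision_seconds: float
    review_queue: int            # open manual-review cases attributable to this cohort


@dataclass(frozen=True)
class Gate:
    min_sample: int = 1000            # below this the rate tests are noise: hold, don't advance
    alpha: float = 0.01               # significance level for the regression tests
    max_completion_drop: float = 0.02  # absolute drop in completion rate tolerated
    max_frr_increase: float = 0.005    # absolute rise in false-reject rate tolerated
    max_p95_seconds: float = 120.0     # hard rollback trigger
    max_review_queue: int = 500        # hard rollback trigger


def normal_cdf(x: float) -> float:
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def two_proportion_test(x1: int, n1: int, x2: int, n2: int) -> tuple[float, float]:
    """Pooled two-proportion z-test. Returns (z, two-sided p); z < 0 means cohort 1 is lower."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    return z, 2.0 * (1.0 - normal_cdf(abs(z)))


def evaluate_gate(candidate: Cohort, baseline: Cohort, gate: Gate = Gate()) -> dict:
    """Return {"decision": "proceed" | "hold" | "rollback", "reasons": [...]}."""
    reasons: list[str] = []

    # Hard triggers fire at any sample size: these are the on-call rollback conditions.
    if candidate.review_queue > gate.max_review_queue:
        reasons.append(f"review queue {candidate.review_queue} > {gate.max_review_queue}")
    if candidate.p95_decision_seconds > gate.max_p95_seconds:
        reasons.append(f"p95 decision {candidate.p95_decision_seconds}s > {gate.max_p95_seconds}s")
    if reasons:
        return {"decision": "rollback", "reasons": reasons}

    if candidate.attempts < gate.min_sample:
        return {"decision": "hold",
                "reasons": [f"only {candidate.attempts} attempts < {gate.min_sample}"]}

    # Completion: a significant drop beyond tolerance is a regression.
    c_rate = candidate.completed / candidate.attempts
    b_rate = baseline.completed / baseline.attempts
    z, p = two_proportion_test(candidate.completed, candidate.attempts,
                               baseline.completed, baseline.attempts)
    if c_rate < b_rate - gate.max_completion_drop and p < gate.alpha:
        reasons.append(f"completion {c_rate:.3f} vs {b_rate:.3f} (z={z:.1f}, p={p:.2g})")

    # False rejects: a significant rise beyond tolerance is a regression.
    c_frr = candidate.false_rejects / candidate.attempts
    b_frr = baseline.false_rejects / baseline.attempts
    z, p = two_proportion_test(candidate.false_rejects, candidate.attempts,
                               baseline.false_rejects, baseline.attempts)
    if c_frr > b_frr + gate.max_frr_increase and p < gate.alpha:
        reasons.append(f"false-reject {c_frr:.3f} vs {b_frr:.3f} (z={z:.1f}, p={p:.2g})")

    if reasons:
        return {"decision": "rollback", "reasons": reasons}
    return {"decision": "proceed", "reasons": ["no regression beyond tolerance at this sample size"]}


if __name__ == "__main__":
    # Constructed cohorts: incumbent baseline vs a 1% candidate slice.
    baseline = Cohort(attempts=20_000, completed=17_000, false_rejects=300,
                      p95_decision_seconds=40.0, review_queue=120)
    candidate = Cohort(attempts=2_000, completed=1_500, false_rejects=30,
                       p95_decision_seconds=45.0, review_queue=60)
    print(evaluate_gate(candidate, baseline))
```

Run it at every gate with the cohort counters for the current percentage; the "hold" outcome is what stops a team from promoting 1% to 10% on a Friday because the dashboard looked fine after 200 attempts. The anti-pattern about having no baseline applies directly: without the `baseline` cohort there is nothing to test against.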
Anti-patterns
The mistakes that consume the most calendar time across the procurement teams I've watched run this process:
- Letting the vendor demo set the scorecard. Build your weights before the first demo. Otherwise the most charismatic AE wins.
- Optimizing for per-check price. A 30¢/check savings is irrelevant against a 3-point conversion swing or a manual-review queue blowing up.
- Skipping the sandbox bake-off. RFP responses are not measurements. They're vendor marketing. Always run the same sample set through the shortlist.
- Buying one vendor for everything. The best IDV vendor is rarely the best AML vendor is rarely the best KYB vendor. Composition is the norm.
- No exit clause. Sign a 3-year contract with no off-ramp and you've voluntarily surrendered your negotiating leverage for the life of the contract.
- Compliance late. If your MLRO / CCO first sees the vendor at week 9, you'll restart the process at week 10.
- No baseline. If you can't articulate your current false-reject / completion / time-to-decision numbers, you can't measure improvement.
Bring your MLRO / compliance lead in at week 1. Bake-off in a sandbox before signing. Always negotiate an exit clause. Never sign a 3-year contract without a price-renegotiation trigger.