Introduction to Identity Verification

Plaid Identity Verification lets you verify the identity of your customers and seamlessly stitches together verification methods. Using Identity Verification, you can verify identification documents, phone numbers, name, date of birth, ID numbers, addresses, and more. Identity Verification also integrates directly with Monitor for an end-to-end verification and KYC solution.

Plaid Identity Verification can also be used together with Plaid Identity in a single workflow to provide full identity verification and fraud reduction. Identity Verification is used to verify that the user of your app is the person they claim to be, while Identity is used to confirm that the ownership information on their linked bank or credit card account matches this verified identity.

Identity Verification can be used to verify end users in nearly 190 countries. To integrate with Identity Verification, your company must be based in the US, Canada, or UK.

Plaid offers a variety of verification checks to choose from. You can combine multiple verification checks within a single Identity Verification template via the Workflow Management editor, and even run certain checks conditionally, such as only running a particular verification if another verification fails, or running different checks based on your user's country of origin.

For a more in-depth view of Identity Verification checks, including details on what each check verifies and how to handle failures, see Identity Verification Manual. After running your selected checks, Identity Verification will also display a set of granular risk scores (email risk, phone risk, etc.) in the Dashboard for each session, along with an overall risk score, helping you to understand which factors contributed to the session passing or failing and which sessions have been identified as the highest risk.

Data Source Verification (formerly known as Lightning Verification) verifies a user's name, address, date of birth, phone number, and ID number (such as SSN) against available records. These records are sourced from high-quality, trusted databases such as voter and driver registration records, property records, and credit bureau records. You can configure the level of matching required for each field in your template’s Identity Rules. The results of this check will be summarized in the kyc_check object in the API.

Document Verification prompts the user to upload an image of an identity document. Plaid will use anti-fraud checks to verify that the document appears to be legitimate and is unexpired. Plaid will also verify the date of birth and name on the document against the data provided by the user (other fields that may be present on the document, such as address or national ID number, will not be verified). You can review and configure which document types are supported for each country.

When Selfie Check is enabled, the user will be asked to take a selfie on their mobile device as part of the verification process. Plaid will verify that the selfie submitted is a live video of a real human. If Document Verification is enabled, Selfie Check will also verify that the selfie matches the photo in the document.

If the user is on a non-mobile device, Plaid will display a QR code that they can use to perform the Selfie Check on mobile. They will resume the computer-based flow once the Selfie Check is complete. This handoff process is automatic and does not require any integration work on your part.

SMS Verification will verify a user's phone number by asking them to enter a code sent via SMS.

If you're also using Monitor, AML Screening allows you to screen a user against government watchlists during an IDV session by incorporating one of your Monitor screening programs into an IDV template.

Plaid automatically runs anti-fraud checks in the background of a user’s verification session and summarizes the results into several categories. The data collected in each category is analyzed and assigned a risk level. Whether the overall risk check passes or fails is determined by the template’s Risk Rules, which you can configure. For more details on the risk check process, see Anti-fraud monitoring.

The steps below explain how to set up the standard Identity Verification flow. For details on other flow options, including the backend-only flow and hosted UI flow, see Integration options for Identity Verification.

Note that unlike other Plaid products, which are configured primarily via the API, most options for Identity Verification are configured on the web, via the Template Editor within the Identity Verification Dashboard. Detailed documentation on configuring Identity Verification templates is available via in-app help within the Template Editor. To request access to the Template Editor and Identity Verification Dashboard, contact your Plaid Account Manager, or file a Product Access request.

1. Visit the Plaid Dashboard and select Identity Verification from the left sidebar. If you don't see this option, you may need to talk to your Plaid Account Manager and ask them to enable this product for you, or file a Product access request.
2. Select or create the template you want to use, click the Integration button, and copy the template_id.
   • (Optional) If you plan to integrate with Monitor, make sure to enable the AML Screening option and select the appropriate Monitor program within the IDV template editor.
3. (Optional) Call /identity_verification/create if you already have information about your user that you can fill out on their behalf. See pre-populating user information for more details.
4. Call /link/token/create. In addition to the required parameters, you will need to provide the following:
   • For identity_verification.template_id, use the template_id you copied in step 2.
   • For products, use ["identity_verification"]. Identity Verification is mutually exclusive with other products.
   • Provide user.client_user_id and optionally user.email_address. See below for details on these fields.
5. On your web or mobile client, create an instance of Link using the link_token returned by /link/token/create; for more details, see the Link documentation.
6. When the user has successfully completed the client-side Link flow, you will receive an onSuccess callback and be able to review the session in the dashboard. The onSuccess callback will return a Link session ID that can be used as the identity_verification_id in the next step. Unlike some other Plaid products, Identity Verification will not return a public token in onSuccess.
7. To retrieve the status of your user's verification attempt, make a call to /identity_verification/get, passing in the verification session ID. You can retrieve this session ID from the metadata in the Link callbacks, from the /identity_verification/create response, or from the Identity Verification webhooks that Plaid sends during the process.
8. You can retrieve a list of all of your user's verification attempts by making a call to /identity_verification/list, passing in the client_user_id and the template_id.

You can optionally track the progress of users through the Link flow via client-side callbacks and events. For more information, see Link callbacks.

Identity Verification is fully supported by Plaid's mobile SDKs. Because the end user may need to use the camera during the Identity Verification flow, your app must request certain permissions in order to fully support Identity Verification flows on mobile. For more details, see the documentation for the Android and iOS SDKs.

The mandatory client_user_id field should be a unique and persistent identifier for your customer, such as the id field on your users table.

Identity Verification intelligently handles sessions being started with the same client_user_id multiple times. If your customer starts a Link session, closes it, reopens it, and reopens your Link integration, their session will resume from where they left off. Likewise, if your customer has completed their Link session in the past (by either failing verification or passing), Plaid will not serve them another session unless you've manually authorized another attempt from the dashboard or made a call to /identity_verification/retry.

Plaid indexes the client_user_id you provide, allowing you to look up users using your internal id.

If you do not want to expose your internal id to Plaid directly, you can symmetrically encrypt the identifier with a secret key that only your servers know.

During /link/token/create or /identity_verification/create, Identity Verification accepts email_address as an optional additional parameter. While the field is optional, we highly recommend providing it. Identity Verification will include the user's email in the Link session and perform a number of anti-fraud related checks, including analyzing social networks, abusive emails, and email address trustworthiness.

Identity Verification offers several options for streamlined flows.

If you already know some information about your user (such as their name, phone number, or address), you can simplify the verification process by making a call to /identity_verification/create, passing in any information you know about your user, including their client_user_id. When you open up a Link session against this same client_user_id, Identity Verification can make use of the information that you passed in. Any fields or screens requesting information you already provided will be skipped (not shown) in the UI. For data format specifications, see Hybrid Input Validation.

If you have already obtained a user's information and their consent to share it with Plaid, and do not need interactive capabilities such as Document Check, Selfie Check, or SMS verification, you can bypass the Identity Verification UI entirely and run an entirely programmatic verification:

1. Create a template that requires only Data Source (KYC) check and does not use SMS verification.
2. Call /identity_verification/create with all the user data required by this template and gave_consent: true.
3. Wait for the STATUS_UPDATED webhook to fire for the id returned by /identity_verification/create. Alternatively, you can poll /identity_verification/get with this id until the status is no longer active.
4. Call /identity_verification/get with the id returned by /identity_verification/create to retrieve the status of the verification.

When using the backend-only flow, the Network Risk, Device and IP Address, and Behavioral Analytics checks will be unavailable, as they require client-side input.

Identity Verification offers the option to generate Plaid-hosted verification links. These links can be used in scenarios where your user signed up for your service outside of an app or website -- for example if a user is opening a bank account or applying for a loan in person at a brick-and-mortar retail location. To generate a verification link, click Create verification from the Identity Verification template view in the dashboard. Alternatively, you can call /identity_verification/create with is_shareable: true; a verification link will be returned in the shareable_url field of the response. Once you have shared the verification link, the user can open the link and complete the verification on their phone or other device.

Note that verification links are intended to be sent directly to your users; hosting verification links via iframe will be blocked.

When auto-fill is enabled, Plaid will use the user's phone number and date of birth to attempt to auto-fill other fields. The user will be asked to confirm their auto-filled information is accurate before submitting. Auto-fill can only be enabled when using SMS Verification and Data Source Verification and is only available for US verifications.

If you want to give a user another attempt to verify their identity -- for example, if they failed verification due to a typo -- you can issue them a retry. This can be done from the dashboard when reviewing a verification by clicking Request Retry and selecting the steps to include, or via API by calling /identity_verification/retry with their client_user_id, template_id, and the strategy you want to use.

Retries can be issued from any verification check. Any steps included in the retry will be reset and cleared of any PII entered by the user or passed via API in previous verification attempts. Data Source data can be passed programmatically for a retry by calling /identity_verification/retry and passing the user’s data in the user object. /identity_verification/create should only be used to create an initial session for users who have never been verified before.

Each retry will generate a new session_id, with the same client_user_id and template_id used in the original session. Retries will use the most recent version of the template, which may be different from the version used in the original verification session. Retries are billed at the same rate as regular sessions.

Step-up verification

Retries can also be used as part of a "step-up" verification process. To use retries in this way, send the user through Identity Verification, and examine the results via the Dashboard or /identity_verification/get. If their risk results meet your criteria for requiring a step-up, you can issue a retry using a different template_id. For example, you might send users through a template that doesn't require documentary verification, but if their risk check failed, you might step them up to a new template that does require documentary verification.

If you are a customer of Identity or Assets, you can seamlessly compare a user's financial accounts with their Identity Verification profile. When a user verifies their identity and links their accounts with Plaid, we detect if they are linking a bank account that belongs to them. In the Plaid Dashboard, you’ll see "match" scores against the account owner’s name, email, phone number, and address.

To turn on this feature, you will need to enable it in the template editor and call /identity/get, /identity/match, or /asset_report/create with the same client_user_id that was used for Identity Verification. Financial Account Matching will only run if the client_user_id is associated with a successful (passed) Identity Verification session.

Identity Verification offers the ability to flag a session as fraudulent via the Dashboard. Labeling fraudulent sessions will allow Identity Verification to refine its fraud model, resulting in higher fraud detection accuracy for your integration.

Identity Verification currently supports flows in English, French, Spanish, Japanese, and Portuguese. Link will attempt to auto-detect the correct language based on the user's browser settings. Users can also manually change the language of their session through a dropdown in the Link UI. Unlike other Plaid products, Identity Verification does not use the language setting in /link/token/create.

Identity Verification supports end users in all countries, with the exception of North Korea, Libya, DR Congo, Iran, Cuba, and Syria.

Data Source checks are available in the following countries: Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Colombia, Czechia, Denmark, Finland, France, Germany, Gibraltar, Hong Kong, India, Ireland, Italy, Japan, Kenya, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Nigeria, Norway, Philippines, Poland, Portugal, Singapore, Slovakia, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States.

Selfie Checks and Documentary Verification are available in all supported countries.

Identity Verification will retain data about user sessions as long as you maintain an active Identity Verification contract with Plaid. To request that user personally identifiable information (PII) be redacted on a rolling basis, such as after 90 days, contact support or your Plaid Account Manager to request a custom retention period. Redaction is permanent, and once you have set up a custom retention period, you cannot regain access to redacted data. You can also redact data on an ad-hoc basis via the Dashboard.

You can export data relating to user sessions via the Dashboard or the API. If you end your contract with Plaid, you will lose access to the Identity Verification Dashboard and API, including access to information about previous sessions. If your use case requires that you retain user session data after your contract ends, export the data prior to the end of your contract.

For more information about testing Identity Verification in Sandbox, see Testing Identity Verification.

For a sample integration, see the Identity Verification Quickstart on GitHub.

The PDF resources below provide an in-depth view of IDV integration and configuration options. Note that they are not updated as frequently as the docs and may not reflect the most recent updates to Identity Verification capabilities.

• Identity Verification and Monitor solution guide: A detailed, step-by-step walkthrough for integrating and configuring Identity Verification and Monitor.
• Identity Verification and Monitor no-code guide: A walkthrough of setting up a Identity Verification and Monitor integration with no code, using the verification links option. This demo flow can help you quickly work with Identity Verification and Monitor and try out the end-user and admin experiences.
• Identity Verification Manual: Shows the different verification checks available, what each one checks, and how to handle failures.
• Anti-fraud monitoring: Shows details on how risk checks are performed.

Identity Verification has a base fee for every verification attempted, as well as separate fees for Data Source verification, Selfie checks, and Document checks. For more details, see the Identity Verification fee model. To view the exact pricing you may be eligible for, apply for Production access or contact Sales.

To learn more about building with Identity Verification, see the Identity Verification API Reference.

If you're ready to launch to Production, see the Launch Center.