225 End-to-End eKYC Systems: Architecture, Regulation, and Fairness

225.1 1. Introduction

The two preceding chapters built the components: reading an identity document, and verifying that a live person matches it. This chapter assembles them into a complete eKYC (electronic Know-Your-Customer) system, the remote, digital execution of the customer identity-verification obligations historically performed face-to-face by an officer inspecting physical documents.

The defining distinction from in-person KYC is unsupervised remote proofing: the user self-captures evidence on their own device, and automated systems, not a trained agent, resolve, validate, and verify identity. This unlocks global, low-cost onboarding but introduces threat vectors absent in attended settings (injection attacks, synthetic identities, deepfakes) that the architecture must explicitly defend against. eKYC is therefore the canonical example of an AI system that is only as good as its weakest link and its governance: the machine learning is necessary but not sufficient; regulation, risk policy, human review, and fairness obligations are first-class parts of the design.

225.2 2. The End-to-End Pipeline

A production eKYC system has six stages:

flowchart LR
    S1["1 Document capture and verify (OCR, MRZ, NFC)"] --> S2["2 Biometric face match plus liveness/PAD"]
    S2 --> S3["3 Data validation vs sources"]
    S3 --> S4["4 Screening: sanctions, PEP, media"]
    S4 --> S5["5 Risk score: aggregate signals"]
    S5 --> S6["6 Decision: approve / step-up / review"]

Document capture and verification, template/security-feature checks, MRZ checksum validation, and where available NFC chip passive authentication (the strongest signal, since chip contents are issuer-signed). (Chapter: Document AI.)
Biometric verification, 1:1 face match of the live selfie against the document/chip portrait, plus liveness/PAD to defeat photos, replays, masks, and injected deepfakes. (Chapter: Face verification.)
Data validation, extracted attributes (name, DOB, document number, expiry) validated against authoritative issuer or government databases where available.
Screening, the resolved identity checked against sanctions lists, Politically Exposed Persons (PEP) lists, and adverse media.
Risk scoring, biometric/document confidence, screening hits, device fingerprint, geolocation consistency, velocity, and behavioral signals aggregated into a single score.
Decision, a policy engine routes to auto-approve, step-up (additional verification), or manual review by a human analyst.

The architecture’s recurring principle is defense in depth: no single check is trusted absolutely, and the decision aggregates redundant, partially independent signals.

225.3 3. Identity Assurance Frameworks

Standards bodies formalize how much confidence a proofing process provides, which is what regulators and relying parties actually consume.

NIST SP 800-63 (US). The flagship US digital-identity guideline, with SP 800-63-4 now current (finalized 2025). It separates three orthogonal dimensions: IAL (Identity Assurance Level, confidence in identity proofing), AAL (Authentication Assurance Level, strength of the login authenticator), and FAL (Federation Assurance Level). The proofing levels: IAL1 validates core attributes against authoritative sources; IAL2 requires additional evidence and rigorous validation, remote or in-person; IAL3 is the highest, requiring an attended session with a trained representative plus biometric collection. A notable Rev 4 change: remote IAL2 proofing must implement presentation-attack detection and analyze media for AI-generated/deepfake signatures, the standard explicitly catching up to the injection threat.

eIDAS / EU. Regulation (EU) 910/2014 defines three Levels of Assurance, low, substantial, high. eIDAS 2.0 (Regulation (EU) 2024/1183, in force May 2024) establishes the European Digital Identity (EUDI) Wallet: a state-issued or state-certified mobile wallet for storing and presenting verified credentials, which each Member State must make available by late 2026. (Implementation timelines are slipping; treat the precise deadline as provisional.)

UK. The Digital Identity and Attributes Trust Framework, now the statutory Digital Verification Services framework under the Data (Use and Access) Act 2025, certifies identity providers against the GPG 45 (proofing) and GPG 44 (authentication) good-practice guides.

225.4 4. The AML/KYC Regulatory Context

eKYC does not exist for its own sake; it implements anti-money-laundering law. Understanding that law is part of understanding the system.

FATF and the risk-based approach. The Financial Action Task Force sets the global standard via its 40 Recommendations, organized around a risk-based approach. Recommendation 10 (Customer Due Diligence) is the core mandate: prohibit anonymous accounts, and (1) identify and verify the customer from reliable, independent sources; (2) identify and verify the beneficial owner; (3) understand the purpose of the relationship; (4) conduct ongoing due diligence. The approach permits Enhanced Due Diligence for higher-risk customers (including PEPs, per R.12) and Simplified Due Diligence for lower-risk ones. FATF’s 2020 Guidance on Digital Identity endorses reliable digital ID for remote CDD and states explicitly that non-face-to-face onboarding with trustworthy digital ID is not necessarily high-risk, the regulatory foundation that makes eKYC permissible.

United States. The Bank Secrecy Act, administered by FinCEN, is the statutory base. USA PATRIOT Act §326 mandates a Customer Identification Program verifying identity to a “reasonable belief.” The FinCEN CDD Final Rule (effective May 2018) codified the four CDD elements, added ongoing monitoring as a “fifth pillar,” and required identifying beneficial owners holding ≥25% equity plus a control person. OFAC sanctions screening operates separately via the SDN List. (The Corporate Transparency Act beneficial-ownership registry was sharply narrowed by a March 2025 interim rule; treat its status as in flux.)

European Union. The legacy AML directives are being superseded by the 2024 AML package: the directly applicable AML Regulation (EU) 2024/1624, AMLD6, and a new Anti-Money-Laundering Authority (AMLA, operational July 2025), with the substantive rules applying from July 2027. (Not yet in force; current operations follow national transpositions.)

225.5 5. Risk Scoring and Fraud Signals

Beyond document and biometric checks, modern eKYC layers passive, contextual signals:

Device fingerprinting, flagging emulators, virtual cameras, or reused devices.
IP / geolocation, proxies, VPNs, impossible-travel patterns.
Behavioral biometrics, typing cadence, navigation, and copy-paste patterns that distinguish humans from bots or coached fraud.
Velocity and duplicate checks, abnormal account-opening frequency, or recycled identity attributes across applications.

Synthetic identity fraud (SIF) is the hardest case: fabricating a person from a combination of real and fake PII (the Federal Reserve’s 2021 definition). It evades detection because there is no real victim to dispute the account, fabricated identities are aged before a “bust-out,” and individual PII fragments may be valid. (Widely cited loss figures are industry estimates, not official statistics.)

Machine learning drives three functions, applicant risk scoring, document-fraud/deepfake detection, and face-match/liveness, while human-in-the-loop review handles borderline scores, enhanced-due-diligence cases, and adverse-media hits. Governance constraints are not optional: model risk management (validation, drift and bias monitoring), explainability, and adverse-action law. Under the US Equal Credit Opportunity Act / Regulation B and the Fair Credit Reporting Act, a declined applicant must receive specific reasons, and CFPB Circular 2022-03 holds that model opacity is no excuse for failing to provide them, a direct constraint on using black-box models in the decision.

225.6 6. National Digital-ID Systems as Case Studies

National digital-ID programs are the substrate on which eKYC runs, converting a government identity assertion into a machine-readable, remotely verifiable credential. Their successes and failures are the field’s most instructive case studies.

India, Aadhaar (UIDAI). A 12-digit number tied to demographics and biometrics, the world’s largest biometric ID system (~1.4 billion numbers; cumulative authentications past 150 billion by 2025). Aadhaar anchors the “India Stack,” whose e-KYC API lets banks verify identity in seconds and collapsed account-opening costs. The 2018 Supreme Court judgment upheld Aadhaar but struck the provision letting private firms mandate it; a 2019 amendment reopened voluntary private use. Controversies are equally instructive: documented exclusion harms (welfare denial from authentication failures) and surveillance concerns.
Singapore, Singpass / Myinfo. A national digital identity (>4.5 million users) plus a government-verified “tell-us-once” data layer that pre-fills forms; combined with face verification, it powers private-sector eKYC with reported per-customer savings.
Estonia, e-ID. A PKI smartcard plus Mobile-ID issuing legally binding digital signatures over the X-Road data layer. Its defining security event, the 2017 ROCA chip vulnerability, which forced blocking ~750,000 certificates, is a cautionary tale about cryptographic supply-chain risk in national ID.
Nigeria, NIN. ~127 million enrolled by late 2025, with a SIM-NIN linkage mandate; a live example of building identity infrastructure mid-deployment, short of universal coverage.
Brazil, CPF / gov.br. The CPF taxpayer number is the de-facto onboarding identifier for fintech (including Pix), with gov.br providing tiered, biometrics-backed assurance.

225.7 7. Fairness, Inclusion, and Privacy

The obligations here are not add-ons; for a regulated, population-scale system they are design requirements.

Demographic bias. As the face-verification chapter documented, NIST found false-positive rates 10 to 100× higher for some demographic groups in 1:1 verification (the eKYC mode), with women and the elderly also affected. The two error types have different consequences in eKYC: a false match is a security breach (wrong person onboarded), while an elevated false non-match is an unfair rejection, a real person locked out of a bank account. A system measured only in aggregate can hide a group for whom it effectively does not work, so error rates must be monitored by demographic group.

Inclusion and exclusion. The World Bank’s ID4D program estimates that on the order of 800 to 850 million people lack official proof of identity, roughly half children, the majority in sub-Saharan Africa, and women systematically less likely to hold an ID. An eKYC flow requiring a government document or a successful biometric match risks excluding the undocumented, people whom biometrics misread for bias-related reasons, and those facing accessibility barriers (disability, age, low digital literacy, no smartphone). Financial inclusion and fraud control pull in opposite directions, and the threshold that resolves them is a policy choice with real human stakes, not a hyperparameter to be tuned on a validation set alone.

Privacy. Under GDPR Article 9, biometric data used to uniquely identify a person is special-category data, prohibited absent an explicit exception (operationally, consent). Article 5’s principles, data minimization, purpose limitation, storage limitation, translate into concrete engineering: store only the template the purpose requires, and delete raw images after extraction. In the US, Illinois’ BIPA imposes consent and retention duties with a private right of action that has produced nine-figure settlements. The defensible posture is to treat biometric data as a liability to be minimized, not an asset to be accumulated.

225.8 8. The Vendor Landscape

The commercial market clarifies the system boundaries. Document-plus-biometric verification specialists include Onfido (acquired by Entrust in 2024), Jumio, Veriff, Incode, and AU10TIX (document forensics). iProov specializes in liveness and injection-attack-resistant face authentication. Socure and Trulioo are data-centric, doing predictive or authoritative-data verification with less reliance on documents. Persona, Sumsub, IDnow, and Signicat are orchestration platforms that compose these checks and integrate national eID schemes. The market is consolidating around such orchestration layers, with the trend pointing away from any single check and toward configurable, policy-driven pipelines, exactly the architecture this chapter describes.

225.9 9. Conclusion

An eKYC system is a defense-in-depth pipeline, document authentication, biometric verification with liveness, data validation, screening, risk scoring, and a human-reviewable decision, implementing anti-money-laundering law under formal identity-assurance frameworks. Its quality is determined as much by governance as by models: by how error rates are monitored across demographic groups, how the inclusion-versus-fraud threshold is set, how biometric data is minimized and protected, and how decisions are made explainable and contestable. The machine learning is the easy part; the system, the regulation, and the fairness obligations are the engineering. The final chapter in this cluster turns from verifying identity, a checkable claim, to the far more contested business of inferring traits from faces and video, where the science gets shakier and the law gets stricter.

225.10 References

FATF. International Standards on Combating Money Laundering (The 40 Recommendations). https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html
FATF. Guidance on Digital Identity. March 2020. https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/Guidance-on-Digital-Identity-report.pdf
NIST. SP 800-63-4: Digital Identity Guidelines. 2025. https://pages.nist.gov/800-63-4/sp800-63.html
Regulation (EU) 2024/1183 (eIDAS 2.0 / European Digital Identity). https://eur-lex.europa.eu/eli/reg/2024/1183/oj
FinCEN. Customer Due Diligence Final Rule. Effective May 2018. https://www.fincen.gov/resources/statutes-and-regulations/cdd-rule-faqs
CFPB. Circular 2022-03: Adverse Action and Complex Algorithms. https://www.consumerfinance.gov/compliance/circulars/circular-2022-03-adverse-action-notification-requirements-in-connection-with-credit-decisions-based-on-complex-algorithms/
UIDAI (Aadhaar). https://uidai.gov.in/
World Bank. ID4D Global Dataset / Identity for Development. https://id4d.worldbank.org/
NIST. “FRVT Part 3: Demographic Effects” (NISTIR 8280). 2019. https://nvlpubs.nist.gov/nistpubs/ir/2019/nist.ir.8280.pdf
Federal Reserve. “Synthetic Identity Fraud Defined.” 2021. https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/synthetic-identity-payments-fraud/
EU. Anti-Money Laundering Regulation (EU) 2024/1624 and AMLD6. https://eur-lex.europa.eu/

# End-to-End eKYC Systems: Architecture, Regulation, and Fairness ## 1. Introduction The two preceding chapters built the components: reading an identity document, and verifying that a live person matches it. This chapter assembles them into a complete **eKYC (electronic Know-Your-Customer)** system, the remote, digital execution of the customer identity-verification obligations historically performed face-to-face by an officer inspecting physical documents. The defining distinction from in-person KYC is *unsupervised remote proofing*: the user self-captures evidence on their own device, and automated systems, not a trained agent, resolve, validate, and verify identity. This unlocks global, low-cost onboarding but introduces threat vectors absent in attended settings (injection attacks, synthetic identities, deepfakes) that the architecture must explicitly defend against. eKYC is therefore the canonical example of an AI system that is *only as good as its weakest link and its governance*: the machine learning is necessary but not sufficient; regulation, risk policy, human review, and fairness obligations are first-class parts of the design. ## 2. The End-to-End Pipeline A production eKYC system has six stages: ```{mermaid} flowchart LR S1["1 Document capture and verify (OCR, MRZ, NFC)"] --> S2["2 Biometric face match plus liveness/PAD"] S2 --> S3["3 Data validation vs sources"] S3 --> S4["4 Screening: sanctions, PEP, media"] S4 --> S5["5 Risk score: aggregate signals"] S5 --> S6["6 Decision: approve / step-up / review"] ``` 1. **Document capture and verification**, template/security-feature checks, MRZ checksum validation, and where available NFC chip passive authentication (the strongest signal, since chip contents are issuer-signed). *(Chapter: Document AI.)* 2. **Biometric verification**, 1:1 face match of the live selfie against the document/chip portrait, plus liveness/PAD to defeat photos, replays, masks, and injected deepfakes. *(Chapter: Face verification.)* 3. **Data validation**, extracted attributes (name, DOB, document number, expiry) validated against authoritative issuer or government databases where available. 4. **Screening**, the resolved identity checked against sanctions lists, Politically Exposed Persons (PEP) lists, and adverse media. 5. **Risk scoring**, biometric/document confidence, screening hits, device fingerprint, geolocation consistency, velocity, and behavioral signals aggregated into a single score. 6. **Decision**, a policy engine routes to auto-approve, step-up (additional verification), or manual review by a human analyst. The architecture's recurring principle is **defense in depth**: no single check is trusted absolutely, and the decision aggregates redundant, partially independent signals. ## 3. Identity Assurance Frameworks Standards bodies formalize *how much confidence* a proofing process provides, which is what regulators and relying parties actually consume. **NIST SP 800-63 (US).** The flagship US digital-identity guideline, with **SP 800-63-4** now current (finalized 2025). It separates three orthogonal dimensions: **IAL** (Identity Assurance Level, confidence in identity *proofing*), **AAL** (Authentication Assurance Level, strength of the login authenticator), and **FAL** (Federation Assurance Level). The proofing levels: **IAL1** validates core attributes against authoritative sources; **IAL2** requires additional evidence and rigorous validation, remote or in-person; **IAL3** is the highest, requiring an attended session with a trained representative plus biometric collection. A notable Rev 4 change: remote IAL2 proofing must implement presentation-attack detection and analyze media for AI-generated/deepfake signatures, the standard explicitly catching up to the injection threat. **eIDAS / EU.** Regulation (EU) 910/2014 defines three Levels of Assurance, low, substantial, high. **eIDAS 2.0** (Regulation (EU) 2024/1183, in force May 2024) establishes the **European Digital Identity (EUDI) Wallet**: a state-issued or state-certified mobile wallet for storing and presenting verified credentials, which each Member State must make available by late 2026. *(Implementation timelines are slipping; treat the precise deadline as provisional.)* **UK.** The Digital Identity and Attributes Trust Framework, now the statutory Digital Verification Services framework under the Data (Use and Access) Act 2025, certifies identity providers against the GPG 45 (proofing) and GPG 44 (authentication) good-practice guides. ## 4. The AML/KYC Regulatory Context eKYC does not exist for its own sake; it implements anti-money-laundering law. Understanding that law is part of understanding the system. **FATF and the risk-based approach.** The Financial Action Task Force sets the global standard via its 40 Recommendations, organized around a *risk-based approach*. **Recommendation 10 (Customer Due Diligence)** is the core mandate: prohibit anonymous accounts, and (1) identify and verify the customer from reliable, independent sources; (2) identify and verify the beneficial owner; (3) understand the purpose of the relationship; (4) conduct ongoing due diligence. The approach permits *Enhanced* Due Diligence for higher-risk customers (including PEPs, per R.12) and *Simplified* Due Diligence for lower-risk ones. FATF's 2020 Guidance on Digital Identity endorses reliable digital ID for remote CDD and states explicitly that non-face-to-face onboarding with trustworthy digital ID is *not necessarily high-risk*, the regulatory foundation that makes eKYC permissible. **United States.** The Bank Secrecy Act, administered by FinCEN, is the statutory base. USA PATRIOT Act §326 mandates a **Customer Identification Program** verifying identity to a "reasonable belief." The FinCEN CDD Final Rule (effective May 2018) codified the four CDD elements, added ongoing monitoring as a "fifth pillar," and required identifying beneficial owners holding ≥25% equity plus a control person. OFAC sanctions screening operates separately via the SDN List. *(The Corporate Transparency Act beneficial-ownership registry was sharply narrowed by a March 2025 interim rule; treat its status as in flux.)* **European Union.** The legacy AML directives are being superseded by the 2024 AML package: the directly applicable AML Regulation (EU) 2024/1624, AMLD6, and a new Anti-Money-Laundering Authority (AMLA, operational July 2025), with the substantive rules applying from July 2027. *(Not yet in force; current operations follow national transpositions.)* ## 5. Risk Scoring and Fraud Signals Beyond document and biometric checks, modern eKYC layers passive, contextual signals: - **Device fingerprinting**, flagging emulators, virtual cameras, or reused devices. - **IP / geolocation**, proxies, VPNs, impossible-travel patterns. - **Behavioral biometrics**, typing cadence, navigation, and copy-paste patterns that distinguish humans from bots or coached fraud. - **Velocity and duplicate checks**, abnormal account-opening frequency, or recycled identity attributes across applications. **Synthetic identity fraud (SIF)** is the hardest case: fabricating a person from a *combination* of real and fake PII (the Federal Reserve's 2021 definition). It evades detection because there is no real victim to dispute the account, fabricated identities are aged before a "bust-out," and individual PII fragments may be valid. *(Widely cited loss figures are industry estimates, not official statistics.)* Machine learning drives three functions, applicant risk scoring, document-fraud/deepfake detection, and face-match/liveness, while **human-in-the-loop review** handles borderline scores, enhanced-due-diligence cases, and adverse-media hits. Governance constraints are not optional: model risk management (validation, drift and bias monitoring), explainability, and adverse-action law. Under the US Equal Credit Opportunity Act / Regulation B and the Fair Credit Reporting Act, a declined applicant must receive specific reasons, and CFPB Circular 2022-03 holds that **model opacity is no excuse** for failing to provide them, a direct constraint on using black-box models in the decision. ## 6. National Digital-ID Systems as Case Studies National digital-ID programs are the substrate on which eKYC runs, converting a government identity assertion into a machine-readable, remotely verifiable credential. Their successes and failures are the field's most instructive case studies. - **India, Aadhaar (UIDAI).** A 12-digit number tied to demographics and biometrics, the world's largest biometric ID system (~1.4 billion numbers; cumulative authentications past 150 billion by 2025). Aadhaar anchors the "India Stack," whose e-KYC API lets banks verify identity in seconds and collapsed account-opening costs. The 2018 Supreme Court judgment upheld Aadhaar but struck the provision letting private firms *mandate* it; a 2019 amendment reopened *voluntary* private use. Controversies are equally instructive: documented exclusion harms (welfare denial from authentication failures) and surveillance concerns. - **Singapore, Singpass / Myinfo.** A national digital identity (>4.5 million users) plus a government-verified "tell-us-once" data layer that pre-fills forms; combined with face verification, it powers private-sector eKYC with reported per-customer savings. - **Estonia, e-ID.** A PKI smartcard plus Mobile-ID issuing legally binding digital signatures over the X-Road data layer. Its defining security event, the 2017 ROCA chip vulnerability, which forced blocking ~750,000 certificates, is a cautionary tale about cryptographic supply-chain risk in national ID. - **Nigeria, NIN.** ~127 million enrolled by late 2025, with a SIM-NIN linkage mandate; a live example of building identity infrastructure mid-deployment, short of universal coverage. - **Brazil, CPF / gov.br.** The CPF taxpayer number is the de-facto onboarding identifier for fintech (including Pix), with gov.br providing tiered, biometrics-backed assurance. ## 7. Fairness, Inclusion, and Privacy The obligations here are not add-ons; for a regulated, population-scale system they are design requirements. **Demographic bias.** As the face-verification chapter documented, NIST found false-positive rates 10 to 100× higher for some demographic groups in 1:1 verification (the eKYC mode), with women and the elderly also affected. The two error types have different consequences in eKYC: a **false match** is a security breach (wrong person onboarded), while an elevated **false non-match** is an *unfair rejection*, a real person locked out of a bank account. A system measured only in aggregate can hide a group for whom it effectively does not work, so error rates must be monitored *by demographic group*. **Inclusion and exclusion.** The World Bank's ID4D program estimates that on the order of 800 to 850 million people lack official proof of identity, roughly half children, the majority in sub-Saharan Africa, and women systematically less likely to hold an ID. An eKYC flow requiring a government document or a successful biometric match risks excluding the undocumented, people whom biometrics misread for bias-related reasons, and those facing accessibility barriers (disability, age, low digital literacy, no smartphone). Financial inclusion and fraud control pull in opposite directions, and the threshold that resolves them is a *policy* choice with real human stakes, not a hyperparameter to be tuned on a validation set alone. **Privacy.** Under GDPR Article 9, biometric data used to uniquely identify a person is *special-category* data, prohibited absent an explicit exception (operationally, consent). Article 5's principles, data minimization, purpose limitation, storage limitation, translate into concrete engineering: store only the template the purpose requires, and delete raw images after extraction. In the US, Illinois' BIPA imposes consent and retention duties with a private right of action that has produced nine-figure settlements. The defensible posture is to treat biometric data as a liability to be minimized, not an asset to be accumulated. ## 8. The Vendor Landscape The commercial market clarifies the system boundaries. Document-plus-biometric verification specialists include **Onfido** (acquired by Entrust in 2024), **Jumio**, **Veriff**, **Incode**, and **AU10TIX** (document forensics). **iProov** specializes in liveness and injection-attack-resistant face authentication. **Socure** and **Trulioo** are data-centric, doing predictive or authoritative-data verification with less reliance on documents. **Persona**, **Sumsub**, **IDnow**, and **Signicat** are orchestration platforms that compose these checks and integrate national eID schemes. The market is consolidating around such orchestration layers, with the trend pointing away from any single check and toward configurable, policy-driven pipelines, exactly the architecture this chapter describes. ## 9. Conclusion An eKYC system is a defense-in-depth pipeline, document authentication, biometric verification with liveness, data validation, screening, risk scoring, and a human-reviewable decision, implementing anti-money-laundering law under formal identity-assurance frameworks. Its quality is determined as much by governance as by models: by how error rates are monitored across demographic groups, how the inclusion-versus-fraud threshold is set, how biometric data is minimized and protected, and how decisions are made explainable and contestable. The machine learning is the easy part; the system, the regulation, and the fairness obligations are the engineering. The final chapter in this cluster turns from verifying *identity*, a checkable claim, to the far more contested business of *inferring traits* from faces and video, where the science gets shakier and the law gets stricter. ## References 1. FATF. *International Standards on Combating Money Laundering (The 40 Recommendations).* https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html 2. FATF. *Guidance on Digital Identity.* March 2020. https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/Guidance-on-Digital-Identity-report.pdf 3. NIST. *SP 800-63-4: Digital Identity Guidelines.* 2025. https://pages.nist.gov/800-63-4/sp800-63.html 4. Regulation (EU) 2024/1183 (eIDAS 2.0 / European Digital Identity). https://eur-lex.europa.eu/eli/reg/2024/1183/oj 5. FinCEN. *Customer Due Diligence Final Rule.* Effective May 2018. https://www.fincen.gov/resources/statutes-and-regulations/cdd-rule-faqs 6. CFPB. *Circular 2022-03: Adverse Action and Complex Algorithms.* https://www.consumerfinance.gov/compliance/circulars/circular-2022-03-adverse-action-notification-requirements-in-connection-with-credit-decisions-based-on-complex-algorithms/ 7. UIDAI (Aadhaar). https://uidai.gov.in/ 8. World Bank. *ID4D Global Dataset / Identity for Development.* https://id4d.worldbank.org/ 9. NIST. "FRVT Part 3: Demographic Effects" (NISTIR 8280). 2019. https://nvlpubs.nist.gov/nistpubs/ir/2019/nist.ir.8280.pdf 10. Federal Reserve. "Synthetic Identity Fraud Defined." 2021. https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/synthetic-identity-payments-fraud/ 11. EU. *Anti-Money Laundering Regulation (EU) 2024/1624 and AMLD6.* https://eur-lex.europa.eu/