Enrollment APIs
This guide explains how to enroll end users using the Enrollments APIs, including identity requirements, validation rules, and common enrollment scenarios.
For full request/response schemas, see the API Reference – Enrollments.
POST /programs/{programCode}/enrollments
Creates a new enrollment for a user and performs the following core operations:
- Creates a new user profile
- Creates an account
- Creates one or more payment instruments (virtual and/or physical)
- Supports instant issue (card‑in‑hand) enrollment
- Supports account upgrades (for example, GPR → DDA when upgradeFlag=true)
Important
If a valid enrollment request is submitted and processing fails during OFAC screening, the enrollment will automatically complete once OFAC is cleared.
Request and response field definitions and examples are documented in the API Reference.
Name Validation Rules
All name fields (firstName, middleName, lastName) must follow the rules below. These rules are enforced during enrollment and KYC execution.
Allowed Characters
- Alphabetic characters: A–Z, a–z
- Space
- Apostrophe (')
- Hyphen (-)
- Period (.)
- Supported diacritics:
- Grave: À à
- Acute: Á á
- Tilde: Ã ã Ñ ñ
- Cedilla: Ç ç
- Circumflex: Î î
- Diaeresis / Umlaut: Ü ü
Validation Rules
- Names must start and end with a letter (diacritics allowed)
- No consecutive special characters (spaces, apostrophes, hyphens, or periods)
- Diacritics must be paired with a letter
- Disallowed characters include numbers, emojis, and all other symbols
Length Requirements
| Field | Min | Max |
|---|---|---|
| First name | 1 | 25 |
| Middle name | 1 | 25 |
| Last name | 2 | 25 |
Suggested validation regex (example only):
^(?=.25$)[A-Za-zÀ-ÿ](?:[A-Za-zÀ-ÿ]|[ .'-](?![ .'-]))*[A-Za-zÀ-ÿ]$
❗ If any name field does not meet these requirements, enrollment fails with HTTP 400 – Bad Request.
Supported Identity Types
The Enrollments API supports two identity verification flows:
- SSN / ITIN (U.S. persons)
- Foreign‑issued identity documents
The identity type determines which identifying fields are required and how KYC is performed.
SSN / ITIN Enrollment Flow
This is the standard enrollment flow for U.S. customers.
Required Identifying Fields
- dateOfBirth (YYYY‑MM‑DD)
- One of the following (mutually exclusive):
- Full ssn (9 digits)
- ssnSuffix (last 4 digits)
Non‑U.S. SSNs will fail KYC verification.
KYC Execution
When executeKycFlag=true, the platform validates:
- Name
- Date of birth
- Address
- SSN or ITIN
- Phone number
Common SSN / ITIN errors include:
- Providing both ssn and ssnSuffix
- Invalid date‑of‑birth format
- Missing home address
- Multiple default phone numbers
Foreign ID Enrollment Flow
Foreign ID enrollment supports non‑U.S. persons using government‑issued identity documents.
Required Fields
- First and last name (middle name optional)
- Date of birth
- U.S. residential address
- Must be a physical address
- PO Boxes, PMBs, CMRAs, and foreign addresses are not supported
- Mobile phone number
- Foreign identity details:
- identityType
- identityValue
- identityCountryCode
- identityExpirationDate
Additional Compliance Fields
Source of funds (required):
- Salary or wages
- Business income
- Pension or retirement
- Investments or asset sales
- Inheritance or gifts
- Government benefits
- Legal settlements
- Lottery or gambling winnings
Occupation (required):
- Employed
- Self‑employed / business owner
- Student (employed or unemployed)
- Unemployed
- Retired
Foreign ID user data must be encrypted before calling the enrollment endpoint.
User Data Requirements (Unencrypted)
The following top‑level objects are required to successfully perform KYC:
- profileData
- identifyingData
- phoneNumbers
These objects are encrypted and passed as encryptedUserData in the enrollment request.
Enrollment Data Validation Rules
| Field | Required | Rule / Validation | Partner guidance & constraints |
|---|---|---|---|
| First name | Yes | Must meet allowed character and length rules | Use the user’s legal first name. Leading/trailing spaces and special characters may cause request rejection. |
| Last name | Yes | Must meet allowed character and length rules | Use the legal last name without suffixes (e.g., Jr, Sr) unless explicitly supported. |
| Date of birth | Yes | Must be formatted as YYYY-MM-DD | Requests with an invalid date format are rejected before KYC is executed. |
| Phone numbers | Yes | At least one phone number required | Only one default phone number is allowed. Missing phone numbers will cause enrollment failure when KYC is required. |
| Yes | Must be in a valid email format | Used for communication and fraud signals; invalid formats result in enrollment rejection. | |
| Addresses object | Yes | At least one address object required | Addresses must include a valid type and follow duplication and default rules. |
| Address types | Yes | Duplicate address types are not allowed | Only one of each type (home, work, billing, shipping) may be provided. |
| Default address | Yes | Only one address may be marked as default | If isDefault is omitted, the home address is treated as default. |
| Home address | Yes | Required when KYC is executed | Home address must be a physical residential address. PO Boxes, PMBs, and CMRAs are not supported. |
| Shipping address | Conditional | Required when issuing a physical card | Shipping address is not evaluated for KYC. Program and carrier rules determine eligibility. |
| Address line 1 | Yes | Must meet character and length rules | Street address is required. USPS‑compliant abbreviations are acceptable. |
| City | Yes | Must meet length and character rules | Required unless ZIP + state satisfy program rules. |
| State | Yes | Must be a valid 2‑character state code | Required for U.S. addresses. |
| ZIP code | Yes | Must be 5 digits only | Extended ZIP codes are not supported. |
| Country | Yes | Defaults to USA if omitted | Non‑U.S. countries may route the user into Foreign ID enrollment flows. |
KYC Identity Verification Rules
| Field | Required | Rule / Validation | Partner guidance & constraints |
|---|---|---|---|
| First name | Yes | Must match identity records | Should match the name on SSN or identity document. Nicknames may trigger KYC mismatches. |
| Last name | Yes | Must match identity records | Variations or suffixes may cause step‑up verification. |
| Date of birth | Yes | Must match identity records | Incorrect DOB frequently results in KYC failure or IDV. |
| Full SSN | Conditional | Required if kycPendingGate = kyc2 | Do not submit both ssn and ssnSuffix. Full SSN is mandatory for KYC2. |
| SSN structure | Yes | Certain SSN patterns are invalid | SSNs with 000, 666, or 900–999 prefixes, 00 group, or 0000 serial fail validation. |
| Residential (home) address | Yes | Used for identity verification | Must be a physical address. PO Boxes and commercial mail services are not accepted for KYC. |
| Address consistency | Yes | Must align with identity data | Address mismatches commonly trigger KYC step‑up or failure. |
| Phone number | Yes | Used as a supporting signal | Must be reachable. Multiple defaults are not allowed. |
| Yes | Used as a supporting signal | High‑risk or disposable emails may increase verification friction. | |
| Identity document (IDV) | Conditional | Required if kycPendingGate = idv | Partners must route the user through Socure document verification for new implementations. |
| OFAC screening | Yes | Performed automatically | OFAC matches may require manual review (kycPendingGate = manual). |
Enrollment Error Codes
| HTTP | Code | SubCode | Description |
|---|---|---|---|
| 400 | 700 | 0 | Date of birth must be YYYY‑MM‑DD |
| 400 | 630 | 0 | Cannot provide both SSN and SSN suffix |
| 400 | 101 | 0 | Phone number missing when KYC is required |
| 400 | 1020 | 0 | Duplicate address types are not allowed |
| 400 | 1040 | 0 | Multiple default addresses or phones provided |
| 400 | 1042 | 0 | Home address is missing |
| 400 | 640 | 5xx | Invalid characters in user data fields |
| 400 | 620 | 0 | Terms acceptance timestamp must be within 720 hours |
| 400 | 650 | 0 | Invalid or unsupported currency |
| 400 | 101 | 192 | Enrollment declined due to multiple existing accounts |
Enrollment Limits
SSN / ITIN limits:
- 1 active account per SSN / ITIN per program
- 3 lifetime accounts per SSN / ITIN per program
Phone number limits (default phone only):
- 2 active accounts per phone number per program
- 10 lifetime accounts per phone number per program
Requests exceeding these thresholds are rejected.
Idempotent Retries and Account Cycle Day
In some scenarios, enrollment may succeed without assigning an account cycle day (BCD). When this occurs:
- The account remains in a pending state
- Payment instruments are not created
Partners must retry the same POST /enrollments request idempotently. Once completed:
- The account cycle day is populated
- The account status transitions to normal
- Payment instruments are created
- An Account Updated webhook is sent
GET /programs/{programCode}/enrollments/accounts/{accountIdentifier}
Returns encrypted enrollment details for an account.
Notes:
- Joint accounts return two account holders
- GPR → DDA upgrades may include upgradeKycStateData
Refer to the API Reference for full request and response examples.
Example Enrollment Details Response (Joint Account)
For joint accounts, the enrollment details response contains multiple account holders.
Each account holder includes its own:
- user
- paymentInstruments
- accountHolderIdentifier
One account holder is marked as the primary account holder (isPrimaryAccountHolder=true).
{
"account": {
"accountIdentifier": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"accountReferenceNumber": "EXAMPLE12345",
"status": "normal",
"accountStatusChangedDateTime": "2099-01-01T00:00:00.000Z",
"statusReasons": [
"healthy"
],
"directDepositInformation": {
"accountNumber": "000000000000000",
"routingNumber": "000000000"
},
"purses": [
{
"purseIdentifier": "11111111-2222-3333-4444-555555555555",
"purseType": "primary",
"availableBalance": 0,
"ledgerBalance": 0,
"availableBalanceAsOfDateTime": "2099-01-01T00:00:00Z",
"ledgerBalanceAsOfDateTime": "2099-01-01T00:00:00Z",
"isHidden": false,
"status": "active"
}
],
"accountHolders": [
{
"paymentInstruments": [
{
"encryptedPrivatePaymentInstrumentData": {
"version": "EC_v1",
"ephemeralPublicKey": "BASE64_PUBLIC_KEY_PLACEHOLDER",
"publicKeyHash": "BASE64_HASH_PLACEHOLDER",
"data": "ENCRYPTED_DATA_PLACEHOLDER"
},
"paymentIdentifier": "pi-primary-0001",
"paymentInstrumentIdentifier": "card-primary-virtual-0001",
"paymentInstrumentType": "virtual",
"status": "activated",
"isPinSet": false,
"last4Pan": "1111",
"activatedDateTime": "2099-01-01T00:00:00Z",
"issuedDateTime": "2099-01-01T00:00:00Z",
"isPrivateDataViewable": false
}
],
"user": {
"firstName": "Primary",
"lastName": "ExampleUser",
"dobStatus": "matched",
"last4Identity": "1111",
"identityType": "ssn",
"userIdentifier": "user-primary-0001",
"status": "active",
"isPrimaryAccountHolder": true,
"kycStateData": {
"ofacStatus": "passed",
"kycStatus": "passed",
"kycPendingGate": "healthy"
}
}
},
{
"paymentInstruments": [
{
"encryptedPrivatePaymentInstrumentData": {
"version": "EC_v1",
"ephemeralPublicKey": "BASE64_PUBLIC_KEY_PLACEHOLDER",
"publicKeyHash": "BASE64_HASH_PLACEHOLDER",
"data": "ENCRYPTED_DATA_PLACEHOLDER"
},
"paymentIdentifier": "pi-secondary-0002",
"paymentInstrumentIdentifier": "card-secondary-virtual-0002",
"paymentInstrumentType": "virtual",
"status": "activated",
"isPinSet": false,
"last4Pan": "2222",
"activatedDateTime": "2099-01-01T00:00:00Z",
"issuedDateTime": "2099-01-01T00:00:00Z",
"isPrivateDataViewable": false
}
],
"user": {
"firstName": "Secondary",
"lastName": "SampleUser",
"dobStatus": "matched",
"last4Identity": "2222",
"identityType": "ssn",
"userIdentifier": "user-secondary-0002",
"status": "active",
"isPrimaryAccountHolder": false,
"kycStateData": {
"ofacStatus": "passed",
"kycStatus": "passed",
"kycPendingGate": "healthy"
}
}
}
],
"accountCycleDay": 1
},
"responseDetails": [
{
"code": 0,
"subCode": 0,
"description": "Success",
"url": "https://example.documentation"
}
]
}
Refer to the API Reference for additional response schema.
Updated 10 days ago