Guides
Start typing to search…

KYC

KYC (Know Your Customer) APIs can be used for identity verification purposes.

KYC Overview

Some Green Dot programs/products require users to pass an identity verification process before they can have an account. Regulatory mandates require identification to prevent activities, such as money laundering and fraud. The identity verification process is known as Know Your Customer (KYC).

KYC States

Possible KYC verification outcomes:

  • None: KYC failed with a hard decline and there is no cure
  • KYC2: Full 9-digit SSN required for KYC verification
  • IDV: Escalated for document verification
  • Manual: Referred for OFAC review
  • Healthy: Passed KYC successfully

KYC Social Security Number Validation (SSN)

In non-production environments, development teams may send certain SSN values that trigger particular paths in the KYC validation flow. The tables below lists those prefixes and the behaviors they generate.

The two tables below are separated for different implementations and use cases. The first being our newly improved process for IDV via Socure, and the second for our deprecated process for IDV via IDology provided for some existing partners who need to transition to the new Socure APIs and flow.

IDV via Socure Integration - SSN Validations

📘

The Socure SSN Validation is the latest version tied to our new IDV process and flow for any new partner implementations.

SSN PREFIXKYCOFACAccount StatusAccount ReasonNext Gate/CureResponse CodeSub-Code
451xxxxxxFailedPassedLockedRegistration FailedNone211 – KYC Fail
554xxxxxxFailedPendingPendingRegistration Not CompleteKyc2110 - KYC Cure required.
452xxxxxxFailedPassedLockedRegistration Failednone211 - KYC Failed. No cure available.
401xxxxxxPassedFailedLockedRegistration Not CompleteManual231 – OFAC Match
992xxxxxxFailedFailedLockedRegistration Not CompleteIDV134 - KYC and OFAC Failed. KYC is curable.
991xxxxxxFailedPassedPendingRegistration Not CompleteIDV110 – KYC Cure required.
10xxxxxxxPassedPassedNormalHealthyHealthy0-success

Social security numbers will be evaluated in production prior to validating identity during enrollment. Enrollment requests (POST /programs/{programCode}/enrollments) containing invalid social security numbers will be automatically declined with an Invalid SSN response. This enhancement can lead to higher enrollment success rates for Partners due to the ability to avoid enrollment attempts that will be declined.

Enforcement of these rules is NOT in place in non-production environments, in order to allow partners to use test pseudo-SSN’s.

Deprecated IDV via IDology Integration - SSN Validations

🚧

For any existing partners that are still using our IDology process for IDV through our deprecated IDV Request API, the following SSN Validations are applicable:

SSN PREFIXKYCOFACAccount StatusAccount ReasonNext Gate/CureResponse CodeSub-Code
451xxxxxxFailedPassedLockedRegistration FailedNone211 – KYC Fail
554xxxxxxFailedPassedLockedRegistration FailedNone240 - User must be at least 18 years of age.
452xxxxxxFailedPassedLockedRegistration Failednone211 - KYC Failed. No cure available.
401xxxxxxPassedFailedLockedregistrationNotCompleteManual231 – OFAC Match
992xxxxxxFailedFailedLockedRegistration Not CompleteIDV134 - KYC and OFAC Failed. KYC is curable.
991xxxxxxFailedPassedPendingRegistration Not CompleteIDV110 – KYC Cure required.
10xxxxxxxPassedPassedNormalHealthyHealthy0-success

Invalid Social Security Numbers

📘

This list is dynamic, so social security numbers may be added or removed in the future.

SSN Type Example

Generic

000000000

Generic

111111111

Generic

222222222

Generic

333333333

Generic

444444444

Generic

555555555

Generic

666666666

Generic

777777777

Generic

888888888

Generic

999999999

Generic

123456789

Generic

987654321

Invalid per Social Security Administration

Area, Group, or Serial digits cannot contain all zeros.

• Area: First three digits of SSN.

  • Example: 000-xx-xxxx
    • Group: Next two digits of SSN.
  • Example: Xxx-00-xxxx
    • Serial: Last four digits of SSN.
  • Example: xxx-xx-0000

Invalid per Social Security Administration

Area digits (first three digits) cannot be 666. Example: 666-xx-xxxx

Invalid per Social Security Administration

Group digits (next two digits) are not assigned sequentially. Therefore, they must follow the ordering sequence below:

• 01 – 09 are odd.

  • Example: xxx-01-xxxx, xxx-03-xxxx, xxx-05-xxxx, ….. xxx-09-xxxx
    • 02 – 08 are even.
  • Example: xxx-02-xxxx, xxx-04-xxxx, xxx-06-xxxx, ….. xxx-08-xxxx
    • 11 – 99 are odd.
  • Example: xxx-11-xxxx, xxx-13-xxxx, xxx-15-xxxx, ….. xxx-99-xxxx
    • 10 – 98 are even.
  • Example: xxx-10-xxxx, xxx-12-xxxx, xxx-14-xxxx, ….. xxx-98-xxxx

Invalid

002-28-1852

Invalid

042-10-3580

Invalid

062-36-0749

Invalid

078-05-1120

Invalid

095-07-3645

Invalid

128-03-6045

Invalid

135-01-6629

Invalid

141-18-6941

Invalid

165-16-7999

Invalid

165-18-7999

Invalid

165-20-7999

Invalid

165-22-7999

Invalid

165-24-7999

Invalid

189-09-2294

Invalid

212-09-7694

Invalid

212-09-9999

Invalid

306-30-2348

Invalid

308-12-5070

Invalid

468-28-8779

Invalid

549-24-1889

KYC and IDV Best Practices

📘

Please note we have updated our IDV and CIP processes. This will affect the enrollment process for NEW partners and requires a new Socure SDK Integration. However, many existing partners will still use the IDV best practices and info below.

KYC

Required data fields:

  • Full 9 SSN
  • First and Last Name
  • DOB
  • Residential Address – required fields:
    • Address1, City, State
    • or Address1, Zip Code
    • or Address1, City, State, Zip Code
  • Examples of KYC Hard Fail reasons:
    • Invalid SSN
    • SSN Mismatch
    • COPPA COPPA Alert
    • Address is P.O. Box
    • High Risk or Blacklisted Attribute, such as Email Address, Phone Number, and IP Address (if available)
  • Examples of KYC Soft Fail reasons (eligible for step-up verification via IDV):
    • Name Mismatch
    • DOB/YOB Mismatch
    • Address Mismatch

Potential CIP, OFAC, and IDV Responses

  • CIP Hard Fail
    • Response Code: 2, SubCode: 11 – CIP failed, no cure
    • SubCode: 33 – Same as above row except OFAC also partially matched and account requires manual review
  • CIP Soft Fail > IDV Eligible
    • Response Code: 1, SubCode: 10 – CIP failed, curable via IDV
    • SubCode: 34 – Same as above row except OFAC also partially matched and account requires manual review
  • CIP Soft Fail > IDV Eligible > IDV Pass
    • Response Code: 0 – IDV Pass
  • CIP Soft Fail > IDV Eligible > IDV Needs Resubmission
    • Response Code: 1, SubCode: 23 – ID Not Readable
    • Response Code: 1, SubCode: 21 – ID Invalid
    • Response Code: 1, SubCode: 24 – ID Name Mismatch
  • CIP Soft Fail > IDV Eligible > IDV Fail
    • Response Code: 2, SubCode: 22 – IDV Fail

IDV

  • Acceptable types of ID: Driver’s License and State-Issued ID
    • No need to have user select which ID type they will be submitting in the UI – Green Dot’s 3rd party vendor is able to validate.
  • Acceptable file format: Must be base 64 encoded JPEG.
  • User must submit ID in real-time and should not have the ability to upload photos from their library.
  • User must submit via mobile app for more enhanced security. If you (partner) want to allow via desktop, we ask that you provide fraudData within the Enrollment request (such as the below) for Green Dot to implement additional risk controls:
    • Device ID
    • IP Address
    • isPhoneVerified
    • isEmailVerified
    • Account Tenure
    • Any other data the partner finds helpful for fraud learning and decisioning
  • Definitions:
    • “ID Pass”: ID passed verification.
    • “ID Not Readable”: ID submitted cannot be detected due to blurriness and/or bad image quality; needs to be resubmitted.
    • “ID Invalid: Scenario”: ID submitted has been detected but triggered one or more of the following and needs to be resubmitted.
      • Document missing four corners
      • Document too small
      • Document border too small
      • Face image not detected
      • Barcode not detected
    • “ID Name Mismatch”: Name on ID submitted does not match name on the account and needs to be resubmitted.
    • “ID Fail”: ID failed verification.
  • Limits:
    • 10 IDV submission attempts allowed per account and only “ID Invalid” and “ID Name Mismatch” count toward this threshold, cumulatively. Once threshold is maxed out, the cure is set to ‘none’, and the account will fail registration (if onboarding) or remain blocked (if already passed onboarding).
    • “ID Not Readable” has its own threshold of 3 submission attempts per account. All subsequent attempts that are “ID Not Readable” would result in “ID Invalid” and count toward the above threshold that makes the account eligible for a hard fail.
  • Image Quality:
    • Most optimal image quality is 2048 x 1536 and 90% to allow for the best verification and response times; however, 90-94% image quality is also acceptable as some devices default to a higher percentage.
    • The image quality speaks to the accuracy that the original image is transmitted to Green Dot and our third-party verification vendor. Quality is comprised of attributes like coloration, tone, and sharpness. The larger and more accurate that a photo is, the longer the time it takes to transmit it from the device to Green Dot and our vendor. At the same time, if a photo is on the smaller side, we don’t recommend a higher quality like 96-98% because it will be too sharp.
  • Best Practices for Users:
    • Must submit front and back image of ID.
    • Leave a visible, dark, and solid border around the ID.
    • Take a flat photo. Do not angle or skew.
    • Take a clear picture. Avoid glares and shadows.
    • Disable flash.
    • Center the ID and confirm that all four corners of the document are clearly visible in the image. Note: Recommend partner to input borders into camera view to help user frame the image.

Office of Foreign Assets Control

The Office of Foreign Assets Control (OFAC) is a department of the US Treasury. Their regulations are in place in part to ensure that companies do not unwittingly do business with terrorist organizations or other unsanctioned entities. Compliance with OFAC is critical for US businesses working with overseas partners.

Note: If kycPendingGate is manual, then this will often mean that an OFAC review is required. Once this feature is implemented, accounts with a manual cure can be cleared. This doesn’t affect the API, but it would trigger an accountUpdate alert.

📘

When an account is cleared for OFAC and the account has also passed KYC, then the Account Status will be pending and the kycPendingGate will be healthy.

Top Level Response Codes

📘

The UTC format is the date/time standard that is used across all BaaS APIs.

Code HTTP Status Code Reference Name Description

0

2xx

SUCCESS

The operation was successful.

1

2xx

ACTION_RQD

Follow action or additional information provided. See the Business Rule Response Codes for further details.

2

2xx

ENROLLMENT_FAILED

The operation was successful, but the account is in terminal state.

3

2xx

TRANSFER_DISALLOWED

The transfer failed. See the Business Rule Response Codes for further details.

4

2xx

BUSINESS_OPERATION_FAILED (CARD MANAGEMENT)

The operation failed. See the Business Rule Response Codes for further details.

5

2xx

Account Management

The operation failed. See the Business Rule Response Codes for further details.

6

2xx

Guest Check Out

10

404

NOT_FOUND

Resource not found.

11

200

NO_DATA

Empty list returned.

50

406

DECRYPTION ERROR

An encrypted data block on the payload was not decrypted successfully.

100

400

MALFORMED SCHEMA

The payload could not be loaded.

101

400

INVALID REQUEST

The request was invalid. See the description for details.

200

400

REQUIRED PROPERTY MISSING OR MISSING A VALUE

A required property (object or scalar) is missing. The property must be provided and contain a value for the type.

300

400

INVALID DATA TYPE

The data type is invalid. Example: An integer was expected, but an alphanumeric string was provided.

350

400

INVALID FORMAT

The format of the string or number was invalid.

380

200

N/A

An identity can only be added to a Matricula based enrollment.

400

400

INVALID FIELD LEN

A value was provided that is shorter than the minimum supported length or longer than the maximum supported length.

409

409

CONFLICT

See the Business Rule Response Codes for the specific conflict reason.

500

500

DOWNSTREAM SYSTEM OFFLINE - DO NOT AUTO RETRY

A downstream system is unavailable. It may be offline for an extended or unknown period, so the client should not retry automatically.

503

503

DOWNSTREAM SYSTEM OFFLINE - RETRY

A downstream system is unavailable. It may be transient, so the client may retry automatically.

505

500

DOWNSTREAM SYSTEM HARD FAILURE - DO NOT AUTO RETRY

The transfer failed and the funds were credited back to the source.

506

500

N/A

The transfer failed and the funds have not yet been credited back to the source. Manual inspection required.

600

400

INVALID ENUM VALUE

A value was provided that is not in the set of allowable values.

602

400

N/A

A virtual card only account is not allowed for this product

603

400

N/A

Invalid combination of values in the request

610

400

INVALID AMOUNT

An amount was provided that is not valid.

620

400

INVALID DATE RANGE

A date was provided that is not in the allowable date range.

630

400

INVALID_PROPERTY

A property was provided that was not valid given the context of the request.

640

400

INVALID STRING CHARACTER

An invalid character was provided for a string field.

650

400

Invalid Currency Code

700

400

INVALID DATE FORMAT

Invalid date-format. Must be (ISO_8601): YYYY-MM-DD

720

400

INVALID UTC DATE TIME FORMAT

Invalid date-format. Must be (ISO_8601): YYYY-MMDDTHH:MM:SS.SSSZ

722

400

INVALID GUID

Identifiers must be in GUID format. Must be (RFC-4122): XXXXXXXX-XXXXXXXX-XXXX-XXXXXXXXXXXX where X is a hex digit.

725

400

INVALID DATE TIME FORMAT (non-UTC, timezone unknown)

Invalid date-format. Must be (ISO_8601): YYYY-MMDDTHH:MM:SS.SSS

730

400

INVALID DATE TIME FORMAT (non-UTC, timezone offset known)

Invalid date-format. Must be ISO_8601: YYYY-MMDDTHH:MM:SS.SSS>±hh:mm Timezone offset precision can be from HH to MM.

740

400

INVALID HTTP URL FORMAT

Invalid HTTP URL format. Must follow Internet standard.

750

400

INVALID EMAIL FORMAT

Invalid Email format. Must follow Internet standard.

760

400

INVALID SSN

Invalid SSN

761

400

INVALID ITIN

Invalid ITIN. Must be a 9-digit number that starts with 9.

800

400

Not Supported

Currently used by TestEventWebHook, if a live account is used.

901 to 920

201

MRDC Response Codes

See MRDC Response Codes for further details.

950 to 959

eCash Response Codes / Reference Name

See eCash for more information.

960 to 979

Legacy Disbursement Response Codes / Reference Name

960

2xx

Load Not Allowed

See subcodes below

961

2xx

Load Failed

962

2xx

Validation Failed

963

2xx

Operation Not Allowed

1000

200
201
202
400

VALUE_DOES_NOT_EXIST

Value does not exist in the system. This is usually because an invalid object identifier was provided.

1020

TBD

DUPLICATE TYPE

This type already exists. Example: A second home address was provided.

1040

400

MORE THAN ONE DEFAULT PROVIDED

More than one item in an array was identified as the default.

1041

400

INVALID DEFAULT PROVIDED

1042

400

HOME ADDRESS MISSING

1050

400

NO DEFAULT PROVIDED

isDefault was set to false for all items in an array but there must be at least one default.

1060

2xx

DUPLICATE RESOURCE

The resource already exists based on unique identifiers.

2100

4xx

FAILED TO ENCRYPT

The system failed to successfully encrypt the response payload.

3000- 4050

Bill Pay Response Codes

See Bill Payment Codes for more information.

KYC API Endpoints

Create Full KYC Request

The KYC API allows you to verify users through KYC for the enrollment process.

Endpoint

POST /programs/{programCode}/users/{userIdentifier}/kycGates/kyc2

Sample Response Parameters

FieldDescription
responseDetails,code, subCode,description,urlSee Response Details
kycGateContains the KYC and OFAC status of the User along with further action needed if KYC was not passed.
kycStateDataThe current OFAC and KYC status of the User.
ofacStatusThe last result of running an OFAC check against a User. Results can be pending, passed, or failed. See Office of Foreign Assets Control (OFAC) for details.
kycStatusThe last result of running a User through KYC gate. Results can be pending, passed, or failed. See Know Your Customer (KYC) for details.
kycPendingGatekycGate that the User must pass through to successfully complete the KYC process. Results can be none, kyc2, idv, manual, or healthy.

Business Rule Response Codes

Refer to Business Rule Response Codes for details.

Create IDV request

This endpoint is used to submit a user’s Identification verification information.

Note: When idvRequestType = AccountUpgrade, the KYC API performs some pre-DDA upgrade logic. After the KYC API passes the IDV upload verification, it sends a PN to the partner. After receiving the PN, the partner calls the createPaymentInstrument API, which performs the actual DDA upgrade logic.

🚧

Please note that this API is deprecated for all NEW partners, and is only being used for some existing partner flows. New partners and integrations should utilize the Socure SDK Integration for new IDV flow.

API Call Structure

POST /programs/{programCode}/accounts/{accountIdentifier}/users/{userIdentifier}/kycGates/idv

Request Parameters

FieldDescription
idvRequestTypeType of identity verification request. The default type is “default".
encryptedIdentityDocumentationContains an encrypted string of the User’s identityDocumentation (image of legal identification). See Unencrypted Identity Documentation, below, for details.
versionVersion of encryption algorithm used.
ephemeralPublicKeyBase64 encoded ephemeral public key. Needed for key agreement.
publicKeyHashBase64 encoded SHA-256 hash of the X509 encoded public key bytes used during encryption.
dataBase64 encrypted data of an object or property.

Unencrypted Identity Parameters

Field Description

documentFrontImage

Front image of User’s legal identification.

documentBackImage

Back image of User’s legal identification.

documentCountryCode

Optional. ID’s country of origin Default: USA

If field is populated, it must use the 3 character ISO country code.

documentType

Optional. Default is driversLicense. Type of legal identification submitted (i.e. driversLicense, stateIdCard)

Create ScanCapture Request

This feature allows Partners to submit a Matricula Consular ID image (front and back) for Green Dot to scrape (extract information) and verify. Once the Matricula ID is verified, an onboardingID will be returned.

📘

This API is being used for both new and old IDV flows. Please work with your green dot representative to ensure you are on the correct KYC and IDV flow for your business.

API Call Structure

POST /programs/{programCode}/kycGates/scanCapture

How it works:

  • Call POST programs/{programCode}/kycGates/scanCapture.
  • Include a front and back image of the Matricula ID.
  • Once received, Green Dot will extract information from the ID image, to verify.
  • Upon validation, an onboardingID will be included in the returned response.
  • Include this onboardingID in your POST Enrollments API call, to complete enrollment.

Sample Request Body

{
   "channel":"mobile",-- (Enums:mobile,web,or api)
   “productCode”":”100000”,-- (Optional,if a programCode has only one productCode. Required,
   if a programCode has multiple productCodes.)
   "encryptedIdentityDocumentation":{-- (See unencrypted Identity Documentation below)"
       "version":"string",
       "ephemeralPublicKey":"string",
       "publicKeyHash":"string",
       "data":"string"
   }
}

Unencrypted Identity Documentation

{
   "documentFrontImage":"base64 string",
   "documentBackImage":"base 64 string",
   "documentCountryCode":"MEX",-- (Optional.The default is USA.)
   “documentType"": ""matriculaIdCard" -- (Enums: driversLicense, matriculaIdCard, passport, nationalIdCard or stateIdCard) 
}
📘

Note: These values must be provided if a Mexican Matricula ID is being used. Also note that nationalIdCard is the document type for Passport Cards and Permanent Resident Cards.

Sample Response

{
   "responseDetails":[
      {
         "code":0,
         "subCode":0,
         "description":"string",
         "url":"string"
      }
   ],
   "documentData":{
   	"encryptedIdentityData":{-- (See Unencrypted Identity Data)
               “version": "string",
               "ephemeralPublicKey": "string",
               "publicKeyHash": "string", 
               "data": "string"
         }
        "onboardingID": "2489488423",
        "documentType": "string",
        "templateType": "string",
    }
}

Unencrypted Identity Data

{
   "dateOfBirth":"YYYY-MM-DD",
   "(Requires reformatting and is mapped from the dob included in the Fraud API response)""firstName":"Jack",
   "lastName":"Smith",
   "address1":"string",
   "address2":"string",
   "city":"string",
   "state":"string",
   "zipCode":"string",
   "country":"string",
   "issuanceState":"string",
   "issuanceDate":"YYYY-MM-DD",
   "expirationDate":"YYYY-MM-DD"
}

Response Codes

HTTP Status CodeCodeSubCodeDescription
4002000channel is missing
4002000documentFrontImage is missing
4002000documentBackImage is missing
4006000invalid documentType
2001530invalid front image
2001531invalid back image
2001532invalid country code
2001533bad image detected – retry
2001535onboarding document declined

Updated about 19 hours ago