KYC (Know Your Customer)
This guide explains how Know Your Customer (KYC) verification works in Green Dot Embedded Finance, how to interpret KYC/OFAC results, and what actions partners should take next. For full request/response schemas for KYC endpoints, use the API Reference for each endpoint.
What is KYC (and why it matters)
Some programs require end users to complete identity verification before they can have a fully activated account. This process is commonly referred to as Know Your Customer (KYC).
KYC results may require additional action (for example, collecting a full SSN or completing document verification) before the user is considered fully verified.
Key concepts and fields
KYC outcomes are represented using three related concepts. These are often returned together and should be interpreted as a set:
- KYC status: the result of identity verification (for example, pending, passed, or failed)
- OFAC status: the result of sanctions screening (for example, pending, passed, or failed)
- Pending gate (next step): what must happen next for the user to complete verification (for example,
kyc2,idv,manual, ornone)
Tip: In your integration, treat status fields as outcomes and pending gate as the next action.
KYC next‑step values (Pending Gate)
Partners will most commonly use the pending gate value (often returned as kycPendingGate) to determine what to do next.
| Pending gate value | Meaning for partners | Typical next action |
|---|---|---|
healthy | Verification complete | Continue the user journey (account can proceed) |
kyc2 | Additional identity info required (full SSN) | Collect full 9‑digit SSN and submit the full KYC request |
idv | Step‑up document verification required | Route the user into document verification (Socure for new implementations) |
manual | Manual review required (often OFAC‑related) | Do not prompt for more info; wait for status update or webhook |
none | Terminal decline (no cure) | Stop onboarding and present an appropriate decline message |
Note: The exact names and locations of these fields in API responses vary by endpoint. Always rely on the API Reference for authoritative field definitions.
How to interpret KYC / OFAC results
Use the following approach after enrollment or any KYC check:
- Read KYC status + OFAC status + pending gate.
- If the pending gate is
healthy, the user is verified. - If the pending gate is
kyc2oridv, route the user into the required next step. - If the pending gate is
manual, the user is under review. - If the pending gate is
none, the user is declined with no cure.
This model keeps your UI and workflows aligned even as verification rules evolve.
SSN validation: production vs non‑production
Production behavior (invalid SSN format)
In production, enrollment requests containing an invalid SSN format may be declined before identity verification is executed.
At minimum, SSNs are structurally invalid if any of the following are true:
- First three digits are
000,666, or in the900–999range - Middle two digits are
00 - Last four digits are
0000
Important: Since June 25, 2011, the SSA uses randomized assignment for SSNs. Do not attempt to validate SSNs using historical group ordering or geographic assumptions.
Non‑production behavior (test SSNs)
Non‑production environments may allow test pseudo‑SSNs to support partner testing, even when those values would not be acceptable in production.
Test SSN prefixes (non‑production only)
In non‑production environments, specific SSN prefixes may be used to trigger common verification outcomes for testing purposes.
These prefixes are for testing only. Do not use them in production.
Current flow: IDV via Socure (recommended for new implementations)
| SSN prefix | KYC | OFAC | Account status | Account reason | Pending gate | Response code | Notes |
|---|---|---|---|---|---|---|---|
10xxxxxxx | Passed | Passed | Normal | Healthy | healthy | 0 | Success |
554xxxxxx | Failed | Pending | Pending | Registration Not Complete | kyc2 | 1 | Cure required |
991xxxxxx | Failed | Passed | Pending | Registration Not Complete | idv | 1 | Cure required |
992xxxxxx | Failed | Failed | Locked | Registration Not Complete | idv | 1 | KYC & OFAC failed, curable |
401xxxxxx | Passed | Failed | Locked | Registration Not Complete | manual | 2 | OFAC match |
451xxxxxx | Failed | Passed | Locked | Registration Failed | none | 2 | No cure |
452xxxxxx | Failed | Passed | Locked | Registration Failed | none | 2 | No cure |
Legacy flow: IDV via IDology (deprecated)
If you are an existing partner still using the deprecated IDology IDV flow, your program may use different test SSN behaviors. Work with your Green Dot onboarding team to confirm applicability.
KYC data requirements (high level)
KYC generally requires:
- Full 9‑digit SSN (to resolve
kyc2) - Name
- Date of birth
- Residential address
Failures are commonly caused by mismatches across identity attributes or invalid SSN structure.
For exact required fields and formats, see the API Reference.
Document verification (IDV) guidance
If the pending gate is idv, the user must complete document verification.
For new partner implementations, document verification is performed via the Socure SDK integration.
- Guide users through an in‑session capture experience
- Avoid photo‑library uploads when possible
- Provide any fraud or risk context supported by your program
Full implementation details can be found in the guide for Socure SDK Integration.
OFAC manual review
The Office of Foreign Assets Control (OFAC) performs sanctions screening.
If the pending gate is manual, the user is under review.
- Do not retry or request additional info unless instructed
- Follow your program’s webhook or polling guidance for updates
Where to find KYC API details (API Reference)
This guide focuses on concepts and workflows.
For schemas, required fields, and full request/response examples, see the API Reference for:
- Create KYC Request
POST /programs/{programCode}/users/{userIdentifier}/kycGates/kyc2
Note on KYC1 vs KYC2: Green Dot supports multiple KYC gates. BaaS partner integrations must use KYC2, which requires a full 9‑digit SSN (or supported alternative identity) and may trigger step‑up document verification. The KYC1 gate is a legacy, limited‑verification flow and is not used for new BaaS onboarding.
- Add ScanCapture Request – Submits Matricula Consular ID images for verification.
POST /programs/{programCode}/kycGates/scanCapture
Related documentation
Please refer to our documentation on Socure SDK Integration for more details on IDV (document verification).
Updated 11 days ago