KYC
Know Your Customer (KYC) APIs can be used for identity verification purposes.
Overview
Know Your Customer (KYC)
Some Green Dot programs/products require users to pass an identity verification process before they can have an account. Regulatory mandates require identification to prevent activities, such as money laundering and fraud. The identity verification process is known as Know Your Customer (KYC).
KYC States
Possible KYC verification outcomes:
- None: KYC failed with a hard decline and there is no cure
- KYC2: Full 9-digit SSN required for KYC verification
- IDV: Escalated for document verification
- Manual: Referred for OFAC review
- Healthy: Passed KYC successfully
KYC Social Security Number Validation (SSN)
In non-production environments, development teams may send in certain SSN values that trigger particular paths in the KYC validation flow. The table below lists those prefixes and the behaviors they generate.
SSN PREFIX | KYC | OFAC | Account Status | Account Reason | Next Gate/Cure | Response Code | Sub-Code |
---|---|---|---|---|---|---|---|
451xxxxxx | Failed (no cure) | Passed | Locked | Registration Failed | None | 2 – Terminal | 11 – KYC Fail |
554xxxxxx | Failed (under age) | Passed | Locked | Registration Failed | None | 2 – Terminal | 40 – Under Age |
452xxxxxx | Failed (no cure) | Failed | Locked | Registration Failed | Manual | 2 – Terminal | 33 – KYC and OFAC Failed (No Cure) |
401xxxxxx | Passed | Failed | Locked | Registration Failed | Manual | 2 – Terminal | 31 – OFAC Failed |
992xxxxxx | Failed (cure) | Failed | Locked | Registration Not Complete | IDV | 1 – Action | 34 - KYC and OFAC Failed (KYC is curable) |
991xxxxxx | Failed (cure) | Passed | Pending | Registration Not Complete | IDV | 1 – Action | 10 – KYC Curable Fail |
10xxxxxxx | Passed | Passed | Normal | Healthy | Healthy | 0 – Success |
Social security numbers will be evaluated in production prior to validating identity during enrollment. POST /enrollments requests containing invalid social security numbers will be automatically declined with an Invalid SSN response. This enhancement can lead to higher enrollment success rates for Partners due to the ability to avoid enrollment attempts that will be declined.
Enforcement of these rules is NOT in place in non-production environments, in order to allow partners to use test pseudo-SSN’s.
Invalid Social Security Numbers
This list is dynamic, so social security numbers may be added or removed in the future.
SSN Type | Example |
---|---|
Generic | 000000000 |
Generic | 111111111 |
Generic | 222222222 |
Generic | 333333333 |
Generic | 444444444 |
Generic | 555555555 |
Generic | 666666666 |
Generic | 777777777 |
Generic | 888888888 |
Generic | 999999999 |
Generic | 123456789 |
Generic | 987654321 |
Invalid per Social Security Administration | Area, Group, or Serial digits cannot contain all zeros. • Area: First three digits of SSN. - Example: 000-xx-xxxx • Group: Next two digits of SSN. - Example: Xxx-00-xxxx • Serial: Last four digits of SSN. - Example: xxx-xx-0000 |
Invalid per Social Security Administration | Area digits (first three digits) cannot be 666. Example: 666-xx-xxxx |
Invalid per Social Security Administration | Group digits (next two digits) are not assigned sequentially. Therefore, they must follow the ordering sequence below: • 01 – 09 are odd. - Example: xxx-01-xxxx, xxx-03-xxxx, xxx-05-xxxx, ….. xxx-09-xxxx • 02 – 08 are even. - Example: xxx-02-xxxx, xxx-04-xxxx, xxx-06-xxxx, ….. xxx-08-xxxx • 11 – 99 are odd. - Example: xxx-11-xxxx, xxx-13-xxxx, xxx-15-xxxx, ….. xxx-99-xxxx • 10 – 98 are even. - Example: xxx-10-xxxx, xxx-12-xxxx, xxx-14-xxxx, ….. xxx-98-xxxx |
Invalid | 002-28-1852 |
Invalid | 042-10-3580 |
Invalid | 062-36-0749 |
Invalid | 078-05-1120 |
Invalid | 095-07-3645 |
Invalid | 128-03-6045 |
Invalid | 135-01-6629 |
Invalid | 141-18-6941 |
Invalid | 165-16-7999 |
Invalid | 165-18-7999 |
Invalid | 165-20-7999 |
Invalid | 165-22-7999 |
Invalid | 165-24-7999 |
Invalid | 189-09-2294 |
Invalid | 212-09-7694 |
Invalid | 212-09-9999 |
Invalid | 306-30-2348 |
Invalid | 308-12-5070 |
Invalid | 468-28-8779 |
Invalid | 549-24-1889 |
KYC and IDV Best Practices
KYC
Required data fields:
- Full 9 SSN
- First and Last Name
- DOB
- Residential Address – required fields:
- Address1, City, State
- or Address1, Zip Code
- or Address1, City, State, Zip Code
- Examples of KYC Hard Fail reasons:
- Invalid SSN
- SSN Mismatch
- COPPA Alert
- Address is P.O. Box
- High Risk or Blacklisted Attribute, such as Email Address, Phone Number, and IP Address (if available)
- Examples of KYC Soft Fail reasons (eligible for step-up verification via IDV):
- Name Mismatch
- DOB/YOB Mismatch
- Address Mismatch
Potential CIP, OFAC, and IDV Responses
- CIP Hard Fail
- Response Code: 2, SubCode: 11 – CIP failed, no cure
- SubCode: 33 – Same as above row except OFAC also partially matched and account requires manual review
- CIP Soft Fail > IDV Eligible
- Response Code: 1, SubCode: 10 – CIP failed, curable via IDV
- SubCode: 34 – Same as above row except OFAC also partially matched and account requires manual review
- CIP Soft Fail > IDV Eligible > IDV Pass
- Response Code: 0 – IDV Pass
- CIP Soft Fail > IDV Eligible > IDV Needs Resubmission
- Response Code: 1, SubCode: 23 – ID Not Readable
- Response Code: 1, SubCode: 21 – ID Invalid
- Response Code: 1, SubCode: 24 – ID Name Mismatch
- CIP Soft Fail à IDV Eligible à IDV Fail
- Response Code: 2, SubCode: 22 – IDV Fail
IDV
- Acceptable types of ID: Driver’s License and State-Issued ID
- No need to have user select which ID type they will be submitting in the UI – Green Dot’s 3rd party vendor is able to validate.
- Acceptable file format: Must be base 64 encoded JPEG.
- User must submit ID in real-time and should not have the ability to upload photos from their library.
- User must submit via mobile app for more enhanced security. If you (partner) want to allow via desktop, we ask that you provide fraudData within the Enrollment request (such as the below) for Green Dot to implement additional risk controls:
- Device ID
- IP Address
- isPhoneVerified
- isEmailVerified
- Account Tenure
- Any other data the partner finds helpful for fraud learning and decisioning
- Definitions:
- “ID Pass”: ID passed verification.
- “ID Not Readable”: ID submitted cannot be detected due to blurriness and/or bad image quality; needs to be resubmitted.
- “ID Invalid: Scenario”: ID submitted has been detected but triggered one or more of the following and needs to be resubmitted.
- Document missing four corners
- Document too small
- Document border too small
- Face image not detected
- Barcode not detected
- “ID Name Mismatch”: Name on ID submitted does not match name on the account and needs to be resubmitted.
- “ID Fail”: ID failed verification.
- Limits:
- 10 IDV submission attempts allowed per account and only “ID Invalid” and “ID Name Mismatch” count toward this threshold, cumulatively. Once threshold is maxed out, the cure is set to ‘none’, and the account will fail registration (if onboarding) or remain blocked (if already passed onboarding).
- “ID Not Readable” has its own threshold of 3 submission attempts per account. All subsequent attempts that are “ID Not Readable” would result in “ID Invalid” and count toward the above threshold that makes the account eligible for a hard fail.
- Image Quality:
- Most optimal image quality is 2048 x 1536 and 90% to allow for the best verification and response times; however, 90-94% image quality is also acceptable as some devices default to a higher percentage.
- The image quality speaks to the accuracy that the original image is transmitted to Green Dot and our third-party verification vendor. Quality is comprised of attributes like coloration, tone, and sharpness. The larger and more accurate that a photo is, the longer the time it takes to transmit it from the device to Green Dot and our vendor. At the same time, if a photo is on the smaller side, we don’t recommend a higher quality like 96-98% because it will be too sharp.
- Best Practices for Users:
- Must submit front and back image of ID.
- Leave a visible, dark, and solid border around the ID.
- Take a flat photo. Do not angle or skew.
- Take a clear picture. Avoid glares and shadows.
- Disable flash.
- Center the ID and confirm that all four corners of the document are clearly visible in the image.
Note: Recommend partner to input borders into camera view to help user frame the image.
Office of Foreign Assets Control
The Office of Foreign Assets Control (OFAC) is a department of the US Treasury. Their regulations are in place in part to ensure that companies do not unwittingly do business with terrorist organizations or other unsanctioned entities. Compliance with OFAC is critical for US businesses working with overseas partners.
Note: If kycPendingGate is manual, then this will often mean that an OFAC review is required. Once this feature is implemented, accounts with a manual cure can be cleared. This doesn’t affect the API, but it would trigger an accountUpdate alert.
When an account is cleared for OFAC and the account has also passed KYC, then the Account Status will be pending and the kycPendingGate will be healthy.
Top Level Response Codes
The UTC format is the date/time standard that is used across all BaaS APIs.
Code | HTTP Status Code | Reference Name | Description |
---|---|---|---|
0 | 2xx | SUCCESS | The operation was successful. |
1 | 2xx | ACTION_RQD | Follow action or additional information provided. See the Business Rule Response Codes for further details. |
2 | 2xx | ENROLLMENT_FAILED | The operation was successful, but the account is in terminal state. |
3 | 2xx | TRANSFER_DISALLOWED | The transfer failed. See the Business Rule Response Codes for further details. |
4 | 2xx | BUSINESS_OPERATION_FAILED (CARD MANAGEMENT) | The operation failed. See the Business Rule Response Codes for further details. |
5 | 2xx | Account Management | The operation failed. See the Business Rule Response Codes for further details. |
6 | 2xx | Guest Check Out | |
10 | 404 | NOT_FOUND | Resource not found. |
11 | 200 | NO_DATA | Empty list returned. |
50 | 406 | DECRYPTION ERROR | An encrypted data block on the payload was not decrypted successfully. |
100 | 400 | MALFORMED SCHEMA | The payload could not be loaded. |
101 | 400 | INVALID REQUEST | The request was invalid. See the description for details. |
200 | 400 | REQUIRED PROPERTY MISSING OR MISSING A VALUE | A required property (object or scalar) is missing. The property must be provided and contain a value for the type. |
300 | 400 | INVALID DATA TYPE | The data type is invalid. Example: An integer was expected, but an alphanumeric string was provided. |
350 | 400 | INVALID FORMAT | The format of the string or number was invalid. |
380 | 200 | N/A | An identity can only be added to a Matricula based enrollment. |
400 | 400 | INVALID FIELD LEN | A value was provided that is shorter than the minimum supported length or longer than the maximum supported length. |
409 | 409 | CONFLICT | See the Business Rule Response Codes for the specific conflict reason. |
500 | 500 | DOWNSTREAM SYSTEM OFFLINE - DO NOT AUTO RETRY | A downstream system is unavailable. It may be offline for an extended or unknown period, so the client should not retry automatically. |
503 | 503 | DOWNSTREAM SYSTEM OFFLINE - RETRY | A downstream system is unavailable. It may be transient, so the client may retry automatically. |
505 | 500 | DOWNSTREAM SYSTEM HARD FAILURE - DO NOT AUTO RETRY | The transfer failed and the funds were credited back to the source. |
506 | 500 | The transfer failed and the funds have not yet been credited back to the source. Manual inspection required. | The transfer failed and the funds have not yet been credited back to the source. Manual inspection required. |
600 | 400 | INVALID ENUM VALUE | A value was provided that is not in the set of allowable values. |
602 | 400 | A virtual card only account is not allowed for this product | |
603 | 400 | Invalid combination of values in the request | |
610 | 400 | INVALID AMOUNT | An amount was provided that is not valid. |
620 | 400 | INVALID DATE RANGE | A date was provided that is not in the allowable date range. |
630 | 400 | INVALID_PROPERTY | A property was provided that was not valid given the context of the request. |
640 | 400 | INVALID STRING CHARACTER | An invalid character was provided for a string field. |
650 | 400 | Invalid Currency Code | |
700 | 400 | INVALID DATE FORMAT | Invalid date-format. Must be (ISO_8601): YYYY-MM-DD |
720 | 400 | INVALID UTC DATE TIME FORMAT | Invalid date-format. Must be (ISO_8601): YYYY-MMDDTHH:MM:SS.SSSZ |
722 | 400 | INVALID GUID | Identifiers must be in GUID format. Must be (RFC-4122): XXXXXXXX-XXXXXXXX-XXXX-XXXXXXXXXXXX where X is a hex digit. |
725 | 400 | INVALID DATE TIME FORMAT (non-UTC, timezone unknown) | Invalid date-format. Must be (ISO_8601): YYYY-MMDDTHH:MM:SS.SSS |
730 | 400 | INVALID DATE TIME FORMAT (non-UTC, timezone offset known) | Invalid date-format. Must be ISO_8601: YYYY-MMDDTHH:MM:SS.SSS>±hh:mm Timezone offset precision can be from HH to MM. |
740 | 400 | INVALID HTTP URL FORMAT | Invalid HTTP URL format. Must follow Internet standard. |
750 | 400 | INVALID EMAIL FORMAT | Invalid Email format. Must follow Internet standard. |
760 | 400 | INVALID SSN | Invalid SSN |
761 | 400 | INVALID ITIN | Invalid ITIN. Must be a 9-digit number that starts with 9. |
800 | 400 | Not Supported | Currently used by TestEventWebHook, if a live account is used. |
901 to 920 | 201 | MRDC Response Codes | See MRDC Response Codes for further details. |
950 to 959 | eCash Response Codes / Reference Name | See eCash for more information. | |
960 to 979 | Legacy Disbursement Response Codes / Reference Name | ||
960 | 2xx | Load Not Allowed | See subcodes below |
961 | 2xx | Load Failed | |
962 | 2xx | Validation Failed | |
963 | 2xx | Operation Not Allowed | |
1000 | 200 201 202 400 | VALUE_DOES_NOT_EXIST | Value does not exist in the system. This is usually because an invalid object identifier was provided. |
1020 | TBD | DUPLICATE TYPE | This type already exists. Example: A second home address was provided. |
1040 | 400 | MORE THAN ONE DEFAULT PROVIDED | More than one item in an array was identified as the default. |
1041 | 400 | INVALID DEFAULT PROVIDED | |
1042 | 400 | HOME ADDRESS MISSING | |
1050 | 400 | NO DEFAULT PROVIDED | isDefault was set to false for all items in an array but there must be at least one default. |
1060 | 2xx | DUPLICATE RESOURCE | The resource already exists based on unique identifiers. |
2100 | 4xx | FAILED TO ENCRYPT | The system failed to successfully encrypt the response payload. |
3000- 4050 | Bill Pay Response Codes | See Bill Payment Codes for more information. |
KYC API Endpoints
KYC API
The KYC API allows you to verify users through KYC as well as submit user Identification verification (IDV) information to Green Dot for verification.
Request Body
{
"idvRequestType":"prerequisite",
"encryptedIdentityDocumentation":{
"version":"string",
"ephemeralPublicKey":"string",
"publicKeyHash":"string",
"data":"string"
}
Request Parameters
Field | Description |
---|---|
idvRequestType | Type of identity verification request. The default type is “default". |
encryptedIdentityDocumentation | Contains an encrypted string of the User’s identityDocumentation (image of legal identification). See Unencrypted Identity Documentation, below, for details. |
version | Version of encryption algorithm used. |
ephemeralPublicKey | Base64 encoded ephemeral public key. Needed for key agreement. |
publicKeyHash | Base64 encoded SHA-256 hash of the X509 encoded public key bytes used during encryption. |
data | Base64 encrypted data of an object or property. |
Unencrypted Identity Parameters
Field | Description |
---|---|
documentFrontImage | Front image of User’s legal identification. |
documentBackImage | Back image of User’s legal identification. |
documentCountryCode | Optional. ID’s country of origin Default: USA |
documentType | Optional. Default is driversLicense. Type of legal identification submitted (i.e. driversLicense, stateIdCard) |
Response Message
If the POST request is successful, the following response message is returned along with a 200 HTTP status code.
Created
Sample Response Body
{
"responseDetails":[
{
"code":0,
"subCode":0,
"description":"operation is successful",
"url":"http://tbd"
}
],
"kycGate":{
"kycStateData":{
"ofacStatus":"pending",
"kycStatus":"pending",
"kycPendingGate":"none"
}
}
}
Sample Response Parameters
Field | Description |
---|---|
responseDetails,code, subCode,description,url | See Response Details |
kycGate | Contains the KYC and OFAC status of the User along with further action needed if KYC was not passed. |
kycStateData | The current OFAC and KYC status of the User. |
ofacStatus | The last result of running an OFAC check against a User. Results can be pending, passed, or failed. See Office of Foreign Assets Control (OFAC) for details. |
kycStatus | The last result of running a User through KYC gate. Results can be pending, passed, or failed. See Know Your Customer (KYC) for details. |
kycPendingGate | kycGate that the User must pass through to successfully complete the KYC process. Results can be none, kyc2, idv, manual, or healthy. |
Business Rule Response Codes
Refer to Business Rule Response Codes for details.
Create IDV for a User
This endpoint is used to submit a user’s Identification verification information.
Note: When idvRequestType = AccountUpgrade, the KYC API performs some pre-DDA upgrade logic. After the KYC API passes the IDV upload verification, it sends a PN to the partner. After receiving the PN, the partner calls the createPaymentInstrument API, which performs the actual DDA upgrade logic.
API Call Structure
POST /programs/{programCode}/accounts/{accountIdentifier}/users/{userIdentifier}/kycGates/idv
KYC Scan Capture
This feature allows Partners to submit a Matricula Consular ID image (front and back) for Green Dot to scrape (extract information) and verify. Once the Matricula ID is verified, an onboardingID will be returned.
API Call Structure
POST /programs/{programCode}/kycGates/scanCapture
How it works:
- Call POST programs/{programCode}/kycGates/scanCapture.
- Include a front and back image of the Matricula ID.
- Once received, Green Dot will extract information from the ID image, to verify.
- Upon validation, an onboardingID will be included in the returned response.
- Include this onboardingID in your POST Enrollments API call, to complete enrollment.
Sample Request Body
{
"channel":"mobile",-- (Enums:mobile,web,or api)
“productCode”":”100000”,-- (Optional,if a programCode has only one productCode. Required,
if a programCode has multiple productCodes.)
"encryptedIdentityDocumentation":{-- (See unencrypted Identity Documentation below)"
"version":"string",
"ephemeralPublicKey":"string",
"publicKeyHash":"string",
"data":"string"
}
}
Unencrypted Identity Documentation
{
"documentFrontImage":"base64 string",
"documentBackImage":"base 64 string",
"documentCountryCode":"MEX",-- (Optional.The default is USA.)
“documentType"": ""matriculaIdCard" -- (Enums: driversLicense, matriculaIdCard, passport, nationalIdCard or stateIdCard)
}
Note: These values must be provided if a Mexican Matricula ID is being used. Also note that nationalIdCard is the document type for Passport Cards and Permanent Resident Cards.
Sample Response
{
"responseDetails":[
{
"code":0,
"subCode":0,
"description":"string",
"url":"string"
}
],
"documentData":{
"encryptedIdentityData":{-- (See Unencrypted Identity Data)
“version": "string",
"ephemeralPublicKey": "string",
"publicKeyHash": "string",
"data": "string"
}
"onboardingID": "2489488423",
"documentType": "string",
"templateType": "string",
}
}
Unencrypted Identity Data
{
"dateOfBirth":"YYYY-MM-DD",
"(Requires reformatting and is mapped from the dob included in the Fraud API response)""firstName":"Jack",
"lastName":"Smith",
"address1":"string",
"address2":"string",
"city":"string",
"state":"string",
"zipCode":"string",
"country":"string",
"issuanceState":"string",
"issuanceDate":"YYYY-MM-DD",
"expirationDate":"YYYY-MM-DD"
}
Response Codes
HTTP Status Code | Code | SubCode | Description |
---|---|---|---|
400 | 200 | 0 | channel is missing |
400 | 200 | 0 | documentFrontImage is missing |
400 | 200 | 0 | documentBackImage is missing |
400 | 600 | 0 | invalid documentType |
200 | 1 | 530 | invalid front image |
200 | 1 | 531 | invalid back image |
200 | 1 | 532 | invalid country code |
200 | 1 | 533 | bad image detected – retry |
200 | 1 | 535 | onboarding document declined |
Updated 9 months ago