The no-bull identity verification guide


By Alexey Chudinov, Head of Engineering, Zenoo

The average enterprise spends four to six months evaluating identity verification providers. They sit through dozens of demos, collect feature matrices that all look identical, and eventually pick the vendor whose sales team was most persistent. Six months later, they discover the coverage gaps, the hidden costs, and the integrations that only work in the demo environment. I have watched this cycle repeat for years, and it is getting worse, not better.

The IDV market is now worth over $12 billion globally, with more than 150 vendors competing for attention. Every one of them claims global coverage, sub-second response times, and industry-leading fraud detection. When everyone claims the same thing, the claims become meaningless. What you need is a framework for cutting through the noise and evaluating what actually matters for your specific operation.

This guide is that framework. Not a vendor ranking. Not a feature comparison chart. A practical method for understanding what you are actually buying, what questions to ask, and where the bodies are buried.

The market is full of noise, and that is by design

Identity verification vendors have a structural incentive to make comparison difficult. If you can easily compare providers on objective criteria, the market commoditises and pricing comes under pressure. So instead, every vendor develops its own terminology, its own metrics, and its own way of describing fundamentally similar capabilities.

One provider calls it "document authentication." Another calls it "ID validation." A third calls it "identity proofing." They are all describing the same basic process: checking whether a government-issued document is genuine. But the different terminology makes it harder to compare like with like, which is exactly the point.

The same obfuscation applies to accuracy metrics. Vendors quote pass rates, match rates, verification success rates, and acceptance rates. These sound similar but measure different things. A 98% pass rate might mean 98% of genuine documents are accepted. Or it might mean 98% of all submissions (including fraudulent ones) are processed without error. The difference matters enormously, but the marketing materials rarely clarify which definition is being used.

Here is what actually matters when you are choosing a provider: can you understand exactly what checks are being performed, what data sources underpin them, and how performance varies across the jurisdictions you care about? If a vendor cannot answer these questions clearly, that tells you something important about what happens after you sign the contract.

Every new vendor is another silo your team has to manage

Here is a cost that never appears in any vendor proposal: the operational overhead of running another platform. Every identity verification provider comes with its own dashboard, its own login, its own reporting format, its own alert structure, and its own way of presenting results. Your compliance team has to learn it, monitor it, and reconcile it against your other systems.

For a mid-market financial institution running three to four verification providers (document checks, biometrics, sanctions screening, address verification), that means three to four dashboards open at any given time. Three to four places to check when something goes wrong. Three to four data formats to normalise when producing regulatory reports.

The engineering cost is equally significant. Each provider integration requires dedicated API maintenance, webhook handling, error management, and version tracking. When a provider updates their API (which happens two to three times per year on average), someone on your team needs to assess the changes, update the integration, and test it. Multiply that by four providers and you have a permanent maintenance burden that was never in the original business case.

"We ended up with five different identity verification tools across the business. Each team picked what worked for their use case. Eighteen months later, we had five contracts, five integrations, five sets of credentials to manage, and no single view of a customer's verification status across the organisation. The consolidation project took seven months." — CTO, UK-licensed payments company

The operational cost of vendor sprawl is real, measurable, and almost never discussed during the sales process. When evaluating any new provider, ask yourself: what is the total cost of operating this, not just the per-transaction fee?

How to spot three vendors in a trenchcoat

One of the most persistent fictions in the IDV market is the "full-stack platform." Vendors position themselves as offering everything: document verification, biometric matching, sanctions screening, address validation, fraud signals, ongoing monitoring. A single platform for all your identity needs.

In practice, most of these platforms are composite products. The vendor has built one or two capabilities in-house and licensed or white-labelled the rest from third-party providers. Your document verification might be powered by one company, your biometrics by another, and your sanctions screening by a third. The vendor sits in the middle, adds a unified API, marks up the price, and calls it a platform.

This is not inherently bad. Composition can be a valid architecture. But it becomes a problem when the vendor obscures it. When you do not know which underlying providers are being used, you cannot assess their individual quality, you cannot evaluate concentration risk (you might be using the same underlying biometrics provider through two different vendors without knowing it), and you have no visibility into which component fails when something goes wrong.

There are tell-tale signs. If response times vary significantly between different check types, different providers are likely handling them. If error messages change in format or language between features, different systems are behind the scenes. If the vendor cannot give you detailed, check-level SLAs for each capability, they probably do not control the underlying infrastructure.

Ask directly: which components of your platform are built in-house, and which are provided by third parties? Any vendor worth working with will answer honestly. The ones that deflect or claim everything is proprietary when it clearly is not are the ones you should worry about.

Expensive liveness checks are propping up a broken model

The standard identity verification flow has been essentially unchanged for a decade: the user photographs a government document, takes a selfie, and the system checks whether the face on the document matches the face in the selfie. Layered on top of this are increasingly expensive additions: 3D liveness detection, passive liveness analysis, injection attack prevention, deepfake detection.

Each of these additions addresses a real threat. Deepfakes are now five times more effective at spoofing verification than traditional presentation attacks. Injection attacks bypass camera-based checks entirely. The threats are genuine and growing.

But step back and look at the underlying model. We are asking people to photograph government documents (which can be forged, stolen, or bought on dark web marketplaces for as little as $50) and then spending enormous sums trying to detect those forgeries after the fact. The entire edifice of liveness checks, biometric matching, and anti-spoofing technology exists to compensate for the fundamental weakness of a document-photograph-based verification model.

This is not a controversial observation within the industry. Most senior engineers and product leaders at IDV companies will acknowledge privately that document-based verification is a transitional technology. The question is what replaces it, and how quickly.

The direction is clear: direct authentication against authoritative sources. Government digital identity schemes (eID, digital identity wallets, verifiable credentials) allow verification against the issuing authority rather than against a photograph of a document. The check is: "Does this person's claim match the record held by the authoritative source?" rather than "Does this photograph of a document look genuine?"

When evaluating providers, look at their roadmap for registry-based verification alongside their document capabilities. The vendors that are investing heavily in government scheme integrations, bank-based identity verification, and verifiable credential support are the ones building for where the market is heading. The vendors whose entire innovation pipeline is better liveness detection are treating symptoms rather than causes.

The verification versus storage tension is real, and it is getting harder

The ideal future of identity verification involves minimal data retention. Authenticate against a trusted registry, confirm the result, discard the source data. The individual's biometric data stays with the issuing authority. The verifying organisation holds only a confirmation token. Clean, privacy-preserving, and aligned with the direction of data protection regulation globally.

The regulatory reality is different. AML regulations in most jurisdictions require organisations to retain identity verification records for five to seven years. Under the EU's 6th Anti-Money Laundering Directive and the incoming AMLA framework, firms must be able to demonstrate what checks were performed, what evidence was reviewed, and how the verification decision was reached. In practice, this means storing document images, selfie images, and in some cases biometric templates.

This creates a genuine tension. You are required to collect and store exactly the kind of sensitive personal data that best practice says you should minimise. And the data you are storing (facial images, document scans) is precisely the data that attackers target for identity fraud.

There is no clean resolution to this tension today. But there are better and worse ways to handle it. Providers that offer granular data retention policies (retain the verification decision and its metadata, delete the raw biometric data after a configurable period) give you more flexibility to balance regulatory requirements against data minimisation principles. Providers that store everything indefinitely in their own cloud, with no client control over retention, are creating risk, not managing it.

When evaluating providers, ask specifically: where is biometric data stored, who controls the encryption keys, what are the retention and deletion options, and what happens to your data if you terminate the contract? The answers vary dramatically between providers, and they matter far more than pass rates or response times.
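The granular retention model described above, as an added illustration rather than Zenoo's own code: the decision and metadata are kept for the AML record-keeping period, raw biometric artefacts are purged after a shorter window, and a legal hold suspends both. The two window lengths and the record layout are assumptions.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

@dataclass
class Policy:
    """Retention windows in days per artefact class. Both values are assumptions."""
    decision_days: int = 7 * 365      # keep decision + metadata for the AML record-keeping period
    raw_biometric_days: int = 30      # purge document/selfie images and templates after this

@dataclass
class VerificationRecord:
    customer_id: str
    verified_at: datetime
    decision: str                     # "pass" / "fail": retained until decision_days elapse
    metadata: dict                    # check types, provider, jurisdiction: retained with the decision
    artefacts: dict = field(default_factory=dict)  # artefact name -> storage reference
    legal_hold: bool = False          # overrides every purge while set

def apply_policy(record, policy, now):
    """Return (retained record or None, names of purged artefacts). Does not mutate the input."""
    if record.legal_hold:
        return record, []
    age = now - record.verified_at
    purged, kept = [], record
    if age > timedelta(days=policy.raw_biometric_days):
        purged = sorted(record.artefacts)
        kept = replace(record, artefacts={})     # decision and metadata survive, raw data does not
    if age > timedelta(days=policy.decision_days):
        return None, purged                      # whole record past its retention period
    return kept, purged

def demo():
    """Apply the default policy to four constructed records as of a fixed date."""
    now = datetime(2024, 3, 1)
    base = dict(decision="pass", metadata={"checks": ["document", "selfie"], "jurisdiction": "GB"},
                artefacts={"document_image": "blob://doc", "selfie": "blob://selfie"})
    records = [
        VerificationRecord("c-1", datetime(2024, 2, 25), **base),                  # 5 days old
        VerificationRecord("c-2", datetime(2024, 1, 1), **base),                   # 60 days old
        VerificationRecord("c-3", datetime(2024, 1, 1), legal_hold=True, **base),  # 60 days, on hold
        VerificationRecord("c-4", datetime(2016, 1, 1), **base),                   # past 7 years
    ]
    return {r.customer_id: apply_policy(r, Policy(), now) for r in records}

if __name__ == "__main__":
    for cid, (kept, purged) in demo().items():
        print(cid, "retained" if kept else "deleted", "purged:", purged)
```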

Initial verification is only half the problem

Most of the attention in the IDV market focuses on the onboarding moment: verifying identity when a customer first arrives. But identity risk does not stop at onboarding. People get added to sanctions lists. They become politically exposed. They get convicted of financial crimes. Their businesses get investigated. The identity that was verified as clean on day one can become a compliance exposure on day 100 or day 1,000.

In-life monitoring, the process of continuously checking your existing customer base against evolving risk signals, is where many organisations have significant gaps. The typical approach is periodic batch screening: re-running your customer database against sanctions and PEP lists on a daily or weekly cycle. This catches changes eventually, but the gap between a list update and your next screening run is a window of exposure.

"We had a client who was designated on a sanctions list on a Tuesday. Our weekly batch screening ran on Fridays. For three days, we were processing transactions for a sanctioned entity. The regulator was not impressed by our explanation that our screening schedule was industry-standard." — Head of Financial Crime, European neobank

Real-time monitoring, where your customer base is checked against list changes as they happen rather than on a schedule, is becoming the expected standard. But it is technically challenging and most providers charge significantly more for it. Some charge per customer per year for ongoing monitoring, which can make the economics prohibitive for businesses with large customer bases.

Beyond sanctions and PEP screening, consider adverse media monitoring, corporate structure change detection, and beneficial ownership updates. A customer's risk profile is not static. Your monitoring approach should not be either.
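The exposure window described above, as an added example that is not part of the original article: a constructed customer base is screened against a constructed sanctions-list delta feed under weekly batch, daily batch, and event-driven re-screening, and the code measures how long a newly designated customer stays unflagged under each. Names, timestamps, the Friday batch schedule and the five-minute processing delay are assumptions.

```python
from datetime import datetime, timedelta

# Constructed customer base: id -> name captured at onboarding.
CUSTOMERS = {"c-001": "Alice Example", "c-002": "Bob Sample", "c-003": "Carol Test"}

# Constructed sanctions-list delta feed: (designation timestamp, listed name).
LIST_UPDATES = [
    (datetime(2024, 3, 5, 9, 0), "Bob Sample"),    # Tuesday morning, matches a customer
    (datetime(2024, 3, 7, 16, 30), "Dan Nobody"),  # no customer match
]

def screen(customers, listed_names):
    """Exact-name match for brevity; production screening uses fuzzy matching."""
    return {cid for cid, name in customers.items() if name in listed_names}

def batch_exposure(customers, updates, first_run, period):
    """Seconds each matched customer stays unflagged when screening runs every `period`."""
    exposure = {}
    for designated_at, name in updates:
        next_run = first_run
        while next_run <= designated_at:      # first scheduled run after the designation
            next_run += period
        for cid in screen(customers, {name}):
            exposure[cid] = (next_run - designated_at).total_seconds()
    return exposure

def event_exposure(customers, updates, processing_delay):
    """Seconds of exposure when each list delta triggers an immediate re-screen."""
    exposure = {}
    for _, name in updates:
        for cid in screen(customers, {name}):
            exposure[cid] = processing_delay.total_seconds()
    return exposure

def compare_schedules():
    """Weekly batch (Fridays 02:00), daily batch, and event-driven re-screening on the same feed."""
    friday = datetime(2024, 3, 1, 2, 0)
    return {
        "weekly": batch_exposure(CUSTOMERS, LIST_UPDATES, friday, timedelta(days=7)),
        "daily": batch_exposure(CUSTOMERS, LIST_UPDATES, friday, timedelta(days=1)),
        "event": event_exposure(CUSTOMERS, LIST_UPDATES, timedelta(minutes=5)),
    }

if __name__ == "__main__":
    for mode, exposure in compare_schedules().items():
        print(mode, {cid: f"{s / 3600:.1f}h" for cid, s in exposure.items()})
```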

A practical framework for evaluating providers

After spending years building orchestration infrastructure that integrates with dozens of identity verification providers, we at Zenoo have developed a clear view of what separates good providers from good marketing. Here is the framework we use, and the one we recommend to any compliance or engineering team running an evaluation.

Transparency over features. Can the provider explain exactly what data sources they use for each check type in each jurisdiction? Can they show you the underlying logic, not just the pass/fail output? Providers that treat their verification as a black box are asking you to trust them without evidence. That is not a compliance position.

Jurisdiction-level performance, not global averages. A 99% global accuracy rate is meaningless if accuracy drops to 85% in the three jurisdictions where you do most of your business. Demand performance data at the jurisdiction and document-type level. If the provider cannot supply it, they probably do not measure it.

Total cost of ownership, not per-transaction pricing. The per-check fee is the least important number in a provider evaluation. Integration cost, maintenance overhead, operational tooling requirements, data storage implications, and the cost of eventual migration if the relationship does not work out: these are the numbers that determine your actual spend.

Composability over comprehensiveness. A provider that does three things well and integrates cleanly with specialists for the rest is more valuable than a provider that claims to do everything but delivers mediocre performance across the board. Look for clean APIs, webhook support, and willingness to operate alongside other providers rather than demanding exclusivity.

Data sovereignty and retention control. Where is data processed and stored? Can you control retention periods? What happens to your data on contract termination? These questions are becoming regulatory requirements, not nice-to-haves.

Roadmap alignment. Is the provider investing in registry-based verification, digital identity schemes, and verifiable credentials? Or is their entire roadmap about incremental improvements to document-based checking? The former is building for the next decade. The latter is optimising for the last one.

Run this framework against any provider you are evaluating. The answers will tell you far more than any feature comparison matrix.

Choosing an identity verification provider should not require a six-month project and a consulting engagement. It requires clear criteria, honest questions, and a willingness to look past the marketing. The vendors who welcome scrutiny are generally the ones worth working with. The ones who deflect are telling you something.

If you want to see how Zenoo approaches identity verification orchestration, and how the framework above applies to your specific setup, book a demo. 30 minutes. Your data. No slides.

Alexey Chudinov is Head of Engineering at Zenoo, where he leads the platform team building identity verification orchestration infrastructure.

