Online Identity Verification Methods: 5 Types in Australia

Verifying a client’s identity online shouldn’t feel like a tug‑of‑war between compliance, fraud risk and customer experience. Yet many Australian organisations are stuck stitching together point tools, jumping between portals, and second‑guessing what actually satisfies AUSTRAC AML/CTF, TPB proof‑of‑identity, and internal risk policies. Add higher fraud rates, privacy expectations under the APPs, and the pressure to keep conversion high—and it’s easy to over‑engineer checks, under‑mitigate risk, or both.

This guide cuts through the noise. We compare five proven online identity verification methods used in Australia—integrated in‑CRM workflows, document verification with DVS checks, biometric face match with liveness, database and watchlist screening, and knowledge/possession‑based checks like KBA and OTP/MFA. For each, you’ll get a plain‑English explanation of how it works, where it fits against local compliance standards, the strengths and limitations to watch, plus typical costs and integration paths. We’ll also show how an integrated option such as StackGo’s IdentityCheck can streamline KYC/AML straight from your CRM. By the end, you’ll be able to pick a right‑sized, defensible mix for your risk profile and customer journey. First up: the integrated, in‑CRM verification workflow.

1. Integrated, in-CRM verification workflow (StackGo IdentityCheck)

What it is and how it works

An integrated workflow keeps verification inside your CRM, so staff trigger, track and evidence checks without swapping tools. StackGo’s IdentityCheck reads contact details from systems like HubSpot, Salesforce or Xero, runs the requested checks, and writes verified outcomes back to the record. Its Privacy Layer keeps PII out of the CRM and restricts access to MFA‑authenticated admins, with global coverage across 200+ countries and 10,000+ document types. In short, it pulls multiple online identity verification methods into one place.

  • Initiate checks from the contact record.
  • Verify identity and return pass/fail plus metadata.
  • Store an audit trail while shielding raw PII.

Compliance and standards in Australia

IdentityCheck is designed to support AML/CTF and TPB proof‑of‑identity workflows by capturing consent, recording outcomes and timestamps, and reducing manual handling. The Privacy Layer helps teams align with the Australian Privacy Principles by minimising data stored in the CRM and tightly controlling access to sensitive PII.

Strengths and limitations

An integrated approach boosts adoption and consistency while cutting errors from copy‑paste and portal hopping. The level of assurance comes from the checks you select.

  • Strengths: In‑CRM experience; auditability; privacy controls; global coverage; no new software to learn.
  • Limitations: Dependent on source document quality and selected providers; initial configuration required; if a service mandates a specific credential (e.g., a Strong government digital ID), you must use that channel.

Typical costs and integration paths

Pricing is usage‑based per check, so you pay for what you run rather than per seat. Integration is “out‑of‑the‑box” with everyday SaaS CRMs, triggered via buttons, workflows or automations, with results written back to the record and sensitive PII kept behind the Privacy Layer.

2. Document verification (ID scanning and Australian DVS checks)

What it is and how it works

Document verification confirms whether a government ID is genuine and valid. A user scans a passport or driver licence with a smartphone or webcam; software extracts data, inspects security features (MRZ, barcodes, holograms/watermarks), and runs automated fraud checks. For Australian users, details can be checked back to issuer records via the government’s Document Verification Service (DVS) to validate what’s on the credential.

  • Capture and extract data from the document (OCR, barcodes, MRZ).
  • Inspect security features to detect tampering or fakes.
  • Apply business rules (e.g., age, name/address consistency).
  • Optionally confirm with issuer records through the DVS.
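
The extraction and business-rule steps above, shown as an added example (not StackGo's or any vendor's code): it validates the ICAO Doc 9303 check digits on the second MRZ line of a passport and then applies an expiry rule. The function names and the assumption that expiry years fall in 20xx are choices made for this example; the sample line is the fictional specimen from ICAO Doc 9303.

```python
from datetime import date

WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO Doc 9303
# Fictional specimen line from ICAO Doc 9303 (second line of a TD3 passport MRZ).
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

def char_value(ch):
    """Digits keep their value, A-Z map to 10-35, the filler '<' is 0."""
    if "0" <= ch <= "9":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {ch!r}")

def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def validate_td3_line2(line, today):
    """Return the names of failed checks; an empty list means the line passed."""
    if len(line) != 44:
        return ["length"]
    fields = {  # name: (protected characters, check digit)
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    failed = []
    for name, (value, digit) in fields.items():
        try:
            ok = digit in "0123456789" and check_digit(value) == int(digit)
        except ValueError:
            ok = False
        # An unused personal number may carry '<' instead of a check digit.
        if name == "personal_number" and digit == "<" and set(value) == {"<"}:
            ok = True
        if not ok:
            failed.append(name)
    if "expiry_date" not in failed:  # business rule: credential must be current
        try:
            expiry = date(2000 + int(line[21:23]), int(line[23:25]), int(line[25:27]))
            if expiry < today:
                failed.append("expired")
        except ValueError:
            failed.append("expiry_date")
    return failed
```

Passing check digits only show the line is internally consistent; they do not show the document is genuine, which is why the issuer check and security-feature inspection remain separate steps.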

Compliance and standards in Australia

Document checks are a foundation of KYC/AML onboarding and TPB proof‑of‑identity. Many Australian workflows add a DVS “issuer check” to evidence that the credential details match government records. Always obtain express consent before verifying identity documents and retain an auditable trail of what was checked, when, and by whom.

Strengths and limitations

Done well, document verification is fast, consistent and highly scalable—ideal for first‑time/remote onboarding. Its core limitation is that it validates the document, not ownership, so it’s often paired with biometrics for higher assurance.

  • Strengths: Rapid automation; strong fake‑ID detection; works with first‑time customers; issuer‑backed validation via DVS.
  • Limitations: Impacted by poor image quality/lighting; requires frequent template/security updates; does not prove the presenter owns the document.

Typical costs and integration paths

Expect usage‑based pricing per document and per DVS query. Integration options include SDKs/APIs embedded in your web/app, or an in‑CRM connector (e.g., stacking ID scanning plus DVS inside your existing CRM workflow) with results and metadata written back while sensitive PII is access‑controlled.

3. Biometric face match and liveness detection

What it is and how it works

Biometric checks confirm the person presenting an ID is the rightful owner by comparing a live selfie to the document portrait and running liveness detection to ensure a real human is present. Using a phone or webcam, software analyses facial features and detects spoof attempts (e.g., photos, replays, masks).

  • Capture selfie: User records guided selfie images/video.
  • Match to ID: Face is compared to the document photo.
  • Prove presence: Liveness checks confirm the face is real and live.

Compliance and standards in Australia

Biometrics uplift assurance for AML/CTF KYC when paired with document verification. Obtain express consent before capturing photo images and handle biometric data under the Australian Privacy Principles with tight access, minimal retention and audit trails. Note: some government digital identity journeys require a passport to verify a photo for “Strong” identity strength.

Strengths and limitations

Biometrics add ownership proof, closing the gap left by document-only checks, but they demand careful privacy controls and good capture conditions.

  • Strengths: High assurance; non‑transferable; suitable for first‑time/remote onboarding; detects impersonation.
  • Limitations: Needs strong security for biometric data; impacted by lighting/camera; not a standalone identity check—must be tied to an ID.

Typical costs and integration paths

Pricing is typically per biometric session. Integrate via SDKs/APIs in web or mobile apps, or trigger as part of an in‑CRM flow (e.g., alongside document checks) with results written back and raw biometric data restricted behind privacy controls.

4. Database and watchlist screening (KYC/AML)

What it is and how it works

Database screening cross‑checks a customer’s details against authoritative data sources and watchlists to assess financial crime risk. As one of the core online identity verification methods, it’s used for KYC onboarding and ongoing monitoring, comparing names and identifiers to sanctions, politically exposed persons (PEP) lists, adverse media, and government or commercial databases.

  • Collect and normalise data: Name, DOB and identifiers from your CRM or onboarding form.
  • Screen against lists: Sanctions, PEPs, adverse media and other risk databases.
  • Resolve matches: Review potential hits, apply risk rules, and document decisions.
  • Maintain evidence: Store results, reviewer notes and timestamps for audit.
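
The four steps above, as an added example that is not code from StackGo or any screening provider: names are normalised, compared to a watchlist with a similarity threshold, and each screening returns a timestamped record for a reviewer to resolve. The watchlist entries, the 0.85 threshold and the field names are constructed for illustration.

```python
import re
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed entries for illustration; not real sanctions or PEP data.
WATCHLIST = [
    {"id": "S-001", "list": "sanctions", "name": "José Álvarez-Núñez", "dob": "1970-03-02"},
    {"id": "P-014", "list": "pep", "name": "John Smith", "dob": "1965-11-20"},
]

def normalise(name):
    """Strip accents, case, punctuation and word order so variants compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z]+", ascii_only.lower())))

def screen(customer, watchlist=WATCHLIST, threshold=0.85):
    """Return an audit record: outcome 'clear' or 'review' plus scored hits."""
    query = normalise(customer["name"])
    hits = []
    for entry in watchlist:
        score = SequenceMatcher(None, query, normalise(entry["name"])).ratio()
        if score < threshold:
            continue
        # A matching date of birth raises priority; a mismatch suggests a
        # likely false positive, but a reviewer still makes the decision.
        dob_agrees = customer.get("dob") == entry["dob"]
        hits.append({
            "entry_id": entry["id"],
            "list": entry["list"],
            "score": round(score, 3),
            "priority": "high" if dob_agrees else "low",
        })
    return {
        "screened_at": datetime.now(timezone.utc).isoformat(),
        "query": query,
        "outcome": "review" if hits else "clear",
        "hits": hits,
        "reviewer_decision": None,  # filled in when a person resolves the hits
    }
```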

Compliance and standards in Australia

Screening underpins AML/CTF customer due diligence and ongoing monitoring, and is widely recognised as essential for AML and KYC compliance in many industries. Obtain consent, minimise retention, and handle sensitive information in line with the Australian Privacy Principles. Be mindful that effectiveness depends on the availability and quality of regional datasets.

Strengths and limitations

  • Strengths: Essential for AML/KYC; processes large datasets at scale; enables cross‑checking across multiple sources; supports ongoing monitoring.
  • Limitations: Coverage and accuracy vary by region; possible false positives or outdated records; sensitive data handling obligations; can be costly and complex to set up.

Typical costs and integration paths

Pricing is usually per screening (per name, per list) with optional ongoing monitoring fees. Integrate via API/SDK into web or app flows, or trigger checks from your CRM using an in‑platform connector so outcomes and audit trails write back while sensitive data remains access‑controlled.

5. Knowledge- and possession-based checks (KBA, OTP/MFA)

Knowledge- and possession-based checks add quick, low-friction assurance to online identity verification methods. They’re often used as step-up security during risky actions (new device, high-value transfer) rather than as stand-alone identity proofing, and work well alongside document and biometric flows.

What it is and how it works

KBA asks users to answer pre-set or dynamic questions based on personal information, while possession checks prove control of a channel or device using one-time passwords (OTP) via SMS/email, authenticator apps, or hardware tokens. They also help verify contact details and secure account access, including for large transactions.

Compliance and standards in Australia

Obtain express consent before sending verification challenges and keep auditable records of prompts, attempts and outcomes. Treat responses and codes as sensitive, minimise retention, and control access under privacy obligations. KBA generally isn’t suitable for first-time or one-time identity proofing and is best combined with other methods.
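
One way to meet the record-keeping and retention points above for OTP, as an added example rather than any vendor's implementation: the server keeps only a keyed digest of the code, enforces expiry, an attempt limit and single use, and logs each outcome without the code itself. The in-memory `store` and `audit` objects, the limits and `SERVER_KEY` are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 300
MAX_ATTEMPTS = 3
SERVER_KEY = secrets.token_bytes(32)  # assumption: loaded from a secrets manager in production

def _mac(salt, code):
    return hmac.new(SERVER_KEY, salt + code.encode(), hashlib.sha256).digest()

def issue(store, audit, user_id, now):
    """Create a challenge; only a keyed digest of the code is kept."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    store[user_id] = {"salt": salt, "mac": _mac(salt, code),
                      "expires": now + TTL_SECONDS, "attempts": 0}
    audit.append({"user": user_id, "event": "issued", "at": now})
    return code  # handed to the SMS/email sender, never written to a record

def verify(store, audit, user_id, submitted, now):
    """Check a submitted code and log the outcome without logging the code."""
    rec = store.get(user_id)
    if rec is None:
        outcome = "no_challenge"
    elif now > rec["expires"]:
        outcome = "expired"
        del store[user_id]
    elif rec["attempts"] >= MAX_ATTEMPTS:
        outcome = "locked"
    else:
        rec["attempts"] += 1
        if hmac.compare_digest(_mac(rec["salt"], submitted), rec["mac"]):
            outcome = "verified"
            del store[user_id]  # single use
        else:
            outcome = "failed"
    audit.append({"user": user_id, "event": outcome, "at": now})
    return outcome == "verified"
```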

Strengths and limitations

These checks are fast to deploy and familiar to users, but assurance is limited by data quality and disclosure risks.

  • Strengths: User-friendly step-up security; verifies email/phone ownership; quick to roll out.
  • Limitations: KBA is vulnerable to social engineering and breached data; not suitable for first-time or one-time identity proofing on its own.

Typical costs and integration paths

Typically usage-based per event (e.g., per OTP). Integrate via API/SDK in web or mobile, or trigger from CRM workflows so outcomes write back to the record while secrets and raw prompts aren’t stored in the CRM.

Pick the right mix for your risk profile

There’s no single “best” method; assurance comes from layering. Start with document verification (ideally with an Australian DVS issuer check) to validate the credential, add biometric face match with liveness to confirm the presenter owns it, screen databases/watchlists for AML/KYC risk, and use OTP/MFA or selective KBA for step‑up actions. Running this in‑CRM improves adoption, auditability and privacy controls, helping you meet AML/CTF, TPB and APP obligations without derailing conversion.

  • New client onboarding: Document + DVS, add biometrics to confirm ownership, then screen sanctions/PEPs/adverse media.
  • Higher‑risk services or flagged cases: All of the above plus stricter risk rules and ongoing monitoring.
  • Ongoing access or profile changes: OTP/MFA for possession, with targeted re‑verification when risk signals arise.

If you want this without extra portals or manual handling, run it from your CRM. StackGo’s IdentityCheck provides usage‑based checks, a Privacy Layer to shield PII, and out‑of‑the‑box integrations. Explore how it fits your workflow at StackGo.
