22 min Read
June 3, 2026Key Takeaways
|
$6.6 billion in AML and KYC-related fines were levied against financial institutions in 2023 alone (Traders Magazine). The KYC software you’re evaluating sits directly in the compliance stack that’s supposed to prevent that exposure.
This guide covers nine kyc software providers, ranked by nothing, because the data doesn’t support a single winner. It’s grounded in KYC AML Guide’s independent testing across 13+ vendors. The real question is which platform fits your deployment requirements, risk tolerance, geographic footprint, and budget. The answer differs by buyer.
How KYC AML Guide Tested These Vendors?
KYC AML Guide independently tested 13+ KYC platform providers across four dimensions: fake document acceptance, genuine document acceptance, user experience (web and mobile KYC journeys), and support responsiveness. Support tests ran at odd hours and on public holidays to pressure-test real availability.
Fake document acceptance data reflects the percentage of fraudulent identity documents each vendor accepted as genuine. Compliance certification counts come from a 37-certification audit. Where figures originate from vendors themselves, they are labelled as such.
Feature Matrix: Top KYC Software Providers
| Vendor | Fake Doc Acceptance | Deployment | Document Types | Compliance Certs | Data Retention |
|---|---|---|---|---|---|
| GBG | 0% | Cloud | Not disclosed | Not fully audited | Not disclosed |
| Jumio | 0% | Cloud | 5,000+ | 15 | Not disclosed |
| Shufti | 0% | Cloud, On-Prem, Local Cloud, Hybrid | 10,000+ | 13 | 2 years |
| Onfido (Entrust) | 10% | Cloud | Not disclosed | Not audited (latest cycle) | ~3 years |
| Veriff | 30% | Cloud | 12,000+ | Not audited (latest cycle) | 3 years |
| Trulioo | 70% | Cloud | Not disclosed | Not disclosed | 72 hours |
| Sumsub | 80% | Cloud | 14,000+ | 15 | 5 years |
| Incode | Limited data | Cloud | Not disclosed | Not disclosed | Not disclosed |
| IDnow | Limited data | Cloud | EU-focused | Not disclosed | Not disclosed |
Fake document acceptance: KYC AML Guide testing. Document types, certs, and retention: vendor-reported or KYC AML Guide audit as noted.
KYC Software Providers: Vendor-by-Vendor Analysis
GBG (GB Group)
Founded in 1989 and headquartered in Chester, GBG achieved 0% fake document acceptance in KYC AML Guide testing, tied with Jumio and Shufti for the best result in the pool.
GBG’s primary competitive advantage is database verification depth in UK, EU, and APAC markets. Its enterprise track record spans banking, insurance, utilities, and public sector with a strong reference client base in UK and ANZ.
The structural limitation is geographic reach. GBG’s database-only architecture misses markets with thin bureau coverage: MENA, LATAM, and Southeast Asia, where a market estimate suggests 30–40% of addresses are not reliably covered by database-only approaches. There is no document forensics layer. Support testing returned the lowest rating in the KYC AML Guide vendor pool, with internal coordination failures observed between team members.
Best for: UK, EU, or APAC buyers where GBG’s database depth is the primary requirement and global expansion is not a near-term priority.
Jumio
Jumio achieved 0% fake document acceptance in KYC AML Guide testing, tied with GBG and Shufti. It holds 15 compliance certifications, the joint-highest count in the tested pool, and has processed 1 billion+ transactions (vendor-reported). Gartner Magic Quadrant Leader 2024 (vendor-reported). Notable client references include HSBC, Airbnb, FanDuel, and Binance.
The Identity Graph, 30M+ known identities (vendor-reported), is a genuine differentiator for fraud teams managing repeat fraudsters across merchant networks. Jumio Go provides fast-track verification for previously verified identities. The 360° predictive analytics and no-code rules engine add real value for risk teams running complex multi-signal decisioning.
Backoffice UX is among the most outdated in the tested pool. A steep developer learning curve is noted across multiple independent reviews. Localization issues in LATAM, particularly Brazil, appear in client reviews. Per-feature pricing fragments enterprise costs and makes total cost of ownership hard to forecast without a detailed scope. Language support at 40+ languages (vendor-reported) lags competitors claiming 100–150, which matters for multilingual market coverage.
Best for: Enterprise financial institutions where analyst recognition, deep compliance certification counts, and network-effect fraud intelligence are primary evaluation criteria.
Shufti
Shufti achieved 0% fake document acceptance in KYC AML Guide testing, tied with GBG and Jumio. Its 240+ country and territory coverage with 150+ language support (vendor-reported) is the highest geographic and language reach in the tested pool. It is the only vendor in the tested pool offering on-premises deployment, alongside cloud, local cloud, and hybrid options, a structural differentiator for buyers with data sovereignty requirements.
DHS RIVR 2025 ranked Shufti a top performer in the US federal government’s identity verification benchmark evaluation, with a 98.49% True Accept Rate (vendor-reported from the government evaluation). iBeta Level 3 conformance under ISO/IEC 30107-3 is the highest published presentation-attack detection standard in the tested pool (vendor-reported). KuppingerCole 2025 rated Shufti 79/100 on overall technical capability. Backoffice was ranked #1 in KYC AML Guide testing for transparency, billing visibility, and verification detail. A free tier with no monthly minimums is available (vendor-reported).
The weaknesses deserve the same directness. Data retention at 2 years is materially lower than Sumsub’s 5-year policy, a concrete structural disadvantage for buyers with long-cycle regulatory audit requirements. The 10,000+ active document types (vendor-reported, framed as actively verified in production monthly) falls below Veriff’s 12,000+ and Sumsub’s 14,000+ on raw catalogue count. Compliance certifications at 13 are below the 15 held by both Sumsub and Jumio. Mobile UX ranked below the top 5 in KYC AML Guide mobile journey testing, with responsiveness issues observed on some devices. Brand recognition in Western European and US enterprise procurement cycles lags Sumsub, Jumio, and Veriff. This is a commercial gap, not a technical one.
Shufti’s independently benchmarked non-Latin OCR figures (Arabic 92.17%, Vietnamese 96.79%, CJK 86.87% against Google Vision) are specific to those scripts and reflect a side-by-side benchmark for that vendor. No equivalent cross-vendor test exists in the KYC AML Guide dataset for the same scripts, so these figures describe Shufti’s performance on those languages. They don’t establish where Shufti sits relative to the full vendor pool on OCR.
Best for: Buyers with data sovereignty mandates that require on-premises or local cloud deployment. Also well-suited for global platforms operating in MENA or APAC where non-Latin script verification is a hard requirement, and for cost-sensitive buyers who need pay-as-you-go with no monthly minimums.
Onfido (Entrust)
Acquired by Entrust in 2024, Onfido accepted 10% of fake documents in KYC AML Guide testing, the second-lowest result in the tested pool. Its KYC mobile journey ranked top 3 in KYC AML Guide mobile UX testing. The feature set covers document verification, biometrics, liveness, and AML screening from a single platform.
Pricing scales fast at volume: mid-market buyers have reported significant cost jumps as verification volumes grow. Post-acquisition market uncertainty around product roadmap continuity and support structure is an open question. Verification flow averaged closer to the market mean of ~60 seconds in testing. Non-Latin OCR benchmark data is not publicly available.
Best for: Mobile-first consumer products where onboarding drop-off directly affects activation rates. Also relevant for established fintechs with existing Onfido contracts where switching cost is a real consideration.
Veriff
Founded in 2015 in Tallinn, Veriff accepted 30% of fake documents in KYC AML Guide testing, the third-highest acceptance rate in the pool. It covers 12,000+ document types (vendor-reported), the highest raw catalogue count in the tested pool outside Sumsub. The CrossLinks fraud network shares cross-merchant fraud patterns across Veriff’s client base, providing network-effect value for high-volume consumer platforms. UK DIATF certification is relevant for UK regulated businesses.
The structural weaknesses stack up. Cloud-only on AWS Ireland disqualifies Veriff for data sovereignty requirements. Non-Latin script extraction failures were observed in KYC AML Guide testing despite a claimed 48-language UI: non-Latin support is not reliably verified in production. Veriff blocks China, Vietnam, and Iran, a direct disqualification for global platforms that need those markets. Pricing at $0.80–$2.05/check plus monthly minimums (vendor-reported) carries a mid-contract repricing risk documented in client reviews. KYC AML Guide testing found Veriff’s verification flow to be the longest in the tested pool. CrossLinks creates data lock-in: fraud intelligence accumulated during the contract period is not portable if a client switches vendors.
Best for: Consumer platforms operating primarily in English-language markets where the CrossLinks fraud network adds compounding value over time. Also relevant for buyers where UK DIATF certification is a specific regulatory filter.
Trulioo
Trulioo accepted 70% of fake documents in KYC AML Guide testing, the second-highest acceptance rate in the pool. Its data retention policy is 72 hours (vendor-reported), the lowest of any tested vendor by a large margin. For buyers in jurisdictions requiring extended data preservation for AML audit purposes, 72-hour retention is a structural compliance problem that rules Trulioo out as a primary platform.
Despite these results, Trulioo rated #1 for support in KYC AML Guide testing. Ticketing response, self-initiated follow-ups, and mobile outreach outperformed all other tested vendors. Its database verification coverage across markets where document-based verification carries friction is a genuine differentiator for enterprise buyers running name/DOB-based identity programs.
Best for: Enterprise buyers where procurement support, account management depth, and global database verification coverage are the primary evaluation criteria, and where document forensics is not the primary fraud-detection mechanism.
Sumsub
Founded in 2015 in London, Sumsub accepted 80% of fake documents in KYC AML Guide testing, the highest acceptance rate in the tested pool. This is the most significant data point compliance teams should raise directly with the vendor before advancing a shortlist.
The breadth case for Sumsub is real. It covers 14,000 document types (vendor-reported), the highest raw catalogue count in the tested pool. It holds 15 compliance certifications, joint-highest with Jumio. Its 5-year data retention policy is the strongest in the pool. Gartner recognised Sumsub as a Magic Quadrant Leader for 2024–2025, and Forrester as a Wave Leader Q3 2025 (both vendor-reported). The reusable KYC feature allows verified identities to be reused across connected platforms. Crypto, Web3, iGaming, and neobanking verticals are well-served by the platform’s market depth and compliance posture.
Cloud-only on AWS EU creates the same data sovereignty disqualification as Veriff and Onfido. Non-Latin OCR accuracy is not independently benchmarked. Trustpilot at 1.6/5 at the time of testing was driven primarily by support-related complaints. Monthly minimums of $149–$299/month (vendor-reported) are a constraint for budget-sensitive buyers.
The 80% fake document acceptance rate sits at the top of the tested range. Whether that trade-off against document breadth and analyst validation is acceptable depends on the buyer’s fraud risk profile. For a crypto platform prioritizing reusable KYC and Gartner credibility in enterprise procurement, it may clear the bar. For a regulated bank in a high-fraud market, the same trade-off likely doesn’t.
Best for: Crypto and Web3 platforms that prioritize document breadth, reusable KYC architecture, and analyst-validated compliance posture. Also relevant for iGaming operators with multi-jurisdiction licensing requirements and enterprise procurement processes where Gartner and Forrester positioning is a baseline requirement.
Incode
Incode (founded 2017, San Francisco) rated #2 for support in KYC AML Guide testing, with notably thorough pre-sales due diligence. The vendor verifies the identity of contact form submitters before granting demo access. Strong LATAM market heritage with growing enterprise presence in North America. Biometric and liveness technology is the core architectural strength.
Incode relies on Microblink for document scanning, a third-party dependency that adds audit complexity when regulators probe specific decisions. Multi-year contract lock-ins have been reported in market. Independent performance benchmarks are limited.
Limited independent data available.
Best for: LATAM-focused operations and biometric-heavy use cases where liveness and face verification dominate. Also relevant for enterprise buyers where pre-sales relationship rigor is itself an evaluation signal.
IDnow
IDnow (founded 2014, Munich) is a European market specialist with video-ident capability for high-assurance identity proofing, specifically relevant for German regulated markets where video KYC carries compliance weight. Rated #3 for support in KYC AML Guide testing. Strong EU regulatory market positioning in DACH (Germany, Austria, Switzerland).
Coverage outside EU/DACH is limited relative to global kyc platform providers. Independent data outside European document types is not available in the KYC AML Guide test battery.
Limited independent data available outside EU documents.
Best for: Regulated businesses in Germany, Austria, or Switzerland where video-ident is a compliance requirement. Also relevant for EU financial institutions with eIDAS or DIATF compliance filters.
When to Choose Which Provider: 6 Buyer Profiles?
No vendor wins across all dimensions. These six profiles map the data to specific buyer contexts.
Global fintech with high fraud exposure Fake document rejection is the primary filter. GBG, Jumio, and Shufti all achieved 0% fake acceptance (KYC AML Guide testing). The secondary filter is coverage: GBG’s database architecture limits usefulness outside UK/EU/APAC. Shufti’s 240+ country reach extends further. Sumsub’s 80% fake acceptance is an explicit trade-off against its document breadth, one compliance teams should evaluate directly with the vendor rather than assume away.
European regulated bank with data sovereignty requirements Cloud-only vendors (Sumsub, Veriff, Onfido, Jumio, GBG, Trulioo, and Incode) are structurally disqualified. Shufti is the only vendor in the tested pool offering on-premises, local cloud, and hybrid deployment. IDnow’s EU/DACH depth and video-ident capability are relevant for high-assurance use cases within the EU.
Crypto or VASP platform, multi-jurisdiction Jumio’s Identity Graph accumulates fraud intelligence across merchants. The value compounds with transaction volume. Sumsub’s strong crypto vertical presence and Gartner/Forrester positioning will carry weight in enterprise procurement cycles, though the 80% fake acceptance figure is a risk the compliance function should formally assess. For platforms with MENA or APAC user bases, non-Latin script verification is a filter where the vendor landscape narrows.
Mobile-first consumer product Onfido ranked top 3 in KYC AML Guide mobile UX testing and accepted 10% of fake documents, the second-best result in the pool. For consumer products where onboarding drop-off directly affects activation rates, mobile UX performance matters alongside fraud detection accuracy.
LATAM-first operation Incode is the vendor with explicit LATAM market heritage in this pool. Jumio has documented localization issues in Brazil specifically. Veriff’s market blocks (China, Vietnam, Iran) and CrossLinks lock-in are secondary concerns for LATAM-focused deployments, but the Brazil friction and network lock-in are worth surfacing in procurement.
Enterprise procurement requiring analyst validation Sumsub (Gartner MQ Leader 2024–2025 plus Forrester Wave Leader Q3 2025) and Jumio (Gartner MQ Leader 2024) are the two vendors with named recognition in both major analyst programmes. Shufti’s DHS RIVR 2025 Top Performer result is a US federal government benchmark evaluation, independently validated and worth weighing for buyers whose procurement committees weight government evaluations alongside commercial analyst reports.
The Data Doesn’t Pick a Winner. Your Requirements Do.
Fake document acceptance, deployment flexibility, document catalogue breadth, language coverage, data retention, and compliance certification count don’t move in the same direction across vendors. A platform with 0% fake acceptance may lack the document depth or geographic reach your market requires. A platform with 14,000 document types may accept 80% of the fraudulent ones submitted in testing.
The right KYC software is the one that fits your specific risk profile, regulatory environment, and operational constraints, not the one with the longest feature list or the best analyst brand.
KYC AML Guide’s full testing methodology and individual vendor reviews are available at kycaml.guide.
FAQs
What is KYC software?
KYC (Know Your Customer) software automates identity verification by checking government-issued documents, biometric data, and watchlists against a customer’s claimed identity. Banks, fintechs, crypto platforms, iGaming operators, and other regulated businesses use it as a compliance and fraud-prevention requirement.
What should I look for when comparing KYC software providers?
Fake document acceptance rate, deployment model (cloud vs. on-premises), geographic and document-type coverage, data retention policy, compliance certifications, and UX quality across web and mobile. The relative weight of each factor depends on your regulatory environment and user base.
Which KYC platform providers have the most compliance certifications?
In KYC AML Guide’s 37-certification audit, Jumio and Sumsub hold 15 certifications each, joint-highest in the tested pool. Shufti holds 13. Certification count is a reasonable proxy for compliance program maturity, but it does not predict fake document detection performance: in this dataset, both vendors with the highest cert counts produced different fake acceptance results.
How long should KYC vendors retain verification data?
This varies by jurisdiction and use case. In the tested pool, Sumsub retains data for 5 years (vendor-reported), Shufti for 2 years (vendor-reported), and Trulioo for 72 hours (vendor-reported). Buyers with AML audit requirements should confirm the vendor’s retention policy against their regulatory obligations before signing a contract.
Is there a free KYC software option?
Shufti offers a free tier with no monthly minimums (vendor-reported). Most other KYC software providers in the tested pool charge monthly minimums ranging from $49 to $299 per month (vendor-reported figures, subject to change).
Share
