Sumsub — Identity Verification and KYC for UAE VASPs

Sumsub — Identity Verification and KYC Automation

Category: Compliance Technology Provider Product Focus: Identity verification, KYC automation, document verification, liveness detection, AML screening Relevance: Customer onboarding and verification infrastructure for UAE VASPs implementing KYC/CDD procedures

Platform Overview

Sumsub provides identity verification and KYC/AML compliance automation for financial services and virtual asset firms. The platform automates customer identity verification through document recognition, biometric checks, liveness detection, sanctions/PEP screening, and adverse media monitoring. Sumsub supports global identity documents and provides configurable verification workflows aligned with jurisdiction-specific regulatory requirements.

The platform serves a global client base spanning virtual asset exchanges, payment processors, neo-banks, and gaming companies. For UAE VASPs, Sumsub provides the customer identification and verification infrastructure that forms the foundation layer of the compliance technology stack — sitting alongside blockchain analytics tools (Chainalysis, Elliptic, Crystal Blockchain) that handle on-chain transaction monitoring.

UAE KYC Regulatory Requirements

UAE regulators impose specific KYC and customer due diligence (CDD) requirements that KYC platforms must support. Understanding these requirements is essential for evaluating whether a platform like Sumsub meets regulatory expectations.

VARA KYC Requirements: VARA’s Full Market Product Regulations and the March 2026 AML/CFT/CPF circular establish customer identification and verification requirements for licensed VASPs. These include verifying customer identity using reliable, independent source documents, data, or information; verifying the identity of beneficial owners for corporate customers; and conducting ongoing customer due diligence throughout the business relationship.

ADGM-FSRA Requirements: The ADGM financial services framework requires firms to implement KYC procedures aligned with the ADGM AML Rules. ADGM’s approach follows international best practices and requires identity verification before establishing a business relationship.

DFSA Requirements: The DFSA’s AML module requires authorized firms to verify customer identity and maintain records of identification documents. The DFSA authorization process evaluates the applicant’s KYC framework as part of the licensing assessment.

Federal Requirements: UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and its implementing regulations establish baseline KYC requirements that apply across all UAE jurisdictions, including customer identification, verification, beneficial ownership identification, and ongoing monitoring.

UAE Compliance Applications

Document Verification: Automated verification of Emirates ID, passports, national identity cards, and other government-issued identification documents. Document authentication technology detects altered, forged, or expired documents, supporting the verification requirements in our KYC/CDD procedures guide.

For UAE-based customers, Emirates ID verification is the primary identification method. The platform must be capable of reading and verifying the Emirates ID card, including extraction of the ID number, name, nationality, date of birth, and card expiry date. For international customers, passport verification across a wide range of issuing countries is essential, given the diverse customer base that UAE-based VASPs typically serve.

Liveness Detection: Biometric liveness checks prevent identity spoofing through photo/video replay, deepfakes, or physical masks. This is critical for remote onboarding of virtual asset customers where face-to-face verification is not conducted. Liveness detection technology analyzes facial movements, texture, depth, and other biometric markers to confirm that the person presenting for verification is physically present and matches the identification document.

The importance of liveness detection has increased as deepfake technology has advanced. UAE VASPs conducting remote onboarding must implement liveness checks that can detect sophisticated spoofing attempts, protecting against account opening using synthetic or stolen identities.

Sanctions and PEP Screening: Automated screening of customers against OFAC SDN, UN, EU, and other sanctions lists, plus politically exposed person (PEP) databases. This supports the sanctions screening obligations described in our AML program design guide. Sanctions screening must be conducted at customer onboarding and on an ongoing basis, as new sanctions designations can affect existing customers.

PEP screening is particularly relevant for UAE VASPs given the region’s concentration of high-net-worth individuals with political connections across Gulf Cooperation Council states. When a customer is identified as a PEP, the VASP must apply enhanced due diligence measures including senior management approval for the business relationship, establishment of the source of wealth and funds, and enhanced ongoing monitoring.

Ongoing Monitoring: Continuous monitoring of customer risk profiles against updated sanctions lists, PEP databases, and adverse media sources, supporting the ongoing monitoring obligations in the compliance calendar. Ongoing monitoring ensures that changes in a customer’s risk profile — such as new sanctions designations, PEP status changes, or adverse media coverage — are identified and actioned promptly.

Workflow Configuration: Verification workflows can be configured to match UAE-specific requirements, including Emirates ID verification for UAE residents, risk-based verification intensity calibration, and jurisdiction-specific document acceptance rules. The platform allows compliance teams to define different verification flows for different customer risk categories — for example, a simplified flow for low-risk UAE resident customers and an enhanced flow for customers from FATF high-risk jurisdictions.

Integration with UAE Compliance Programs

Sumsub operates alongside blockchain analytics platforms within the compliance technology stack. While blockchain analytics address on-chain transaction risk, Sumsub addresses the customer identification and verification layer that forms the foundation of the AML compliance program.

The platform supports compliance with travel rule requirements by verifying the identity of originators and beneficiaries in virtual asset transfers. Under the travel rule, VASPs must collect and verify originator information including name, account number, and either address, national identity number, or date and place of birth. KYC platforms provide the infrastructure for collecting and verifying this information at the point of customer onboarding.

A typical integration architecture includes:

1. Customer onboarding flow: Sumsub is embedded into the VASP’s customer registration process, conducting identity verification before the customer can begin transacting
2. Risk-based tiering: Verification results feed into the customer risk assessment, which determines ongoing monitoring intensity and transaction limits
3. Ongoing screening: Customer records are continuously screened against updated sanctions, PEP, and adverse media databases
4. Alert management: When screening identifies a match or risk change, alerts are routed to the compliance team for investigation
5. Record keeping: Verification records are maintained for the regulatory retention period, supporting audit preparation

Cost Context

KYC automation platform costs vary by verification volume, feature set, and document type coverage. For typical cost ranges, see our total cost of compliance model, which estimates KYC platform costs at USD 20,000 to USD 100,000 annually for UAE VASPs.

Cost drivers include per-verification pricing (typically charged per identity check), ongoing screening costs for the existing customer base, document coverage (some document types or countries may incur premium pricing), and enterprise features such as API access, custom workflows, and dedicated support. When evaluating KYC platform costs, VASPs should model their expected customer onboarding volume and ongoing monitoring requirements to generate accurate cost projections.

For the full cost framework, see the cost comparison dashboard and the jurisdiction-specific fee analyses for VARA, ADGM, and DFSA.

Enforcement Context

Enhanced due diligence triggers — PEP status, high-risk jurisdiction nexus, unusual transaction patterns — require robust identity verification infrastructure. The Morpheus Software (Fuze) case demonstrates that AML programme control failures, which include KYC deficiencies, trigger VARA enforcement. In that case, VARA cited failures in AML programme controls, related governance, compliance, and internal systems and controls — a broad category that encompasses KYC infrastructure.

The enforcement register also demonstrates that unlicensed entities — such as Vesta Prime Portal and UAEC Digital Fintech — that operate without any compliance infrastructure, including KYC systems, face cease-and-desist orders and financial penalties. For the full enforcement landscape, see our enforcement action dashboard.

For more information, visit Sumsub. For the licensing processes that establish KYC requirements, see our licensing process section. For regulatory context, see UAE Tokenization Regulations and Dubai Tokenisation.