KYC & compliance
What UR verifies during KYC, the data we collect, and the methods we use.
UR is a regulated financial product. Every end user must complete Know Your Customer (KYC) checks before they can access core banking features such as external transfers, IBANs, debit cards, and FX. This page explains what UR verifies and how each check works. It does not list the exact questionnaire text, which is managed by UR's compliance team and shown to users at runtime through the Sumsub SDK.
For the user-journey view of when each step happens, see The User Lifecycle. For implementation details, including endpoints, status enums, and webhooks, see the Developer Resources section.
What UR verifies
UR verifies five core areas: identity, domicile, account purpose and source of funds, beneficial ownership, and sanctions exposure. Each area is collected through a dedicated check described below.
Identity verification
UR offers three identity-verification methods. NFC is the primary path. Penny transfer and video verification support users who cannot complete an NFC scan.
NFC + liveness
Primary
NFC-capable mobile device
Penny transfer
Fallback for EU/FATF users
Any (bank account required)
Video verification
Reserved fallback
Any (camera required)
NFC scan + liveness check (primary)
The user scans the electronic chip in their biometric passport or national ID through the Sumsub mobile SDK. UR validates the chip data against the document's certificate chain and reads the identity details directly from the chip, including document number, issuing country, name, date of birth, gender, expiry date, MRZ, and photo.
The user then completes a liveness check, a short selfie capture in the SDK that confirms the person is physically present. The live photo is matched against the photo retrieved from the NFC chip. Verification only passes when both the liveness check and the photo match succeed.
NFC scanning requires an NFC-capable mobile device. Web-only platforms cannot complete this step through the Sumsub web SDK. See the note in The User Lifecycle.
Penny transfer (fallback for FATF-jurisdiction users)
For users who cannot complete an NFC scan, UR supports a penny transfer. The user sends a small bank transfer from their personal bank account to their UR IBAN. UR validates the inbound transfer details and uses them as proof of identity, together with the standard liveness check.
Constraints
Same name
Sender name must match the UR account holder. Family-member or business accounts are not accepted.
FATF country
The sender's bank must be in one of the 37 active FATF member jurisdictions, determined from the BIC/SWIFT country code.
Currency
EUR (primary) or CHF. USD is not supported because KYC must be completed before a USD IBAN can be issued.
Amount
Approximately 50 EUR is recommended. There is no enforced minimum; any received amount can be used for validation. Transfers above 250 EUR are accepted, but post-activation account limits may apply.
Eligibility. Penny transfer is only available to users whose bank is in a FATF jurisdiction. Users outside that scope are routed to the NFC flow.
Video verification (reserved fallback)
For users who cannot complete either NFC or penny transfer, for example because they have no NFC-capable device and no FATF-jurisdiction bank account, UR offers a video-verification path coordinated case by case with the support team. Contact UR when a user reaches this state.
Domicile verification (proof of address)
GPS check
Primary
The user confirms that they are at their declared home address. The device captures GPS coordinates, which UR reverse-geocodes and compares with the address provided in the questionnaire.
Document upload
Alternative
When GPS is not viable, the user uploads a document proving residential address.
The GPS check passes when the device location is within the expected proximity of the declared address.
Document type
Government-issued documents, utility bills
Document age
Issued within the last 3 months
Languages
English, German, French, or Italian
Account questionnaire
The questionnaire collects the information UR needs to operate a regulated bank account. The categories are listed below. The canonical question set is configured in Sumsub and presented to the user at runtime.
Eligibility: age (18+), citizenship in non-restricted jurisdictions, US Person status, PEP (politically exposed person) declaration, and acceptance of UR's Terms of Use and Privacy Policy.
Personal information: legal name, date of birth, gender, nationality, residential address, and verified email.
Employment: employment status, job category, and business sector.
Account purpose: the user's intended use of the UR account, such as crypto off-ramp, savings, or investment.
Source of funds: annual income range, total assets range, and source-of-funds category.
Declarations: address-accuracy declaration, deposit-protection acknowledgment, and other regulator-required attestations.
Beneficial ownership declaration (Form A)
A Beneficial Ownership Declaration (Form A) identifies the natural person or persons who ultimately own or benefit from the assets held in the UR account. UR generates the declaration from the user's KYC responses, and the user signs it as part of the KYC flow.
For most individual users, Form A confirms that the user is the beneficial owner of the assets. If another person is the beneficial owner, UR may need to collect that person's required identifying information. Depending on the partner UX, Form A can be handled inside the Sumsub process or integrated as a separate signing step. See Component 4 in The User Lifecycle.
AML & sanctions screening
UR runs automated AML (Anti-Money Laundering) screening throughout the user's lifecycle:
At onboarding: the user is screened against international sanctions lists, PEP lists, and adverse media.
Continuously: users are re-screened periodically to capture list changes after onboarding.
On transactions: specific transactions may trigger additional risk-based checks, such as a step-up liveness check before high-value off-ramps. See
needLivenessCheckin the API reference.
A user who fails sanctions screening, is from an unsupported country, or has an unsupported nationality is rejected during compliance review. The user remains in Tourist status and cannot access core banking features.
When KYC happens
UR runs KYC when a user opens a UR account and continues compliance monitoring throughout the user's lifecycle. After the initial KYC verification, UR may request additional information through ongoing KYC, client enhanced due diligence, or transaction enhanced due diligence depending on the user's profile, activity, and regulatory requirements.
Initial KYC verification
During account opening, before the user can access core banking features
Questionnaire, domicile verification, identity verification (NFC, penny transfer, or video), signed Beneficial Ownership Declaration (Form A), and AML/sanctions screening.
Ongoing KYC
Periodically, or when regulatory refresh rules require updated user information
Refreshed proof of address, updated questionnaire responses, refreshed identity documents, CRS self-certification, or a re-signed Form A.
Client enhanced due diligence
When the user's profile, country, occupation, source of funds, or other risk signals require deeper review
Additional information about account purpose, source of funds, source of wealth, expected activity, supporting documents, or compliance attestations.
Transaction enhanced due diligence
When a specific transaction or activity pattern triggers additional risk-based review
Transaction rationale, supporting documents, additional liveness checks, or other information needed to assess the transaction.
Verification outcomes
KYC results map directly to the user's URID status:
Initial eligibility completed
Tourist
Receive funds (up to 250 USD/EUR), receive partner off-ramp
KYC approved
Live
All banking features: external transfers, IBAN, debit card, FX
Compliance review failed or user rejected
Tourist
Core banking features unavailable
Pending ongoing KYC or enhanced due diligence, deadline missed
SoftBlocked
Money features locked until the open task is completed
For the on-chain status mapping (Tourist=2, Live=5, etc.), see Smart Contracts. For the KYC step machine (FormA -> IDScan -> SignFormA -> Review), see the API reference.
Vendors
Sumsub: primary KYC provider for the questionnaire, document scanning, NFC chip read, liveness check, and document upload.
UR sends the final compliance decision (Pass / Rejected) to you via the kyc_status webhook.
Additional KYC After a User Goes Live
KYC does not end at onboarding. After a user becomes Live, UR may request additional verification when regulatory refresh rules, risk signals, or compliance reviews require updated information. Examples include a proof-of-address refresh, passport re-scan, re-signed Form A, full re-verification, or CRS self-certification. These requests map to the ongoing KYC and enhanced due diligence reviews described in When KYC Happens.
If the user misses the deadline for an open additional KYC task, the user moves to SoftBlocked and money features remain locked until the task is completed.
For partners, additional KYC follows three integration steps:
1. Detect the required task
Poll the account/status endpoints and read kycRetryVerificationLevel, kycCurrentStep, and crsInfo (needCrs, restrictDate, url) to see what the user must complete and by when. Partners can also receive the compliance result proactively via webhook.
Fetch UR Account Information, including the KycRetryVerificationLevel and kycCurrentStep enum tables; per-mode account status with kycFlow and crsInfo in the External Wallet Access Mode API reference
2. Collect and submit the update
Re-initiate the Sumsub flow for the required retry level using isRetryVerification=true and the matching retryLevel, with optional stepType when needed. The user then completes the requested step in the Sumsub SDK. For CRS, direct the user to the crsInfo.url link returned by the status endpoint.
Get Sumsub SDK Token (/api/v1/sumsub/create-access-token) in the External Wallet Access Mode API reference; for external (non-Mantle) networks, Create Sumsub Access Token By Network
3. Receive the decision
UR sends the compliance decision (Pass / Rejected) to your webhook. Partners can also query status again to confirm the latest result.
The retry level in kycRetryVerificationLevel, such as ResetAll, ResetSign, ResetGPS, or RetryVerificationPassport, tells you which data points the user must provide again. See the enum tables in OpenAPIs for the full mapping.
Last updated