Electronic KYC (eKYC) replaces paper-and-pen onboarding with a software-driven flow: the customer captures their identity document and selfie, an API verifies them against authoritative sources, and the result is stored with a signed audit trail. Done well, eKYC takes 30 seconds and produces a stronger compliance record than manual KYC.
Reference architecture
A production eKYC flow has five layers:
- Capture layer — web or mobile SDK that handles camera permissions, image quality scoring, and consent capture.
- Identity layer — NID verification against the Election Commission record.
- Biometric layer — liveness detection and face-match between the selfie and the NID photo.
- Risk layer — sanctions, PEP, adverse-media screening; device and IP risk scoring.
- Record layer — signed verification receipt, retained per regulatory retention period.
Regulatory checklist for Bangladesh
- Explicit consent captured and stored with the verification record.
- NID matched against a source of truth (not just OCR'd and trusted).
- Liveness check sufficient to defeat printed photos and video replays.
- Sanctions/PEP screening at onboarding and continuously thereafter.
- Records retained for at least 5 years from end of relationship.
- Data residency: sensitive personal data of Bangladeshi residents stored in-country where contractually required.
Vendor evaluation criteria
If you're buying an eKYC platform, score vendors on: NID source-of-truth access (not all vendors have it), liveness PAD level (insist on ISO/IEC 30107-3 testing), latency at the p95 (not just average), Bangla OCR accuracy on real Bangladeshi NIDs, audit-receipt format, and pricing model (per-verification vs subscription).
Pitfalls we see repeatedly
- Trusting OCR as identity proof. OCR reads what's on the card; it doesn't prove the card is real or valid.
- Skipping liveness. A photo of a photo defeats face-match alone.
- One-shot screening. Sanctions lists change daily; one-time screening is insufficient.
- No consent receipt. Examiners ask for proof of consent; "we showed them a checkbox" is not proof.
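The record layer and the consent-receipt pitfall above can be made concrete with a tamper-evident receipt for an approved onboarding. This is an added example, not code from the original page or from any vendor; the field names, the `REQUIRED_CHECKS` list, the opaque `subject_ref` and the demo key are assumptions, and HMAC-SHA256 stands in for whatever signature scheme the platform actually uses.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A production record layer would more likely
# sign with an asymmetric key held in an HSM or KMS so verifiers cannot forge receipts.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical check names mirroring the identity, biometric and risk layers.
REQUIRED_CHECKS = ("nid_source_match", "liveness_passed", "sanctions_screened")

def _canonical(body):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def issue_receipt(subject_ref, consent_text, consent_at, checks, issued_at, key=DEMO_KEY):
    """Build a signed receipt; refuse if consent or any required check is missing."""
    if not consent_text or not consent_at:
        raise ValueError("consent text and timestamp are required")
    missing = [c for c in REQUIRED_CHECKS if checks.get(c) is not True]
    if missing:
        raise ValueError("checks not passed: " + ", ".join(missing))
    body = {
        "subject_ref": subject_ref,                   # opaque reference, not the NID number
        "consent_sha256": _sha256_hex(consent_text),  # binds the exact wording shown
        "consent_at": consent_at,
        "checks": {c: True for c in REQUIRED_CHECKS},
        "issued_at": issued_at,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}

def verify_receipt(receipt, consent_text, key=DEMO_KEY):
    """True only if the receipt is unmodified and matches the consent wording on file."""
    try:
        body = receipt["body"]
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        tag_ok = hmac.compare_digest(expected, receipt["hmac_sha256"])
        consent_ok = hmac.compare_digest(body["consent_sha256"], _sha256_hex(consent_text))
    except (KeyError, TypeError, AttributeError):
        return False  # malformed receipt is treated as invalid, never as an error to ignore
    return tag_ok and consent_ok
```

Storing the consent wording (or its version) alongside the receipt lets an examiner recompute the hash and confirm which text the customer actually accepted.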
Ready to build? See the NID verification API and liveness detection.