Summary Box: Liveness Check
Liveness Check forms a critical aspect without which AML Compliance remains incomplete. Integrating Liveness Check into the AML Compliance systems is crucial as it helps prevent fraud and other financial crimes.
Liveness Check forms the key to identifying the actual presence of a person during digital onboarding by using a combination of biometrics and other factors to ascertain the genuineness of a person to filter out spoof or deepfake attacks.
A Liveness Check is a step in the ID verification process that includes biometric verification, which is used to confirm that the person undergoing digital onboarding (e.g., KYC, AML checks) is a real, live human being and not a static image, video replay, or deepfake.
A liveness check usually uses AI-driven face recognition technology to:
• Detect micro-movements (e.g., eye blinking, head turning, smiling).
• Ensure the captured biometric data (like a live selfie or a face scan) belongs to a live, real person.
• Prevent spoofing attacks (e.g., use of photos, videos, masks, or synthetic identities).
A Regulated Entity (RE) might already have internal policies in place for conducting biometric verification through selfies or video capture. But are they truly sufficient for effective AML/CFT Compliance?
Some of the frequent challenges encountered during Liveness Checks are highlighted below:
The Federal Decree Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025 require REs to establish robust Customer Due Diligence (CDD), which increasingly relies on digital onboarding and remote verification.
Liveness Detection is an integral component used to ensure biometric verification is genuine and not a spoof or fake. Regulated Entities need to make sure that identity verification methods (including biometrics and Liveness Checks) are accurate, tamper-proof, and reliable.
In the UAE, Regulated Entities are also required to follow international standards on customer identification and verification, including FATF guidance and global CDD measures. The FATF Guidance on Digital ID, 2020 emphasises the importance of liveness detection to ensure IDs are not being misused during remote onboarding.
It is pertinent to have a proper understanding of liveness detection as it plays a key role in compliance processes such as conducting CDD, digital onboarding, KYC processes, and frameworks.
The process integrates all the complexities of biometric intelligence, AI-driven analysis, and regulatory data protection to ensure that each verification represents a genuine, live, and real individual.
Liveness Check involves initiating the verification process, performing real-time liveness actions, using AI-driven biometric and pattern analysis, automating verification and risk evaluation, and securing the record-keeping process.
The following steps outline an effective liveness detection workflow:
Step 1: Initiating the Verification Process
In the verification process, the customer is prompted to capture a live selfie or record a brief live video through a mobile or web interface.
This marks the start of biometric data collection and verification, during which facial landmarks, expressions, and surrounding environmental lighting conditions are captured securely.
Systems employing risk-based KYC typically adapt the capture mode, such as passive or active liveness, based on customer risk tier or transaction type.
Step 2: Performing Real-Time Liveness Actions
Once the capture is made, active liveness mode provides certain on-screen instructions for confirming that the biometric capture represents a live individual rather than a spoof attempt.
These prompts include blinking, smiling, or turning the head slightly to the left or right. This helps in detecting natural micro-movements, depth cues, and texture changes that cannot be replicated or manipulated using photographs, masks, or pre-recorded videos.
In the case of passive liveness modes, these signals are captured automatically without requiring the user to respond to any prompts. This considerably improves the customer experience while maintaining accuracy and assurance.
Step 3: Analysing AI-Driven Biometrics and Patterns
Once active or passive liveness mode is implemented, the visual data is captured. Advanced machine learning (ML) algorithms process the information further by verifying and identifying characteristics indicative of a live person.
Aspects such as movement, reflectivity, skin texture, and depth are analysed, which help in differentiating real human faces from fake, synthetic, or manipulated data.
Integrating anti-deepfake and spoof-detection features helps in strengthening accuracy by recognising anomalies such as uniform lighting, flat surfaces, or digital artefacts.
Step 4: Automating Verification and Risk Evaluation
The data obtained from the modes is then used to generate results in real time. The API generates a confidence score based on the detected biometric signals, indicating whether the individual is likely to be real.
The score is matched with the individual’s identification document or stored biometric template. If the score meets or exceeds the acceptance threshold, verification is approved automatically.
In cases of uncertain or inconsistent data, the system automatically initiates manual review, where compliance officers assess the captured evidence for authenticity and risk.
Step 5: Securing Record Keeping
Once the verification process is completed successfully, the system logs the outcome and confidence score in a secure audit trail. These logs are encrypted and stored safely in accordance with UAE data protection and AML regulations for further use.
Liveness detection has become an essential part of digital identity verification. There are several operational, technical, and compliance-related challenges faced by REs during implementation.
These challenges include accuracy and false rejection, environmental and device variability, spoofing and deepfake threats, regulatory and data compliance, integration and operational complexity, accessibility, monitoring, and audit preparedness.
The challenges are outlined as follows:
One of the major challenges is maintaining a balance between the False Rejection Rate (FRR) and the False Acceptance Rate (FAR).
A high FRR can disrupt customer onboarding, while a high FAR may weaken fraud detection and control. Variations in lighting, facial expressions, and other subtle differences can cause genuine users to be misidentified and rejected, which can erode trust.
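The FAR/FRR trade-off above, and the acceptance threshold and manual-review routing described in Step 4, can be measured on a labelled evaluation set. The following is an added example, not code from this page or from any vendor; the scores, the `review_floor` parameter and the "reject" outcome are constructed assumptions.

```python
from collections import Counter

# Constructed liveness scores from a labelled evaluation run (not real data).
GENUINE = [0.97, 0.95, 0.93, 0.91, 0.88, 0.86, 0.82, 0.74, 0.66, 0.58]
SPOOF = [0.12, 0.20, 0.31, 0.35, 0.44, 0.52, 0.61, 0.70, 0.79, 0.90]
SAMPLES = [(s, True) for s in GENUINE] + [(s, False) for s in SPOOF]


def far_frr(samples, threshold):
    """FAR: share of spoof attempts accepted. FRR: share of genuine users rejected."""
    genuine = [s for s, live in samples if live]
    spoof = [s for s, live in samples if not live]
    far = sum(s >= threshold for s in spoof) / len(spoof)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(samples, max_far):
    """Lowest observed score usable as a threshold with FAR <= max_far.

    FAR only falls as the threshold rises, so the first hit also has the
    lowest FRR. Returns None when no observed score satisfies the cap.
    """
    for t in sorted({s for s, _ in samples}):
        far, frr = far_frr(samples, t)
        if far <= max_far:
            return t, far, frr
    return None


def route(score, accept, review_floor):
    """Approve at or above `accept`; send the uncertain band to manual review.

    `review_floor` and the "reject" outcome are assumptions of this example.
    """
    if score >= accept:
        return "approve"
    return "manual_review" if score >= review_floor else "reject"


def outcomes(samples, accept, review_floor, live=True):
    """Count routing outcomes for genuine (live=True) or spoof samples."""
    return Counter(route(s, accept, review_floor)
                   for s, is_live in samples if is_live == live)


if __name__ == "__main__":
    for cap in (0.10, 0.0):
        print(cap, pick_threshold(SAMPLES, cap))
    print(outcomes(SAMPLES, 0.82, 0.60), outcomes(SAMPLES, 0.82, 0.60, live=False))
```

On this constructed set, tightening the FAR cap from 10% to 0% raises the FRR from 30% to 60%, which is the onboarding cost the manual-review band is meant to absorb.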
Poor lighting, low bandwidth, or low-quality cameras can often lead to unreliable results and repeated verification failures.
Implementing adaptive technology that can be consistent and reliable across varied environments and device types remains a technical issue.
Fraudsters continue to evolve and use advanced techniques such as photo replays, 3D masks, and deepfakes to bypass liveness detection. Basic motion or texture-based models alone may be insufficient.
Keeping up with such advances requires ongoing training and continued improvement in detection technology.
UAE AML/CFT and data protection regulations demand strict handling of biometric data that includes consent, retention, encryption, and residency.
Ensuring vendor alignment with these regulatory requirements remains a persistent challenge.
Seamlessly integrating liveness detection with existing systems can be challenging and requires experts who can work on compatibility between the two.
Technical mismatches, identity theft, data loss/corruption, API issues, cyberattacks, or inconsistent decision logic can cause delays and increase manual review workloads.
When active detection is used, users with disabilities or limited digital literacy can struggle with the prompts, so inclusive design and accessibility support need to be incorporated.
Complex procedures can frustrate clients and become a barrier to authenticating and onboarding.
Many Regulated Entities lack robust monitoring systems or incident response mechanisms.
Incomplete logs and unstructured audit trails make it difficult to demonstrate compliance or investigate suspected spoofing/fraud cases efficiently.
Regulated Entities should ensure they are maintaining robust and compliant liveness detection systems as a strategic priority.
Liveness detection synchronises with AML/CFT/CPF measures by ensuring only genuine, live individuals are verified during digital onboarding and CDD.
The best practices for Liveness Check include adopting a risk-based verification, ensuring regulatory governance, monitoring performance metrics, strengthening anti-spoofing and fraud mechanisms, and enhancing accessibility and user mechanisms.
In addition to this, Regulated Entities must begin investing in compliance team training, establishing a robust monitoring and incident response system, and documenting and conducting audits at every stage.
Regulated Entities must ensure that the verification framework is designed based on customer risk profiles as part of the Risk-Based Approach.
This means that low-risk users must undergo passive liveness checks, while medium-risk clients and high-risk categories such as Politically Exposed Persons (PEPs) or large-value transactions should trigger active liveness verification.
AML, KYC, and data protection requirements issued by authorities such as the CBUAE, Ministry of Economy and Tourism (MoET) and the Ministry of Justice (MoJ) must be reviewed regularly for any amendments and updates.
Data Protection Impact Assessments (DPIAs) must be conducted under the . Maintaining clear consent records and conducting periodic security audits are essential to demonstrate compliance readiness.
Establishing measurable key performance indicators such as , etc., and tracking these indicators across customer segments and devices is necessary, as it helps in detecting anomalies.
Automated systems and alerts must be in place to support prompt corrective actions.
Multiple detection layers like texture, depth, motion, and device attestation must be combined and used to counter fraud/spoofing attempts. Anti-deepfake models must be updated regularly, and simulated attack tests should be conducted to validate system robustness.
Adaptive prompts and randomised challenges must be incorporated into the system. To ensure accuracy and effectiveness of the system, regular retraining and testing of liveness models against emerging threats such as deepfakes, synthetic IDs, and 3D mask attacks must be conducted.
An overly rigid liveness process can deter legitimate customers and hinder onboarding. There must be a balance between security and convenience. Providing clear on-screen guidance, localised prompts (Arabic and English), and retry support is necessary to reduce drop-offs.
Additional accessibility features for users with physical or cognitive limitations must be provided to enhance the user experience. Compatibility across diverse devices and bandwidth conditions must be ensured for ease of use.
Manual reviewers act as the second line of AML defense. Structured training should be provided to the compliance teams, which enables them to identify biometric inconsistencies, review audit trails, and escalate suspicious activities and patterns.
Clearly defined Standard Operating Procedures (SOPs) must be in place, which are aligned with the organisation’s AML policies, ensuring traceability and regulatory audit readiness. Training should cover fraud detection cases and red flags, documentation practices, and escalation protocols.
Liveness data should be integrated into an AML monitoring system, which could help in identifying unusual patterns such as multiple failed verifications from the same device, IP anomalies, or repeated spoofing attempts.
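One way to express the monitoring rule above as detection logic, as an added example that is not part of the original page: it flags devices whose failed or spoofed verifications cluster inside a sliding time window. The event layout, result values and thresholds are constructed assumptions, and the distinct-identities rule is an added signal that goes beyond the patterns named in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed liveness events: (timestamp, device_id, customer_id, result).
# Field layout and the result values "pass"/"fail"/"spoof" are assumptions.
EVENTS = [
    ("2025-01-10T09:00:00", "dev-A", "cust-1", "fail"),
    ("2025-01-10T09:05:00", "dev-A", "cust-1", "fail"),
    ("2025-01-10T09:09:00", "dev-A", "cust-1", "pass"),
    ("2025-01-10T10:00:00", "dev-B", "cust-2", "fail"),
    ("2025-01-10T10:04:00", "dev-B", "cust-3", "spoof"),
    ("2025-01-10T10:10:00", "dev-B", "cust-4", "spoof"),
    ("2025-01-10T10:20:00", "dev-B", "cust-5", "fail"),
    ("2025-01-10T08:00:00", "dev-C", "cust-6", "fail"),
    ("2025-01-10T11:00:00", "dev-C", "cust-6", "fail"),
    ("2025-01-10T15:00:00", "dev-C", "cust-6", "fail"),
]


def flag_devices(events, window=timedelta(minutes=30),
                 min_failures=3, min_identities=3, min_spoofs=2):
    """Return {device_id: sorted reasons} for devices whose non-pass events
    cluster inside one sliding time window. Thresholds are illustrative."""
    by_device = defaultdict(list)
    for ts, device, customer, result in events:
        if result != "pass":
            by_device[device].append((datetime.fromisoformat(ts), customer, result))

    alerts = {}
    for device, fails in by_device.items():
        fails.sort()
        reasons, start = set(), 0
        for end in range(len(fails)):
            # Shrink the window until its oldest event is within `window` of the newest.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            recent = fails[start:end + 1]
            if len(recent) >= min_failures:
                reasons.add("repeated_failures")
            if len({c for _, c, _ in recent}) >= min_identities:
                reasons.add("multiple_identities")
            if sum(r == "spoof" for _, _, r in recent) >= min_spoofs:
                reasons.add("repeated_spoofing")
        if reasons:
            alerts[device] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    print(flag_devices(EVENTS))
```

In the constructed data, dev-A (a genuine user retrying) and dev-C (three failures spread over seven hours) stay below the thresholds, while dev-B trips all three rules within twenty minutes.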
An incident response framework for suspected fraud should be maintained, including evidence preservation, account freezing, and internal reporting to the MLRO or compliance officer. Periodic drills are important to strengthen institutional readiness against emerging threats.
In case of audits and regulatory inspections, REs must maintain proper and detailed documentation of verification methods, vendor assessments, decision rules, and score logs.
Audit trails must be timestamped, encrypted, and stored securely. Such audit readiness for regulatory inspection is important, as it helps build institutional credibility, resilience, and trust.
As digital onboarding and eKYC become more common, liveness detection becomes an essential tool for verifying a genuine customer’s identity and preventing identity fraud/spoofing.
However, despite regulatory expectations and available tools, there are several challenges that institutions continue to face, such as fragmented biometric verification frameworks and integration challenges that hinder overall AML/CFT/CPF compliance efficiency.
Citadel365 helps organisations with these operational and compliance pain points by promising to deliver intelligent, customisable, and regulatory-aligned liveness check solutions that enhance accuracy, efficiency, and user experience.
Regulated Entities in the UAE often end up missing out on incorporating Liveness Check due to variability in the environment and devices, complexities in integration and operation, and accessibility issues.
In order to overcome these challenges, Regulated Entities need to rely on tailored solutions and methodologies to conduct a comprehensive Liveness Check. This facilitates uncovering the risks associated with spoofing and deepfakes and ensures the genuineness of each customer or client, and applies the commensurate risk mitigation measures.
Arjun is the Co-founder and CEO of Citadel, where he leads the company’s vision across technology, business, and regulations. He brings over a decade of experience in building and scaling technology ventures. Arjun holds a B.Tech. in Information Technology and a Master’s in Management, supported by his certification as a Financial Crime Specialist, an uncommon combination that allows him to balance innovation with regulatory requirements.
Having advised leading banks and financial institutions on digital solutions and compliance technology, Citadel continues to grow with an ambition.