TL;DR: SEPBLAC-aligned Video KYC in Spain now requires real-time recording, auditable evidence, and human review in the onboarding flow, according to Sumsub. For identity teams, the shift is not the video itself but the governance burden around proof, oversight, and regulator-ready records.
At a glance
What this is: A real-time identity verification capability for Spain that records the full onboarding session to create auditable, regulator-ready evidence.
Why it matters: IAM and compliance teams must now treat onboarding evidence, operator review, and retention controls as part of the identity control plane, not just a front-end UX step.
Context
Spain’s video-based identity verification requirements turn onboarding into an evidence problem as much as an authentication problem. When identity checks must be recorded, reviewed, and retained, the control question shifts from whether the applicant passed to whether the organisation can prove how the decision was made.
For practitioners running financial services, crypto, payments, or trading onboarding, this creates a tighter link between identity verification, AML evidence, and audit readiness. The governance model now has to cover the recording itself, the operator review step, and the integrity of the stored verification trail.
Key questions
Q: How should teams govern recorded video KYC in regulated onboarding flows?
A: Teams should govern recorded video KYC as a regulated evidence process, not just an identity check. That means preserving the full session, controlling who can review or approve it, and proving the decision path during audit. The process needs retention, access control, and immutable logging aligned to the relevant regulator’s expectations.
Q: Why do human-in-the-loop approvals matter for identity verification?
A: Human-in-the-loop approvals matter because some onboarding regimes require a named reviewer to validate the recorded evidence before acceptance. This improves accountability, but only if the review criteria, reviewer identity, and approval outcome are all logged. Without that, the organisation has a recording but not a defensible governance control.
Q: What breaks when identity evidence is not recorded end to end?
A: When identity evidence is not recorded end to end, the organisation cannot prove how the onboarding decision was made. That weakens auditability, makes disputes harder to resolve, and increases the chance that operators rely on incomplete information. In regulated markets, a missing evidence chain can be treated as a control failure.
Q: What should compliance teams check before scaling video KYC?
A: Compliance teams should check whether the verification record is complete, retained correctly, and restricted to authorised reviewers. They should also confirm that the workflow matches the regulatory model in each market, because a reusable onboarding journey can still fail local evidence requirements if the governance rules do not travel with it.
How it works in practice
Audit trail integrity for identity evidence
An audit trail is only useful if it preserves the full context of the identity decision, including documents, liveness checks, timestamps, and review outcomes. For regulated onboarding, partial logs are not enough because they cannot demonstrate whether the identity test was applied consistently or whether the evidence was altered after submission. The key architectural issue is chain of custody for verification data, not simply data storage. That is what makes the process regulator-ready rather than merely recorded.
Practical implication: validate evidence integrity end to end, including storage permissions, timestamping, and immutable logging where required.
NHI Mgmt Group analysis
Spain’s video KYC requirement is an auditability problem first and an identity problem second. The real change is that onboarding now has to produce defensible evidence, not just a pass or fail outcome. That pushes identity verification into the same governance conversation as AML recordkeeping, operator oversight, and retention control. Practitioners should treat recorded verification as a regulated control surface, not an optional compliance enhancement.
Human review does not replace automation, but it does change where trust is placed. When a verification flow records the session and then asks an operator to approve it, the control objective shifts from algorithmic confidence to review accountability. The failure mode is not simply fraud detection weakness. It is the inability to show that the approval decision was informed by complete evidence and made by a designated reviewer.
Regulator-ready onboarding depends on evidence lineage, not just identity proofing. A recorded session, liveness test, and document capture only matter if the organisation can preserve the full chain of custody and prove the session reviewed is the session approved. That is a governance discipline, not a UI feature. The practitioner implication is to align verification records with audit expectations before scaling onboarding volume.
Recorded identity verification creates a new control boundary between user experience and compliance assurance. The process must remain seamless enough to support conversion, but the control logic cannot be invisible. The market signal is clear: identity verification is being evaluated on evidentiary quality as much as fraud resistance. Teams should expect more jurisdictions to require similar traceability and should design for audit-first onboarding now.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- That gap makes evidence-centric governance relevant beyond secrets, so read NHI Lifecycle Management Guide for the lifecycle controls that keep verification and access states auditable.
What this signals
Regulated onboarding is converging with identity evidence management. As jurisdictions push for recorded verification and named review, identity teams should expect auditability to become a default expectation rather than a special-case control. The practical lesson is to design evidence handling with the same discipline used for privileged access records and other high-risk identity events.
The broader signal is that identity programmes will be judged on traceability, not just fraud outcomes. Teams that can prove who reviewed what, when, and against which evidence will be better positioned when local regulators tighten onboarding requirements across Spain and other EU markets.
For practitioners
- Map verification evidence to audit requirements: Identify exactly which artifacts must be retained for SEPBLAC-style review, including the recorded session, document images, liveness checks, timestamps, and reviewer identity. Confirm that the retained record can reconstruct the decision path without relying on operator memory.
- Separate capture, review, and approval duties: Assign clear responsibility for the person who reviews the video, the person who approves the onboarding decision, and the team that administers the platform. Keep approval logs tied to named reviewers so oversight is demonstrable during an audit.
- Test evidence integrity before go-live: Validate that recordings cannot be altered without detection and that access to stored identity evidence is restricted to authorised roles. Include deletion, export, and retention tests in the control validation process.
- Align onboarding rules across regulated markets: Document which parts of the video KYC flow are Spain-specific and which parts are reusable across other jurisdictions. That prevents control drift when teams reuse the same identity journey in markets with different evidentiary expectations.
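One way to run the integrity test described above and under "Audit trail integrity for identity evidence" is a hash-chained evidence log that binds the capture, review and approval events to the digest of the recording. This is an added example, not code from Sumsub or from this post; the field names, event names and actors are hypothetical, and it assumes the final entry hash is also anchored in write-once storage.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def _digest(body: dict) -> str:
    # Hash a canonical JSON form so key order cannot change the result.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log: list, event: str, actor: str, recording_sha256: str, ts: str) -> None:
    """Append an entry whose hash also covers the previous entry's hash."""
    body = {"event": event, "actor": actor, "recording_sha256": recording_sha256,
            "ts": ts, "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _digest(body)})

def verify_trail(log: list, recording: bytes) -> list:
    """Return a list of findings; an empty list means the trail is consistent."""
    findings, prev = [], GENESIS
    actual = hashlib.sha256(recording).hexdigest()
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            findings.append(f"entry {i}: hash chain broken")
        if entry["recording_sha256"] != actual:
            findings.append(f"entry {i}: {entry['event']} refers to a different recording")
        if not entry["actor"]:
            findings.append(f"entry {i}: {entry['event']} has no named actor")
        prev = entry["hash"]
    if [e["event"] for e in log] != ["capture", "review", "approval"]:
        findings.append("decision path incomplete or out of order")
    elif log[1]["actor"] == log[2]["actor"]:
        # Assumption: review and approval are held by different people.
        findings.append("reviewer and approver are the same person")
    return findings

def build_sample_trail(recording: bytes) -> list:
    # Constructed sample data: actors and timestamps are illustrative only.
    sha = hashlib.sha256(recording).hexdigest()
    log = []
    append_event(log, "capture", "onboarding-service", sha, "2026-06-08T10:00:00Z")
    append_event(log, "review", "reviewer.a", sha, "2026-06-08T10:05:00Z")
    append_event(log, "approval", "approver.b", sha, "2026-06-08T10:07:00Z")
    return log

if __name__ == "__main__":
    video = b"constructed stand-in for the recorded session bytes"
    trail = build_sample_trail(video)
    print(verify_trail(trail, video))   # clean trail
    trail[1]["actor"] = "reviewer.z"    # edit made after the fact
    print(verify_trail(trail, video))   # the edit is reported
```

A plain hash chain only detects edits if the latest entry hash is held somewhere the log's writers cannot change, which is why the anchoring assumption matters.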
Key takeaways
- Recorded video KYC changes onboarding from a simple verification step into a governed evidence process that must survive audit scrutiny.
- The scale of the control challenge lies in preserving the full session, the reviewer decision, and the chain of custody for identity evidence.
- Teams that separate capture, review, and approval now will be better prepared for regulator-ready identity workflows across multiple markets.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while DORA defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Recorded onboarding and reviewer approval are access-control decisions tied to identity evidence. |
| NIST SP 800-63 | | Identity proofing and verification governance are central to recorded onboarding flows. |
| DORA | | Financial and regulated entities need resilient, auditable onboarding evidence processes. |
Treat recorded KYC evidence as part of operational resilience and audit readiness for regulated onboarding.
Key terms
- Video KYC: Video KYC is a remote identity verification process that uses live video, document capture, and review to establish who a user is. In regulated environments, the control value comes from the quality of the evidence trail, not just the successful completion of the check.
- Human-in-the-loop approval: Human-in-the-loop approval is a governance pattern where an operator reviews automated evidence before a decision is finalised. It adds accountability and judgement, but only works when the reviewer sees the full record, the decision criteria are clear, and the approval is logged in a way auditors can verify.
- Chain of custody: Chain of custody is the documented path showing how evidence was collected, stored, accessed, and reviewed. For identity verification, it ensures the organisation can prove the recording has not been altered and that the decision made from it is traceable to the original session.
This post draws on content published by SumSub: New real-time identification recording capability enables auditable, regulator-ready identity verification for businesses operating in the Spanish market. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org