CANAFE identity verification: what changes for IAM teams now?

TL;DR: Recent CANAFE and LRPC/FAT changes expand identity verification obligations for in-person and online transactions, bringing new regulated sectors into scope while pushing established firms to rethink manual checks, audit trails, and customer onboarding speed, according to OneSpan. Compliance is now an operating model choice, not just a legal checkbox.

NHIMG editorial — based on content published by OneSpan: CANAFE identity verification strategy for going beyond compliance

By the numbers:

• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should organisations handle CANAFE identity verification without slowing onboarding?

A: They should separate the legal trigger from the user experience design.

Q: What breaks when CANAFE verification stays manual?

A: Manual review breaks at scale because it creates inconsistent decisions, longer onboarding, and weak evidence continuity.

Q: How do you know if identity verification is working for compliance?

A: You should measure completion rates, abandonment rates, manual review volume, exception handling, and the quality of retained evidence.

Practitioner guidance

• Rebuild verification around trigger-based policy Define identity checks by transaction type, suspicion signal, and recordkeeping need so the workflow changes when the regulatory context changes.
• Separate authenticity checks from capture checks Use document authenticity controls, biometric match controls, and liveness detection as distinct decision points.
• Treat audit evidence as part of the control itself Keep consent records, verification logs, and retention rules in one governed workflow so an examiner can reconstruct the decision path without manual stitching across systems.

What's in the full article

OneSpan's full research covers the operational detail this post intentionally leaves for the source:

• Document-level guidance on comparing photo ID features, holograms, watermarks, and other authenticity markers
• Implementation detail for passive and active liveness detection in remote identity verification flows
• Operational guidance on consent capture, audit evidence, and record retention for regulated transactions
• Examples of white-label and multichannel identity verification flows for mobile onboarding

👉 Read OneSpan's analysis of CANAFE identity verification and compliance →

CANAFE identity verification: what changes for IAM teams now?

Explore further

View Full Forum →  |  NHI Foundation Course →