Notifications
Clear all
Topic starter
22/06/2026 10:04 am
TL;DR: Proof of address checks remain a core KYC and AML control, but the article shows how document fraud, synthetic addresses, and app-based manipulation are making manual review less reliable, according to Sumsub. That shifts PoA from a paperwork exercise to a broader identity assurance problem that demands stronger automation and risk-based decisioning.
NHIMG editorial — based on content published by Sumsub: Proof of Address: Accepted Documents, Verification Methods, and KYC Best Practices (2026)
Questions worth separating out
Q: How should security teams verify proof of address in high-risk onboarding flows?
A: Use a risk-based model that combines document checks, source reliability, and cross-signal validation.
Q: Why do fake addresses still pass KYC review?
A: They pass when review focuses on visible formatting instead of provenance and consistency.
Q: What breaks when proof of address is treated as a box-ticking exercise?
A: The organisation loses the ability to distinguish real residency from manipulated evidence, which weakens onboarding decisions and downstream risk scoring.
Practitioner guidance
- Define jurisdiction-specific PoA acceptance rules Map which documents are valid in each market, which sources are preferred, and when separate identity and address evidence must be used.
- Correlate PoA with other identity signals Compare address evidence against device location, phone country code, tax residency, prior account history, and transaction patterns.
- Inspect provenance before content Check whether the file is an original PDF, a flattened image, a screenshot, or a document with stripped metadata.
What's in the full article
Sumsub's full article covers the operational detail this post intentionally leaves for the source:
- Regional document examples for the US, UK, EU, and APAC that help compliance teams tune acceptance rules
- Detailed examples of accepted and rejected proof-of-address documents, including why some documents fail
- Step-by-step guidance on automated PoA verification, including non-doc checks and geo-based validation
- Practical handling guidance for rejected documents when the issue is genuine versus when fraud is suspected
👉 Read Sumsub's full guide to proof of address documents and KYC checks →
Proof of address verification: are KYC controls keeping up?
Explore further
22/06/2026 10:48 am
Proof of address has become an identity assurance control, not a formality. The article shows that PoA now affects whether a customer can be trusted at all, because address evidence feeds KYC, AML, and jurisdictional risk decisions. That means the control has to be treated as part of the identity lifecycle, not a one-off onboarding checkbox. Practitioners should govern PoA as a risk signal with defined decision thresholds.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how often identity evidence persists after it should have been retired.
A question worth separating out:
Q: When should organisations use non-document proof of address instead of bills?
A: Use non-document verification when trusted data sources are available and the organisation has clear rules for source quality, exception handling, and audit evidence. It is most useful where paper documents are weak, inaccessible, or easily forged, but it must still be governed like any other identity decision.
👉 Read our full editorial: Proof of address verification is becoming a fraud-control issue
