AML Screening (enhanced)

Available via API	Available via SDK	Needs configuration on Veriff’s side	Needs a separate integration	Needs a separate webhook
✅	✅	✅	✅	✅*/❌

This article covers the enhanced AML Screening solution.
If you are using the previous PEP & Sanctions solution, contact your Solutions Engineer to upgrade to the enhanced solution.
Compared to the legacy solution, the enhanced AML Screening offers more customization options regarding which lists to screen against, how strictly names are matched and how results are filtered.

These solutions can be used to meet and comply with Know-Your-Customer (KYC) and Anti-Money Laundering (AML) requirements. The enhanced solution allows more customization regarding:

which lists to screen against,
how strictly names are matched,
how results are filtered.

It is available via API, web flow, and native SDKs.

*The solution can use two webhooks:

decision webhook when the solution is used with the document or document+selfie identity verification (IDV) solution
watchlist-screening webhook when the solution is used as standalone.

Contact your solutions engineer for info and configuration.

Prerequisites

You have an integration set up with Veriff
You have the PEP & Sanctions feature configured by your Solutions Engineer
You have webhook(s) configured to get responses from Veriff (see the Webhooks section for info)
You can also opt in to use optional adverse media checks and ongoing monitoring solution

End-user data sources

The “end-user data sources” refer to different origins from which the end-user’s information can be collected for database verification. There are two data sources: initData and document data.

InitData

This is data that you provide when creating a verification session, i.e. the parameters you specify in the POST /sessions request.

Parameters that can be sent via initData are:

first name (required) in verification.person.firstName
last name (required) in verification.person.lastName
date of birth (optional) in verification.person.dateOfBirth
end-user’s country (optional) in verification.document.country

Date of birth and country info is used as part of screening data sent to do person search.

Document data

This is data that is extracted from the end-user’s document. Includes information like names, date of birth, country data etc.

Flow overview

The flow is a bit different, depending on whether you are using an IDV or non-IDV integration for the checks.

Using an IDV integration

This means that it is possible to run the identity verification checks related to document or document+selfie, and the PEP and Sanctions, Adverse Media and Ongoing Monitoring checks.

End-user’s data can be sent via both Veriff end-user flow and the API endpoints.

Once the IDV integration is set up, generate a verification session using the regular POST /sessions[↗] endpoint
After the end-user’s data has been passed and the session has been verified:
1. The identity verification results are sent via decision webhook,
2. The AML result will be sent in the Watchlist-screening webhook
  1. Veriff will send a new webhook if the ongoing monitoring reveals that the status of a verified person has changed
You can:
1. Query the results of AML checks from GET /sessions/{sessionId}/watchlist-screening[↗] endpoint
2. Query the results of IDV checks from GET sessions/{sessionId}/decision[↗] endpoint
3. Or view them in the Veriff Customer Portal

Using a non-IDV integration

This means that it is possible to run only the PEP and Sanctions, Adverse Media and Ongoing Monitoring checks. End-user’s data can be sent only via the API endpoints.

Create a new session using the API keys and the baseURL of the integration you are (see the API Documentation and reference[↗] how to find these). Include the following fields in the request:
1. Ensure you send mandatory verification.person.firstName
2. Ensure you send mandatory verification.person.lastName
3. You can also send optional verification.person.dateOfBirth
4. You can also send optional verification.document.country

Click to see the minimum request payload sample needed to start a session

1.1 Include the API URL and mandatory headers

POST {baseURL}/v1/sessions
Type: object
Headers:
       X-AUTH-CLIENT: string (required) = API key
       Content-Type: application/json

1.2 Add the following data into the minimum payload

verification: object Verification object
- person: object
  - firstName: string*
  - lastName: string*
  - dateOfBirth: string
- document: object
  - country: string

*Required parameter

Request payload sample

curl -X POST \
  --url '/v1/sessions/' \
  -H 'Content-Type: application/json' \
  -H 'X-AUTH-CLIENT: API-KEY' \
  -d '{
    "verification": {
        "person": {
            "firstName": "Eva",
            "lastName": "Nováková",
            "dateOfBirth": "1980-02-21"
        },
        "country": {
            "document": "PL"
        }
    }
}'

Change the status of the session to submitted using the PATCH /sessions/{sessionId}[↗] endpoint.
- This endpoint requires endpoint level authentication via x-hmac-signature header. See HMAC Authentication and Endpoint Security article for general info about signature creation.
Receive the results from Veriff via Watchlist-screening webhook, query the results from GET /sessions/{sessionId}/watchlist-screening[↗] endpoint, or view them in the Veriff Customer Portal
1. If you have set up the decision webhook, it will return session info, for example decision time, attempt id, and session status; but as no IDV checks were made, most of the fields will be null

Screening configuration

The screening parameters (which lists to check, match sensitivity, country filters, and other options) are configured on Veriff's side. The table below describes the available options.

To enable or adjust any of them, contact your Solutions Engineer.

You can see which configuration was applied to a specific check in the searchTerm object returned in the watchlist-screening webhook.

Option	Description	Parameter inside `searchTerm` object
List selection	Which watchlists to screen against, for example: Sanctions, PEP Class 1–4, Adverse Media. See table below for more info about the categories. At least one list must be always selected.	`lists`
Match threshold	Name match sensitivity on a 0–100 scale, indicates how much variation should be allowed from the end-user's data in the results. Higher values require a closer match before a result is returned.	`matchThreshold`
Exact match	Requires an exact name match, meaning that the screening will happen on the data as it is. This bypasses name normalisation, e.g., titles are not removed.	`exactMatch`
Country filter	Filters search results by country, meaning that the results presented in the webhook/API response will only include the hits from the selected countries (ISO 3166-1 Alpha-2 codes). The countries selected here will be merged with the countries present in initData or the document.	`countries`
Exclude deceased	Filters out deceased individuals from results.	`excludeDeceased`

`lists` categories and category descriptions

Value	Description
`SANCTIONS`	Global sanctions lists, including OFAC SDN, OFAC Consolidated, European Union, UK (OFSI), United Nations and other national sanction programmes that have regulatory requirements to screen for connected entities.
`PEP_CLASS_1`	Heads of state Members of the national executive Members of the national legislatures Senior officials of military and law enforcement Senior officials of national agencies Board members of central banks Senior judiciary officials (national level) Top-ranking officials of political parties
`PEP_CLASS_2`	Board members of International Organisations (HIOs) & International Sports Federations Ambassadors, high commissioners and other top diplomatic positions Members of the regional executive Members of the regional legislatures Senior judiciary officials (regional level)
`PEP_CLASS_3`	Senior management and board of directors of state-owned businesses and organisations
`PEP_CLASS_4`	Mayors and members of local, county, city and district assemblies
`ADVERSE_MEDIA`	Adverse media coverage
`FITNESS_PROBITY`	Lists of individuals and legal entities which have been disqualified or otherwise restricted from holding certain positions or participating in certain activities such as publicly-funded contracts due to regulatory or code of conduct breaches.
`WARNINGS`	Lists of individuals, legal entities, issued by relevant law enforcement or regulatory bodies.

About `matchStatus` field

The matchStatus field is the primary outcome indicator of the AML/PEP screening itself. It directly answers the compliance question "Is this person flagged on any watchlist?"

The field has two possible values:

possible_match: the person was found in one or more listings/databases. The data.hits array is populated with data about the person.
no_match: the person was not found. The data.hits array is empty.

This is independent from the session decision (approved/declined), which is driven by IDV checks.

The confidence in the matchStatus is higher when combined with IDV, because the screening data was extracted from a verified document. In standalone mode, the accuracy of the screening depends on the quality of the data you input.

If you require more data, you can use the relevant sessionId and query the GET sessions/{sessionId}/person[↗] endpoint to find more detailed info about the match. Look for data in the person.pepSanctionMatches array.

Possible session outcomes

Session approved + matchStatus: no_match

This is the ideal outcome. The end-user’s identity was verified successfully and they were not found on any PEP/Sanctions/Adverse Media lists. You can proceed with onboarding, no further AML action needed.

Session approved + matchStatus: possible_match

The end-user’s identity is verified (the document and selfie are genuine), but they were found on one or more watchlists. Veriff only flags potential matches, you retain decisioning responsibility. Therefore, you need to perform manual review:

Review the hits array to examine the matched listings (source names, URLs, match types, etc.).
Determine whether the hit is a true match or a false positive (e.g., common name coincidence).
Apply your own risk-based decision depending on your regulation and requirements (decline the end-user, apply enhanced due diligence, or escalate).

You can get the data from three sources:

Receive the webhook. The webhook is different, depending wether you are using the AML solution with or without an IDV integration
Poll the results via GET /sessions/{sessionId}/watchlist-screening[↗] API endpoint
View the session in Veriff Customer Portal > All Verifications > session > Webhooks tab

Webhook payload

With IDV integration

Non-IDV integration

Check the decision webhook for the identity verification results
Check the watchlist-screening webhook for AML checks results

Check the watchlist-screening webhook for AML checks results
If you have set up the decision webhook, you can check it for session info (note that as no IDV checks were made, most of the fields will be null)

API call response payload

You can use the GET /sessions/{sessionId}/watchlist-screening[↗] endpoint, which contains the same data as the watchlist-screening webhook.

Veriff Customer Portal

You can find the verification session related info, including the decision, in the Veriff Customer Portal, under the Verifications tab.

→ See Review verification in Veriff Customer Portal about how to view the session info in the Veriff Customer portal

Status and reason codes

For an approved session, see the verification.code and verification.status parameters.

If the session was declined or resubmission_requested, you can find additional information by checking the verification.status, verification.code, verification.reason and verification.reasonCode data objects.

For more info about the codes you are seeing, refer to:

Disabling ongoing monitoring for a specific end-user

It is possible to use the API to disable the ongoing monitoring feature for a specific end-user. For the API requests, the end-user is identified by the sessionId.

Steps

If unsure if the feature is enabled for them, check the monitorStatus parameter in GET sessionId/watchlist-screening response payload.
If the monitorStatus is enabled or empty, you can set it to disabled using the PATCH sessionId/watchlist-screening endpoint.
If you wish to re-enable ongoing monitoring for an end-user, contact your Solutions Engineer

Additional info

→ Log in to your Veriff account to see the PEP, Sanctions, Watchlists, and Adverse Media & Information checks[↗] article in Veriff Knowledge Base for more information about the Anti-Money Laundering solutions

→ Log in to your Veriff account to see What is PEP?[↗] article in Veriff Knowledge Base for more detailed insight into Politically Exposed Persons

Changelog

Date	Description
May 19, 2025	Documentation published