Is CURP identity verification alone sufficient for CNBV-compliant KYC?
Question
Answers
I've helped three fintechs through CNBV licensing. Here's the definitive answer on CURP identity verification in the regulatory context:
CURP verification is necessary but not sufficient.
Under the current CNBV dispositions (DCG for IFPEs and SOFIPOs), KYC requires at minimum:
- Level 1 (simplified): CURP or RFC validation + one additional data point. Some institutions accept CURP identity verification as the primary factor for low-risk, low-value accounts (under ~$3,200 USD equivalent monthly)
- Level 2 (standard): Official ID verification (INE/passport) + CURP/RFC + proof of address. This is where most accounts land
- Level 3 (enhanced): All of the above + biometric verification + in-person or video verification for high-value accounts
Using CURP as a pre-screen: Absolutely yes. This is a best practice. If the CURP identity verification fails (CURP not found, person deceased, CURP deactivated), you can reject the application immediately without wasting resources on document verification. This saves both time and money.
Cross-reference points:
When you get CURP data back, compare these with your INE OCR results:
- Full name (all three parts must match exactly)
- Date of birth
- Gender
- State of birth
Any mismatch should flag the application for manual review. Common false positives include married women who changed their surname and people who corrected typos in their CURP.
Provider requirements: CNBV doesn't mandate specific providers, but they require you to document your verification methodology and prove data comes from authoritative sources. During audits, they'll ask how you confirmed the data is sourced from RENAPO rather than a potentially compromised third-party database.
I'd recommend using a marketplace like API Pull to find CURP identity verification providers that explicitly document their RENAPO connectivity. This documentation will be valuable during your CNBV licensing review.
Adding a technical perspective to Fernanda's excellent compliance overview. We went through CNBV licensing last year and here's what I wish we'd known about implementing CURP identity verification:
Audit trail is everything. CNBV auditors want to see timestamped logs of every verification attempt — successful or not. Store the full API request (minus sensitive headers), the complete response, response time, and the provider used. This level of logging saved us during our first audit.
Failover is required. If your CURP identity verification provider goes down, you need a documented fallback process. We maintain contracts with two providers and automatically route to the backup if the primary's response time exceeds 5 seconds or returns 5xx errors.
Don't forget re-verification. CNBV requires periodic re-verification of existing customers (typically annually for standard accounts). Build your CURP identity verification integration to support batch re-verification from the start. It's much harder to add later.
One more thing — make sure your provider supports idempotent requests. If a network timeout occurs mid-verification, you need to be able to retry safely without creating duplicate verification records in your audit log.
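The audit-trail, failover and idempotency points from the answer above, sketched as an added example (not code from the original posts or from any provider). The `Verifier` class, the header names, the stub providers and the treatment of non-5xx responses as final are constructed assumptions; the 5-second and 5xx failover thresholds are the ones quoted in the answer.

```python
import time
from datetime import datetime, timezone

SENSITIVE_HEADERS = {"authorization", "x-api-key"}  # assumed header names
TIMEOUT_S = 5.0  # failover threshold quoted in the answer

class Verifier:
    def __init__(self, providers):
        self.providers = providers  # ordered [(name, callable)], primary first
        self.attempts = []          # every attempt, successful or not
        self.results = {}           # idempotency key -> final verification record

    def _log(self, key, name, request, status, body, elapsed):
        headers = {h: v for h, v in request["headers"].items()
                   if h.lower() not in SENSITIVE_HEADERS}
        self.attempts.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "idempotency_key": key, "provider": name,
            "request": {**request, "headers": headers},  # credentials never stored
            "status": status, "response": body,
            "response_time_s": round(elapsed, 3)})

    def verify(self, curp, key):
        if key in self.results:     # safe retry: no new call, no duplicate record
            return self.results[key]
        request = {"curp": curp, "headers": {
            "Idempotency-Key": key, "Authorization": "Bearer <token>"}}
        for name, call in self.providers:
            start = time.monotonic()
            try:
                status, body = call(request, TIMEOUT_S)
            except TimeoutError:    # provider exceeded the 5 s budget
                status, body = None, "timeout"
            self._log(key, name, request, status, body, time.monotonic() - start)
            if status is not None and status < 500:  # assumption: non-5xx is final
                self.results[key] = {"provider": name, "status": status, "response": body}
                return self.results[key]
        raise RuntimeError("all providers failed; use the documented manual fallback")

# Constructed stubs standing in for real provider clients.
def primary_down(request, timeout):
    return 503, {"error": "unavailable"}

def primary_slow(request, timeout):
    raise TimeoutError

def backup_ok(request, timeout):
    return 200, {"curp": request["curp"], "found": True}
```

In production the `attempts` and `results` stores would be durable, append-only storage rather than in-memory structures.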
Our fintech is applying for a CNBV license and we're designing our KYC workflow. The compliance consultants we hired say we need multi-factor identity verification, but I want to understand specifically where CURP identity verification fits in the overall picture.
Currently our proposed flow is:
My questions are:
I want to make sure our technical implementation meets regulatory requirements from day one rather than having to retrofit compliance later. Any insights from teams that have already gone through CNBV licensing would be incredibly valuable.