eKYC Applications: Digital Identity Verification That Stops Onboarding Drop-Off

Rina, a freelance graphic designer in Malang, needed a Rp8 million loan to buy a new laptop so she could take on bigger client projects. She found a loan app from a fintech company called KreditKilat, headquartered in Surabaya. The application felt fast — until she reached identity verification. The system asked her to visit the nearest branch office, which turned out to be in Surabaya, a four-hour trip from Malang, to show her original ID card and sign a wet-ink signature on stamped paper.
Rina closed the app and looked elsewhere. Two days later she had already received a loan from a competitor that verified her identity with nothing more than a photo of her ID card and a selfie, finished in seven minutes from her boarding house room.
Rina's story is not an isolated case. KreditKilat's internal team later discovered that out of every 100 users who started filling out a loan application, only 34 actually completed the process because they got stuck at the manual verification step. The remaining 66 either went to a competitor or gave up entirely. That's when KreditKilat's management realized their problem wasn't the loan product — it was how they verified who was borrowing.
What eKYC Actually Is
eKYC, or electronic Know Your Customer, is the process of verifying a customer's identity entirely digitally, without any face-to-face meeting or physical branch visit. Many people assume eKYC is just "upload a photo of your ID," but what happens behind the scenes is far more involved — and that complexity is exactly what makes it trustworthy enough to hold up legally and commercially.
A system that genuinely deserves to be called eKYC typically runs four layers of processing at once. First, OCR (Optical Character Recognition) on the identity card — the system reads the text on the ID, extracts the ID number, name, date of birth, and address, and cross-checks that data against the official format of a national ID to flag forgeries or edited cards. Second, liveness detection, technology that confirms the person in front of the camera is a live human completing the verification in real time, not a photo held up to another screen or a replayed video. Third, face matching, which compares the selfie against the ID photo using facial recognition algorithms and produces a confidence score, not a simple yes-or-no answer. Fourth, cross-checking against government databases — in Indonesia this means integration with Dukcapil (the civil registry) to match the ID number and personal data against the official population registry, confirming the ID card is genuinely registered and not fabricated.
It's the combination of these four layers that separates real eKYC from a simple document-upload form. Without liveness detection, for example, someone could use a stolen photo of an ID card paired with another person's face pulled from social media and still pass verification. Without a Dukcapil cross-check, the system would never know whether the submitted ID number is actually registered in the state's population database.
The Hidden Cost of Manual Verification
Businesses still relying on manual or in-person identity verification often don't realize how much it's actually costing them. Some of the most tangible costs:
- High onboarding abandonment. Every extra step in an onboarding flow — especially one requiring a physical visit — reduces completion rates. Internal studies across Southeast Asian fintechs show completion rate drops of 40-60% when verification requires a branch visit.
- Losses from fake IDs slipping through. Human staff visually inspecting ID cards, especially when rushed or fatigued, are far easier to fool than a system that automatically reads security patterns and data consistency.
- Staff time wasted on repetitive checks. Every manually reviewed ID card consumes minutes of customer service or branch staff time — time that could go toward higher-value work.
- Losing prospects to faster competitors. In digital markets, users directly compare onboarding experiences. If a competitor can verify identity in five minutes and your business takes a full business day, customers will leave.
- Compliance risk quietly piling up. Manual processes often lack a clean audit trail — it becomes hard to prove to a regulator that every customer actually went through adequate KYC when an examination happens.
- Undetected identity duplication. Without a system that can match faces and data across the entire customer base, one person could register multiple times under different identities to exploit promotions or run layered fraud.
Must-Have Features of a Real eKYC System
Not every "ID scanning app" deserves to be called an eKYC system. Here are the features a system needs to be genuinely reliable for business use, especially for businesses regulated by OJK (Indonesia's Financial Services Authority):
- ID card OCR with auto-fill. The system reads data off the ID card and automatically populates the registration form, reducing manual input errors and speeding up the process without forcing users to retype data already printed on their card.
- Anti-spoofing liveness detection. Detects attempts to trick the system using printed photos, videos replayed on another screen, or even deepfakes — usually by asking users to blink, turn their head, or perform spontaneous movements that are hard to fake.
- Face-match with confidence scoring. Not a simple "match" or "no match," but a numeric score that can be tied to different thresholds depending on the product's risk level — a large loan needs a stricter threshold than a free account signup.
- Government/Dukcapil database verification. Confirms the submitted ID number is genuinely valid and matches the name and birth date registered in the official civil registry, not just a number that looks correctly formatted.
- Duplicate and fraud detection across the customer base. The system should recognize when the same face or ID number has already been registered under a different identity anywhere in the customer database, not just check each registration in isolation.
- Complete audit trail. Every verification step — when it happened, what result came out, what score it received — needs to be stored cleanly and retrievable at any time for internal audits or regulatory examinations by OJK or Bank Indonesia.
- Multi-document support. Beyond a national ID card, the system should ideally handle passports, driving licenses, or other identity documents to serve segments like foreign customers or corporate clients with different document types.
- API integration into your existing onboarding flow. A good eKYC system blends seamlessly into your existing app or website rather than forcing users onto an unfamiliar, suspicious-looking third-party system.
Build vs. Buy: Vendor API or Custom Pipeline
This question comes up almost as soon as a team decides it needs eKYC. There are two main paths.
The first is using an API or SDK from an eKYC vendor that already holds licensed Dukcapil integration and a mature liveness detection model. The advantage is clear: implementation time is much shorter, typically two to six weeks for basic integration, and the business doesn't need to worry about maintaining AI models or handling technical compliance with Dukcapil directly. The downside is an ongoing per-verification cost that scales with transaction volume, plus dependency on a third party's uptime and policies.
The second path is building a custom verification pipeline fully integrated into the business's own application, with full control over data flow, custom risk scoring, and the option to combine multiple OCR/liveness vendors for redundancy. This suits businesses with high long-term verification volume, very specific compliance needs, or those wanting to build a competitive edge from their own verification data. The trade-off is longer development time and the need for an engineering team that understands data security and government API integration.
Most businesses just starting out find a hybrid approach makes the most sense: vendor API integration for core features like OCR and liveness detection, built on top of a custom backend that handles business logic, internal risk scoring, and data storage tailored to the company's specific compliance needs.
Realistic Cost and Timeline Ranges in Indonesia
For businesses choosing to build a custom eKYC system integrated into their app, cost ranges in Indonesia look roughly like this:
MVP tier (basic OCR, simple liveness check, single face-match vendor integration, no direct Dukcapil cross-check) typically runs Rp80 million to Rp180 million (around USD 5,000-11,500), with a 6-10 week development timeline. Suited for startups validating a product before a larger investment.
Mid-tier (accurate multi-document OCR, stronger anti-spoofing liveness, Dukcapil integration, an admin dashboard for manual review of suspicious cases, full audit trail) runs Rp250 million to Rp550 million (around USD 16,000-35,000), with a 3-5 month development timeline. This is the most common range for lending fintechs and mid-sized e-commerce platforms.
Enterprise tier (custom machine-learning-based fraud detection, multi-vendor integration for redundancy, full compliance with OJK regulations including fintech-specific POJK rules, scalability for millions of verifications per month, strict SLAs) can reach Rp700 million to over Rp1.5 billion (USD 45,000-100,000+), with a 6-12 month development timeline.
As an alternative or complementary cost model, many businesses also pay a per-verification fee to an API vendor, typically ranging from Rp2,500 to Rp15,000 per verification depending on complexity (OCR alone is cheaper than OCR plus liveness plus a Dukcapil check). For businesses with low initial volume, the per-verification model is often more cost-effective than a large upfront custom build. It's worth noting that for OJK-regulated fintechs specifically, eKYC integration also needs to factor in additional compliance costs such as data security audits and adjustments for personal data protection requirements.
Case Study: KreditKilat Builds eKYC From Scratch
Back to KreditKilat, the Surabaya-based P2P lending fintech that lost Rina at the manual verification step. After analyzing a quarter's worth of data, the product team found some sobering numbers: onboarding completion rate of just 34%, average manual verification time of 18 hours (bottlenecked by branch staff working hours), and a fraud rate of 2.3% from fake IDs that slipped through visual review among approved applications — enough to worry the risk division.
KreditKilat then worked with a development team to build an integrated eKYC system: ID card OCR with auto-fill, three-step liveness detection (blink, turn left, turn right), face-match at a 92% confidence threshold, real-time API integration with Dukcapil for ID validation, and a fraud monitoring dashboard that flagged suspicious registration patterns like the same face appearing under different ID numbers.
The project took about 4 months at an investment level in the mid-tier range described above. The results, within three months of launch: onboarding completion rate rose from 34% to 81%. Average verification time dropped from 18 hours to 4 minutes 20 seconds. The fraud rate from fake IDs fell from 2.3% to 0.3%, largely thanks to the combination of liveness detection and Dukcapil cross-checking filtering out fake identities before they reached loan approval. Monthly loan application volume grew 2.4x, driven mostly by users outside Surabaya who had previously abandoned the process because of the branch visit requirement — exactly the situation Rina faced.
Metrics to Track After Launch
Building eKYC isn't a one-and-done project. Once the system is live, several metrics need ongoing monitoring to make sure it's actually working as intended:
- Onboarding completion rate — the percentage of users who start the verification process and actually finish it.
- Average verification time — from ID upload to an approved or rejected status.
- False rejection rate — how often genuine users get rejected due to poor photo quality or lighting, a signal that UX needs improvement.
- False acceptance rate — how often a fake identity successfully passes verification, ideally monitored through periodic sample audits.
- Detected identity duplication rate — the number of duplicate registration attempts the system successfully catches.
- Cost per successful verification — total system cost divided by successful verifications, to monitor cost efficiency as volume grows.
- Audit trail compliance rate — the percentage of verifications with a complete, retrievable data trail for regulatory examination.
These metrics should be reviewed monthly by product and risk teams together, since a drop in one metric (say, completion rate) is often an early signal of a problem in another (say, an overly strict liveness detection UX).
Time to Build eKYC That Doesn't Burn Your Prospects
Businesses still relying on manual verification are burning two things at once: prospective customers who give up mid-process, and undetected fraud risk from relying on human eyes that can get tired and careless. eKYC isn't just a nice-to-have feature — it's trust infrastructure that determines whether your digital business can grow safely and fast.
Our team at AFSS has built identity verification systems for a range of business needs, from lending fintechs to e-commerce, rental platforms, and co-working spaces. If you want to know what investment range fits your business's scale, check out our pricing, or go ahead and submit a project to discuss it with our technical team.
Have a similar project?
Free consultation, no commitment. Tell us what you need — we'll help you find the best solution.
Free Consultation

