
KYC Selfie Verification: Liveness plus Provenance for Financial Services
Definition: KYC selfie verification with provenance attaches device attestation and a signed receipt to an onboarding selfie, so a replayed or injected synthetic face is identified by a missing or invalid capture chain rather than by liveness scoring alone.
TL;DR: Signicat reported deepfake attacks up over 2,000% across three years. Liveness alone is defeated by injection. Capture-time attestation plus a signed, verifiable receipt closes the gap. Capture-side flows arrive with the Original Pictures capture app on the Q3 2026 roadmap; verification of submitted media is available today.
Why liveness is not enough
Liveness checks assume the camera sees a real face. Injection attacks bypass the camera entirely, feeding synthetic video into the pipeline, and replay attacks resubmit captured footage. Both defeat liveness scoring because the model never sees the manipulation, only the manipulated input.
Attestation at capture
The durable fix is to attest the capture environment: bind the selfie to a genuine device session using platform attestation, so an emulator or injected stream fails the check. The capture produces a signed receipt that a verifier can later confirm. This capture-side flow is part of the Q3 2026 capture app, not an SDK we sell today.
What you can do now
Today, Original Pictures verifies submitted media against provenance: confirm whether an inbound selfie carries a valid manifest and recover a watermark if metadata was stripped. Pair that with your existing liveness vendor while the capture-side attestation lands, and keep biometric handling inside BIPA's consent and retention rules.
The incident behind this
Arup's US$25.6M loss and a Florida AI-voice kidnap scam that extracted about $15,000 show the range of identity-impersonation fraud. Signicat reported deepfake-driven attacks up more than 2,000% over three years.
Regulatory mapping
| Regime | Effective | Bite | Why it applies |
|---|---|---|---|
| Illinois BIPA | In force | $1,000-$5,000/violation | Face-geometry consent |
| EU AI Act Art. 50(4) | 2 Aug 2026 | EUR15M or 3% | Synthetic-media disclosure |
| FFIEC guidance | Live | Enforcement action | Identity verification controls |
FAQ
Can I get capture attestation today?
Capture-side attestation ships with the Q3 2026 capture app. Today you can verify submitted media against provenance and pair it with your liveness stack.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: Liveness alone loses to injection. Verify submitted selfies against provenance now and add capture-time attestation when the capture app ships in Q3 2026, all within BIPA's consent rules.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.