February 19, 2026

Proof of address requirements for KYC compliance

Proof of address (POA) verification is a mandatory step in know your customer (KYC) processes. Regulators across the world require businesses in financial services, fintech, crypto, and other regulated sectors to confirm that a customer's stated residential address is genuine and current. Getting it wrong means compliance failures, regulatory fines, and exposure to money laundering risk.

This guide covers what regulators actually expect, which documents qualify, how old they can be, why reviews get rejected, and how automation can make the process faster and more consistent.

Why proof of address is part of KYC

KYC exists to prevent money laundering, terrorist financing, and fraud. Customer due diligence (CDD), the process of verifying a customer's identity, requires confirming three things: who someone is, where they live, and that they aren't on any sanctions or watchlists.

Address verification serves several purposes in this framework:

• Establishing residency: confirms the customer lives where they claim to, which determines jurisdictional obligations and risk profiles
• Cross-referencing identity: the name and address on a POA document should match the identity documents already provided, adding a second layer of verification
• Detecting fraud: fraudsters often use fabricated or stolen addresses; requiring a recent, independently issued document makes this harder
• Meeting regulatory obligations: most AML frameworks explicitly require address verification as part of standard or enhanced due diligence

Without reliable address verification, the entire KYC process has a gap that regulators will flag during audits.

Regulatory landscape

POA requirements vary by jurisdiction, but the core principles are consistent across major regulatory frameworks:

• EU Anti-Money Laundering Directives (AMLD): the 4th, 5th, and 6th AMLDs require obliged entities to identify and verify customers using reliable, independent sources. Address verification is part of standard CDD. The upcoming AMLD package (AMLR) will further harmonise requirements across member states.
• US Bank Secrecy Act / AML: under the BSA and FinCEN's Customer Identification Program (CIP) rule, financial institutions must verify customer identity, which includes address. The specific documentary requirements vary by institution and risk profile.
• UK FCA guidance: the FCA requires firms to verify customer identity to a standard commensurate with the money laundering risk. The Joint Money Laundering Steering Group (JMLSG) guidance specifies acceptable address verification documents and methods.
• Other jurisdictions: Singapore (MAS), Hong Kong (HKMA), Australia (AUSTRAC), and Canada (FINTRAC) all have analogous requirements, each with jurisdiction-specific nuances on acceptable documents and recency.

The practical takeaway: if you operate in any regulated sector, you need a defensible, documented process for verifying customer addresses.

What regulators expect from a POA document

Across jurisdictions, a valid proof of address document must generally meet these criteria:

1. Confirm residential address: the document must show the customer's home address, not a PO box, workplace, or registered agent address (unless explicitly permitted)
2. Be recent: typically issued within the last 3 months, though some regulators allow up to 6 months
3. Show the customer's full name: the name on the POA document must match the name on the identity document provided during KYC
4. Be issued by an independent third party: the document must come from a utility company, bank, government body, or similar institution, not from the customer themselves
5. Be legible and complete: all relevant information (name, address, date, issuer) must be clearly readable

Accepted document types

The following document types are widely accepted for KYC address verification:

• Utility bills: gas, electricity, water, landline telephone, and internet/broadband bills. These are the most universally accepted POA documents.
• Bank or building society statements: monthly or quarterly account statements showing the customer's name and address.
• Government-issued letters: tax notices, benefits letters, voter registration confirmations, council tax bills, or social security correspondence.
• Insurance documents: home or life insurance policy documents or renewal letters with the insured's address.
• Mortgage statements: statements from a mortgage provider confirming the property address.

The following are typically not accepted:

• Mobile phone bills (considered less reliable for address verification in many jurisdictions)
• Screenshots of online accounts or apps
• Delivery receipts or shipping confirmations
• Printed web pages
• Documents the customer has created or self-issued
• Business address documents (unless the customer is a sole trader and the address is also residential)

When in doubt, check the specific guidance from your regulator. Some jurisdictions are more permissive than others, for example, certain regulators now accept digital bank statements downloaded as PDFs, while others still require original paper documents or certified copies.

Document age limits

Document recency is one of the most common requirements and one of the most common reasons for rejection:

• 3 months: the most common requirement. The EU AMLD framework, UK FCA/JMLSG guidance, and many Asian regulators require documents issued within the last 3 months.
• 6 months: some jurisdictions and lower-risk scenarios allow documents up to 6 months old. Certain document types (like annual tax assessments) may also get longer validity windows.
• 12 months: rare, but some regulators allow annual statements (e.g., annual tax notices) that are up to 12 months old.

The date that matters is typically the document's issue date or statement date, not the date the customer uploaded it. A bank statement dated January 15 that's uploaded on April 20 is more than 3 months old, even if the customer only just found it.

Common rejection reasons

If you're reviewing POA documents manually or receiving rejections from an automated system, these are the most frequent causes:

• Expired document: the document is older than the allowed threshold (usually 3 months). This is the single most common rejection reason.
• Name mismatch: the name on the POA document doesn't match the identity document. This can be a genuine discrepancy (maiden name, transliteration difference) or a fraud indicator.
• Partial or incomplete address: the document shows a city or postcode but not the full street address, or the address is cut off in the scan.
• Illegible scan or photo: blurry images, poor lighting, or low resolution make it impossible to read the document reliably.
• Wrong document type: the customer submits a document that doesn't qualify (e.g., a delivery receipt, a mobile phone bill, or a screenshot).
• Document is not addressed to the customer: a utility bill in a spouse's or landlord's name, even at the correct address, typically doesn't qualify.
• PO box or commercial address: the document shows a non-residential address.

For compliance teams, having clear rejection reason codes, and communicating them to customers, reduces back-and-forth and speeds up re-submission.

The cost of manual review

Many organisations still review proof of address documents manually. A compliance analyst opens each document, reads the name and address, compares it against the application, checks the date, and records a decision. This approach has real costs:

• Slow onboarding: manual review creates a bottleneck. If your team processes hundreds or thousands of applications per day, even a few minutes per review adds up to days of cumulative delay.
• Human error: analysts miss expired dates, overlook name discrepancies, or misread addresses, especially in unfamiliar languages or scripts.
• Inconsistent decisions: two analysts reviewing the same document may reach different conclusions about whether a name match is close enough or whether a document type qualifies.
• Compliance risk: inconsistency is itself a compliance problem. Regulators expect documented, repeatable processes. "It depends on who reviews it" is not a defensible position in an audit.
• Scaling problems: hiring more analysts to handle volume growth is expensive and slow. Training new staff on POA review standards takes time.

How automation helps

Automated proof of address verification addresses each of these problems:

• Consistent thresholds: every document is evaluated against the same rules. A name match score of 0.85 is either above your threshold or it isn't, there's no subjective judgment.
• Configurable rules: set your own thresholds for name matching, address matching, document age, and accepted document types. Adjust them as regulatory requirements change.
• Audit trails: every verification produces a detailed record: what was extracted, what was compared, what scores were calculated, and what decision was reached. This is exactly what regulators want to see.
• Faster turnaround: automated checks complete in seconds, not hours. Customers get onboarded faster, and your team only reviews edge cases.
• Multi-language support: AI-powered extraction handles documents in any language and script, with transliteration for cross-script matching. No need for specialist language reviewers.
• Scalability: processing 10 documents or 10,000 documents takes the same infrastructure. Volume growth doesn't require proportional headcount growth.

Automating POA checks with trusqo

trusqo automates proof of address verification with configurable match thresholds, date validation, and PDF audit reports. Submit a document via API with the expected name and address, and trusqo extracts structured data, runs fuzzy matching, validates document age, and returns a verdict with detailed scores and reasoning.

Key capabilities for KYC compliance teams:

• Configurable name and address match thresholds, set the strictness level that matches your regulatory requirements
• Automatic document age validation, reject documents older than your configured limit (3 months, 6 months, or custom)
• Document type detection, automatically classify and optionally restrict which document types are accepted
• PDF audit reports, downloadable reports showing extracted data, match scores, and decision reasoning for your compliance records
• Multi-language and multi-script support, documents in any language, with Latin transliteration for non-Latin scripts

Full API documentation is available at trusqo.com/docs.