← Back to Blog
Use Cases5 min read

Digital Onboarding in Southeast Asian Banking: The Role of Face Biometrics

How banks and fintechs across Indonesia, the Philippines, Vietnam, and Thailand use face verification and liveness detection to onboard customers remotely.

The Region That Onboards by Selfie

Southeast Asia is home to one of the world's largest unbanked and underbanked populations — and one of its fastest-growing digital finance markets. Digital banks, e-wallets, and lending apps across Indonesia, the Philippines, Vietnam, and Thailand acquire customers who may never visit a branch, may not have a fixed address, but almost certainly have a smartphone with a front camera.

That combination made face-based eKYC the region's default onboarding pattern: photograph an ID document, take a selfie, prove the selfie is live, match the selfie to the document. Minutes instead of days, no branch required.

This article looks at how that flow works, what regulators expect, and how to build it well.

The Standard eKYC Flow

Across the region's digital banks and e-wallets, remote onboarding converges on the same pipeline:

  • Document capture — the customer photographs a government ID (KTP in Indonesia, PhilID in the Philippines, CCCD in Vietnam)
  • Data extraction — OCR pulls the identity fields; some markets add checks against government registries
  • Selfie capture with livenesspassive liveness detection verifies a live human is present, not a photo or screen replay
  • Face matching1:1 verification compares the live selfie against the ID document photo
  • Risk scoring — device, velocity, and watchlist signals decide auto-approve, step-up, or manual review
  • Steps 3 and 4 are where face biometrics carry the fraud burden. Skip liveness and the flow is trivially defeated by a photo of a stolen ID's owner — which is exactly the fraud pattern that pushed liveness detection into regional KYC expectations.

    What Regulators Expect

    Each market frames eKYC differently, but the direction is consistent:

  • Indonesia — OJK regulations permit fully electronic customer due diligence for banks and fintech lenders; verification against national identity data and biometric checks are established practice. Data handling falls under UU PDP, which classifies biometrics as specific personal data.
  • Philippines — BSP guidance permits electronic KYC with robust identity assurance; the PhilSys national ID accelerated selfie-based verification.
  • Vietnam — the State Bank mandated biometric authentication for high-value electronic transactions, moving face verification beyond onboarding into everyday payments.
  • Thailand — the Bank of Thailand's e-KYC framework under NDID established facial recognition with liveness as an accepted identification method for account opening.
  • Two engineering consequences follow. First, liveness is table stakes — regulators increasingly name spoof resistance explicitly. Second, data protection laws apply to the biometric artifacts: Indonesia's UU PDP, the Philippines' Data Privacy Act, Thailand's PDPA, and Vietnam's data decrees all treat biometric data as sensitive, with consent and retention obligations similar to GDPR's treatment of face data.

    The Fraud Reality

    Onboarding fraud in the region is industrialized: stolen ID photo sets sold in bulk, "selfie farms" that recruit people to pass verification on others' documents, and increasingly deepfake and camera-injection attacks aimed at high-value accounts. Regional fraud reports consistently rank identity fraud among the top attack vectors for digital financial services, with deepfake-assisted attempts growing fastest.

    Defense follows the layered model:

  • Passive liveness on every selfie — removes the cheap attacks (prints, screens) at zero UX cost
  • Active liveness for step-up — server-generated head-movement challenges defeat pre-rendered media on high-risk applications
  • Calibrated match thresholds — a strict similarity threshold tuned for a false-accept-averse flow
  • Re-verification at sensitive moments — device changes, dormancy, large transfers; Vietnam's transaction-level biometrics point where the region is heading
  • Beyond Onboarding: The Face as an Ongoing Credential

    Once a verified face embedding exists, banks reuse it: face login for account recovery, biometric confirmation for transfers above thresholds, and branchless service at agent locations — an agent's phone camera plus 1:N recognition can authenticate a customer without cards or PINs. Each reuse compounds the return on getting onboarding biometrics right the first time.

    Build Considerations for the Region

    Teams shipping eKYC across Southeast Asian markets deal with constraints that developed-market playbooks miss:

  • Device diversity — verification must work on low-end Android cameras in poor lighting; capture guidance and multi-photo registration matter more than model brilliance
  • Bandwidth — image-based passive liveness (one JPEG upload) is far more reliable on 3G-quality connections than video-heavy flows; reserve video for step-up
  • Data residency — Indonesia's financial sector rules and Vietnam's data localization push toward in-region processing or self-hosted deployment
  • Cost per verification — at e-wallet scale, per-check pricing dominates vendor selection; see our API pricing comparison
  • Where ARSA Fits

    ARSA Technology builds face recognition from Indonesia for exactly these conditions. The Face Recognition API covers the full eKYC biometric layer — 1:1 verification, passive and active liveness, and 1:N recognition for returning-customer flows — with transparent per-plan pricing, isolated per-tenant face databases, and a self-hosted option for residency-bound deployments.

    Prototype the full selfie-verification flow on the free tier with our Node.js or Flutter tutorials, or talk to us about on-premise deployment.

    Ready to get started?

    Try ARSA Face Recognition API free with 100 API calls/month.

    Start Free Trial