Identity Verification (IDV) Rollout FAQ

Answers to your questions about IDV for individuals with access to Criminal History Report Information (CHRI).

When does IDV become a requirement?

On August 16, 2025, state regulators and NMLS support users with access to CHRI were required to complete the IDV process to access NMLS. On May 9, 2026, all federal institution NMLS users with access to CHRI will be required to complete the IDV process to access NMLS.

Who will be impacted by this change?

Only users who have access to Criminal History Information Record (CHRI) will be impacted. The two roles in NMLS that grant access to CHRI are View Rap Sheet and View Criminal Background Check Result Status. All NMLS Account Administrators for federal institutions have these roles. Organization Users for federal institutions may be assigned one or both roles at the discretion of the Account Administrator.

What information do I need to enter to successfully verify my identity?

IAL2 verification has standards for how a user should be verified. The following information will be requested to adhere to the IAL2 protocols:
  • Name,
  • Email Address,
  • Cell Phone Number,
  • Home Address,
  • Social Security Number,
  • Date of Birth,
  • a government-issued ID (US passport or driver license)
  • a biometric characteristic (such as a live selfie photo).

Will I have access to NMLS if I don’t go through the IDV process, and I have a CHRI role?

No. An impacted user may login and accept the Terms of Use but will be unable to access their account until the IDV process is successfully completed.

If you have multiple consolidated accounts, you will be able to access the accounts that do not have CHRI access. However, you will be prompted every time you login to go through the IDV process until you have been successfully verified.

Why is this being implemented?

NMLS must comply with the Federal Bureau of Investigation’s (FBI) Criminal Justice Information System (CJIS) Security Policy, which states that all users with access to criminal history be verified at the Identity Assurance Level 2 (IAL2) per NIST SP 800-63A. This requirement took effect on October 1, 2024.

Identity verification is commonplace and an essential component of our modern digital ecosystem. It serves as a critical safeguard for ensuring trust, protecting sensitive information, and enabling secure access online.

What is IDV IAL2?

IDV stands for Identity Verification. It is evidence that supports the real-world existence of the claimed identity and verifies that the user is appropriately associated with this real-world identity. This includes collecting and verifying key identity attributes (e.g., SSN, DOB, facial image) using trusted, standards-based methods.

IAL2 defines a level of assurance with a high degree of confidence in the claimed identity. It requires the user to provide key identity attributes along with a valid government-issued document and selfie photo to verify the user is appropriately associated with this real-world identity.

IDV at IAL2 can be achieved through an entirely online remote process.

Who is Socure?

Socure is a leading identify verification and fraud prevention company that is trusted by the largest enterprises and government agencies. Socure’s customer base includes 18 of the top 20 banks, the largest HR payroll providers, 13 U.S. states, 30+ state agencies, two federal agencies and more than 500 fintech companies.

Unlike more well-known vendors that offer branded identity and authentication services, Socure operates as a white-label solution, seamlessly integrated into platforms like NMLS. As a result, millions of citizens interact with Socure’s technology.

CSBS has partnered with Socure to deliver a streamlined and secure identity verification (IDV) process within the NMLS platform. More information on Socure can be found on their website at www.socure.com/company.

Why was Socure selected?

CSBS selected Socure following a rigorous requirements-based review, including very strong data security protocols, while maintaining an extremely high verification success rate. Also, their solution is:
  • FedRAMP Authorized at FIPS 199 Moderate Impact. FedRAMP is a U.S. government program that requires cloud service providers to meet rigorous cybersecurity standards based on federal information security requirements, ensuring suitability for use by federal agencies.
  • Kantara IAL2 Certified, ensuring compliance with the NIST identity proofing standards required by the FBI.
  • Provides white-label integration for seamless alignment with NMLS, enabling secure identity verification.
  • Trusted by federal agencies and regulated industries for secure identity verification.
  • Socure is unique in the identity verification space in that they perform all verifications within their own ecosystem. They do not share your data with any other 3rd parties.
  • Socure is integrated as a component of the NMLS platform, which is assessed, authorized, and continuously monitored in collaboration with the Consumer Financial Protection Bureau (CFPB) to ensure compliance with Federal cybersecurity and privacy requirements.

Does my Username have to match my legal name?

No. The IDV process only uses the name listed in your NMLS User Profile.

Do I need an account with Socure?

No. The IDV process is integrated with NMLS. No separate account is necessary to complete the IDV process.

Do I have to use a mobile device?

Yes. The document upload and selfie must be done on a mobile device with a camera (cell phone or tablet). A computer with a camera is not sufficient. If you do not have your own personal device, you may use a device that does not belong to you.

Will the information I enter for the IDV process be saved?

Any data entered by the user that is not already in NMLS will not be saved there and will be deleted once the identity verification (IDV) process is complete. Socure, like any IDV provider, retains personal information for identity verification purposes, including:
  • Name,
  • Address,
  • SSN,
  • Date of Birth,
  • Phone Number,
  • Geolocation,
  • IP address,
  • Ddentity document images,
  • Selfie photo

This data is retained to support decisions, audits, and investigations, and may be reviewed in cases of suspected fraud or when an IDV request is rejected.

Is my Data protected?

Yes, the information shared in the Socure IDV process is safe. Socure does not sell or share any personal information (including biometric data or other personal information).

How often do I have to do the IDV process?

Once. However, if you change your name (marriage, divorce, etc.) in NMLS, then you will need to go through the IDV process again. Security concerns or suspected fraudulent activity may also require users to repeat the IDV process.

What if I refuse to provide my SSN?

SSN is required for IAL2 verification. If you do not want to provide this information, the CHRI related role should be removed from your profile.

Am I exempt if I’ve been a victim of identity theft?

The CJIS policy does not exempt users from IAL2 requirements due to identity theft. In fact, strong identity verification helps protect victims of identity theft against fraud and misuse of their personal information.

Socure applies enhanced safeguards for high-risk cases and ensures all personal data is encrypted, limited in use, and protected by strict controls.