Design a System for Identity Verification (KYC)
Design a Know Your Customer (KYC) service to verify user identity. Focus on document processing, integration with third-party verification APIs, and data security.
Why Interviewers Ask This
Interviewers at Stripe ask this to evaluate your ability to balance high-scale system architecture with critical compliance and security requirements. They specifically test if you can design a robust pipeline for document ingestion, OCR processing, and third-party API orchestration while prioritizing data privacy, auditability, and fault tolerance in a financial context.
How to Answer This Question
1. Clarify requirements immediately: define scope (real-time vs batch), latency SLAs, and specific regulations like GDPR or AML.
2. Define the high-level architecture: sketch a flow from user upload through a load balancer to an object store.
3. Detail the processing pipeline: explain how you handle image normalization, OCR extraction, and heuristic validation before calling external APIs.
4. Discuss integration strategy: describe circuit breakers and retry logic for third-party verification services to ensure resilience.
5. Address security deeply: mandate encryption at rest and in transit, PII masking, and strict IAM policies suitable for fintech standards.
Key Points to Cover
- Explicitly mention handling third-party API failures with circuit breakers and retries
- Demonstrate knowledge of specific regulations like GDPR or AML in the data retention strategy
- Detail the separation of concerns between ingestion, processing, and storage layers
- Propose encryption standards for both data at rest and in transit
- Include an audit logging mechanism for compliance traceability
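One way to make the audit logging and PII masking points concrete is a tamper-evident, HMAC-chained event log. This is an added example, not part of the original guide; the function names, event fields and sample values are hypothetical, and the HMAC key is assumed to come from a KMS or HSM that the log writer cannot export.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash value used by the first entry


def mask_pii(value, keep=4):
    """Mask a document number, keeping only the last `keep` characters."""
    value = str(value)
    if len(value) <= keep:  # too short to reveal any part safely
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def _digest(key, body):
    # Canonical JSON so the same entry always yields the same MAC.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log, key, actor, action, subject_id, doc_number, ts):
    """Append one KYC event whose MAC also covers the previous entry's MAC."""
    body = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "subject_id": subject_id,
        "doc_number": mask_pii(doc_number),  # raw PII never reaches the log
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_digest(key, body))
    log.append(entry)
    return entry


def verify_chain(log, key):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        ok = (body.get("seq") == i and body.get("prev_hash") == prev
              and hmac.compare_digest(_digest(key, body), entry.get("hash", "")))
        if not ok:
            return i
        prev = entry["hash"]
    return -1
```

The chain detects edited, reordered or removed entries in the middle of the log; detecting truncation of the tail additionally requires the latest hash to be anchored somewhere the log writer cannot modify, which this sketch assumes and does not implement.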
Sample Answer
To design a KYC service for a platform like Stripe, I would start by defining non-functional requirements: 99.99% availability, sub-second response for simple checks, and strict adherence to PCI-DSS and GDPR. The archite…
Common Mistakes to Avoid
- Focusing only on the OCR technology while ignoring the orchestration and error handling of the system
- Neglecting to discuss data privacy and compliance regulations, which are central to KYC systems
- Designing a synchronous flow that blocks users when waiting for slow third-party API responses
- Overlooking the need for immutable audit logs required for financial regulatory compliance