Proof of Address Verification Online: Methods & Documents
Proof of address verification confirms a user lives where they claim by validating utility bills, bank statements, and government letters.

Proof of Address (PoA) verification is the process of confirming that a document issued by a credible third party — a bank, a utility company, or a government authority — shows a user's declared residential address and is recent enough to be meaningful. It is not the same as collecting an address field: anyone can type a street name. PoA verification checks that the address is backed by official evidence.
When regulators require address evidence, they mean exactly this: a dated, issuer-verified document linking a named individual to a physical location. Automating that check at scale is the challenge.
Key takeaways
- Proof of Address (PoA) verification confirms residential address using an official third-party document, not just a field the user typed.
- Accepted documents — utility bills, bank statements, government-issued letters — must typically show the user's full name, address, and be dated within 90 days.
- Automated extraction reads name, address, issuer, and issue date from an uploaded document, then cross-checks against identity data already on file.
- The most common PoA fraud vectors are edited PDFs, fabricated bill templates, recycled old statements with altered dates, and name-field substitutions.
- Didit Proof of Address runs inside the same session as document and biometric checks at $0.20 per check, with 500 free checks per month and no minimums.
What proof of address verification does
PoA verification works in three stages:
- Document classification — identify the document type (electricity bill, bank statement, tax letter, etc.) and the issuer's jurisdiction.
- Data extraction — use optical character recognition (OCR) to pull the name, residential address, issue date, and issuer name from the document.
- Cross-validation — compare the extracted name and address against the identity data from the same session, flag recency failures, and surface signs of tampering.
Done manually, this process is slow and produces inconsistent results across reviewers. Automated PoA verification returns a decision in under two seconds and applies the same logic to every document.
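The cross-validation stage, as an added sketch (not Didit's implementation): it takes fields already extracted by OCR and compares them with the identity record from the same session. The field names, flag names, abbreviation map, and the 0.8 address threshold are assumptions, and the sample records are constructed.

```python
import re
import unicodedata
from datetime import date

MAX_AGE_DAYS = 90  # recency window cited on this page; configurable per workflow
# Constructed abbreviation map for illustration, not a complete postal standard.
ABBREV = {"st": "street", "rd": "road", "ave": "avenue", "apt": "apartment"}

def _tokens(text):
    """Lowercase, strip diacritics and punctuation, expand abbreviations."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return [ABBREV.get(t, t) for t in re.findall(r"[a-z0-9]+", text)]

def name_matches(doc_name, id_name):
    """Every name token on the identity record must appear on the document,
    in any order ("PEREZ, Jose" matches "José Pérez")."""
    want = set(_tokens(id_name))
    return bool(want) and want <= set(_tokens(doc_name))

def address_similarity(doc_addr, declared_addr):
    """Jaccard overlap of normalized address tokens, from 0.0 to 1.0."""
    a, b = set(_tokens(doc_addr)), set(_tokens(declared_addr))
    return len(a & b) / len(a | b) if a | b else 0.0

def cross_validate(extracted, identity, today, min_addr_score=0.8):
    """Return a list of flags; an empty list means the document passes."""
    flags = []
    age = (today - extracted["issue_date"]).days
    if age < 0:
        flags.append("ISSUE_DATE_IN_FUTURE")
    elif age > MAX_AGE_DAYS:
        flags.append("DOCUMENT_TOO_OLD")
    if not name_matches(extracted["name"], identity["name"]):
        flags.append("NAME_MISMATCH")
    if address_similarity(extracted["address"], identity["address"]) < min_addr_score:
        flags.append("ADDRESS_MISMATCH")
    return flags

# Constructed sample data standing in for OCR output and the session's identity record.
IDENTITY = {"name": "José Pérez", "address": "12 High St, Apt 4, Leeds LS1 4AB"}
EXTRACTED = {"name": "PEREZ, Jose", "issue_date": date(2024, 3, 1),
             "address": "12 High Street Apartment 4 Leeds LS1 4AB"}
```

Token-set comparison tolerates reordering and abbreviations but not OCR misreads, so a production check would add fuzzy matching before raising a mismatch flag.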
Why it matters
Address data carries real regulatory weight. Anti-Money Laundering (AML) obligations under the EU's Fifth AML Directive, the UK Money Laundering Regulations, and equivalent frameworks in Latin America and Asia-Pacific all require businesses to establish and document a customer's residential address. An unverified address is an open compliance gap — and auditors find them.
Beyond compliance, address verification closes an easy entry point for fraud. A bad actor who clears an identity document check and a biometric liveness test but submits someone else's address — or a doctored bill — would otherwise be onboarded without detection. Catching that at the PoA stage is far cheaper than discovering it during a transaction investigation.
Accepted documents and recency rules
Not all documents carry equal weight. The most commonly accepted categories are:
Utility bills — electricity, gas, water, and broadband invoices showing the account holder's name and residential address. Mobile phone bills are frequently excluded because SIM registration data is comparatively easy to manipulate.
Bank statements — official statements from regulated financial institutions, showing the account holder's name and address. A screenshot of a mobile banking app screen is generally not accepted; a formatted statement issued by the bank is.
Government-issued letters — correspondence from tax authorities (HMRC, Hacienda, IRS), social security administrations, local councils, or equivalent bodies. These carry the highest evidential weight because the issuer holds a verified postal database.
Recency — most regulatory regimes require PoA documents to be dated within the last 60–90 days. A utility bill from fourteen months ago establishes where someone used to live, not where they live now. Recency rules are configurable per workflow in Didit's Workflow Builder.
How fraudsters abuse PoA checks
PoA is one of the most frequently tampered document types in identity fraud. Unlike passports or national ID cards, utility bills and bank statements lack overt security features — no holograms, no polycarbonate layers, no embedded chips. That makes them easier to fabricate.
Edited PDFs. An attacker downloads a genuine bill template, substitutes the target address or name, and re-saves as a PDF. Automated analysis looks for metadata inconsistencies, font rendering differences, compression artifacts, and layer structures inconsistent with legitimate issuer output.
Fabricated bills. Entirely synthetic documents generated using online tools — correct logos, plausible layout, invented account numbers. Detection relies on issuer template matching: a real energy company produces recognizable, consistent formatting across thousands of genuine submissions; a fabricated one does not match anything in the classifier's knowledge base.
Recycled documents with altered dates. A genuine old statement with the issue date modified. Modification metadata — when the file was last saved and by which application — typically exposes this without visual inspection.
Name-field substitution. A legitimate customer's real bill submitted with someone else's name edited into it. Integrity checks on the relationship between name-field typography and surrounding text catch most of these substitutions.
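The metadata signals mentioned for edited PDFs and altered dates, as an added detection sketch that is not part of the original page or of Didit's product. It assumes the PDF's Info dictionary is stored uncompressed with literal-string values; a production check would use a full PDF parser and also read XMP metadata. The flag names, producer hints, and both sample byte strings are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed hints for producer strings that suggest an editing tool; tune from real submissions.
EDITOR_HINTS = ("photoshop", "illustrator", "gimp", "pdf editor")

def _pdf_date(raw):
    """Parse the leading D:YYYYMMDDHHmmSS part of a PDF date string."""
    m = re.match(rb"D:(\d{14})", raw)
    return datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S") if m else None

def _info_field(pdf, key):
    """Last literal-string value of /key; a later revision overrides earlier ones."""
    hits = re.findall(rb"/" + key + rb"\s*\(([^)]*)\)", pdf)
    return hits[-1] if hits else None

def metadata_flags(pdf, tolerance=timedelta(minutes=5)):
    """Return review signals derived from file metadata, without rendering the page."""
    flags = []
    created = _pdf_date(_info_field(pdf, b"CreationDate") or b"")
    modified = _pdf_date(_info_field(pdf, b"ModDate") or b"")
    if created and modified and modified - created > tolerance:
        flags.append("MODIFIED_AFTER_CREATION")
    producer = (_info_field(pdf, b"Producer") or b"").decode("latin-1").lower()
    if any(hint in producer for hint in EDITOR_HINTS):
        flags.append("EDITOR_PRODUCER")
    # Each save that appends a revision to the file adds another %%EOF marker.
    if pdf.count(b"%%EOF") > 1:
        flags.append("INCREMENTAL_UPDATE")
    return flags

# Constructed fragments (not complete PDFs): an issuer's output and a later re-save of it.
ORIGINAL = (b"%PDF-1.4\n1 0 obj\n<< /Producer (BillGen 3.2) "
            b"/CreationDate (D:20240301080000Z) /ModDate (D:20240301080000Z) >>\n"
            b"endobj\n%%EOF\n")
TAMPERED = ORIGINAL + (b"1 0 obj\n<< /Producer (Example PDF Editor 1.0) "
                       b"/CreationDate (D:20240301080000Z) /ModDate (D:20240410213000Z) >>\n"
                       b"endobj\n%%EOF\n")
```

These flags are inputs to review rather than verdicts: digitally signed statements, for instance, legitimately contain incremental updates, and metadata can be stripped, so they complement template and typography checks.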
How Didit helps
Didit Proof of Address runs as a module inside a verification session — the same session that can collect an identity document and a biometric liveness check. There is no separate integration required: add the PoA step to your workflow in the Business Console, and classification, extraction, and validation run automatically.
The module accepts uploaded images and PDFs, extracts name, address, issuer, and date via OCR, and cross-references against the identity data from the same session. The session decision includes PoA results alongside document and biometric outcomes — one response, not several.
```bash
# Create a session with PoA enabled via your configured workflow
curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "your-workflow-id",
    "vendor_data": "user-9876",
    "callback": "https://your-backend.com/webhook"
  }'
```
The session URL opens a hosted flow where the user uploads their PoA document. After submission, the session decision includes address extraction results and any validation flags.
Price: $0.20 per PoA check. Combine with ID Verification ($0.15) and Passive Liveness ($0.10) for a complete residential KYC flow at $0.45, with 500 free checks per month and no minimums. Didit is 3–5× cheaper than legacy providers.
Use cases
Neobank and EMI account opening — regulators require address evidence before activating a payment account. Automated PoA after liveness lets users complete onboarding from their phone without visiting a branch.
Lending and credit — mortgage originators, buy-now-pay-later providers, and consumer lenders need to confirm residential address as part of creditworthiness assessment and fraud prevention. PoA is typically the last KYC step before a credit decision.
iGaming age and residence verification — sports betting and online casino platforms in regulated markets must verify both age (document + biometric) and residency (PoA) to enforce jurisdiction-specific compliance rules and geolocation restrictions.
Marketplace seller onboarding — platforms disbursing payments to individual sellers face AML obligations that include address verification. PoA is commonly the trigger for elevated transaction or payout limits.
Frequently asked questions
How much does Proof of Address verification cost?
$0.20 per check. Combine it with ID Verification ($0.15) and Passive Liveness ($0.10) for a complete residential KYC flow. 500 free checks per month, no minimums.
What document types does Didit accept?
Didit accepts utility bills (electricity, gas, water, broadband), bank statements from regulated financial institutions, and government-issued correspondence. Mobile phone bills are typically excluded. Accepted types are configurable per workflow in the Business Console.
How old can a PoA document be?
The standard recency window is 90 days from the document's issue date, consistent with most AML guidelines. This threshold is configurable in the Workflow Builder.
Does Proof of Address replace identity document verification?
No. PoA confirms an address; it does not verify identity. It runs alongside ID document verification and liveness checks, not instead of them.
Can edited PDFs be detected automatically?
Yes. Automated PoA analysis checks metadata integrity, font consistency, compression artifacts, and template matching against known legitimate issuer formats — catching the most common PDF-editing approaches without requiring a human reviewer on every case.
Ready to get started?
Proof of Address is one module in Didit's composable identity and fraud platform — pair it with ID Verification, Passive Liveness, AML Screening, and Database Validation in a single no-code workflow.