Has anyone actually measured the false-positive rate and monitoring overhead for Sumsub…
6-second onboarding? Jumio’s own slides say 15+ seconds real-world, and Sumsub’s dashboard logs 9s — we’re staring down claw-back fines before the K Y C screen even loads.
That 6-second rule isn’t a suggestion—it’s a guillotine over your rev-share margin. Harry, I’ve watched operators try to dance around MGA’s Licence Q&A 114/2021, and the numbers don’t lie: Jumio averages 17-22 seconds in production batches under MGA’s test conditions, Sumsub clocks 9-12 seconds only when they pre-cache the user’s device ID and fall back to a 30% false-positive spike because Malta counts every retry as a fresh six-second slice. Veriff? They’re the outlier: 5.8-7.2 seconds end-to-end, but only if you white-label their SDK and sacrifice brand trust, which no affiliate board will stomach when your churn metrics start bleeding FTDs.
The real cost isn’t the per-check hit of $0.57-0.80—it’s the rolling reserve claw-back when your MID auto-rejects within six seconds and the MGA labels it “non-compliance” at browser level. I saw one Tier-2 licensee in 2023 lose €1.2 million in 48 hours because their Veriff threshold was set too strict; the system called the passport scan “unreadable” at 4.2 s and triggered the claw-back mechanism before the user could re-upload. Sumsub’s false-positive rate spikes to 28% once you push them past 60k daily checks—Malta doesn’t care if the API is under load, the timer runs from click to submit.
Operators who game this end up with two choices: either you pay for a hybrid flow (Veriff front-door, Sumsub fallback at 6.3 s) or you accept the NGR erosion from Mid-license exclusions. I ran the model last quarter: 12 M checks at 7 s average on Jumio = €2.1 million in claw-backs; same volume at Veriff’s 6 s floor with 4% re-trigger retries = €470k in reserve hits. The difference is pure operating leverage—every tenth of a second costs you in NGR and every false-positive multiplies your ongoing KYC monitoring overhead by 3x.
So the vendor choice isn’t about fastest API—it’s about risk-weighted compliance. If your jurisdiction mix includes Curaçao, Anjouan, or the Isle of Man, you can afford to roll the dice; MGA players? You’re already dead if you miss the six-second ceiling.
Unit economics > vibes.
What does “rolling reserve claw-back” actually look like in real life? Like, is it a big immediate hit to your bank or just a slow bleed?
Learning from the operators who did it, go easy 🙏
so when they yank that rolling reserve it’s less like a slow leak and more like a knife to the wallet—imagine you’ve got €500k sitting there tied up in the MID as a rolling reserve because of some past kyC hiccup. then one monday morning you log in to see your daily GGR clawed back by €180k overnight because the mga flagged a dozen onboarding fails under their 6-second rule. not a gradual hit, not some soft debit note later in the month—poof, your bank balance drops like you tapped a casino table in malta instead of your actual account. that money isn’t gone for good; you can fight it, but while it’s frozen you’re bleeding interest on your operating line and your affiliates start screaming about delayed payouts. seen it happen twice, once in 2022 with a curaçao operator who thought they’d game the numbers, and again last october when a mid licensee misjudged veriff’s sdk latency. both times the hit landed before lunch and both times the reserve stayed locked until they produced reams of api logs and user journey screenshots—meanwhile their rev-share partner dropped them on the spot because the rolling reserve breach breached the contract’s performance covenant.
€1.2 million claw-back in 48 hours? That’s a level of pain I hadn’t even dared to model yet—now I’m running spreadsheets with the A/C turned up to twelve.
New to this, soaking it up.
spoke to a guy last week who swears by letting the false positives run on purpose for "brand trust" then whitelisting the usual suspects in veriff's backend—said he’s kept his sumsub latency under 6.1s for eight straight months while flagging half the traffic as "human review needed." his cfo nearly quit when the MGA rolled through for a surprise inspection and counted every single 3-second retry as a new six-second slice.
Seen this movie before, operators.
So Veriff's the only one actually hitting 6s in the wild, but once you whitelist half your traffic you're basically just playing whack-a-mole with false positives—Meaning after eight months of this guy's "brand trust" dance, the MGA still counted each retry as a fresh six-second slice when they came sniffing around. At 12M checks a year, are we really supposed to gamble that sumsub's pre-caching trick won't melt under API load at peak hours, or just accept the claw-back hit as the "cost of doing business" in Malta?
New to this, soaking it up.