What’s coming

View upcoming releases, events, and major announcements.


Sigma v1 Sunset Notice

Effective on Tuesday, November 30, 2021, at 8:00 AM Eastern Time, all custom and standard Sigma v1 models will no longer be available in Production. To avoid gaps in coverage, contact your Account Manager to discuss options for migrating to the current Sigma Identity Fraud model (v2).

What does this mean?

Socure continuously works to improve product performance in order to deliver world-class fraud and compliance solutions. Although we support older versions of products for long periods of time, there are instances when model obsolescence is unavoidable. This transition will ensure that you have access to the most effective, up-to-date tools to drive revenue, mitigate fraud, and reduce friction.

Certification for iOS 15

iOS 15 is scheduled to be released in the coming week. We are actively preparing for the release and will provide an update once we've certified iOS 15 support for our Device Risk and Document Verification SDKs.


The following items are tentatively scheduled to be released in the next two weeks:

Admin Dashboard

  • A bug fix to correct an issue with webhook configurations being retrieved from the parent account by default, instead of the specified sub-account.


  • An update to the transaction linkage feature will allow you to view the ID+ response from the first transaction in the response of the second API call.

Note: This update is intended for informational purposes only. The results of the first transaction will not affect the results of the second API call.


  • New reason codes to cover scenarios in which the user does not provide a SSN or ITIN, but Socure finds one for the best-matched identity.
    • R912: Input SSN missing but found on record
    • R914: Input ITIN missing but found on record

The following items are tentatively scheduled to be released in the next two weeks:

Admin Dashboard

  • A bug fix to correct an issue that prevents you from creating Watchlist transactions when the transaction-level settings include the country Kosovo.

Document Verification

  • We're working on a new Android SDK that will include both Document Verification and Device Risk. In the meantime, you can use the standalone Android SDKs to integrate both products into your app. Instructions for integrating the two SDKs are available on Github. Additionally, a best practices guide will be posted on DevHub in the coming days.

Note: The iOS SDK includes both Document Verification and Device Risk.


  • A bug fix to correct an issue with reason code R934 being returned when a nickname matches an identity but not the SSN.
  • Improved logic for reason codes R941, R955, and R956 to reduce the number of false positives.

The following items are tentatively scheduled to be released in the next two weeks:

Admin Dashboard

  • A bug fix to correct an issue that prevents IPv6 addresses with CIDR notation from being added to the list of allowed domains.

Device Risk

  • A new tokenFormat query parameter will allow you to specify if the deviceSessionId should be Base64 encoded. This parameter will be optional and, if not specified, will default to JWT.
  • An update to replace the placeholder values in the new Device Risk API response schema with device data.
  • A bug fix for the Android SDK to ensure that accessibility data is collected as expected.

The following items are tentatively scheduled to be released in the next two weeks:

Device Risk

  • The previously announced upcoming change to the Device Risk API response has undergone some recent modifications:
    • deviceIdentityCorrelation and deviceRisk will now be returned as separate objects in the response.
    • A new deviceData object will contain information, geolocation, and velocityMetrics data.
    • firstSeen and lastSeen will be returned in a new observations object.

For more information on these changes, see Upcoming Changes to Device Risk API Response.

Note: As a reminder, the new response schema will be enabled for your account only after we receive confirmation that your integration has been updated. Contact your Account Manager for more information.


We're excited to offer eCBSV soon. The latest update from the Social Security Administration is that they've received approval from the Office of Management and Budget to release eCBSV. More information will be provided in the coming days.


  • Several deprecated reason codes will be removed from the sandbox environment.
  • API responses for Device Risk test cases will be updated to match the new response schema.

The following items are tentatively scheduled to be released in the next two weeks:

Device Risk

  • An update to change the description of reason code R405 from "Session ID was not provided" to "The Device Risk module was called, but a device token was not provided".

Global Watchlist

  • An update that will enhance the quality of data in Watchlist PEP hits.

Note: This feature could increase the number of Watchlist PEP hits and must be enabled for your account. Contact your Account Manager for more information.


  • An update to enrich the data sources used for KYC to increase auto-acceptance rates.

Sandbox Environment

  • A bug fix to correct an issue with the mobileNumber parameter not behaving as expected in the Sandbox environment.

The following items are tentatively scheduled to be released in the next two weeks:

Device Risk

  • Customers have reported that the format of the encoded deviceSessionId can trigger web application firewall rules, resulting in the request being blocked. To ensure compatibility, we’re changing the encoding format from JWT to Base64.
  • To ensure compatibility with privacy focused browsers, such as Brave, the Device Risk WebSDK code will no longer transmit the deviceSessionId in an image. This change will fix an issue that impacted less than 1% of users. No action is required for customers who request the device code from our server, or who use the WebSDK as part of the Document Verification process.

Document Verification

  • A new reason code for scenarios in which there’s a discrepancy between the user’s predicted age based on the selfie image they provided and the age listed on the document.
    • R858: The age on the document doesn't correlate with the selfie predicted age
  • NIST PAD Level-2 Liveness Detection will soon be available for Document Verification. NIST Liveness Detection provides enhanced biometric verification and increased accuracy in detecting fraudulent spoofing attacks. Contact your Account Manager for more information.
  • NIST Liveness Detection will use existing reason code R834, as well as the following new codes:
    • R856: Face not fully captured in selfie due to obstruction
    • R835: More than one face was detected in the selfie
    • R857: No face found in the selfie frame
    • I856: Facial liveness could not be determined


  • The Social Security Administration (SSA) is currently awaiting approval from the Office of Management and Budget before eCBSV can be officially released. We expect to receive an update from the SSA on June 25.

Sandbox Environment

  • A bug fix to correct field validation issues with the Feedback endpoint.
  • A bug fix to ensure the error message received when trying to call multiple Watchlist modules in a single API call matches the error message in the Production environment.

The following items are tentatively scheduled to be released in the next two weeks:

Global Watchlist

  • An update for Adverse Media to ensure each article has a corresponding publication date listed in the API response. If no publication date is available, the article date will be listed as 0000-00-00T00:00:00Z.
  • A bug fix for an issue that causes errors for certain users for whom only the date of birth year is on file.


  • An update to improve ID+ address validation capabilities.


  • An update to improve KYC name matching for hyphenated last names.

Sandbox Environment

  • A bug fix to correct an issue with the fullName and userConsent parameters not behaving as expected in the Sandbox environment.

The following items are tentatively scheduled to be released in the next two weeks:

Device Risk

  • An update to enable Device Risk code to work correctly in iframes while a browser is in incognito mode.

Global Watchlist

  • An update to the fullName parameter will remove the restriction that requires two strings to be passed in the request body. This change will address issues with single name business entities, and will allow you to pass a single string in the API call.


  • An update to allow the userId and customerUserId parameters to be returned in the error message response when included in the initial API call.


  • A new reason code to cover scenarios in which a first name or last name is identified as possibly referring to a commercial business entity.
    • I931: First name or last name may refer to a non-person entity

KYC, Fraud, Address Risk

  • Additional data will be added for the R972 and R707 reason codes to enable more accurate identification of commercial mail receiving agencies.

The following items are tentatively scheduled to be released in the next two weeks:

Device Risk

  • Firewall rules designed to reduce the risk of SQL-injection attacks may reject deviceSessionIds that contain two consecutive dashes (--). To address this issue, we will no longer be generating deviceSessionIds that contain two consecutive dashes.
  • A new method will be added to the iOS SDK that will enable you to manually refresh device data before calling Device Risk using the ID+ endpoint.
  • A bug fix for the Android SDK will address issues with the locale function causing apps to crash when running on Android 7.

The following items are tentatively scheduled to be released to Production in the next two weeks:

First Name Matching for Document Verification

An upcoming update will improve our ability to match a first name extracted from a document to a nickname manually entered by a user. This functionality will be enabled via a new check box on the Document Verification section of the Account Settings page in Admin Dashboard.

Additionally, a new reason code will added:

  • I855: Input First Name matches a known Nickname or Alias.

This complements the existing test that matches the input first name against the document extracted first name (I822/R822), which will now be matched to known nicknames to avoid false rejects.

Device Risk API Response Placeholders

To help prepare for new device outputs to be delivered via our API, we'll be adding placeholders in the Device Risk API response. The placeholder elements will represent data that will be added to the API in the coming months.

To prepare for these changes, you can update your integration to accommodate parsing and storing the new data. The full scope of the planned additions and changes to the API will be documented in DevHub shortly. We'll post a link to the article in the Release Notes once it's available.

Along with the changes to the API response, we'll also begin the process of separating reason codes that are specific to risk or correlation in preparation for equivalent scores to be included. You’ll see two sets of reason codes after this change is released to production. We'll be adding a control to switch between the current and new output formats, and will enable it for each account only after we receive confirmation that your integration has been updated. There are no changes to the reason codes themselves, just their placement in the API response.

Global Watchlist Adverse Media Filters

New functionality on the Admin Dashboard will enable you to filter adverse media articles by country and date range.


The following items are tentatively scheduled to be released to Production in the next two weeks:

API Rate Limit Update

We’re updating the default rate limits for the API from 600 transactions per minute to 10 transactions per second for each API key. If you need to increase rate limits for your account, contact Technical Support.


The following items are tentatively scheduled to be released to Production in the next two weeks.

Device Risk Session ID in ID+ API Calls

API calls made to the ID+ endpoint that include Device Risk along with other modules will no longer fail when the Device Risk deviceSessionId is missing, but all required parameters for the other modules are included.

Note: API calls that only include the Device Risk module will continue to fail when the deviceSessionId is missing.

New Device Risk Reason Code

We’re adding a new reason code for Device Risk to cover scenarios in which the Device Risk module is called, but no deviceSessionId is provided in the request body.

  • R405: The Device Risk module was called, but a device token was not provided

New KYC Reason Code

We’re adding a new reason code for KYC that will be returned when a user’s name and date of birth matches that of a celebrity.

  • I930: The name and DOB of the identity matches a notable personality/celebrity

Age Related Reason Codes

We’ll be adding the following new age related reason codes:

  • I352: DOB indicates an age over 25
  • R354: DOB indicates age is correlated with higher fraud rates

Note: I352 and R354 will not be available globally and must be configured for your account. Contact your Account Manager for more information.

Additionally, we’ll be deprecating the following risk code:

  • R355: DOB indicates an improbable age

First Name Match Results for KYC

An upcoming update will improve our ability to match nicknames to first names.

Global Watchlist

We’ll be releasing the following enhancements for Global Watchlist:

  • An update to improve Watchlist date of birth (DOB) match results to account for scenarios where a full date of birth (DOB) is entered, but only a partial DOB is on file.
  • An enhancement for Global Watchlist and KYC customers that will reduce the number of false positives for exact matches by using the resolved identity from KYC to search Watchlist.

Name to Address Correlation score updates

On March 1st, we'll be releasing an update for Name to Address Correlation scores that will significantly improve Socure's ability to match names to addresses. The update includes integration of additional data sources and improvements to search and resolution techniques.

Android SDKs

A new version of the Document Verification Android SDK (v2.0.6.28) will be released in the coming weeks. The release will include the following enhancements and bug fixes:


  • Device Risk integration (toggle on or off)
  • Folder structure changes to prevent conflicting folder paths with client implementations
  • Library size optimization

Bug Fixes

  • Fixes issues with bubble tooltip and selfie button dimensions

New IP Address Reason Codes

In the first week of February, we’re going to release 14 new reason codes. These codes provide information about IP addresses, and are applicable to multiple modules. Examples of these codes include R646: IP proxy is VPN-based and I634: Proxy is an educational institution.

Reason codes represent data points that ID+ uses to determine scores, meaning the scores returned already reflect the codes. Unless you decision based on specific codes for regulatory compliance (e.g. KYC), these codes are provided to help with manual review and provide information in part how ID+ determined a score. Reach out to your account manager with any questions.

DocV WebSDK New Designs

At the end of February, the DocV team is planning to release updates to our WebSDK capture app. This includes a redesigned user interface, with additional updates to the embedded plugin for the desktop-to-mobile hand-off, a redesigned user interface, and additional instructions to aid in image processing and capture. This migration will be managed through the Socure Admin Dashboard, and will not disturb your current Android and iOS integrations. As we get closer to release, your account manager will be in touch to answer any questions.

eCBSV Scheduled for Q2 Release

The Electronic Consent Based Social Security Number Verification (eCBSV) module is scheduled to be released in Q2 of 2021. The eCBSV module enables you to verify if an individual’s social security number, name, and date of birth match the Social Security Administration’s records. For more information, contact your account manager.


The Code Freeze is Over

In December, Socure put in place a code freeze, to ensure stability and consistent operation through the always high-traffic Q4.

New Certificate in January

At the end of the month, we’re going to rotate the certificate for service.socure.com. This is a semi-annual maintenance task, and it only affects customers who pin their integrations to our certificate. Those of you who do should have been contacted by a TAM to confirm the new certificate number and chain. And if you’re pretty sure but not 100% sure, reach out and double check.

New IP Address Reason Codes

Towards the end of January, we’re introducing new specificity around IP addresses. These codes will appear in the 600 range, and can apply to multiple modules:

  • R638: IP address originates from the US or US territories
  • R639: IP address originates from outside of the US or US territories
  • R640: IP address originates from an OFAC sanctioned country
  • I631: IP address is provided by a mobile carrier
  • I632: IP Connection is consumer
  • I633: IP Connection is business
  • I634: Proxy is an educational institution
  • I635: Proxy is registered to a corporation
  • R641: Proxy is from services that change location to beat DRM,TOR points, temporary proxies and other masking services
  • R642: IP address is associated with a cloud hosting provider and is likely a proxy. Users are not usually located in a hosting facility
  • R643: IP address is associated with a location allowing public internet access
  • R644: IP proxy is cloud-based
  • R646: IP proxy is VPN-based
  • R647: IP proxy is cloud-security-based

New Device Risk React SDKs

Customers who use the React JavaScript library will soon have access to a version of the Device Risk SDK that will integrate seamlessly into mobile apps that use it on both Android and iOS. A standalone version will be available soon. Customers will also have an option to use it together with Document Verification.

Reason Code Clean Up For Document Verification

Over the past few months, we’ve worked with our customers to roll out our Document Verification v2 platform, which includes new reason codes, improved algorithms, and self service configurations via Socure’s Admin Dashboard.

All of our DocV customers are now using v2, so we will begin deprecating our v1 environment. Certain reason codes will no longer be returned in production, and will be removed from the Reason Code API as of Feb 16, 2021.

Please note that all the tests associated with the soon-to-be-deprecated reason codes have been combined or translated into one of the existing/new reason codes.

  • I803: Document check digit integrity test passed
  • I806: Document image is not in focus
  • I807: Document image glare obscures the document details
  • I835: Self-portrait contains one face
  • R803: Document check digit integrity test failed
  • R805: Document submitted is a paper copy
  • R806: Document image processed with editing software
  • R807: Document image capture integrity failed
  • R809: Document text has been modified
  • R817: Document image has been altered
  • R821: Document text has been modified
  • R828: Expiration date inconsistent with DOB and issue dates
  • R829: Issue date inconsistent with DOB and expiration dates
  • R830: DOB is not valid
  • R835: Self-portrait must contain one face
  • R846: Expired document is within expiration grace period
  • R847: Document is going to expire out of the set grace period
  • V806: Document image resolution is insufficient
  • V818: Document image is not in focus
  • V819: Document image glare obscures the document details
  • V827: Document is within six months of expiration
  • V836: Self-portrait was not considered in decision

New Certificate in January

It’s not technically in December, but this is important, so we’re announcing it now. In January 2021, we’re going to rotate the certificate for service.socure.com. The good news is, this is a semi-annual maintenance task. The other good news is, it isn’t applicable to all customers—only those who pin integrations to our certificate. For those of you who do, you’ll need to add our new public certificate to your keystore, then validate it with a new fingerprint. However, it’s important to confirm whether this is applicable to your integration, so if you aren’t sure, start asking now.

Now, on to the the features scheduled for the upcoming release in December:

iOS and Android SDK Updates

On the heels of last month’s iOS update, we’re planning to release an update to the Android SDK this month. Both are available in our GitHub repository. And if you have questions, or need access to our GitHub repositories, please reach out to your account manager.

New Capture Interface for December

The new capture interface we wrote about last month will be released in December. We’re excited to announce a new slate of features, including an improved capture experience for our DocV webSDK.

Native SDK and Reason Codes

Support for native iOS and Android applications is coming to the Device Risk product by mid-December. At that point we will provide SDKs that can be used to collect device metadata from mobile apps and support risk lookups, expanding our coverage beyond the browser. We are introducing reason codes to indicate whether the device being used to access your service is real or virtual (I423: “Device is a physical device” and R403: “Device is a virtual device”).


New Feedback Endpoint Coming In November

The Feedback Endpoint is scheduled for release on November 15. This endpoint provides an alternate method for customers to send feedback data, following the same authentication and security protocols as the ID+ API. Uses industry standard models published by the Federal Reserve Fraud Classification labels.

ID Plus General Updates

Decision Logic Details Parameter

We’re adding a new node under the Decision Module that shows additional information. When users call the Decision module, the Details node will contain information such as codes and scores that influenced the decision. Reach out to your account manager to enable this feature.

New Reason Code for High-Profile Personalities

We’re adding a new code (I930) to KYC for notable names. People in the public eye, such as celebrities, politicians, and high-profile individuals, are at a higher risk of identity fraud because of the public availability of PII. KYC will check identities against a list of notable personalities and alert you to any matches.

New Parameters in Watchlist Webhooks

Watchlist will support passing userId and customerUserId in the request. These parameters will be returned in subsequent Watchlist Monitoring webhooks and snapshot endpoints. This gives customers another method to manage traceability among transactions, besides using the referenceId.

Additional KYC and Watchlist DOB Filters

We’re constantly improving both our reg-tech capabilities, and the features that make our solutions the best in the industry. This month, we’re releasing additional DOB filters for the KYC and Watchlist modules. In addition to the new filters released last month, the additional filters include:

  • One Year Radius YYYY: match up to one year from the year submitted
  • One Year Radius YYYY/MM: match up to 12 months +/- from the YYYY/MM submitted
  • One Year Radius YYYY/MM/DD: match up to 365 days from the YYYY/MM/DD submitted
  • Two Digit Transposition Match: match if two digits are transposed. For example, 1978 will match 1987, but not 1897.

These configuration options will be available on the Settings page of the Admin Dashboard.

Document Verification

We’re doing a significant amount of work on our image capture workflow. While these are primarily code and backend changes—you won’t see new features or options—you should see small, steady improvements in speed, capture accuracy, and overall experience this month. We's also released a minor improvement to the DocV Event manager, in which we notify customers when the capture app session is expired. This information is returned in the Event Manager Webhook response.

New Capture Interface for December

Finally, we’re working on a new and more intuitive WebSDK Capture interface. It won’t be ready this month, but it’s on our roadmap for December. We’re pretty excited, and can’t wait to share the improvements. Look for more information in the coming weeks.

Device Risk

Device Risk Support in Sandbox

We’re going to expand support for Device Risk in Sandbox. Customers will be able to utilize our Sandbox to send Device Risk requests and receive responses with reason codes I401 (“Device token previously encountered”) and I414 (“Session connected using a proxy”). See the Sandbox User Guide for instructions on how to trigger these scenarios.

New Reason Codes and Signals for Devices

As we refine our Device Risk module, we’re adding new reason codes that provide additional user insight. These codes will specify the device category, type, and model.


Global Watchlist and KYC

Additional DOB Tolerances for Global Watchlist and KYC Settings

Both Global Watchlist and KYC customers will receive new DOB fuzziness tolerance match settings. When matching DOB, customers select one of four options (e.g. “Exact YYYY”). The new release will bring the total number of match options to nine, adding additional choices such as 1 Year Radius, 2 Digit Transposition YYYY/MM, 2 Digit Transposition YYYY. The release will not change your existing defaults.

Military Lending Act

KYC will have the ability (with particular contractual requirements in place) to verify active duty military and dependents. Submit a KYC request, and the module will return the reason code R975: MLA covered borrower status to indicate status. Contact your Account Manager to learn how to take advantage of this new service.

Four-Digit SSN Reason Code in KYC

KYC will return a new reason code if the SSN/ITIN provided contains only four digits. Reason code I905: SSN/ITIN provided at input contained only 4 digits provides extra awareness, in case you do not have front end validation for nine digits, but expect a match on the full nine.

Name and AKAs added to the Global Watchlist Response

In Global Watchlist, we're adding a new response parameter that explains how names you submit match the names on the watchlist. The matchType field in your Watchlist response will explain how the names match (e.g. nameExact, akaPhonetic). Look for the new fields in the comments object of the response.

New Reason Codes for Global Watchlist

Two new Global Watchlist reason codes will show if the address is in a High-Intensity Drug Trafficking Area (HIDTA) or an or High Intensity Financial Crime Area (HIFCA) county:

  • R187: Address resolves to a High-Intensity Drug Trafficking Area
  • R188: Address resolves to a High-Intensity Financial Crime Area

Sandbox Support for the Event Manager

Socure’s Event Manager monitors names and proactively pushes out Add, Change, and Delete events for the Global Watchlist. Sandbox will now support Event Manager, enabling users to receive notifications from the test environment.

Document Verification Updates

Lots of changes in Document Verification (we call it DocV). Also, make sure you check out the recently released section for more DocV updates.

Decision Logic-Based Dynamic Strategy Changes

DocV can now shift strategies on the fly, from lenient to strict, based on decision logic and risk threshold. Specific thresholds can trigger this strategy shift; see the WebSDK guides for configuration options.

New Reason Code and Description Changes

DocV will return a new reason code when the user does not submit an image of the back of the license. The new code is I854: The back of the license was not passed; no barcode to extract information.

Document Verification Step-Up Transaction ReferenceID

Document Verification is often a step-up authentication option, such as when KYC fails or the Fraud Score is high. Now, customers who use Document Verification can link the two transactions by passing the original referenceID as a parameter in the step-up transaction. This creates better traceability.

Device Risk

New Early Access Program Support: Device Risk integration with Doc Verification WebSDK

Document Verification customers who use the WebSDK, and are part of Socure’s early access Device Risk Intelligence program, will receive additional Device Risk parameters in their API responses. If you are not part of the Device Risk Program but still use the WebSDK, the API behavior will not change. For more information, or to learn about our Device Risk Intelligence program, reach out to your account representative.

Input and Response Parameters for Device Risks

Device Risk is introducing two new parameters this month, one input and one in the response:

  • Device Risk will accept a new input parameter that specifies the type of page where the Device Risk JavaScript page is located (login page, landing page, etc.). This optional parameter helps our engine understand where a customer is in the account workflow.
  • In the response, Device Risk will return a reason code that indicates the IP Geolocation of the device.

Admin Dashboard

Dashboard Transaction History Export

Users will export transaction history into a CSV file. We’re also offering configuration options for the exports. Contact Socure to enable this feature.

Socure Dashboard and Watchlist Monitoring Email Option

Users will select email as a notification method for Watchlist Notifications, instead of receiving the notifications via webhooks. Configure this option on the Event Manager Tab in the Admin Dashboard.