TL;DR: Webull Brazil moved from 75.7% to 92.5% auto-approvals by layering device intelligence underneath traditional KYC. Manual reviews collapsed from 19.2% to 2.5%. They caught 7,650+ remote-access fraud devices in a single quarter. Here is the technical breakdown, the TypeScript patterns, and why your document-first flow is optimising for the wrong threat model.
The problem nobody wants to quantify
Last quarter, a crypto platform called Drift lost $285 million because their verification focused on identity documents rather than access patterns. North Korean hackers used legitimate credentials on compromised devices. Perfect KYC, catastrophic outcome.
Meanwhile, most compliance teams are still burning analyst hours confirming that obvious legitimate users are, in fact, legitimate. At 200 daily applications with a 19.2% manual review rate, you are burning 38 analyst hours every single day on cases that device intelligence could resolve in seconds. Scale that to a quarter and the operational drag is brutal.
Webull Brazil decided to measure it. Then they fixed it.
What Webull Brazil actually changed
The traditional KYC flow looks like this:
interface TraditionalKYCFlow {
documentUpload: PassportData | DriverLicenceData;
videoInterview?: SelfieComparison;
nameScreening: SanctionsCheck;
manualReview: boolean; // binary: yes or no
}
type PassportData = {
documentNumber: string;
expiryDate: Date;
nationality: string;
ocrConfidence: number;
};
type DriverLicenceData = {
licenceNumber: string;
issuingAuthority: string;
expiryDate: Date;
ocrConfidence: number;
};
type SanctionsCheck = {
sanctionsList: string[];
pepsStatus: boolean;
adverseMedia: MediaResult[];
};
type MediaResult = {
source: string;
severity: 'low' | 'medium' | 'high';
datePublished: Date;
};
type SelfieComparison = {
matchScore: number;
livenessCheck: boolean;
};
The problem is not data quality. Passport OCR works fine. Name screening catches obvious matches. But sophisticated fraudsters do not use their real names on sanctions lists. They use clean documents, often genuine ones, obtained through identity theft or document mills.
Worse, this creates a binary decision: approve or manually review. No middle ground, no risk scoring based on behaviour. That is exactly why 19.2% of Webull's applications needed human review before the upgrade.
Their new approach layers device and location signals underneath the traditional checks:
interface DeviceProfile {
deviceFingerprint: string;
isEmulator: boolean;
hasRemoteAccess: boolean;
locationSpoofing: boolean;
deviceAge: number;
appIntegrity: IntegrityCheck;
}
interface LocationData {
gpsCoordinates: [number, number];
networkLocation: [number, number];
locationConsistency: number; // 0 to 1
velocityCheck: boolean;
geofenceStatus: 'inside' | 'outside' | 'unknown';
}
interface IntegrityCheck {
isRooted: boolean;
hasVPN: boolean;
suspiciousApps: string[];
screenRecording: boolean;
}
interface EnhancedKYCFlow {
deviceIntelligence: DeviceProfile;
locationVerification: LocationData;
traditionalKYC: TraditionalKYCFlow;
riskScore: number;
autoDecision: 'approve' | 'review' | 'reject';
}
This changes the question from "Is this person who they claim to be?" to "Is this person behaving like a legitimate user from a trusted environment?"
The numbers that matter
Here is what Webull Brazil achieved in three months:
| Metric | Before | After | Change |
|---|---|---|---|
| Auto-approval rate | 75.7% | 92.5% | +16.8 percentage points |
| Manual review rate | 19.2% | 2.5% | -16.7 percentage points |
| Remote-access devices flagged | Not tracked | 7,650+ | New capability |
| Manual review reduction | Baseline | 87% drop | Operational savings |
The compound effect is significant. If your compliance team handles 1,000 applications weekly, that is 167 fewer manual reviews per week. At £50 per review (conservative estimate for analyst time), you are saving £435,000 annually on operational costs alone.
And those 7,650 flagged devices? Traditional document checks would have missed them entirely. Better security and lower costs. Not opposing forces.
Progressive risk scoring in practice
Instead of binary approve/reject, implement layered scoring:
interface RiskWeights {
deviceIntegrity: number; // 40% weight
locationConsistency: number; // 30% weight
traditionalSignals: number; // 30% weight
}
function calculateRiskScore(profile: EnhancedKYCFlow): number {
let risk = 0;
// Device integrity (40% weight)
if (profile.deviceIntelligence.isEmulator) risk += 40;
if (profile.deviceIntelligence.hasRemoteAccess) risk += 35;
if (profile.deviceIntelligence.appIntegrity.isRooted) risk += 15;
// Location consistency (30% weight)
if (profile.locationVerification.locationConsistency < 0.7) risk += 30;
if (!profile.locationVerification.velocityCheck) risk += 20;
// Traditional signals (30% weight)
if (profile.traditionalKYC.nameScreening.pepsStatus) risk += 25;
if (profile.traditionalKYC.documentUpload.ocrConfidence < 0.95) risk += 15;
return Math.min(risk, 100);
}
interface Decision {
action: 'auto_approve' | 'enhanced_review' | 'reject';
confidence: number;
flaggedSignals: string[];
}
function makeDecision(riskScore: number): Decision {
if (riskScore <= 15) {
return { action: 'auto_approve', confidence: 0.95, flaggedSignals: [] };
}
if (riskScore <= 45) {
return {
action: 'enhanced_review',
confidence: 0.75,
flaggedSignals: ['moderate_risk'],
};
}
return {
action: 'reject',
confidence: 0.90,
flaggedSignals: ['high_risk'],
};
}
The key insight: catch fraud at device level, not document level. Remote access tools, emulators, and location spoofing are immediate red flags that no amount of document verification can overcome.
The compliance workflow that ties it together
Implementing this approach means rethinking your compliance architecture:
interface RiskSignal {
type: 'device' | 'location' | 'behavioural' | 'document';
severity: 'low' | 'medium' | 'high' | 'critical';
timestamp: Date;
detail: string;
}
interface DeviceFlag {
deviceFingerprint: string;
flagReason: string;
flaggedAt: Date;
associatedUsers: string[];
}
interface VerificationDecision {
applicationId: string;
autoApproved: boolean;
riskScore: number;
deviceFingerprint: string;
flaggedReasons?: string[];
reviewRequired: boolean;
}
interface ComplianceWorkflow {
processApplication: (data: DeviceProfile & LocationData) => VerificationDecision;
updateRiskProfile: (userId: string, newSignals: RiskSignal[]) => void;
flagSuspiciousDevices: (threshold: number) => DeviceFlag[];
}
Document verification workflows that include manual review average 3.2 hours per check. Device intelligence APIs typically return risk scores in under 200ms. That is the difference between a 47 second onboarding and a 3.2 hour one.
Three things to do differently
Instrument device behaviour from day one. Collect device fingerprints, location data, and network analysis during onboarding. This data becomes more valuable over time as patterns emerge. Retrofitting it later is painful.
Design for false positive optimisation. Traditional KYC optimises to avoid false negatives (missing bad actors). Device intelligence lets you optimise for false positives (reducing manual review) without compromising security. Webull's 87% reduction in manual reviews proves this is not a trade-off.
Measure operational metrics alongside security metrics. Track manual review rates, analyst hours per decision, and automated approval percentages. If 90% or more of your applications can be auto-approved safely, why are your analysts reviewing 75% of them manually?
Before you rebuild everything
Device intelligence requires mobile SDK integration, real-time risk scoring APIs, fraud signal databases, and location verification services. Most teams underestimate the engineering effort. Webull's 92.5% auto-approval rate took three months to achieve, not three weeks.
You do not have to build all of this in-house. Platforms like Zenoo orchestrate these checks across multiple providers, so your team can implement device intelligence without rebuilding the entire compliance stack. The goal is better signals, not more infrastructure.
The identity verification landscape is shifting from document theatre to behavioural analysis. The brutal maths: at $0.47 per automated check versus 3.2 hours of analyst time for manual review, the economics are not even close.
Teams that recognise this shift early will build sustainable advantages. Those that cling to manual processes will find themselves overwhelmed by threats they cannot scale to meet.
Stuart Watkins is CEO of Zenoo, the compliance orchestration platform for fintechs and regulated businesses across Europe and the Middle East.
Top comments (0)