Welcome to

The Hive

At The Hive, we bring together a dynamic community of HR leaders, compliance experts, technologists, and thinkers who care about getting identity, hiring, and trust right.

Expect practical insights, bold ideas, and real-world stories from across the employment and identity landscape. Not just from ZipID, but from people like you. Because when we swarm together, we build smarter.

a bee writing a blog

You Cannot Verify Status Without Verifying Identity: What Executive Order 14406 Actually Requires

Executive Order 14406 reads like an immigration order, but its core is identity verification. Why banks may soon face an I-9-like duty to verify the person.

zipid-blog-styles

On May 19,2026, the President signed Executive Order 14406, Restoring Integrity to America's Financial System. Most of the early commentary from the consumer finance bar has focused on one feature of the order: its instruction that regulators treat immigration status and work authorization as risk factors in banking and lending. That focus is understandable. It is also incomplete in a way that matters, because it skips the question the entire order rests on.

You cannot assess anyone's immigration status until you have verified their identity. Status is an attribute of a person. If you have not established who the person is, any determination about their status, their work authorization, or their risk profile is a determination about an unverified claim. The order's drafters understood this. Much of the commentary has not.

What the order actually says

Read Section 3 closely and the sequence is unmistakable. Section 3(b) directs Treasury and the federal banking regulators to propose rules requiring institutions to verify customer identity before anything else follows. Here is the operative language:

Executive Order 14406, Section  3(b)(i)

institutions collect and verify sufficient  customer identity information to reasonably identify the nominal and  beneficial owners of accounts in order to assess risks related to illicit  finance, sanctions evasion, fraud, or other unlawful activity

That is an identity verification mandate, full stop. Now read where immigration status appears in the very next clause. It does not lead. It follows, and only when identity-based risk indicators justify it:

Executive Order 14406, Section  3(b)(ii)

institutions maintain the authority, where  warranted by other risk indicators or supervisory concerns, to obtain  additional information necessary to resolve material compliance concerns,  including information relevant to whether account holders possess lawful  immigration status and employment authorization in the United States when  such information is relevant to assessing risks associated with fraud,  identity misrepresentation, sanctions evasion, or other illicit financial  activity, as part of a risk-based customer due diligence program

Read those clauses in order. Identity verification comes first, as the baseline requirement. Immigration status and employment authorization come second, conditioned three times over: only where warranted by other risk indicators, only when relevant to assessing risk, and only as part of a risk-based program. The status inquiry is downstream of, and dependent on, a completed identity determination. You cannot reach the immigration clause until you have satisfied the identity clause. The order is built in exactly that order.

Then Section3(c) turns to the documents themselves, singling out one category by name:

Executive Order 14406, Section  3(c)

the Secretary of the Treasury and the  appropriate Federal functional financial regulators shall consider changes to  applicable implementing regulations of the Bank Secrecy Act to strengthen  risk-based customer identification program requirements for covered financial  institutions. Any changes considered should account for the risks foreign  consular identification cards pose to the integrity of the United States  financial system

Notice what every one of those directives has in common. Verifying nominal and beneficial owners is an identity verification question. Detecting identity misrepresentation is a document authentication question. Consular ID treatment is a document forensics question. The order is an identity verification mandate wearing an immigration headline. The clocks are short: within 60 days of the May 19 signing, mid-July, Treasury must issue a red flags advisory. Within 90 days, mid-August, come the proposed Customer Due Diligence changes quoted above. Within 180 days, mid-November, the Customer Identification Program review of consular cards.

Why this is the I-9, arriving at the bank

I have spent two decades inside the one federal identity regime that already works this way, and the resemblance is not casual. Since 1986, every U.S. employer has carried a dual burden on the Form I-9: verify that the person is who they claim to be, and authenticate that the documents they present are genuine. Executive Order 14406 asks financial institutions to do the same two things. Collect and verify identity information to identify the real account owner. Detect identity misrepresentation and fraudulent documents, consular cards included. Verify first; assess status only if identity-based risk warrants it.

When Treasury's proposed rules land in August, covered institutions may find themselves holding an I-9-shaped obligation: a standing duty to verify the person and authenticate the document at defined moments in the customer relationship, with records a regulator can later demand. The employment world has lived under that duty for nearly forty years. The financial world is about to meet it. Institutions that already understand the I-9 model have a head start on reading these rules, because the structure is the same: person plus document, verified and documented, on pain of examination.

The gap the order is aimed at

Here is the part I know from the inside. The existing Customer Identification Program framework, like the E-Verify system I have worked alongside for two decades, checks whether information matches a record. Does this name and number exist in a database? That is a useful question, and it is not the same question as: is the person in front of me the person this document describes, and is this document genuine?

Neither CIP norE-Verify answers those two questions. That is not a criticism of either program; it is what they were built to do and not do. But the gap between record-matching and person-verification is exactly where synthetic identity fraud, nominee accounts, and fraudulent document schemes live. Executive Order14406 is the federal government saying, for the financial system, that record-matching is no longer enough. The order demands detection of identity misrepresentation, which by definition requires examining the identity itself:the document, the face, the live presence of the person.

Why the status conversation is premature

The order stops short of requiring institutions to verify every customer's immigration status, and the commentary has correctly noted that it reinforces a risk-based approach instead. But follow that logic one step further. A risk-based approach requires a risk determination, and a risk determination about an identity requires identity signals: does the document validate, does the face match, is the person live, has this face or document number appeared across other applications, does the capture show manipulation. Only after those questions are answered does a status inquiry mean anything. An institution that leaps to status questions on unverified identities has not managed its risk. It has documented its guesswork.

There is also a fairness dimension that the identity-first sequence protects. Status inquiries triggered by appearance, surname, or accepted-document type walk straight into fair lending and discrimination exposure. Status inquiries triggered by objective identity signals, a failed document authentication, a liveness failure, a face reused across applications, stand on documented, neutral, risk-based ground. Identity verification is not just the technical predicate of this order. It is the legal safe path through it.

What institutions should be doing in the window

Between now and the proposed rules, financial institutions face a familiar bind: a compliance obligation is coming, and its technical pathway is undefined. The answer is not to wait for final rules and then build under examination pressure. The capabilities the order describes are knowable today: forensic document authentication including foreign and consular documents, biometric matching of the live person to the document, liveness detection that defeats photos and replays, a documented risk score that can serve as the neutral trigger for enhanced due diligence, and an audit trail a regulator can walk through step by step.

That is the architecture we built at ZipID for employment verification, where federal law has required exactly this dual burden, verify the person and authenticate the document, since 1986. Our ID Fraud Intelligence Dashboard will extend it to any organization that needs to know whether the person in a transaction is real, without storing biometric data in the institution's own infrastructure. Institutions and their vendors who want to see what’s next can reach us atzipidinfo@zipidapp.com.

I spent my career on the government side of this problem, as border counsel to the 9/11 Commission, as the drafter of the federal identity theft criminal statute, and as the author of REAL ID. Every hard lesson in that career reduces to one sentence, and it is the sentence this executive order is built on: you cannot answer any question about a person until you have answered who they are. Please connect with me on LinkedIn.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Frequently Asked Questions

COMPLIANCE and LEGAL

Is ZipID ICE-compliant I-9 software?

Yes. ZipID satisfies all five federal electronic I-9 system requirements under 8 CFR § 274a.2 — including compliant audit trails, electronic signature protocols, and secure storage standards. It is specifically designed to meet the March 2026 ICE reclassification that elevated common errors to substantive violations.

What are the fines for I-9 violations in 2026?

As of January 2025, I-9 paperwork violations carry fines of $288 to $2,861 per form under 8 CFR § 274a.10(b)(2). Knowingly hiring unauthorized workers carries fines up to $28,619 per worker for repeat offenses. ICE audit rates in 2025 ran at least ten times higher than the prior year.

Is ZipID integrated with E-Verify?

ZipID is pursuing certified E-Verify third-party agent status by August 2026. Currently, after the employer signs the I-9, ZipID redirects to E-Verify and automatically populates the resulting case data into the Additional Information field — preserving the complete record for audit purposes.

Still Got Questions on Your Mind ?
Ask a Question
TECHNOLOGY and ACCURACY

What is NIST and why does it matter for I-9 verification?

NIST — the National Institute of Standards and Technology — is the federal agency that sets accuracy benchmarks for biometric identity technologies. For I-9 compliance, NIST validation matters because it provides an independent government-verified measure of whether a facial recognition system is reliable enough to trust. ZipID uses NIST-tested algorithms rated at 99.998% accuracy.

What is ZipID's biometric accuracy for 1:1 selfie-to-ID matching?

ZipID's 1:1 facial recognition is rated at 99.998% accuracy using NIST-validated algorithms — fewer than 2 mismatches per 100,000 verifications. Liveness detection is built in to confirm the selfie is from a real, present person rather than a photo or deepfake.

What is OCR and how does ZipID use AI-powered OCR for I-9 verification?

OCR — Optical Character Recognition — reads and extracts text from government-issued IDs. ZipID uses AI-powered OCR to instantly capture a new hire's ID data and automatically populate the required Form I-9 fields, eliminating manual entry and typos. The AI layer also cross-checks extracted data for logical consistency and flags tampered, synthetic, or spoofed documents.

How does ZipID verify a new hire?

ZipID uses NIST-validated biometric facial recognition to match a live selfie to the photo on the new hire's government-issued ID. AI-powered OCR extracts and autofills document data. Fraud detection runs in the background checking for tampered, synthetic, or spoofed documents.

Do you recommend using face recognition?

Facial authentication is entirely the employer's choice. It confirms that the new hire is who they say they are and that the ID they present matches their live self — especially valuable for remote hires, high-security roles, or industries with elevated identity fraud risk.

USING ZipID

How long does it take to complete an I-9 with ZipID?

ZipID completes the entire Form I-9 process — including identity verification, document capture, and E-Verify redirect — in under 8 minutes, for both remote and in-person new hires.

What is ZipID?

ZipID is an I-9 compliance and identity verification platform that combines facial recognition, OCR document capture, and fraud detection to verify new hire identities and complete Form I-9 in under 8 minutes — with a legally compliant audit trail built in. It is the only I-9 platform built by the person who helped write the federal identity doctrine behind the law.

ABOUT

Who built ZipID?

ZipID was founded by Janice Kephart, former counsel to the 9/11 Commission and a national security identity expert with 25 years of federal and private sector experience, including designing border biometric workflows at MorphoTrak, now Idemia. Kephart authored the federal identity doctrine and biometric entry-exit recommendations underlying today's I-9 compliance framework, and has testified before Congress 19 times.