メルペイのID基盤 — eKYC・本人確認の技術

Merpay is a financial service supporting payments, remittance, deferred payment ("Merpay Smart Pay"), and bank account integration within Mercari. Unlike general e-commerce, financial services are premised on identity verification and strict compliance with laws and ordinances. This article gives an overview of Merpay's identity infrastructure and eKYC (electronic Know Your Customer) technology.

In Japan, the Act on Prevention of Transfer of Criminal Proceeds (commonly called "hanshū-hō") obligates identity verification for specified transactions such as fund transfers and bank account linkage. As a registered fund-transfer operator, Merpay must satisfy these requirements.

eKYC (electronic Know Your Customer) is a mechanism that completes the previously postal- or counter-based identity verification process on a smartphone. Japan's Anti–Criminal Proceeds Act enforcement rules define several permitted methods; many operators including Merpay are reportedly based on the so-called "Method Ho," which combines a photo-bearing identity document with a live face image of the user.

Users photograph their driver's license, My Number card, or similar document, and are also required to take an angled shot showing thickness. On the server side, forgery is detected by combining OCR-based extraction of card information, font consistency checks, and feature detection of holograms and card patterns.

The face photo on the document is matched against a live image of the user taken on the spot to determine whether they are the same person. Furthermore, liveness detection is combined to prevent spoofing using printed photos or video playback, requesting actions like gaze movement, blinking, and changes in face orientation. While dedicated SDKs and vendor services are typically used, final decisions are commonly thought to be made through an internal review flow.

Merpay's ID infrastructure handles both Mercari-wide authentication (login, two-factor authentication) and Merpay-specific authorization (fund-transfer eligibility, credit status). It is reportedly common to distribute tokens to internal services based on OAuth 2.0 / OIDC, with each service receiving necessary statuses (KYC complete, age verified, etc.) as claims and making authorization decisions on that basis.

Charging the Merpay balance and withdrawing funds require bank account linkage. This is seen to use the Japanese Bankers Association's Zengin EDI system, APIs exposed by individual banks, and Open Banking–equivalent mechanisms. Furthermore, Merpay performs credit assessment for its "Smart Pay" deferred-payment feature based on user history, in what is thought to be a configuration combining internal behavioral data with external scoring.

Identity verification data and transaction history must be retained long-term, and tamper prevention and traceability are strongly required. WORM storage (Write Once Read Many), tamper detection via hash chains, and encryption-key management using KMS are thought to be combined as common financial-infrastructure practices. In addition, retaining audit trails that can withstand internal and external third-party audits is essential.

There are many specialized vendors for eKYC component technologies (OCR, face matching, liveness detection), and combining in-house development with outsourcing is common. At the same time, outsourcing partners are also subject to safety-management measures under the Act on the Protection of Personal Information, so governance over contracts, audits, and log sharing becomes important.

Merpay's ID infrastructure is integrated infrastructure for balancing the often-conflicting elements of convenience (everything completed on a smartphone), legal compliance, and security. eKYC should be viewed not as a single technology but as a stack-wide design problem encompassing document recognition, face matching, liveness detection, tamper prevention, and the authorization flow.