Skip to main content
Rinne runs Know Your Customer (KYC) checks automatically whenever a merchant company is created or has its identification data updated. The checks compare the merchant’s registration data against trusted data sources and evaluate a set of verification rules. Results are delivered to the parent organization through the kyc.completed webhook.
KYC results are informational. They never block company creation or updates—the merchant resource is created or updated regardless of the outcome. Your organization decides how to act on the findings (for example, pausing onboarding or requesting corrected data).

When KYC runs

There are no KYC endpoints to call. Checks are triggered automatically for merchant companies:
  • On creation: every new merchant is checked.
  • On update: a new check runs only when a KYC-relevant field changes—the tax document type, the legal/full name, or the contact information. Other updates do not trigger a re-check.
Organization-type companies are not checked. Each qualifying create or update produces a new, independent check and its own kyc.completed webhook.

Check types

The set of rules evaluated depends on the merchant’s document type, reported as kyc_type in the webhook:
  • NATURAL_PERSON_COMPANY: the merchant is an individual (CPF).
  • LEGAL_PERSON_COMPANY: the merchant is a legal entity (CNPJ). Rules also cover the registered contact person and the company’s ownership structure.

Rule results

Each rule execution reports a status: Every rule execution includes the expected values required to pass and, unless the underlying data was unavailable, the received values actually observed. A human-readable description is included whenever the rule does not pass.

Rules for natural persons

For legal entities, the registered contact person (CPF) is also verified with contact-scoped counterparts of the natural-person rules: CONTACT_DOCUMENT_NUMBER_VALID, CONTACT_DOCUMENT_STATUS_VALID, CONTACT_FULL_NAME_CORRECT, CONTACT_DATE_OF_BIRTH_CORRECT, CONTACT_IS_ALIVE, and CONTACT_HAS_SANCTIONS.
The exact set of rules executed comes from the KYC policy applied to the check, identified by policy_id and policy_name in the webhook payload. Handle the rule_executions array dynamically rather than expecting a fixed list.

The kyc.completed webhook

The webhook is delivered to the parent organization using the same envelope, Svix signatures, and retry behavior as every other Rinne event (see Webhooks). In the envelope, company_id is the merchant that was checked and correlation_id equals the kyc_check_id.

Payload fields

  • kyc_check_id: Unique ID of this check run
  • company_id: The merchant company that was checked
  • policy_id / policy_name: The KYC policy that defined the rules
  • kyc_type: NATURAL_PERSON_COMPANY or LEGAL_PERSON_COMPANY
  • rule_executions: One entry per rule in the policy—rule_name, status, expected, and received (omitted only if the underlying data was unavailable); description is included when the rule does not pass
Delivery is at-least-once. Use the event id for idempotency, and kyc_check_id to group rule results belonging to the same check when a merchant is checked more than once.

Next steps

Webhooks

Endpoint setup, Svix signature verification, and retries

Organizations and merchants

How merchants relate to your organization

Affiliations

Provider onboarding and document requirements

API reference

Full kyc.completed event schema under Webhooks → Events