Guest Identity Verification for Vacation Rentals: How to Screen Guests Before Check-In

How to verify guest identity before check-in for vacation rentals

Airbnb finished its global rollout of guest identity verification in June 2023. The EU's DAC7 directive took effect in January 2023. France's Loi Le Meur passed in November 2024 with fines up to €10,000 for unregistered hosts and €50,000 per non-compliant listing for the platforms that host them. Italy's CIN regime took full effect in January 2025. Spain's NRUA followed in July 2025 with fines up to €500,000. The cumulative effect is unambiguous: running a vacation rental in 2025 means verifying identity, yours as the host, and increasingly the guest's, to platforms, regulators, and your own risk-management bottom line.

The platforms have moved fast on the host side. The guest side is still catching up. Direct bookings, Booking.com bookings, and VRBO bookings in regulated cities are now all places where the host carries the verification responsibility, and the GDPR-non-compliant pattern of emailing passport photos to a Gmail inbox is no longer acceptable. This guide covers the regulatory shift, the categories of risk that proper verification mitigates, and the tools available, Stripe Identity at $1.50 per verification, Persona, Onfido, Veriff, and concierge services like Superhog and Know Your Guest, for hosts who want to get this right without burdening the legitimate guest.

Why identity verification has become non-optional

Multiple forces converged in 2023-2025 that make formal verification a hard requirement for most hosts:

Airbnb's global ID verification rollout

Airbnb extended 100% guest identity verification globally by end of June 2023, with non-compliant hosts having calendars blocked. The platform's own party-prevention data shows the result: a 55% global drop in party report rate over the two years following the permanent party ban (codified June 28, 2022), and just 0.02% of reservations led to property-damage reimbursement of $1,000+ in 2022. Airbnb's AirCover provides up to USD 3M in host damage protection but only when verified-guest documentation is in place.

EU DAC7 directive

DAC7 (Council Directive 2021/514, in force since January 1, 2023) requires digital platforms, Airbnb, Booking.com, VRBO, to collect and report seller (host) identity, tax residency, and revenue to EU tax authorities. The reporting threshold is 2,000 EUR or 30 transactions per platform per year. Non-compliance can freeze payouts. Hosts now must provide TIN/SIREN, address, DOB, and bank account details to remain on these platforms.

National registration requirements

France's Loi Le Meur (enacted November 19, 2024) requires every meublé de tourisme to register via the national portal "Declaloc" by May 20, 2026, with a 13-digit ID (5-digit INSEE + 8 digits) displayed on every listing. Fines: up to EUR 10,000 for no registration, EUR 20,000 for false declaration, and up to EUR 50,000 per listing for platforms hosting non-compliant properties. Italy's CIN (registration opened September 1, 2024, full compliance from January 1, 2025) requires every STR to display a unique national code in every advertisement; fines: EUR 500-5,000 for missing CIN, EUR 600-6,000 per safety-device violation. Spain's Ventanilla Única / NRUA (effective July 1, 2025) requires registration for all rentals under 31 days; platforms must remove non-compliant listings within 48 hours; fines up to EUR 500,000.

US state-level rules

NYC Local Law 18 (effective September 2023) reduced active STR listings from ~38,000 in early 2023 to ~3,000 registered: a 90%+ drop in available short-term inventory by early 2025, with the Mayor's Office approving only 40% of applications. San Francisco, Los Angeles, Seattle, New Orleans, and Honolulu have similar registration regimes. Booking platforms must verify the registration number before accepting bookings.

The combined effect: a vacation rental host operating in any major EU or US city now needs to (1) verify their own identity to the platforms and authorities, and (2) increasingly, verify the guest's identity for security and party-prevention reasons.

The categories of risk that identity verification mitigates

• Property damage from anonymous guests. Bookings made under fake names with stolen payment cards. The host has no recourse when the platform investigates.
• Unauthorized parties. Airbnb's anti-party policy made permanent in 2022 cut party report rates 55% in two years per Airbnb's own data; in 2022 just 0.039% of reservations had a party allegation, and 6,600+ guests were suspended in 2021 for party-ban violations. Enforcement still depends on host-side guest verification on direct and other channels.
• Identity fraud / chargebacks. Guests using stolen identities for direct bookings. Travel & hospitality industry chargeback rates run 1-2% per Chargeflow; >1% triggers card-network monitoring. Verified guests cut chargeback rate materially.
• Unscreened sub-letters. Bookings made under one name, occupied by another. Higher damage probability and higher chargeback risk.
• Regulatory complaints. A neighbor reports a noisy property; the city fines the host; the host has no record of who was actually there. Identity records reduce liability exposure.

What the standard manual approach looks like

1. Booking arrives. Platform shares first name and partial last name only.
2. Host emails the guest requesting passport or ID.
3. Guest emails back a JPEG of their passport. The host stores it in their email or a folder.
4. Host eyeballs the document and decides if it looks legitimate.
5. Host emails the access code.

The problems: passport JPEGs in email inboxes are GDPR violations in the EU (raw ID data isn't supposed to live in unstructured Gmail/Outlook archives). The eyeball check catches obvious fakes but not sophisticated ones. There's no record of the verification decision tied to the booking. And the back-and-forth annoys legitimate guests who already verified on the platform.

Common solutions hosts use today

Platform-native verification (Airbnb, Booking.com)

Airbnb requires identity verification for many bookings (the policy expanded in 2023 across most major markets). Booking.com has stricter requirements for properties in regulated cities. The verification flow is platform-side; the host sees a "verified" badge but doesn't get the underlying record. Useful but inconsistent across markets and not transferable to direct bookings.

Manual passport collection by email

The default and the worst option from a compliance standpoint. Free, simple, GDPR-non-compliant, no audit trail.

Dedicated identity verification platforms

Stripe Identity, Persona, Onfido, Veriff, SumSub, and Jumio specialize in document verification + selfie matching + AML/sanctions screening. Stripe Identity's pricing for short-term rentals is typically USD 1.50-2.50 per verification; the host gets a verified-or-not result plus the underlying record stored in compliance with PCI/GDPR. Best fit for hosts who do direct bookings.

PMS-native verification

Some PMS embed Stripe Identity, Onfido, or a similar provider directly. The verification trigger fires automatically on booking confirmation, the result is stored against the booking, and the host doesn't manage the workflow manually. Cost: typically included in the PMS subscription or a small per-verification fee.

Third-party concierge services

Specialty services like Superhog and Know Your Guest (formerly Autohost) bundle identity verification with damage waivers, deposit protection, and chargeback insurance. Cost: USD 3-10 per booking, often billed to the guest as a "guest verification fee." Common in higher-end vacation rental management companies.

Smart-lock-based proof

Some hosts treat smart-lock entry events as identity proof, "the guest who knew the code entered the property." Useful as a complement, not a replacement: it doesn't verify identity, only access.

What full identity verification automation requires

1. Auto-trigger on booking confirmation: the verification request is sent the moment the booking lands, not days before check-in.
2. Guest-friendly flow: mobile-first, takes under 2 minutes, accepts passport / ID card / driver's license depending on jurisdiction.
3. Name matching against the booking name with fuzzy logic for nicknames, transliterations, married names, and OTA-truncated names.
4. Compliant storage: the underlying ID document is stored at the verification provider, not in your email; the host gets a verified-or-not result with no PII liability.
5. Workflow integration: verified-or-not status feeds into the booking record. Verified bookings auto-flow; unverified bookings escalate to host or block check-in code generation.

How Nowistay handles identity verification

Nowistay integrates Stripe Identity natively for guest KYC. The verification trigger fires automatically when a booking is confirmed (direct or OTA), with a configurable delay so it doesn't fire instantly during the booking flow. The guest receives a link via the welcome message and completes verification in under 2 minutes from their phone. Stripe Identity captures the ID document, runs a selfie match, screens against AML lists, and returns a verified-or-not result. Nowistay matches the verified name against the booking name with fuzzy logic and stores the verified status against the booking. Smart-lock code generation can be gated on verified status, i.e., the access code only generates after KYC passes. Whether you build this through Nowistay, a separate Stripe Identity integration plus your existing PMS, or a third-party concierge service, the criteria above are the test for any KYC workflow.

When to skip identity verification

Three scenarios where running KYC adds friction without proportionate benefit:

• Repeat guests with prior verification. Don't make the guest re-verify if they already passed in the last 12 months.
• Long-stay corporate bookings with a verified business contract.
• Specific Airbnb bookings in markets where Airbnb's verification is already strong: the marginal value of doubling up is low. Document the policy in your house rules so guests aren't surprised.

Setting up KYC in 30 minutes

1. Sign up for a verification provider (Stripe Identity is the most common; Persona and Veriff are good alternatives).
2. Connect your account in your PMS (or via API directly to the provider).
3. Configure when the verification trigger fires, typically 1-2 days before check-in for direct bookings, day-of-booking for high-risk markets.
4. Set up the welcome-message variable so the guest receives the verification link automatically.
5. Configure the gating rule, auto-allow on verified, escalate to host on failed or skipped verification, and decide whether to block smart-lock code generation.
6. Test with a fake booking and verify the flow end-to-end.

Compliance considerations by jurisdiction

European Union

GDPR requires explicit consent before collecting ID documents, a documented retention period (typically 1-3 years depending on local law), and the right to erasure on request. Stripe Identity, Onfido, Persona, and Veriff are GDPR-compliant by default if you use them via their APIs.

United Kingdom

UK GDPR plus the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (as amended) require basic identity verification on certain transaction sizes. Most hospitality bookings fall below the threshold but the documentation should still meet UK GDPR.

United States

No federal KYC requirement for STRs. State-level requirements in NYC, San Francisco, and a few other cities require host registration. CCPA in California governs ID document handling. Most providers (Stripe, Persona) handle CCPA compliance natively.

What to do when verification fails

Three failure modes and the right response:

• Document doesn't match. Wrong country, expired ID, blurry photo. Send the guest a friendly retry message explaining what's needed.
• Selfie doesn't match. Possible identity fraud or just a bad photo. Escalate to host for human review.
• Guest refuses to verify. Some guests refuse on principle. The right response depends on the channel: Airbnb requires you to honor the booking unless safety concerns; on direct bookings you can cancel and refund.