Ogowkey v1
← All articles
10 min read Ogowkey team

How to verify a Somali national ID: documents, security features, red flags

A complete technical guide to verifying the Somali national ID card - layout, security features, MRZ parsing, NIRA verification, and how to spot forgeries.

identitysomaliadocument-verificationnira

The Somali national ID card is the highest-quality identity document the country has ever issued, and it is rapidly becoming the standard credential for KYC, mobile-money onboarding, SIM registration and cross-border remittance. If you're building a fintech, telco or government-adjacent service that operates in Somalia, you will be looking at thousands of these cards a week. Verifying them properly - not just doing OCR, but actually checking that the card is genuine and the holder is the person on the photo - requires understanding both the document itself and the verification infrastructure behind it.

This is a deep dive on the Somali national ID. We cover the layout, the security features, how to parse the MRZ, how to query NIRA, and the common forgery patterns we see in the wild.

The issuing authority

The card is issued by the National Identification and Registration Authority (NIRA), established by parliamentary act in 2020 and operationally rolled out from late 2022. NIRA operates the national register, captures biometrics at enrolment, and runs the verification infrastructure that licensed entities can query.

Critically, the card is not the source of truth. The NIRA register is. The card is a derivative artefact - a portable credential - but the authoritative answer to "is this person who they claim to be?" lives in NIRA's database.

This matters for fintechs. A card OCR alone tells you what the card says. Querying NIRA tells you whether the card is real and whether the data on it matches the register.

The card layout

The card is a polycarbonate ID-1 format (the same size as a credit card). Both sides carry information.

Front side

  • Country emblem (Somali star) embossed top-left.
  • "REPUBLIC OF SOMALIA" and "JAMHUURIYADDA SOOMAALIYA" headers.
  • "IDENTITY CARD" / "KAARKA AQOONSIGA" sub-header.
  • Portrait photograph of the holder, centre-left, typically 25×33 mm.
  • Full name (surname / given names) in printed text.
  • National ID number - a 10-digit alphanumeric, prefixed with a region code.
  • Date of birth in DD-MM-YYYY format.
  • Sex marked M or F.
  • Place of birth - typically a district name.
  • Date of issue and date of expiry.

Back side

  • Address - usually neighbourhood and city.
  • Holder signature captured at enrolment.
  • Machine-readable zone (MRZ) - three lines, 30 characters each, conforming to ICAO 9303 specification for ID-1 cards (TD1 format).
  • Issuing officer identifier.
  • Card serial number (distinct from the national ID number).

Security features you should be checking

A good document verifier doesn't just OCR; it confirms the security features are present and correct.

Visible features

  • Microprinting - fine-line text around the photograph and along the bottom edge, legible only at 10× magnification or higher. Cheap forgeries are pixelated when zoomed.
  • Guilloché patterns - interwoven curves printed in the background. Genuine cards have multi-colour, mathematically-generated curves; forgeries often use a static raster image.
  • Optically Variable Ink (OVI) on the country emblem - colour shifts as the card tilts.
  • Tactile relief - the holder's name and ID number are slightly raised, detectable by touch.
  • UV-reactive fluorescence - a Somali star, NIRA logo and additional security text glow under 365 nm UV light. Forged cards almost always fail this test because UV-reactive inks are hard to source.

Machine-readable features

  • MRZ - three lines of 30 characters conforming to ICAO TD1. The check digits over the document number, date of birth, expiry and composite must validate.
  • 2D barcode on the reverse - a PDF417 or QR variant carrying a signed copy of the cardholder's core data, signed with NIRA's private key. A verifier with NIRA's public certificate can confirm the signature.
  • Contactless chip on newer issuances (post-Q3 2024) - an ISO 14443 chip carrying signed data groups equivalent to an ICAO ePassport. NFC-capable phones can read it.

Parsing the MRZ

The MRZ is the most reliable parser-friendly element on the card. The three lines (line 1, line 2, line 3) follow the ICAO 9303 TD1 specification:

Line 1 (30 chars): I<SOM<<<<<DDDDDDDDD<CCCCCCC<<<<<
Line 2 (30 chars): YYMMDD<sexYYMMDD<SOM<<<<<<<<<C
Line 3 (30 chars): SURNAME<<GIVEN<NAMES<<<<<<<<<<

Where:

  • I is the document type code (ID).
  • SOM is the issuing-country code (ISO 3166-1 alpha-3 for Somalia).
  • DDDDDDDDD is the document number, padded with <.
  • The < after the document number is a check digit over the document number.
  • YYMMDD is the date of birth (line 2 start) and expiry (after the sex).
  • The check digit after each date validates that field.
  • The final character on line 2 is a composite check digit over multiple fields.

Always validate the check digits. A common forgery pattern is a card with the right visual layout but invalid MRZ check digits - the forger didn't know how to compute them. Real cards pass every check.

A reference implementation:

def mrz_check_digit(value: str) -> str:
 weights = [7, 3, 1]
 total = 0
 for i, c in enumerate(value):
 if c == "<":
 v = 0
 elif c.isdigit():
 v = int(c)
 else:
 v = ord(c.upper()) - 55 # A=10, B=11, ..., Z=35
 total += v * weights[i % 3]
 return str(total % 10)

If your computed check digit doesn't match the one on the card, treat it as a hard fail before going any further.

Querying NIRA

For licensed entities (commercial banks, mobile-money operators, some fintechs), NIRA exposes a verification API. The flow is:

  1. You submit the holder's national ID number and a recent biometric (fingerprint or selfie) captured during your onboarding.
  2. NIRA returns one of: match, no_match, not_found, or revoked.
  3. The response is signed by NIRA's private key, so the answer is non-repudiable.

This is a different operation from OCR. OCR tells you what the card says. NIRA tells you whether the card is genuine and the holder is the registered person.

You should be doing both. OCR is your first line of defence (it lets you catch typos, expired cards, mismatched fields). NIRA is your final answer.

Common forgery patterns

In our work with Somali fintechs we see four forgery types repeatedly. Knowing them helps you tune your detection.

Photographic substitution

A genuine card with the original holder's photograph replaced. Detectable by:

  • Looking for inconsistent lamination edges around the photograph.
  • Comparing the photograph's microtext to the surrounding microtext (forgers rarely reproduce both perfectly).
  • Querying NIRA - the register has the genuine biometric, which won't match the substituted photo.

Full reprint

A blank card reprinted with the forger's chosen identity data. Detectable by:

  • Failed MRZ check digits (most common giveaway).
  • Absent or incorrect UV fluorescence.
  • Solid-colour guilloché patterns (real ones are multi-coloured).
  • Microprinting that pixelates under magnification.

Genuine card, edited

A genuine card with fields physically altered - common targets are date of birth (to claim majority) and address. Detectable by:

  • Surface inconsistencies around the altered field - slight discoloration, scratches, raised relief that doesn't match the rest of the card.
  • MRZ-vs-VIZ mismatch: the visual zone says one thing, the MRZ says another. The MRZ is harder to alter.

"Borrowed" card

Not a forgery of the card itself - the card is genuine, but the person presenting it is not the holder. This is what biometric face-match exists for. A selfie captured at onboarding, compared against the card photograph, will catch this - provided your face-match is tuned for the relevant demographic. We cover this in Face match accuracy across skin tones.

A defensible verification pipeline

If we were building a Somali ID verification pipeline from scratch, this is the sequence:

  1. Guided capture of both card sides with on-device quality gates.
  2. OCR of the front, with field validation (date formats, ID number length, name character set).
  3. MRZ parse of the back, with all check digits validated.
  4. Cross-field consistency between front VIZ and back MRZ - surface a hard fail on any mismatch.
  5. Visual security feature checks where available - microprint detection, guilloché pattern matching, UV fluorescence if capture supports it.
  6. NIRA verification for licensed flows.
  7. Selfie capture with liveness, then face match against the card portrait.
  8. AML / sanctions screening on the verified name + DOB.
  9. Signed audit record of every step, with images and decisions stored for the retention period.

Every step is a useful signal on its own; together they make forgery economically uninteresting.

Ogowkey's approach

Ogowkey's identity verification is built around this exact flow for Somali documents. Our OCR is tuned on thousands of NIRA cards including older variants from the 2022–2023 issuance, our MRZ parser validates against the ICAO 9303 TD1 specification, and our face-match is benchmarked specifically on Somali demographic data. The decision JSON gives you the full breakdown - OCR fields, MRZ validity, face-match score, AML status - in one call.

If you're already verifying Somali IDs in production and want a second opinion on a tricky case, send it through the playground and compare. Or [talk to us](mailto:olow304@gmail.com?subject=Ogowkey%20 - %20Somali%20ID%20verification).

For the broader compliance picture, our KYC in Somalia guide puts this in context.