Identity verification – when valid signals become a fraud vector

Henry Patishman, Executive VP at Regula, discusses how modern fraud outpaced verification systems, exposing vulnerabilities and solutions.

Financial organisations are facing identities that pass verification checks but may not belong to a real person. Here is how AI is pushing KYC to its limits - and forcing identity systems to evolve.

Regula's 2025 research found that one in three firms is already dealing with AI-driven impersonation at scale. Do these numbers surprise you? Or does it feel like an undercount?

Honestly, it feels like an undercount - and that's precisely what makes the situation so concerning. The 33% figure reflects confirmed cases and anomalies detected across identity verification systems (manipulated documents and biometrics, suspicious devices, and behavioural patterns). It doesn't account for the attacks that went unnoticed, or the synthetic profiles that sailed through onboarding without triggering a single alert.

Our latest research into financial services specifically tells a more complete story. Nearly four in ten fraud prevention decision-makers at financial institutions suspected the use of synthetic or AI-generated identity evidence in the past twelve months. And suspected is the operative word: it means the signals were ambiguous enough to raise concern but not conclusive enough to confirm. That's the signature of a well-constructed synthetic profile.

The real concern is that many organisations are still measuring fraud by detection rates, while the more important question is how many fabricated identities are being consistently treated as legitimate users.

Synthetic profiles built from legitimate components are hard to catch. Can you walk us through what that attack looks like from the inside? How does a fraudster assemble the pieces, and where does the current system fail to detect them?

The elegance of synthetic identity fraud is that it doesn't look like fraud. It looks like a new customer. A real government-issued document scanned and submitted. A face that matches the photo on that document - because it was generated to match. Behavioral patterns that mirror those of a legitimate user because the attacker has studied what legitimate looks like.

Each signal, in isolation, passes. The document is authentic. The biometric check clears. The device fingerprint is clean. There are no known fraud indicators in the databases. The session’s behaviour looks normal. And so, the identity gets approved.

The system approves the verification because every checkpoint succeeds individually, even though the identity itself may never have existed as a real person.

Increasingly, the challenge is less about whether an identity signal looks authentic in isolation but whether its origin and relationship to other evidence can be trusted. Where current systems fail is in asking the next question: are these signals genuinely connected to a single, real person? That's a fundamentally different question from 'is each signal valid?', and it's one question most verification infrastructure wasn't designed to answer.

KYC was built to verify. It was not built to detect fabrication at the assembly level. Modern identity fraud is increasingly compositional: attackers assemble believable identities from individually valid components.

When fraudsters are constructing identities rather than stealing them, they've moved the attack upstream of where the defenses are positioned. They're not trying to fool the document check. They're trying to create something that the document check was never designed to question.

KYC was built for regulatory compliance, not adversarial conditions. At what point did that become a structural vulnerability, and how is the industry responding?

KYC became a structural vulnerability the moment AI made it cheap to produce high-quality synthetic materials on a scale. That's a relatively recent shift - two, maybe three years - but it happened faster than most compliance frameworks could adapt to.

The original design assumption of KYC was that genuine documents and biometrics were difficult to fake. Verification was essentially a gatekeeping exercise: checking that what the customer presents is real. That assumption held for a long time. It no longer holds.

The deeper issue is that traditional verification architectures were designed to validate independent signals, not to continuously assess whether those pieces of identity evidence describe the same real-world entity.

The industry is responding, but unevenly. A slim majority of financial services firms have explicitly incorporated AI-driven identity risks into their identity strategy. But a significant share is still catching up. And even among those who have updated their strategy, implementation lags intent. Having a policy that acknowledges AI risk is not the same as having controls that address it. The more revealing picture is about detection capability: most organisations report established capabilities to detect AI-generated or manipulated content, but a substantial minority do not. In a sector with this level of regulatory exposure, that gap is significant.

What the industry needs to do - and what the better-prepared organisations are already doing - is move from isolated signal verification to correlated evidence assessment. Not ‘is this document genuine?’ but ‘does this document, this biometric, this device signal, and this session’s behaviour together describe a coherent, real individual?’ In practice, this means treating identity not as a collection of passed checks but as an evidence system in which consistency, provenance, and continuity matter as much as authenticity. That’s a different architecture, and it requires a different approach.

You work across financial institutions, fintechs, and other sectors. Is the exposure distributed evenly, or are certain types of organisations particularly vulnerable to synthetic identity fraud?

Exposure is not evenly distributed, and the pattern is somewhat counterintuitive. The organisations most at risk are often not those with the weakest security - they’re the ones with the highest transaction volumes, the most streamlined onboarding, and the strongest competitive pressure to minimise friction.

Large fintechs and digital-first financial services companies face a structural challenge: their growth model depends on frictionless customer acquisition. Every additional verification step is a potential drop-off point. That commercial pressure creates an incentive to optimise for conversion, which can inadvertently create openings for synthetic identities. In many onboarding environments, the operational focus has historically been on reducing friction between checkpoints. The problem is that attackers now exploit the gaps between those checkpoints.

Traditional financial institutions face a different version of the problem. They often have legacy infrastructure that was never designed for AI-era threats. They have more people, more processes, and more regulatory oversight - but also more complexity, more potential for gaps between systems, and more inconsistency in how controls are applied across channels.

Stronger verification can mean more friction, and friction costs customers. How do you find the right balance between tightening identity controls and keeping the experience optimal enough that people don't abandon the process?

This is the central design tension in identity verification, and I'd push back slightly on the framing. The assumption that stronger verification necessarily means more friction was true when verification was sequential and manual. It doesn't have to be true now.

The smarter approach is risk-adaptive verification: apply friction proportionally to the risk signal, rather than uniformly across every interaction. A returning customer with a consistent device, known behaviour, and a clean history should have a very different experience from a new account opening with mismatched identity signals and an unusual session profile. If you apply the same level of scrutiny to both, you’re over-verifying the former and potentially under-verifying the latter.

Identity verification is gradually evolving from a one-time gatekeeping event into a continuous trust assessment process. Financial services organisations are increasingly moving toward dynamic verification - triggering additional checks only when anomalous signals are detected. That allows institutions to strengthen security without introducing friction uniformly across every interaction.

The second part of the answer is about evidence quality rather than process length. A verification process that takes the same amount of time but generates richer, more correlated evidence - linking document, biometric, device, and session data - is both more secure and more defensible. 

For a financial institution that wants to move from isolated signal checks to a more connected verification approach, what does implementation with Regula look like, and how long does it take to see results?

The starting point is always an honest assessment of where the gaps are. Most financial institutions are not starting from zero - they already have document verification, biometric checks, and fraud monitoring systems in place. The question is whether those systems are talking to each other, and whether the outputs from each are being correlated to build a coherent picture of the individual.

The issue isn't the absence of signals but rather that these signals often remain fragmented across separate systems, workflows, and vendors.

Regula’s approach is built around preserving identity signal integrity across the entire verification flow. That means going beyond formal verification to assess the physical and digital integrity of documents, cross-referencing biometric data against multiple ground-truth sources, and building an evidence chain that links every signal in the verification journey.

The Regula IDV Platform combines document verification, biometric authentication, and identity lifecycle management in a single enterprise system, ensuring trust not in documents but in the underlying identity evidence.  

In practice, implementation typically begins with document verification, since identity documents remain the primary trust anchor in most onboarding environments.

From there, we integrate biometric liveness and face matching against the verified document, then layer in session-level signals and behavioural data. The goal is to reach a state where every approved identity comes with a complete, auditable evidence chain - not just a pass/fail outcome generated by disconnected systems.

As for timeline: meaningful improvements in synthetic identity detection are typically visible within weeks of deployment, because the baseline shifts immediately once forensic-grade document analysis is in place. Building out full, correlated evidence capability across all channels takes longer - typically three to six months for a complex institution - but the risk reduction starts from day one.

Importantly, this is not a rip-and-replace exercise. Our research shows that 31% of financial services firms are already using a mix of vendors and in-house components for identity verification. Regula integrates within existing architectures, optimising current flows without requiring a complete rebuild.

About Henry Patishman

 

Henry Patishman is Executive Vice President, Identity Verification Solutions at Regula. Henry drives Regula’s strategic initiatives across different industries in the field of identity verification and biometrics. He has extensive experience across the IT industry, particularly in digital transformation, security, and data storage. He is a recognised voice on the intersection of AI, synthetic identity, and the evolution of KYC infrastructure.

 

About Regula

Regula is a global developer of identity verification solutions and forensic devices, trusted by over 2.000 organisations across regulated industries worldwide. Built on 34 years of document forensics expertise, Regula delivers end-to-end document verification, biometric authentication, and identity lifecycle management, backed by the world’s largest template library of 16.000+ IDs from 254 countries. Recognised in the 2025 Gartner® Magic Quadrant™ for Identity Verification.

Learn more at www.regulaforensics.com.