Synthetic identity fraud in banking: anatomy of a real case and KYC countermeasures

European banks now process record volumes of digital onboarding requests. According to the Europol IOCTA 2025 report, synthetic identity fraud in financial services has grown over 40% year over year, with an estimated cost of 6 billion euros in Europe alone. This is no longer classic identity theft: today attackers build identities that never existed, combining real stolen data with AI-generated faces and photorealistic fabricated documents.

The problem is that traditional banking KYC controls still treat the document and the face as standalone evidence. But a synthetic identity attack does not forge anything in the classical sense: it produces a perfect artifact that passes OCR, template matching and even second-generation liveness detection. The operational question fraud teams ask is concrete: what does a real attack on a bank actually look like, and which KYC countermeasures can be added to an existing workflow without rewriting everything?

The answer requires two moves. First, reconstruct the anatomy of a real case to see where the control chain breaks. Second, translate that failure into a countermeasure set that shifts defence from "detecting the fake" to "guaranteeing the genuine", aligned with AMLD6 obligations for enhanced customer due diligence and evidentiary retention.

This insight is part of our guide: Synthetic identity fraud: defending onboarding from AI-driven attacks

Anatomy of a real case: how a synthetic credit ring hits a bank

The case reconstructed here follows a pattern documented across several public investigations, including the FSI Brief 26 from the Bank for International Settlements on synthetic identity fraud. Specific figures are anonymised, but the operational sequence mirrors three cases where European banks publicly disclosed losses between 3 and 12 million euros per cluster of accounts.

The fabricated profile: real data plus generated faces

An organised group buys tranches of tax codes and utility records on the dark web, often from minors or deceased individuals not yet flagged with credit bureaus. On top of this real data, the group layers faces generated with the latest GAN models and identity documents rebuilt pixel by pixel, including simulated holograms and coherent MRZ backgrounds. The resulting profile has a clean credit history, a plausible legal name, and a face that exists in no photographic database. Passing OCR checks becomes trivial: the fields are all correct because the underlying data is real. Passing a second-level liveness test is feasible: a few seconds of synthetic video are injected directly into the acquisition channel through a virtual camera.

The entry vector: mobile onboarding and document capture

The preferred channel is self-service mobile onboarding for current accounts or revolving credit lines with low thresholds. The attacker does not target large loans: dozens or hundreds of accounts are opened with medium-sized limits. Coordinated bots distribute requests across days, regions and virtualised devices. The first payment of a few hundred euros is made normally to build history. Three or four months later, the cluster activates the bust-out: maximum drawdown, full credit line utilisation, disappearance. Banks discover the fraud only retrospectively, by correlating defaults, never at the KYC gate.

KYC countermeasures: from certified capture to decisioning

The effective countermeasure is not another detection layer trying to tell a real face from a synthetic one: academic research on deepfake detection in financial contexts shows double-digit error rates under real conditions. The effective countermeasure is to shift control from the content to the acquisition process itself.

Certified capture of documents and biometrics

The operating principle is simple: rather than receiving a photo of a document and a selfie that "claim" to be authentic, the bank captures both through a certified channel that records, moment by moment, the origin of the data. The document is captured with environmental metadata (device fingerprint, GPS coordinates, qualified timestamp) sealed cryptographically at the source. The selfie is captured with a server-side dynamic challenge, reproducible only by whoever holds the seed. If someone tries to inject a synthetic video stream, the metadata chain breaks: the bank no longer needs to "recognise" the deepfake, because the seal is missing or tampered with.

Fraud signals that integrate into the existing workflow

This logic does not require discarding the current KYC pipeline. Signals emitted by certified capture (seal presence, metadata integrity, device-session coherence) are additional features that feed fraud scoring engines via API. A team can start with a targeted deployment on the mobile onboarding channel, measure blocked onboardings against prevented fraud, and then expand. The comparison with other approaches (multimodal biometrics, behavioural analysis) shows three concrete trade-offs, summarised in the table below.

| Approach | Effectiveness on synthetics | User friction | Evidentiary value |
| --- | --- | --- | --- |
| OCR plus classic liveness | Low | Low | Limited |
| AI-based deepfake detection | Medium, declining against new models | Low | Limited |
| Multimodal biometrics | Medium-high | Medium-high | Medium |
| Certification at the source | High and stable over time | Low | High (QTSP seal) |
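
The certified-capture check and the three signals described above (seal presence, metadata integrity, device-session coherence) can be sketched server-side as follows. This is an added example, not TrueScreen's code or API: the field names, secrets and sample bundles are constructed, and HMAC-SHA256 stands in for the QTSP seal.

```python
import hashlib, hmac, json

# Constructed demo secrets. HMAC-SHA256 stands in for the QTSP seal; a real
# qualified electronic seal is certificate-based (asymmetric), not a shared key.
SERVER_SEED = b"demo-challenge-seed"
SEAL_KEY = b"demo-seal-key"
SEALED_FIELDS = ("session_id", "device_id", "gps", "timestamp",
                 "challenge", "document_sha256", "selfie_sha256")

def expected_challenge(session_id):
    """Per-session challenge that only the seed holder can reproduce."""
    return hmac.new(SERVER_SEED, session_id.encode(), hashlib.sha256).hexdigest()[:8]

def compute_seal(bundle):
    """Seal over the canonical JSON of every sealed field."""
    body = json.dumps({f: bundle[f] for f in SEALED_FIELDS}, sort_keys=True)
    return hmac.new(SEAL_KEY, body.encode(), hashlib.sha256).hexdigest()

def capture_signals(bundle, session):
    """Return the three signals a fraud scoring engine would consume."""
    present = bool(bundle.get("seal"))
    complete = all(f in bundle for f in SEALED_FIELDS)
    intact = (present and complete
              and hmac.compare_digest(compute_seal(bundle), bundle["seal"]))
    coherent = (intact
                and bundle["session_id"] == session["session_id"]
                and bundle["device_id"] == session["device_id"]
                and hmac.compare_digest(bundle["challenge"],
                                        expected_challenge(session["session_id"])))
    return {"seal_present": present, "metadata_intact": intact,
            "device_session_coherent": coherent}

def make_bundle(session, document, selfie):
    """Constructed capture, shaped as a certified channel might emit it."""
    b = {"session_id": session["session_id"], "device_id": session["device_id"],
         "gps": [45.4642, 9.19], "timestamp": "2025-01-01T10:00:00Z",
         "challenge": expected_challenge(session["session_id"]),
         "document_sha256": hashlib.sha256(document).hexdigest(),
         "selfie_sha256": hashlib.sha256(selfie).hexdigest()}
    b["seal"] = compute_seal(b)
    return b

SESSION = {"session_id": "sess-001", "device_id": "dev-A"}
GENUINE = make_bundle(SESSION, b"constructed document bytes", b"constructed selfie bytes")
# Content swapped after capture: the stale seal no longer matches the bundle.
INJECTED = dict(GENUINE, selfie_sha256=hashlib.sha256(b"synthetic video").hexdigest())
# Validly sealed bundle from another session presented in this one.
REPLAYED = make_bundle({"session_id": "sess-000", "device_id": "dev-A"}, b"d", b"s")
```

The returned dictionary is what would be passed to the scoring engine as additional features; none of the checks inspects the face or the document image itself.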

AMLD6 compliance: what changes for bank fraud teams

The sixth European anti-money-laundering directive (AMLD6), with national transposition being consolidated through 2026, introduces personal liability for AML officers in cases of systemic KYC control failures. Proving that "the check was performed" is no longer enough: teams must show the check was adequate to known risks, including those tied to synthetic identities.

Enhanced CDD and evidentiary retention obligations

This has three concrete operational implications. First, enhanced customer due diligence requires evidence retained in tamper-evident form for at least ten years, admissible before a supervisory authority. A document image stored on standard corporate storage has no inherent evidentiary value: what matters is a chain of custody proving who captured that data, when and how. Second, the directive requires tracking not only the outcome of the check but also the signals that were discarded: if a certified capture system emits a warning and the operator ignores it, that event must be retained. Third, in the event of litigation, the bank must be able to deliver a forensic reconstruction of onboarding: certification at the source for KYC processes is the only way to make that reconstruction defensible in court.
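
One way to make retained onboarding events tamper-evident, including a warning that an operator dismissed, is a hash-chained log whose head hash is anchored outside the bank's own storage. This is an added example, not the platform's implementation: the event fields are constructed, and the external anchoring of the head (for instance under a qualified timestamp) is an assumption.

```python
import hashlib, json

GENESIS = "0" * 64

def entry_hash(prev, event):
    """Hash binding an event to the entry before it."""
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_event(log, event):
    """Append an event and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]

def first_break(log, anchored_head):
    """Index of the first invalid entry, len(log) if entries were cut from
    the end (head mismatch), or None when the whole log verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None if prev == anchored_head else len(log)

def sample_onboarding_log():
    """Constructed session: a warning is emitted, then dismissed by an operator."""
    log = []
    append_event(log, {"type": "capture_result", "session": "sess-001",
                       "seal_valid": False})
    append_event(log, {"type": "warning", "signal": "metadata_integrity_failed"})
    head = append_event(log, {"type": "operator_override", "operator": "op-17",
                              "action": "warning_dismissed"})
    return log, head  # head is the value assumed to be anchored externally
```

Removing the warning entry, editing the override, or truncating the log each makes `first_break` return an index instead of `None`, so the dismissed signal cannot be dropped from the record unnoticed.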

How TrueScreen supports fraud-resistant bank onboarding

TrueScreen is the platform that enables certified capture of documents, biometrics and interactions with legally admissible value. It is not a deepfake detection tool: it does not try to recognise the fake. It guarantees data authenticity at the source through a forensic methodology combining controlled capture, integrity verification and certification with a QTSP seal and qualified timestamp.

For a bank, integration relies on three components. The TrueScreen API plugs into the existing onboarding workflow and returns a sealed evidence bundle for each session. The TrueScreen mobile app or embedded SDK handles document capture and biometrics with dynamic challenge. Evidence is preserved in an attestation database queryable during audit or disputes. A typical case is a retail bank that, after piloting certified capture on a mobile account-opening channel, reduced detected synthetic onboarding attempts by 70% post-activation, while keeping conversion rates stable.

FAQ: synthetic identity fraud in banking

The most common questions from bank fraud and compliance teams on defending against synthetic identity attacks.

How does synthetic identity fraud differ from traditional identity theft?
In classic identity theft, attackers use a real person's data and the victim eventually notices. In synthetic fraud, an identity that never existed is created by combining real data from different individuals with AI-generated faces and documents. There is no victim raising an alert: the bank discovers the fraud only when the cluster of accounts disappears after the bust-out.

Does certification at the source replace traditional KYC?
No. Certification at the source enriches existing KYC with additional signals (capture integrity, cryptographic seal, chain of custody) that flow into fraud scoring engines via API. OCR, PEP and sanctions list checks, and behavioural controls remain. Certified capture removes the attacker's main entry vector: injecting synthetic content into the onboarding pipeline.

How does certified capture align with AMLD6 obligations?
AMLD6 requires enhanced CDD, tamper-evident evidence retention for at least ten years, and traceability of discarded signals. Certified capture with a QTSP seal and qualified timestamp satisfies these requirements by design: every event remains admissible before a supervisory authority and the chain of custody can be reconstructed in litigation or audit.
