šŸ›Ÿ Synthetic IDs are winning

U.S. banks face record synthetic exposure and a formal FinCEN alert on deepfakes in KYC. Discover where remote onboarding breaks, which controls still bite, and which vendors to look at to force fraud to pay the friction.

Author

Abbie Widin
September 02, 2025

Hello, Abbie Widin here,

AI Check In delivers sharp, globally relevant intelligence on AI governance, financial risk, and capital automation.  Already briefing strategy, risk, and compliance leaders at the worldā€™s most influential banks, including JPMorgan, Citi, and Bank of America.

What to expect this edition:

  • šŸ›Ÿ Need to Know: $3.2B synthetics, FinCEN names deepfakes, IC3 losses surge

  • šŸ„· Deep Dive: Remote onboarding is the kill chain. Hereā€™s how you harden it.

  • šŸ“ˆ Trends to Watch: From attributes to human assurance under the new NIST 800-63-4

  • āš”ļø Vendor Spotlight: iProov, Biocatch and Quantexa

Rewrite the rules. Outmaneuver competitors. Stay two steps ahead of regulators.

Let the games begin.

šŸ›”ļø Enjoying AI Check In? Forward this to a colleague who needs to stay two steps ahead.

šŸ“¬ Not subscribed yet? Sign up here to receive future editions directly.

šŸ›Ÿ Need to Know: $3.2B synthetics, FinCEN names deepfakes, IC3 losses surge

Synthetic identity has crossed the chasm.
By mid-2024, U.S. lenders were sitting on $3.2 billion in synthetic exposureā€”the highest on record. Application-stage identity remains the softest target. Rings now nurture fakes for weeks before activation.

Regulators are done hinting.
FinCENā€™s November 2024 alert names deepfakes as a formal SAR typology and instructs banks to tag submissions with: ā€œFIN-2024-DEEPFAKEFRAUD.ā€

Losses arenā€™t just risingā€”theyā€™re compounding.
The FBIā€™s IC3 logged $16.6 billion in cybercrime losses in 2024, up 33% year-on-year. Business email compromise still dominates the dollar-weighted chart.

The message: front-door KYC is no longer the control. It's the bait. Treat identity as a system that matures over time or one the fraud ring matures for you.

šŸ„Š Your Move:

  • Use standards as weapons. Map your remote KYC and recovery flows to NIST SP 800-63-4. Flag all deviations. If you don't own a remediation timeline, you're running on faith.

  • Operationalize FinCENā€™s alert. Write the SAR typology playbook for deepfakes: keywords, escalation triggers, training. If your investigators are improvising, youā€™re already behind.

  • Cut your weakest link. Apply FFIEC-style layered auth to every channel, including web, app, call center. Voice clone is now table stakes. Session replay is free. Your only defense is multiple, independent frictions.

šŸ„· Deep Dive: Remote onboarding is the kill chain. Here is how you harden it.

Remote onboarding under AI assault
Fraud rings are cultivating identities like crops. Unused SSNs (especially childrenā€™s) are grafted into synthetic files. Credit builders and tradelines fatten the score. Shell companies provide cover. And then: the bust-out.

The DOJ charged one such ring with using fake identities and shells to extract millions from banks. The ringleader was sentenced to 94 months.

Social engineering is the approval layer.
In early 2024, a multinational wired $25.6 million after a convincing video call with multiple deepfaked executives. Donā€™t let your VIP overrides, new payees, or callback rituals be symbolic only, or else, youā€™re next.

Whoā€™s responding well?

Among U.S. players, Wells Fargo and Bank of America have shifted customers to phishing-resistant FIDO authentication, effectively cutting off credential replay and most voice-clone social engineering.

Charles Schwab and Robinhood are rolling out passkey support with device trust models, while T. Rowe Price is using passkeys across investment flows.

On the risk and fraud side, a top-five U.S. bank deployed real-time mule-detection and identified 1,800+ mule accounts using cross-network analytics. These are the moves being normalized, especially under FinCENā€™s deepfake alert and NISTā€™s newly finalized SP 800-63-4.

Controls that still bite

  • Challenge-response liveness + device binding (aligned to NIST 800-63-4).

  • Continuous risk scoring for 30+ days. Join device, network, and first-payment data.

  • Graph analytics to detect mule clustering and beneficiary reuse.

  • Hard approvals. Out-of-band callbacks for first-time wires, VIP overrides, and exception handling.

Precision matters. In May 2024, Chime was fined and forced to offer restitution after blocking real users during a fraud response blitz. CX misfires now carry enforcement risk. (CFPB, Reuters)

šŸ„Š Your Move:

  • Kill your weakest fallback. Replace voiceprints, knowledge-based authentication (KBAs), and static biometrics in recovery with cryptographic device-bound credentials or accept that your step-up path is compromised.

  • Tax the first payment. Force holds or callbacks on first-time beneficiaries, high-value transfers, or session-risk outliers. Let fraud pay the friction, not your good customers.

  • Make reversals fast and defensible. If you block an account, issue the refund fast, document the rationale, and notify the customer before they file a complaint. The CFPB now expects that choreography.

šŸ“ˆ Trends to Watch: From attributes to human assurance under NIST 800-63-4

  1. The standards caught up.
    NIST SP 800-63-4 (July 2025) sets the new bar: remote-attended proofing, evidence strength, device-bound authenticators, and per-flow identity assurance.

  2. Youā€™re moving from attributes to ā€œhuman assurance.ā€
    Post-signup identity must remain dynamic. Expect periodic liveness, device attestation, and continuous signal scoring in high-risk sessionsā€”especially wealth, treasury, and cross-border flows.

  3. The Fed is done waiting.
    Its Synthetic Identity Fraud Toolkit calls for bank consortia to exchange synthetic/mule indicatorsā€”SSNs, devices, beneficiary reuse. Participation will become a reputational checkbox.

  4. Political heat is rising.
    The Senate Banking Committee is probing how banks plan to counter voice clones and deepfake-enabled recovery fraud. Consider this your public warning.

šŸ„Š Your Move:

  • Quantify identity risk. Assign IAL/AAL per flow, publish target states, and track deltas quarterly. If no one owns it, no one fixes it.

  • Build the cartel. Stand up legal and technical rails to exchange synthetic identity signals with your peersā€”before your regulators ask why you didnā€™t.

  • Rehearse the con. Run deepfake tabletops across your VIP approvals. Include exec impersonation, spoofed voices, urgent wires. If your controls donā€™t fail in testing, theyā€™re not being tested hard enough.

āš”ļøVendor Spotlight: iProov, Biocatch and Quantexa

Field: Remote proofing and liveness for KYC and authentication.

  • Selected for the UK Governmentā€™s One Login program and a multi-year UK Home Office contract, demonstrating national-scale identity verification in production.

  • First remote face verification product to pass the FIDO Alliance Face Verification Certification, signaling third-party tested resilience and usability for remote onboarding.

Field: Behavioral biometrics for scam, ATO, and mule detection.

  • Customers reported nearly 2 million money mule accounts identified in 2024 across 257 financial institutions in 21 countries, showing real detection at network scale. biocatch.com

  • Independent coverage confirms the scale and positions behavioral signals as a practical control for mule discovery in live banking environments. Biometric Updatefintechnews.ch

Field: Entity resolution and network analytics for AML, KYC, and fraud.

  • Deployed at HSBC to unify disparate datasets and reveal real-world relationships for financial crime risk, replacing multiple legacy tools with a single graph-led view.

  • Ongoing expansion of decision-intelligence capabilities used by large banks to strengthen investigations and contextual alerts.

šŸ„Š Your Move:

  • Guarantee outcomes. On our last 90 days of traffic, what net fraud loss reduction will you commit to by day 30 and day 90, after refunds, manual review, and churn are included? Show the math, the data you need, and put it in the contract.

  • Prove auditability. Give a redacted case file from a current bank with event-level explanations, SAR-ready typology mapping, and versioned model change logs. Now run the same explainability on a one-week sample of our data.

  • Wire signals fast. In two weeks, ingest onboarding assurance levels, device fingerprints, and beneficiary first-seen data. Show time to first useful alert and false-positive rate. Join these signals, deliver value.

šŸ”® Next week: Proof of Humanity.

Liveness that canā€™t be spoofed. Device-bound keys that canā€™t be stolen. Verifiable credentials that bind identity to audit trails. The next issue maps the digital identity stack that survives contact with a deepfake, and with your regulator.

Yours,

šŸ’Œ Was this newsletter shared with you? Join banking and finance leaders receiving weekly AI governance briefings.

šŸ“˜ Subscribe to AI Check In here.

āš” Share the edge ā€” forward this edition to a colleague interested in AI, risk, or innovation initiatives.

Disclaimer

This newsletter is for informational and educational purposes only and should not be considered financial, legal, or investment advice. Some content may include satire or strategic perspectives, which are not intended as actionable guidance. Readers should always consult a qualified professional before making decisions based on the material presented.