Fraudsters Build Synthetic Identities That Fool Traditional KYC Checks

In the early days of digital banking, identity fraud largely meant stolen credentials: a breached password, a compromised Social Security number or a copied credit card.

But digital banking is no longer early innings, and the growing category of identity fraud firms are facing is fundamentally different. Instead of stealing identities, criminals are manufacturing them.

“Synthetic identity fraud is different because the identity itself is engineered, not stolen,” Henry Patishman, executive VP, identity verification solutions at Regula, told PYMNTS.

“Frauds combine real data elements, like real SSNs for instance, with fabricated attributes and increasingly AI-generated artifacts. It’s a combination of some real and some fake data, and that creates a synthetic identity,” Patishman said.

This blending of legitimate and fabricated signals allows synthetic identities to pass through verification systems designed to confirm individual data points. The fraud doesn’t happen in a single moment. Instead, it unfolds slowly.

The delayed nature of the fraud makes it particularly difficult to detect. Unlike traditional identity theft, there is often no immediate victim whose complaint triggers an investigation.

“That’s why we describe it as a structural issue,” Patishman said. “It exploits how our identity systems are designed, not just a single control failure.”

AI Acceleration Effect

While synthetic identity fraud was once a niche problem, artificial intelligence has accelerated it dramatically. AI tools can now generate convincing identity artifacts at a cost and a scale that would have been impossible even a few years ago.

Regula’s 2025 research shows that AI-driven identity manipulation is becoming as common as traditional document fraud, with one in three surveyed organizations reporting this type of attack. The economics of fraud have shifted in favor of attackers.

“Synthetic identities don’t break identity systems, they exploit how those systems are designed to trust signals,” Patishman said.

That shift requires organizations to rethink the goal of fraud prevention.

“The controls need to focus on raising the cost of fraudulent attempts, not just adding friction. It’s smart verification that raises the cost of fraud for criminals, not slower onboarding,” Patishman said.

“Strong orchestrated signal validation can reduce manual review and improve the customer experience,” he added.

Systemic, Not Institutional, Problem

Another challenge is that synthetic identity fraud rarely occurs within a single company.

Fraudsters often nurture synthetic identities across multiple institutions — opening accounts at FinTech startups, applying for credit at banks and building transaction histories across payment platforms. Each successful interaction increases the credibility of the identity.

“Synthetic identity fraud rarely happens within a single institution,” Patishman said. “A synthetic persona may move across banks, FinTechs, lenders and payment platforms before the losses actually appear.”

By the time fraud surfaces, the identity may have accumulated years of seemingly legitimate activity. That dynamic makes synthetic identity fraud fundamentally an ecosystem problem rather than an isolated institutional risk.

And if the threat spans the entire financial system, the solution must as well. Patishman believes meaningful progress will require collaboration across industry players, regulators and technology providers.

“Effective collaboration means sharing risk intelligence signals, not personal data,” he said, noting that standardizing identity verification practices across industries could also help prevent fraudsters from exploiting weaker entry points in the financial system.

Traditional Compliance Thinking Fails

The problem can be compounded by the way in which many financial institutions approach identity verification, which can tend to be as a regulatory requirement rather than a risk management system.

The reason is rooted in how most know-your-customer (KYC) systems function. They verify data attributes individually, confirming that a name matches a database entry or that a document number exists in government records. But synthetic identities are deliberately constructed so that each element appears legitimate in isolation.

“Fraudsters assemble identities so that every individual signal passes independently, and traditional systems rarely evaluate how those signals relate to each other. That’s really the crux of the problem,” Patishman said.

Without the capability to view signals contextually, organizations may lack the ability to evaluate identities holistically.

And a holistic approach is central to Patishman’s philosophy of identity verification. Rather than validating signals individually, systems must analyze them by looking at how documents, biometrics, device data and behavioral signals interact.

Because the future of financial identity will not be defined by whether a single data point is real. It will be determined by whether the entire identity makes sense.

The post Fraudsters Build Synthetic Identities That Fool Traditional KYC Checks appeared first on PYMNTS.com.