Synthetic identity fraud: addressing a growing threat

The idea that personal identity data may already be circulating across the dark web is unsettling, yet increasingly grounded in reality. In the UK alone, around 3.9 million fraud incidents were recorded in a single year, while individuals have been affected by multiple data breaches, with hundreds of millions of UK accounts compromised. This steady exposure of personal information creates an environment where identity data can be reused, repurposed and exploited, contributing to the growing threat of synthetic identity fraud.

The fraudulent use of passport details, addresses and phone numbers is not new, but this more sophisticated and less visible form of financial crime represents a significant shift in how identity is exploited. Built from a blend of real and fabricated information, these identities are harder to detect and are quietly impacting financial institutions’ anti-financial crime controls, as well as the lives of consumers.

Despite the scale of the threat, synthetic ID fraud remains under-recognised by both financial institutions and the individuals affected by its financial and societal consequences, as many cases go undetected or are misclassified as credit losses rather than fraud.

Advances in technology have allowed these methods to develop rapidly, often outpacing regulatory frameworks and increasing the need for synthetic identity fraud prevention. As data becomes more accessible through breaches and illicit networks, fraudsters are increasingly able to exploit gaps in traditional detection systems.

Against this backdrop, growing calls for initiatives such as International Identity Day highlight the importance of protecting identity as a fundamental human right. At the same time, AI-driven anti-money laundering (AML) solutions present a path forward, offering financial institutions the tools to detect and respond to these evolving risks, provided they are implemented effectively.

What are synthetic identities?

Synthetic identities are fabricated identities created using a combination of real and false personal information. Rather than stealing a complete identity, fraudsters construct a new profile using elements such as a genuine address or National Insurance number alongside invented details, allowing the identity to appear legitimate while not belonging to a real individual.

Traditional identity theft, by comparison, involves impersonating a real person using stolen personal details. It is something many are familiar with, either through personal experience or its portrayal in popular culture. Films such as The Talented Mr Ripley and Punch-Drunk Love illustrate how identity can be misused, whether through direct impersonation or manipulation, often with clear victims who can eventually detect and report the fraud.

Synthetic identities, however, operate differently. True to their name, they are constructed. Often referred to as ‘Frankenstein’ entities, the process involves creating an entirely new identity using a blend of genuine and fabricated information. In some cases, one part of the identity may include real personally identifiable information (PII), such as a valid home address, while other details are subtly altered, making detection more difficult.

Either way, criminals may use these synthetic identities to open accounts and gradually build credit over time before exploiting available limits and disappearing. It is incredibly difficult for lenders to discredit these profiles, particularly when a fraudster has carefully cultivated an appearance of legitimacy. In cases of synthetic identity theft, there is no real individual to flag suspicious activity, as the identity itself does not truly exist.

The perfect environment for the threat to grow

According to the Deloitte Centre for Financial Services, synthetic identity fraud is expected to generate $23 billion (approximately £18 billion) in losses for the industry by 2030, while Experian has found that only a quarter of 500 financial services companies are confident in addressing this particular issue.

Given the sector is still catching up to this risk, these figures are likely to increase as criminal methods continue to evolve. The availability of data on the dark web through hacking and data breaches remains high, operating in areas that are largely unseen outside of specialist digital crime agencies.

Deepfaking is possible using this stolen data, and AI-generated biometric information can bypass identification checks at the integral know your customer (KYC) stage to open an account at a bank, fintech or lender. In advanced uses, criminals can also ‘inject’ fake information into the very identification verification technology itself. Legacy rules-based systems, which already struggle to detect anomalies, are not equipped to identify these threats in real time.

The misuse of personal data can bankrupt consumers, ruin their credit scores and lending capabilities, and these acts make even strengthened digital onboarding processes at financial institutions (FIs) vulnerable, not just per customer, but for business relationships. Synthetic identities have been used to obscure beneficial ownership, including in cases involving sanctioned individuals, increasing the risk exposure associated with third-party vendors and partners.

How AI & automation must adapt

With effectively ‘ghost’ entities operating constantly, financial institutions (FIs) cannot rely on a defrauded customer coming forward to be compensated; their AML strategies must evolve to detect and prevent these sophisticated methods, as they are already contributing to reduced trust and integrity within the financial system. Ineffective AML systems can damage institutional reputations and result in significant regulatory fines. The costs of implementing high-quality digital identity verification (IDV) software can ultimately be passed on to customers, increasing fees and slowing down account-opening experiences.

Essentially, FIs must be able to identify fake and genuine identities and transactions almost instantaneously. That’s a tough ask, but the ‘good side’ of artificial intelligence allows for significantly more accurate monitoring and synthetic identity fraud detection:

• Pattern Analysis: across vast, complex and diverse datasets, AI can identify anomalous behaviours that may indicate fraudulent or money laundering activity.
• Predictive Capability: following a compliance team’s pre-determined risk criteria for individuals or businesses, AI can flag potentially high-risk profiles for further investigation. 
• Continuous Learning: by training on historical datasets and known criminal typologies, AI can anticipate emerging risks while allowing legitimate customers to transact and onboard efficiently.
• Integrated Intelligence: within a unified AML system, IDV checks can be validated through multi-tier AI-driven authentication.

Of course, AI technology is not a panacea for synthetic identity fraud. However, it is a critical enabler of more advanced IDV adoption, which can be calibrated to an organisation’s risk appetite and significantly improve detection capabilities.

Proactive steps for banks

With AI-based tools offered by and supported by compliance platforms, identity verification (IDV) is becoming more effective at identifying the patterns and behaviours associated with synthetic identity fraud. This enables financial institutions to stay ahead of evolving criminal methods, provided that RegTech partnerships are adopted, regulatory frameworks continue to develop, and knowledge is shared across the ecosystem.

As a start, platforms need to offer layered IDV: document validation and data enrichment against trusted and authoritative sources; multi-factor authentication; facial recognition technology; and liveness checks. At the first stage of onboarding, this sets a precedent for safe customer experiences through the AML process, where risk models attuned to synthetic-specific risk can work around the clock to monitor transactions for fraudulent behaviour and raise alerts for enhanced due diligence.

Just as AI-driven monitoring is continuous in identifying risk factors, Perpetual KYC (pKYC) is becoming an integral part of post-account creation. Initial checks and periodic reviews are no longer sufficient to meet regulatory expectations, where pKYC allows for customer risk profiles to be updated in real time as new information is identified, ensuring data remains accurate and up to date.

The responsibility does not sit solely with financial institutions, but also with regulators and global organisations to raise awareness of synthetic identity risks. There are already great strides here with the call for September 16 to be recognised as International Identity Day, aligning with a UN initiative to recognise legal identity as a fundamental human right by 2030.

Support has been shown from global organisations such as the World Bank Group, the Biometric Institute, humanitarian organisations such as UNICEF, and financial networks including Visa and Mastercard, among others. Data privacy concerns have fast become law, and going further will ensure responsibility surrounding identity online and offline.

An end to silence is vital

The unfair use of personal data is a direct and harmful practice that is not being taken seriously enough. Before it gets worse, there is an urgent need to recognise warning signs and adopt risk-based protocols within an AI-driven compliance platform, not just to stave off the threat of regulatory fines, but to protect the names, lifestyles and rights of customers all around the globe. Synthetic identity fraud is another pointed reminder of KYC and AML as a crucial safeguard and not a checklist afterthought – the time to act is now.

For more insight into identity verification, pKYC, and the emerging threat of deepfakes, talk to the RelyComply team today, or delve into our resources on the power of advanced RegTech to combat synthetic identity fraud across the evolving digital landscape.

Disclaimer

This article is intended for educational purposes and reflects information correct at the time of publishing, which is subject to change and cannot guarantee accurate, timely or reliable information for use in future cases.