KYC: Does Your Onboarding Process Really Detect Deepfakes?

Does your KYC process really detect deepfakes?

Introduction

A customer opens an online account from their smartphone. They upload an identity document, proof of address, and record a short video to confirm their identity. Everything seems correct. The documents are clear, the information consistent, and the verification tool approves the file. Yet a few hours later, this account is already used to transfer fraudulent funds. The documents were fake — generated by artificial intelligence.

The real scale of document fraud in KYC processes

AI-powered document fraud is progressing rapidly in the financial sector.

Synthetic content known as deepfakeImage, video, or document fabricated or modified by artificial intelligence software to appear authentic to an untrained eye. now makes it possible to produce fake identity documents, fake faces, or fake proof of address with a level of realism that is hard to perceive.

According to several analyses in the financial sector, these attacks directly target customer identification steps.

Deepfake-related incidents in European financial services increased by 780% in 2023. [Clifford Chance — Financial services face up to deepfake risks (2024)]

These fake contents can weaken key steps such as KYCKnow Your Customer: regulatory procedure requiring financial institutions to verify customers' identities before entering any business relationship. verification or controls designed to prevent money laundering.

Deepfakes are now among the most concerning threats to identity verification in the financial sector. [RegTech Analyst — How deepfake-proof ID checks protect against financial crime (2023)]

In some cases, fraudsters use AI to generate convincing banking or administrative documents in a few seconds, then use them to bypass AMLAnti-Money Laundering: the set of procedures implemented by financial institutions to detect and prevent money laundering and terrorist financing. controls.

Classic verification systems, designed to spot simple falsifications, are not always able to identify these more sophisticated manipulations. [ComplianceHub — FinCEN Deepfake Alert (2024)]

Why banks and fintechs are particularly targeted

Account-opening processes that are largely automated

Most account openings now rely on fully digital customer journeys. Documents are processed automatically to speed up account activation. This automation reduces delays for legitimate customers, but it also creates an opportunity for fraudsters who leverage generative AI tools.

Controls that show their limits against new threats

Many systems still rely on technologies such as OCROptical Character Recognition: technology that automatically extracts text from a scanned document or a photo, without analyzing its visual structure or detecting alterations.. These tools read the text of a document, but they examine neither its visual structure nor any modifications. A document can therefore be perfectly readable while being entirely falsified.

Growing regulatory pressure

Compliance teams must reconcile onboarding speed with strict regulatory requirements. Any failure to identify a customer can expose the institution to significant legal consequences.

Why current defenses can be challenged

KYC processes still largely rely on two types of checks.

The first is human: an operator quickly reviews a document on screen. Deepfakes are precisely designed to deceive the human eye.

The second is automated: these systems check image quality or text readability, but they are generally not equipped to detect advanced manipulations such as a face-swapTechnique that substitutes one person's face with another in an image or video using artificial intelligence software. or a document generated entirely by AI.

Result: a visually credible document can pass every control step without being flagged.

Legal and compliance framework: what matters most

The legal consequences of a forged document always depend on the facts, the sector involved, the applicable qualification, and the competent jurisdiction. In practice, the main issue for an organization is to be able to demonstrate a proportionate, traceable, and well-documented verification process, with human review whenever a decision may have a significant effect.

The controls described here should therefore be understood as risk-management, compliance, and evidence-preservation measures. Any final blocking decision, report, contractual sanction, or legal action should still be validated by the relevant legal or compliance teams.

What compliance teams gain in concrete terms

• Earlier detection of documents showing anomalies during onboarding journeys
• Full traceability of documentary checks performed
• Technical elements that can be archived for internal audits and regulatory investigations
• Reduced exposure to identity fraud risks

Conclusion

Deepfakes are turning document fraud into a threat that is harder to identify using traditional tools alone. Financial institutions are facing fake content capable of bypassing controls that were not designed for this level of sophistication.

At the same time, European regulations — NIS2, DORA, AI Act — are strengthening cybersecurity, traceability, and documentation obligations for systems used in KYC processes.

DeepForgery integrates into these processes, via API or on-premise, to add an extra layer of analysis on critical documents — and provide compliance teams with the technical elements they need to document their controls and justify their decisions.