Generating a synthetic identity that passes standard KYC checks costs less than EUR 50 in 2026. Running the KYC check to detect it costs more. This asymmetry is not a fraud problem. It is a CDD architecture problem: a verification process whose cost exceeds the cost of the attack it is designed to prevent is not a deterrent. It is overhead.
GenAI lowered the cost of synthetic identity creation by an order of magnitude. A fraudster can now generate a complete digital persona (government-issued document images, biometric-consistent selfie photographs, a constructed financial history, and synthetic behavioral signals) using off-the-shelf models available for under EUR 50 per identity. The Aviel Intelligence system, which won the Money20/20 Europe 2026 Start-Up Pitch Competition, demonstrated the inverse application: using the same synthetic persona generation technology to create live mule accounts and map fraud networks in real time. The technology is dual-use. The defensive application lags the offensive one.
Only 2% of global financial crime flows are detected despite a 10% annual increase in compliance spending. The spending is going into processes that the threat has already outpaced.
How GenAI Breaks Document-Based Verification
Traditional KYC verification rests on three pillars: document authenticity, biometric consistency, and database cross-reference. Each pillar was designed for a pre-generative-AI threat model.
Document authenticity checks verify that a document image matches the expected layout, microprint, and security features for its claimed jurisdiction and document type. These checks operate on visual pattern matching: they compare the submitted document against known templates. GenAI-generated document images are synthesized at pixel level, not scanned from physical documents. The pattern matching logic detects anomalies in scanned documents (inconsistent fonts, missing security features, incorrect MRZ checksums). It does not reliably detect a document that was generated to match the pattern from the beginning.
Biometric consistency checks compare the selfie photograph submitted at onboarding against the face printed on the document. If both the document image and the selfie are generated by the same model with consistent facial parameters, they match. The check confirms consistency between two synthetic artifacts and produces a pass result that is indistinguishable from a legitimate match.
Database cross-reference checks query credit bureaus, address registries, and identity databases to confirm that the name, address, and date of birth in the submitted documents correspond to a real person. Synthetic identities are increasingly built by "piggybacking" on legitimate thin-credit individuals (children, recent immigrants, elderly people with minimal financial history) who have real records but negligible fraud detection exposure. The database query returns a legitimate record. The check passes.
All three pillars fail against a sophisticated synthetic identity because they were designed to detect fraud in the physical document world. The threat model changed. The architecture did not.
What Real-Time CDD Changes
A point-in-time identity check at onboarding was sufficient when building a synthetic identity required weeks of effort and physical document forgery. At EUR 50 per identity with a two-hour generation time, the economic constraint on synthetic identity fraud no longer exists. Volume is no longer a limiting factor.
Real-time CDD changes the detection model from verification-at-onboarding to continuous-risk-assessment-over-time. A synthetic identity passes document and biometric checks at onboarding because those checks evaluate a single point in time. Synthetic identities fail over time because their behavioral signals diverge from the patterns of real customers.
A real customer opening an account exhibits a behavioral pattern: they interact with customer service, they use the account from consistent devices and locations, they transact with counterparties that have a coherent social and commercial relationship to their profile, and their transaction amounts and frequencies are consistent with their stated income and purpose. A synthetic identity used for account takeover or money muling exhibits a different pattern: rapid onboarding with minimal subsequent service interaction, transactions that do not fit the profile (large amounts immediately after account opening, counterparties with no clear commercial relationship, device and location changes that do not correspond to plausible travel patterns).
Continuous behavioral monitoring detects these divergences over days and weeks. Point-in-time KYC does not.
The Architecture of Real-Time CDD
Three capabilities are required for real-time CDD that document verification cannot provide.
Risk scoring at onboarding, not document scoring. The output of the onboarding process should be a risk score for the customer, not a binary pass/fail from the document check. The risk score incorporates: document and biometric check results, device fingerprint and IP intelligence signals, cross-reference results from credit bureaus and address registries, velocity checks (how many accounts have been opened from the same device, IP range, or document set in the last 24 hours), and behavioral signals from the onboarding flow itself (time spent on each step, navigation patterns, form field correction patterns).
AI-augmented risk scoring reduces false positives by 40-60% compared to rule-based systems, according to analyses presented at Money20/20 Europe 2026. The reduction comes from replacing binary threshold rules (flag all applications where the document check score is below 0.8) with probabilistic models that weight multiple signals simultaneously. A legitimate customer from a high-risk jurisdiction with a lower document scan quality should not be blocked if their device, IP, behavioral, and cross-reference signals are all clean. A synthetic identity with a perfect document check score and anomalous behavioral signals should be reviewed even if the document passed.
Continuous monitoring as a first-class compliance process. CDD does not end at onboarding. AMLD5 Article 13 requires ongoing monitoring of customer transactions and periodic review of CDD records at a frequency proportional to the customer's risk level. For high-risk customers, this means transaction-by-transaction review against behavioral baselines. For medium-risk customers, this means periodic review at defined intervals plus trigger-based review when transaction patterns change materially.
The system must track behavioral baselines per customer: what is this customer's typical transaction frequency, average amount, counterparty set, and device profile? A transaction that falls outside the baseline by more than a defined threshold triggers a CDD review event. The review is automated for low-severity deviations and escalated to the compliance team for high-severity ones. The escalation threshold is a policy parameter, not a code branch.
Deterministic audit trails for every CDD decision. The European Anti-Money Laundering Authority (AMLA), now operational with expanded enforcement powers, requires that financial institutions can reconstruct the exact compliance decision made for any customer at any point in time. This means: which risk score was calculated, which signals contributed to it, which policy was in effect, what decision was made, and who (human or automated process) made it.
Audit trails that satisfy AMLA examination are not application logs. They are structured, immutable records tied to a customer ID and a timestamp, with explicit reference to the policy version that governed the decision. A log file is a debugging tool. A compliance audit record is a legal document.
The AMLA Mandate
AMLA, established by Regulation (EU) 2024/1620 and operational from 2025, has jurisdiction to directly supervise the 40 largest cross-border financial institutions in the EU and to coordinate with national supervisors for the remainder. Its mandate explicitly covers AI-augmented compliance systems: if an institution uses AI for AML decision-making, AMLA expects the decision logic to be explainable, the training data to be documented, and the outcomes to be auditable.
The operational implication is not that AI cannot be used for CDD. It is that the AI system's decisions must be recorded with sufficient detail that a regulator can reconstruct the logic after the fact. A model that produces a risk score without explaining which features contributed to it, and by what weight, fails the explainability requirement. A model that produces a score with a feature contribution breakdown (this document check contributed 0.3, this velocity signal contributed 0.4, this behavioral anomaly contributed -0.2) satisfies it.
This requirement also applies to decisions that the model gets wrong. When a legitimate customer is incorrectly flagged and their account is restricted, the record must show why. The customer's right to explanation under GDPR Article 22 and the regulator's right to audit under AMLA both point to the same architectural requirement: every automated compliance decision must be explainable from a stored record, not reconstructed from model parameters.
Trade-offs
Real-time CDD with AI-augmented risk scoring introduces costs that point-in-time document verification avoids.
False positive management. A risk scoring system that weighs behavioral signals will produce false positives: legitimate customers whose behavioral patterns fall outside the baseline for non-fraud reasons (business travel, unusual transaction due to a one-time event, device change after phone replacement). Each false positive requires a review process, creates friction for the customer, and must be resolved quickly to avoid regulatory exposure under PSD2's account access provisions.
Model maintenance. An AI risk scoring model trained on historical fraud patterns will drift as fraud patterns change. GenAI-powered synthetic identity fraud is itself changing rapidly: the techniques available in 2026 are different from 2024. The model must be retrained periodically against current threat signals. Retraining requires labeled training data, which requires fraud cases to have been identified and correctly classified in the first place, creating a bootstrap dependency.
Latency in the onboarding flow. Real-time risk scoring adds latency to the onboarding process. A score that weighs device intelligence, velocity checks, cross-reference calls, and behavioral signals will take longer to compute than a binary document check. For consumer onboarding where completion rate is a business metric, latency matters. The acceptable latency budget for risk scoring is a product decision, not a compliance one, but it constrains the depth of the scoring model.
Fernel Context
Fernel's CDD architecture models compliance policies as versioned records resolved at evaluation time. The risk scoring pipeline accepts a normalized customer event (onboarding submission, transaction, periodic review trigger) and evaluates it against the applicable policy for the customer's jurisdiction and risk level. Every evaluation produces an immutable audit record: the policy version in effect, the signals evaluated, the score produced, and the decision made. The record is delete-protected at the database level. AMLA examination of any compliance decision returns a structured record from a single query, not a forensic reconstruction from distributed logs.
Read more: Compliance Infrastructure | Automating Customer Due Diligence | Security & Compliance
Sources:
- Aviel Intelligence: Money20/20 Europe 2026 Start-Up Pitch Competition winner, synthetic persona technology for fraud network detection
- Synthetic identity fraud ranked #1 financial crime threat in 2026 (Money20/20 Europe analyst reports)
- Only 2% of global financial crime flows detected despite 10% annual compliance spending increase (Money20/20 Europe keynote data)
- Agentic AI reducing AML false positives by 40-60%: analysis presented at Money20/20 Europe 2026
- AMLA, Regulation (EU) 2024/1620, establishment of the Anti-Money Laundering Authority with direct supervisory powers
- AMLD5, Directive 2018/843, Art. 13 (Customer due diligence), Art. 14 (Timing of verification), Art. 20 (Ongoing monitoring)
- GDPR, Regulation 2016/679, Art. 22 (Automated decision-making and profiling, right to explanation)
- PSD2, Directive 2015/2366, Art. 63-66 (Account access rights and restrictions)