Synthetic identities are harder because they can pass individual checks while still being fake in aggregate. A real document, a convincing selfie, or a valid contact detail does not prove the identity exists as a coherent person. That is why KYC now needs layered signals, not a single pass or fail test.
Why This Matters for Security Teams
Synthetic identities make KYC harder because they exploit the gap between document-level validation and person-level trust. A passport number, selfie match, phone number, or address can each look legitimate while still belonging to a fabricated profile assembled from stolen, invented, or mixed attributes. That creates risk for onboarding, credit exposure, account takeover, mule activity, and downstream fraud monitoring. The control problem is not whether a single data point looks valid, but whether the identity is coherent across time and channels.
This is why modern KYC is shifting toward layered assurance, where document checks, device intelligence, behaviour analysis, liveness, and ongoing monitoring are combined rather than treated as isolated gates. The broader policy direction is consistent with the FATF Recommendations – AML and KYC Framework, which expects risk-based controls instead of single-point verification. For digital identity programmes, the move toward reusable credentials in eIDAS 2.0 – EU Digital Identity Framework also reinforces the need to distinguish a credential from the real-world subject behind it. In practice, many security teams discover synthetic identity risk only after fraud patterns, chargebacks, or account abuse have already begun, rather than through intentional identity assurance design.
How It Works in Practice
Effective KYC for synthetic identity risk starts with treating identity as a graph, not a single record. Teams should correlate onboarding signals with existing identity history, device reputation, IP and geolocation consistency, contact reuse, and behavioural patterns. A valid document is only one input. Liveness checks, selfie-to-document comparison, and proof-of-control over email or phone help, but they do not prove a person is real on their own.
Operationally, the best practice is to score risk across the full lifecycle:
- At onboarding, look for attribute combinations that are individually plausible but collectively unusual.
- During verification, confirm that identity artefacts, device context, and session behaviour align.
- After approval, continue monitoring for link analysis, velocity spikes, credential reuse, and mule-like activity.
- When risk increases, step up to stronger checks rather than relying on the original pass/fail decision.
This also has a strong security-and-identity intersection. Synthetic identities often become the front door for fraud rings and can later be used to acquire accounts, payment instruments, or even privileged access into platforms that accept weak onboarding evidence. The issue is not confined to consumer finance. NHIMG research on JetBrains GitHub plugin token exposure and Hard-Coded Secrets in VSCode Extensions shows how stolen secrets and compromised workflows can amplify identity abuse once trust has been established. These controls tend to break down when onboarding is optimised for conversion without enough post-approval monitoring, because the organisation stops checking coherence after the initial pass.
Common Variations and Edge Cases
Tighter identity verification often increases friction and abandonment, so organisations have to balance fraud reduction against customer experience and regulatory thresholds. There is no universal standard for every use case yet, and current guidance suggests a risk-based approach rather than one rigid verification path for all applicants.
High-risk segments usually need stronger evidence than low-risk ones. For example, a consumer banking account, a remittance service, and a low-value loyalty profile should not all use the same assurance level. Synthetic identity risk also looks different across jurisdictions, because data availability, privacy rules, and legal identity systems vary. In some cases, a strong national digital identity can improve assurance, but only if the relying party validates provenance and does not treat possession of a credential as proof of current legitimacy.
Two common edge cases deserve attention. First, legitimate applicants can have thin files, name variations, or limited digital footprints, which makes overblocking a real risk. Second, advanced fraud rings may slowly age synthetic identities so they appear normal over months. That means KYC teams need periodic re-verification, anomaly detection, and case management, not just an onboarding workflow. NHIMG’s broader NHI guidance is also relevant here: only 5.7% of organisations have full visibility into their service accounts, a reminder that hidden identities of any kind become dangerous when they are not continuously governed. The hard part is building controls that catch synthetic identities without treating every unusual applicant as malicious.
Related resources from NHI Mgmt Group
- Why do synthetic identities make trust and safety programmes harder to run?
- Why do non-human identities make access certification harder than human identities?
- Why do non-human identities make privileged access governance harder?
- Why do non-human identities make Zero Standing Privilege harder to achieve?