By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: Prove IdentityPublished September 25, 2025

TL;DR: Prove says Synchrony has completed 25 million digital credit card applications using pre-fill and identity verification, while reducing required form fields by 80% and reporting that 93% of digital customers choose autofill. The signal is clear: faster onboarding still depends on stronger identity proofing and fraud control, not simpler forms alone.


At a glance

What this is: This customer story says digital identity pre-fill and cryptographic authentication helped Synchrony process 25 million credit card applications while cutting application friction and supporting fraud controls.

Why it matters: It matters because identity verification teams, fraud leads, and IAM practitioners need to balance onboarding speed with stronger proofing, especially where account opening is a fraud target.

By the numbers:

👉 Read Prove Identity's customer story on 25 million digital credit card applications


Context

Digital credit onboarding often fails when organisations treat speed and proofing as competing objectives. In practice, the governance problem is not just form design, but how identity evidence is collected, authenticated, and reused without opening account-opening fraud gaps.

That is where digital identity, fraud prevention, and IAM intersect. When an application can be pre-populated from authenticated data, the verification model shifts from manual review to continuous trust decisions, which makes lifecycle control and evidence quality more important than the number of fields on a form.


Key questions

Q: How should organisations speed up customer onboarding without weakening identity assurance?

A: They should automate the primary verification path and reserve manual review for exceptions. The combination of document authentication, liveness detection, and authoritative data checks reduces waiting time while preserving assurance. The goal is not fewer controls, but a control chain that completes fast enough to support digital conversion and compliance.

Q: Why do pre-filled applications still create fraud risk?

A: Because convenience does not prove identity. Pre-fill can reuse accurate data, but attackers can still exploit weak data binding, stolen attributes, or synthetic identities if the workflow assumes completeness equals trust. Security teams need controls that validate the person behind the data, not just the presence of the data.

Q: What do identity teams get wrong about instant approvals?

A: They often focus on transaction speed and ignore whether the approval path still has enough decision points to detect fraud. Instant approvals can be safe only when upstream proofing, consent, and anomaly detection are strong. Without those controls, the organisation may be optimising for conversion while weakening assurance.

Q: Who is accountable when synthetic identity fraud inflates onboarding growth?

A: Accountability should sit across identity verification, fraud operations, and product growth leadership because the harm is both security-related and financial. If synthetic users consume biometric spend, manual review time, or incentives, the issue is not only fraud prevention. It is also governance of the onboarding workflow and the metrics used to judge success.


Technical breakdown

How pre-fill changes identity proofing in onboarding

Pre-fill works by using previously verified data to populate an application before the customer completes it. That reduces user effort, but the security value depends on whether the source identity evidence is sufficiently bound to the applicant. In this model, the control objective is not merely data convenience. It is to confirm that the supplied attributes are linked to a real person and then reuse them without weakening assurance. If the assurance layer is weak, pre-fill becomes a fraud accelerator rather than a control.

Practical implication: treat pre-fill as an identity assurance workflow, not a user experience feature.

Why cryptographic authentication matters in account opening

Cryptographic authentication gives the verifier stronger confidence that the identity claim has not been altered in transit and that the submitted data belongs to the same party across steps. For financial onboarding, that matters because synthetic identity fraud often succeeds where attribute checks are shallow or disconnected. The technical point is that cryptographic proofing narrows the gap between claimed identity and verified identity, but it still needs policy logic, consent handling, and fraud scoring around it.

Practical implication: align cryptographic authentication with fraud decisioning and consent controls, not standalone identity checks.

Where friction reduction can hide governance risk

Reducing fields by 80% can improve conversion, but it also compresses the number of explicit user checkpoints. That makes governance more dependent on backend trust sources, data lineage, and exception handling. When a system can approve applications almost instantly, teams must ensure the model still detects spoofed identities, reused synthetic data, and anomalous application patterns. Otherwise, lower friction can simply move the attack surface from the form into the trust pipeline.

Practical implication: review the trust pipeline, not just the customer journey, when onboarding gets faster.


Threat narrative

Attacker objective: The attacker wants to obtain approved financial accounts by presenting a fraudulent identity that looks sufficiently authenticated to pass onboarding controls.

  1. Entry occurs through a digital application workflow where an attacker attempts to submit or enrich a fabricated identity using low-friction onboarding controls.
  2. Escalation happens when weak proofing or poor data binding allows synthetic identity data to pass as authenticated applicant information.
  3. Impact is account opening fraud, including fraudulent credit access and downstream losses that are harder to unwind once approval is near-instantaneous.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Digital onboarding is now an identity-governance problem, not just a conversion problem. The article shows that reducing application friction can be paired with better proofing, but only if the underlying identity evidence is trustworthy. For IAM and identity verification teams, the question is whether the workflow preserves assurance when customers move faster through it. Practitioners should treat onboarding design as part of the identity control plane.

Synthetic identity fraud is the clearest risk when pre-fill becomes the default path. Pre-populated applications create efficiency, but they also reward attackers who can assemble credible attribute sets from fragmented data sources. That means fraud controls must evaluate the binding between the identity claim and the person, not just whether fields are complete. Practitioners should strengthen proofing where the data source is reused across multiple application steps.

Verification trust gap: the core failure mode is assuming that authenticated attributes are automatically safe to reuse in a new transaction. They are not. The more the business relies on instant decisions, the more the governance model needs lineage, consent, and exception handling around every reused identity signal. Practitioners should map where trust is inherited rather than re-established.

Financial onboarding teams should think in terms of controlled automation, not full automation. The article suggests a model where identity authentication can accelerate decisions, but only within defined policy boundaries. That aligns with broader IAM and fraud governance: high-assurance digital onboarding should still trigger step-up review when evidence quality drops or patterns drift. Practitioners should make policy boundaries explicit before expanding automated approval rates.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Only 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to NHI Mgmt Group research.
  • The 52 NHI Breaches Analysis shows how exposed credentials and poor lifecycle controls turn trust shortcuts into incidents.

What this signals

Digital identity programmes are increasingly judged on whether they can preserve assurance while reducing customer effort. That means verification teams should measure not just approval speed, but how often the workflow falls back to stronger evidence when risk increases. The governance lesson is that friction reduction only works when exception handling is deliberate and visible.

Verification trust gap: organisations should assume that any reusable identity signal can become a control weakness if its lineage is not traceable. That is true across onboarding, fraud prevention, and IAM-adjacent workflows. Where personal data is involved, teams should also align evidence handling to standards such as eIDAS 2.0 and, where applicable, ISO/IEC 27001:2022 Information Security Management.

As onboarding becomes more automated, the practical signal to watch is whether fraud review still sees the right cases early enough to intervene. If exception queues are shrinking while loss rates rise, the system may be over-trusting its identity inputs. Teams that connect verification with lifecycle governance will be better placed to contain that drift.


For practitioners

  • Define proofing thresholds for pre-fill workflows Set minimum assurance rules for any pre-populated field set, including when the system must fall back to manual review or step-up verification. Tie those thresholds to identity evidence quality, not to conversion targets.
  • Validate identity binding before data reuse Check that the data source, consent trail, and applicant binding are all intact before a reused attribute can auto-complete an application. This is especially important where multiple channels feed the same onboarding flow.
  • Instrument synthetic identity detection in the onboarding path Look for repeated attribute patterns, reused device signals, and anomalies across multiple applications to identify fraud rings earlier in the process. Feed those signals into the decision engine before approval is issued.
  • Review exception handling for near-instant approvals Document what happens when the automation approves too quickly, misses a signal, or cannot verify consent. That path should be visible to fraud operations and identity governance owners, not hidden inside the application stack.

Key takeaways

  • Digital onboarding can improve customer experience, but it also moves more security responsibility into the identity verification layer.
  • The important control question is not how many fields disappear, but whether the reused identity evidence remains trustworthy and traceable.
  • Fraud and IAM teams should govern pre-fill as a policy-bound identity workflow, not as a simple interface optimisation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing and enrolment are central to the onboarding flow described here.
NIST CSF 2.0PR.AC-1Access and identity assertions underpin account opening decisions in digital onboarding.
ISO/IEC 27001:2022A.5.15Access control governance applies to reusable identity evidence and applicant verification paths.
GDPRArt.32The flow processes personal data and needs appropriate security of processing.

Assess whether personal data reuse, consent, and authentication controls are proportionate to onboarding risk.


Key terms

  • Identity proofing: The process of verifying that a person is who they claim to be before granting or restoring access. In higher-risk recovery paths, proofing can include stronger evidence checks such as government ID validation or liveness-based facial verification so the assurance level matches the sensitivity of the request.
  • Pre-Fill: Pre-fill is the automatic population of an application form using previously verified data. It can reduce user effort and abandonment, but it only strengthens security when the underlying identity evidence is bound to the applicant and governed by clear policy and consent rules.
  • Synthetic Identity: A synthetic identity is a software-based actor that can authenticate, request access, and execute actions without being a human user. In practice, this includes AI agents, bots, service accounts, tokens, and other machine identities that need clear ownership, scope, and revocation.
  • Cryptographic Authentication: Authentication that relies on cryptographic proof rather than easily copied or guessed factors. In consumer identity, it binds the user or device to a verifiable trust signal, which improves assurance, reduces replay risk, and makes transaction decisions easier to audit.

What's in the full analysis

Prove Identity's full article covers the operational detail this post intentionally leaves for the source:

  • How Prove Pre-Fill binds verified attributes to an applicant before auto-populating fields.
  • Why Synchrony reports 93% autofill adoption in its digital customer flow and how that affected the application journey.
  • How cryptographic authentication is positioned to support faster approval decisions while reducing account-opening fraud.
  • The customer-story context behind the 25 million application milestone and the wider fintech onboarding use case.

👉 The full Prove Identity article covers the pre-fill workflow, fraud controls, and Synchrony's onboarding experience in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management for practitioners who need to connect access control with operational risk. It gives identity and security teams a common language for governing human and non-human trust decisions.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org