Journal of FinTech and Sustainable Finance

Articles

Vol. 2 (2026)

Deepfakes in Onboarding, KYC, and Financial Fraud: Authenticity Standards and Liability Framework for Digital Banks and FinTech

DOI:
https://doi.org/10.31875/2755-8398.2026.02.01
Submitted
February 18, 2026
Published
2026-02-19

Abstract

Deepfakes and synthetic media have evolved from reputational threats to direct financial exploitation tools, enabling sophisticated impersonation during remote onboarding, evasion of biometric verification systems, and the creation of synthetic identity accounts at industrial scale. Yet most countermeasures remain fragmented, relying on ad hoc vendor controls or intrusive surveillance mechanisms that undermine both user trust and financial inclusion objectives. This article advances an integrated legal-technical framework for FinTech institutions and digital banks structured around four core contributions: (i) a FinTech-specific taxonomy of deepfake-enabled fraud vectors spanning onboarding, KYC refresh, and account takeover scenarios; (ii) a normative mapping of duties grounded in risk-based customer due diligence and security obligations, anchored in Mexican law but internationally interoperable; (iii) a Tiered Authenticity and Traceability Standard (TATS) that calibrates verification intensity with transaction risk while enforcing data minimization and auditability principles; and (iv) a pragmatic liability allocation model distributing responsibility among deployers (FinTech), users, and verification vendors based on control capacity, foreseeability, and evidentiary capability. By integrating digital identity assurance standards with transparency-by-design principles and secure capture/provenance mechanisms, TATS operationalizes a privacy-preserving trust infrastructure that supports safer digital finance and, ultimately, sustainable financial inclusion in emerging markets.

References

  1. AI Act Service Desk. (2024). Article 50: Transparency obligations for providers and deployers of certain AI systems. European Commission. https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-50 (Accessed: January 15, 2025).
  2. Barrington, L., et al. (2025). Research confirms humans cannot consistently identify AI-generated voices. Journal of Experimental Psychology: Applied. [Cited in UNESCO, 2025].
  3. Bateman, J. (2020). Deepfakes and synthetic media in the financial system: Assessing threat scenarios. Carnegie Endowment for International Peace. https://carnegieendowment.org/research/2020/07/deepfakes-and-synthetic-media-in-the-financial-system-assessing-threat-scenarios (Accessed: December 10, 2024).
  4. C2PA. (2024). Content Credentials: Technical specification for content provenance and authenticity. Coalition for Content Provenance and Authenticity. https://c2pa.org/specifications/ (Accessed: January 20, 2025).
  5. Cámara de Diputados (México). (2025). Ley para Regular las Instituciones de Tecnología Financiera (última reforma DOF 14-11-2025). https://www.diputados.gob.mx/LeyesBiblio/pdf/LRITF.pdf (Accessed: January 25, 2025).
  6. Carpenter, P. (2025). AI, deepfakes, and the future of financial deception. Testimony before the U.S. Securities and Exchange Commission. KnowBe4. https://www.sec.gov/files/carpenter-sec-statements-march2025.pdf (Accessed: January 28, 2025).
  7. Chen, H., & Magramo, K. (2024, February 4). Finance worker pays out $25 million after video call with deepfake 'chief financial officer'. CNN. https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk (Accessed: December 15, 2024).
  8. Chesney, R., & Citron, D. K. (2019). Deep fakes: A looming challenge for privacy, democracy, and national security. California Law Review, 107, 1753-1819. https://doi.org/10.2139/ssrn.3213954
  9. Comisión Nacional Bancaria y de Valores (CNBV). (2024). Circular Única de Bancos (Anexo 72: Disposiciones en materia de identificación). CNBV.
  10. Deloitte Center for Financial Services. (2024). Deepfake banking fraud risk on the rise. Deloitte Insights. https://www2.deloitte.com/us/en/insights/industry/financial-services/financial-services-industry-predictions/2024/deepfake-banking-fraud-risk-on-the-rise.html (Accessed: December 20, 2024).
  11. Entrust. (2025). 2025 Identity fraud report: The deepfake threat landscape. Entrust Corporation.
  12. European Commission. (2024). Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union.
  13. Experian. (2025, March 18). 'Synthetic fraud' reaches record levels [Press release]. Experian. https://www.experianplc.com/newsroom/press-releases/2025/-synthetic-fraud--reaches-record-levels (Accessed: January 22, 2025).
  14. FATF. (2020). Guidance on digital identity. Financial Action Task Force (FATF/OECD). https://www.fatf-gafi.org/en/publications/Financialinclusionandnpoissues/Digital-identity-guidance.html (Accessed: December 5, 2024).
  15. Federal Reserve Bank of Boston. (2025, April 17). Gen AI is ramping up the threat of synthetic identity fraud. Boston Fed News. https://www.bostonfed.org/news-and-events/news/2025/04/synthetic-identity-fraud-financial-fraud-expanding-because-of-generative-artificial-intelligence.aspx (Accessed: January 25, 2025).
  16. FIDO Alliance. (2023). Biometric component certification requirements (v3.0). FIDO Alliance. https://fidoalliance.org/certification/ (Accessed: January 10, 2025).
  17. Fortune. (2024, May 17). A deepfake 'CFO' tricked the British design firm behind the Sydney Opera House in $25 million fraud. Fortune. https://fortune.com/europe/2024/05/17/arup-deepfake-fraud-scam-victim-hong-kong-25-million-cfo/ (Accessed: December 18, 2024).
  18. FS-ISAC. (2024). Deepfakes in the financial sector: Understanding the threats, managing the risks. Financial Services Information Sharing and Analysis Center. https://www.fsisac.com/hubfs/Knowledge/AI/DeepfakesInTheFinancialSector-UnderstandingTheThreatsManagingTheRisks.pdf (Accessed: January 5, 2025).
  19. iBeta Quality Assurance. (2024). ISO 30107-3 presentation attack detection test methodology and confirmation letters. https://www.ibeta.com/iso-30107-3-presentation-attack-detection-confirmation-letters/ (Accessed: January 12, 2025).
  20. ISO. (2023a). ISO/IEC 30107-1:2023 Information technology — Biometric presentation attack detection — Part 1: Framework. International Organization for Standardization. https://www.iso.org/standard/83828.html
  21. ISO. (2023b). ISO/IEC 30107-3:2023 Information technology — Biometric presentation attack detection — Part 3: Testing and reporting. International Organization for Standardization. https://www.iso.org/standard/79520.html
  22. Javelin Strategy & Research. (2024). 2024 Identity fraud study: Resolving the shattered identity crisis. https://javelinstrategy.com/research/2024-identity-fraud-study-resolving-shattered-identity-crisis (Accessed: December 22, 2024).
  23. Lucinity. (2025). AI-enabled fraud trends 2024-2025: Annual threat assessment. Lucinity Research.
  24. Monetary Authority of Singapore (MAS). (2024). Technology risk management guidelines. MAS.
  25. NIST. (2023). NIST AI 100-1: Artificial intelligence risk management framework (AI RMF 1.0). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.AI.100-1.jpn
  26. NIST. (2024). NIST SP 800-63Bsup1: Incorporating syncable authenticators into NIST SP 800-63B. National Institute of Standards and Technology.
  27. NIST. (2025a). NIST SP 800-63-4: Digital identity guidelines. National Institute of Standards and Technology.
  28. NIST. (2025b). NIST SP 800-63B-4: Digital identity guidelines — Authentication and authenticator management. National Institute of Standards and Technology. https://csrc.nist.gov/pubs/sp/800/63/b/4/final (Accessed: January 30, 2025).
  29. Signicat. (2025, March 28). Fraud attempts with deepfakes have increased by 2137% over the last three years [Press release]. Signicat. https://www.signicat.com/press-releases/fraud-attempts-with-deepfakes-have-increased-by-2137-over-the-last-three-year (Accessed: January 28, 2025).
  30. Socure. (2022). The state of synthetic fraud: Evolution, trends, and how we will eradicate it by 2026. https://www.socure.com/news-and-press/socure-estimates-financial-losses-from-synthetic-fraud-to-reach-nearly-5-billion-by-2024 (Accessed: January 8, 2025).
  31. Sumsub. (2024). Global deepfake incidents surge tenfold from 2022 to 2023. https://sumsub.com/newsroom/sumsub-research-global-deepfake-incidents-surge-tenfold-from-2022-to-2023/ (Accessed: December 28, 2024).
  32. Suprema Corte de Justicia de la Nación (SCJN). (2021). Tesis 1a./J. 17/2021 (10a.). Transferencias electrónicas. Carga de la prueba en casos de reclamación por operaciones no reconocidas. Semanario Judicial de la Federación, Décima Época.
  33. TransUnion. (2025). Money 20/20: What's behind the rise in synthetic identity fraud. https://www.transunion.com/blog/money-2020-whats-behind-rise-synthetic-identity-fraud (Accessed: January 18, 2025).
  34. Trend Micro. (2024, February 7). Deepfake CFO video calls result in $25MM in damages. Trend Micro Research. https://www.trendmicro.com/en_us/research/24/b/deepfake-video-calls.html (Accessed: December 12, 2024).
  35. UNESCO. (2025, October 27). Deepfakes and the crisis of knowing. UNESCO. https://www.unesco.org/en/articles/deepfakes-and-crisis-knowing (Accessed: January 30, 2025).
  36. Veriff. (2025). Identity fraud report 2025: Global trends in synthetic identity and deepfake attacks. Veriff.