When we began building identity technology a decade ago, our ambition wasn’t just to be another provider in a fast-growing market. We set out to do something much deeper: build trust in KYC in banking. Back then, the mission seemed straightforward yet demanding—distinguishing the real from the fake across any channel. Today, however, that trust is under an unprecedented, direct assault.
Securing digital identity in today’s financial sector no longer depends on a single factor, but on an unbreakable combination: verifying the person and the legitimacy of the device they are using. Over the last decade, facial biometrics became the gold standard for digital onboarding, based on the premise that a biometric match was synonymous with absolute security. But in an environment where identity is the primary attack surface, relying solely on a user’s biometric factor is insufficient if the channel itself has been compromised.
This need for change arises because generative AI has flipped the script. Today, 41% of cyberattacks already employ AI to fabricate synthetic identities in seconds, plunging us into a “fraud pandemic” with a global impact. Traditional biometrics were designed for a world of presentation attacks—like photos or masks—but today’s KYC fraud in banking is invisible, automated, scalable, and occurs directly within the data stream.
Attackers have evolved toward injection attacks, which bypass physical sensors and alter the digital flow between the device and the server, making even the most sophisticated liveness detection irrelevant if the integrity of the environment isn’t verified.
For banks and neobanks, this paradigm shift reveals an uncomfortable truth: “seeing is no longer believing.” Consequently, the question is no longer whether AI is smarter, but whether your assumptions about identity are still fit for purpose. If a system can be fooled by something that simply “looks” real, it’s because it was never truly verifying the reality of the interaction.
This forces a rethink of critical processes, such as bank account verification, to move from “Presumed Identity” to Trusted Digital Identity. The future of financial trust depends on a disciplined architecture that doesn’t just verify a face, but guarantees real human presence, channel integrity, and identity continuity throughout the entire customer lifecycle.
The End of “Presumed Identity” in KYC in Banking: Toward Channel Integrity
The sector’s great mistake has been inheriting identity signals from opaque consumer environments. Many banks rely on device-based biometrics (like FaceID), but these were designed to protect a phone, not to verify a legal or financial identity.
This new positioning suggests that trust does not lie in detecting ever-better fakes, but in establishing two proofs simultaneously:
- Proof of Real Human: Ensuring there is a physical person on the other end, not a synthetic data injection.
- Proof of Device Integrity: Ensuring the channel between the user and the bank has not been tampered with.
Comprehensive Trusted Digital Identity Strategy in the Customer Journey: Beyond Onboarding
For the financial institutions we partner with in highly regulated markets—such as the United States, Mexico, Spain, or Argentina—digital onboarding is no longer an isolated process. Our experience managing identity in these complex environments has allowed us to develop over 60 different use cases covering the entire customer lifecycle. This proves that today’s market demands that banking KYC evolve from a one-time check at the front door to an active defense architecture at every stage of the journey.
1. Account Opening and Bank Account Verification
The first point of friction, and arguably the most critical, is account creation. A robust verification process must absorb regulatory complexity without sacrificing user experience.
- Injection Detection: While traditional systems focus solely on the camera, Veridas protects the data flow to neutralize injection attacks that attempt to spoof identity using synthetic media.
- Proven Accuracy: Technology must be backed by international standards; our solutions offer leading performance in NIST testing (1:1 FRTE), ensuring the user is who they claim to be with minimal friction.
- iBeta PAD Certification (Level 1 & 2): In an environment of industrialized fraud, liveness detection is a non-negotiable requirement. We hold the most demanding certifications (ISO 30107-3), ensuring the system accurately distinguishes between a real person and any physical or digital spoofing attempt.
- Auditable Compliance: We enable banking KYC to meet global regulations such as GDPR, PSD3, and AMLR, providing explainable and auditable systems that align with supervisory expectations.
2. Facial Authentication for Transactional Operations
Security cannot end after registration. “Presumed identity,” based on unverified device signals, is one of the greatest vulnerabilities in modern banking.
- Identity Continuity: Implementing Facial Authentication for high-value transfers or credential changes ensures that the person operating the account is the same person verified during onboarding.
- Replacing Legacy Methods: The future of the sector lies in eliminating dependence on easily intercepted passwords or SMS, replacing them with proof of real presence and channel integrity.
- Trusted Device Securization: This is a pillar we are already deploying with massive success at leading institutions like BBVA. The goal is to secure native device unlock patterns by linking them directly to a real identity previously verified by the bank.
- Reusable Trust via Verifiable Credentials: The true qualitative leap lies in using Sovereign Identity (SSI) to remove the need to constantly re-verify the user.
Regulatory Adaptation and Global Reach: Compliance as a Business Driver
Operating in a global financial environment requires an architecture that not only understands but anticipates the regulatory particulars of each region.
- Europe (Spain, Italy, UK, etc.): Total alignment with GDPR and PSD3/AMLR, and readiness for eIDAS2.
- North America (USA and Canada): Aligned with FinCEN standards and NIST accuracy criteria.
- Latin America (Mexico, Brazil, etc.): Proven track record with CNBV regulations and emerging Open Finance ecosystems.
Technical Innovation for Compliance: Renewable Biometric References (RBR)
A key technical differentiator is our adoption of ISO standards through Renewable Biometric References (RBR):
- Revocability and Reissuance: References can be revoked and reissued if an identity is compromised.
- Privacy by Design: Prevents user tracking across different contexts.
- Data Governance: Empowers organizations to own the identity they manage.
Critical Infrastructure and Mass Processing Capability
- High-Demand Performance: Capable of managing over 190,000 verification processes per day for a single client.
- Resilience Against Operational Peaks: Prepared for peaks of over 600 validations per minute.
- High Availability and Speed: Validations completed in less than thirty seconds.
Reality as a Non-Negotiable System Requirement
The future of banking does not belong to those who simply accumulate disconnected defense tools, but to those who adopt a Trusted Digital Identity architecture. This involves moving from a presumed identity to an established identity, protected end-to-end against injection attacks.
In an environment where “seeing is no longer believing,” the ability to verify human presence and channel integrity in real-time will mark the difference between fragility and operational resilience.
- Global and Regional Banking: BBVA, CaixaBank, Banco BPM, Scotiabank, Sumitomo Mitsui Banking, and Ameriabank.
- Fintech and Credit: IDFinance, Aplazame, Ford Credit, Sunstate Bank, and Afirme.
- Inclusion and Financial Services: Financiera Confianza and Carrefour.
Veridas technology establishes the foundations for a financial ecosystem where identity is sovereign, auditable, and, above all, real.
Frequently Asked Questions about KYC in Banking
Why is biometrics alone no longer enough for KYC in banking?
Generative AI and synthetic media have made it possible to bypass traditional biometric checks via injection attacks. Modern KYC in banking now requires verifying not just the face, but also the integrity of the digital channel to ensure the data hasn’t been tampered with.
What is an injection attack in identity verification?
An injection attack bypasses the physical camera of a device to insert synthetic media or deepfakes directly into the data stream. This allows attackers to spoof “liveness” tests that only look at the image without verifying the device’s integrity.
How does Veridas ensure compliance with global regulations?
Veridas provides an identity orchestration platform that aligns with GDPR, PSD3, and AMLR. Our technology is NIST-certified and meets iBeta PAD Level 1 & 2 standards, ensuring that banking KYC processes are auditable and secure.
What are Renewable Biometric References (RBR)?
Based on ISO standards, RBRs allow biometric data to be revoked and reissued if an identity is compromised, much like a credit card. This ensures privacy by design and prevents long-term identity theft in financial ecosystems.

