Proof that the Single-Verification Model is Breaking
The FATF’s Digital Identity Guidance instructs regulated entities that identity assurance should be risk-proportionate and subject to reassessment across the customer lifecycle, not fixed at onboarding. Synthetic identity fraud routinely passes first-time KYC because every individual data point checks out. It only fails when someone looks at the pattern of behaviour afterward.
Deepfake-assisted onboarding adds to the pressure. Even biometrically strong verification can be defeated if it lacks liveness checks against known presentation attacks. The US Department of Homeland Security’s Remote Identity Validation Technology Demonstration has shown that many systems that clear paper certifications still fail in the end.
A customer’s “verified” status at onboarding tells you almost nothing about their risk one year in.
Where do most existing solutions fall short in identifying fraud?
Three patterns come up repeatedly in fraud post-mortems:
- Static KYC scoring. Scored once, flagged green, never updated unless a human makes the effort to reset it. Shared devices, compromised credentials and behavioural drift don’t show up.
- Siloed fraud and compliance tools. The KYC system says the customer is legitimate; the fraud engine says the session looks wrong. Nothing stitches the two views together.
- No feedback loop from ongoing AML. A PEP status changes, a sanction is added, a new adverse media hit appears, and the data sits in a batch report nobody reads until the quarterly review.
Reassurance closes such gaps by treating identity confidence as a live variable, not a line item in the KYC file.
What signals build an identity confidence score?
An identity confidence score condenses signals into a number or band (Low / Medium / High / Very High, following GPG 45, or a 0–100 score) that downstream systems are able to act on.
Five signal groups feed it:
- Document and biometric evidence from the original verification: type, issuer, tamper checks, selfie-to-document match.
- Database and eID corroboration. eIDV checks against government registries, credit bureaus, and national eID schemes return a confirmation in seconds.
- Behavioural and device signals: login geography, device fingerprint, session velocity. A sudden shift from a Frankfurt iPhone to a Lagos Android at 3 am is a reassurance event, not just a fraud alert.
- Ongoing screening results: sanctions, PEP, and adverse media updates from continuous AML screening.
- Re-verification triggers: step-up biometric checks at high-risk moments (new beneficiary, large transfer, credential reset).
No single signal is decisive. Reassurance is the weighting that reflects real risk without punishing legitimate customers for a new phone.
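A minimal sketch of how the five signal groups above could be weighted into one score, a GPG 45-style band, a step-up decision and an audit trail. This is an added example, not Shufti's code or any standard's formula; the field names, weights, half-life and band thresholds are all illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# All weights, the half-life and the band floors are illustrative assumptions,
# not values taken from GPG 45, NIST SP 800-63 or any vendor.
BANDS = [(85, "Very High"), (65, "High"), (40, "Medium"), (0, "Low")]
HIGH_RISK_EVENTS = {"new_beneficiary", "large_transfer", "credential_reset"}

@dataclass
class Signals:                          # constructed input shape, one field per signal
    proofing_strength: float            # 0-1: document + biometric evidence at onboarding
    days_since_proofing: int
    eidv_confirmed: bool                # database / eID corroboration
    new_device: bool                    # behavioural and device signals
    new_country: bool
    screening_hits: int                 # open sanctions / PEP / adverse media hits
    days_since_stepup: Optional[int] = None   # last successful step-up, if any
    event: str = "login"

def confidence(s: Signals, half_life_days: int = 365):
    """Return (score 0-100, band, step_up_required, audit trail of score moves)."""
    trail = []
    def move(reason, delta):
        trail.append((reason, round(delta, 1)))
        return delta
    # Original proofing decays with age instead of staying green forever.
    decay = 0.5 ** (s.days_since_proofing / half_life_days)
    score = move("proofing (age-decayed)", 60 * s.proofing_strength * decay)
    if s.eidv_confirmed:
        score += move("eIDV corroboration", 20)
    if s.days_since_stepup is not None and s.days_since_stepup <= 30:
        score += move("recent step-up passed", 25)
    # A new phone alone costs little; new device and new country together cost more.
    if s.new_device and s.new_country:
        score += move("new device + new country", -25)
    elif s.new_device or s.new_country:
        score += move("single context change", -5)
    if s.screening_hits:
        score += move("open screening hits", -30 * min(s.screening_hits, 2))
    score = max(0.0, min(100.0, score))
    band = next(name for floor, name in BANDS if score >= floor)
    # Step-up fires only at high-risk moments when confidence is below the High floor.
    step_up = s.event in HIGH_RISK_EVENTS and score < 65
    return round(score, 1), band, step_up, trail
```

The returned trail lists each signal with the amount it moved the score, which is the evidence a reviewer would ask for when questioning why an old verification is still trusted.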
Which industries need this most?
Digital banks and fintechs onboard remotely and face the full weight of payments fraud. Crypto exchanges deal with irreversible transactions under MiCA and the FATF Travel Rule. Gambling operators face age-assurance obligations that can shift mid-session. Insurers and lenders have long relationships where identity attributes drift.
The EU’s eIDAS 2.0 regulation and its incoming Digital Identity Wallet already treat identity as a reusable, continually attested credential. Reassurance is where regulation is moving.
How Shufti builds reassurance into a single platform
Shufti’s identity verification platform was designed for the lifecycle, not just the front door. Businesses can start with onboarding and extend into reassurance without replatforming.
- Initial proofing. Document verification, biometric selfie match, and face verification with liveness detection establish an IAL2 or IAL3-equivalent starting assurance. Shufti’s biometric engine is iBeta Level 1 and Level 2 certified and was a DHS RIVR 2025 Top Performer.
- Database and eID corroboration. eIDV Pro covers 85+ countries passively and 30+ national eID schemes actively, returning a sub-3-second confirmation.
- Ongoing AML. Continuous screening against 3,500+ watchlists, 2.6 million PEP profiles, and 50,000+ adverse media sources keeps the confidence score current.
- Step-up verification. FastID handles reusable identity for returning users, and risk-triggered re-verification fires a biometric or document check when an event warrants it — not on every login.
- Risk scoring. User Risk Assessment rolls the signals into one score that plugs into downstream fraud, transaction monitoring, and KYC workflows.
Compliance and fraud teams stop arguing over which system “owns” the customer. They share one score, updated in near real time, with a full audit trail of which signals moved it.
Measuring reassurance, and where to start
You don’t need to rebuild your identity stack. Three questions tell most teams where the gaps are:
- If a customer’s PEP or sanction status changed tomorrow, how long until your systems reflect it?
- When a user logs in from a new country and initiates a large transfer, does any system combine their KYC status with the session risk?
- If a regulator asked why you still trust a two-year-old verification, what evidence would you hand over?
If the honest answers are “weeks,” “no,” and “not much,” reassurance is the next investment, not another point solution.
Shufti’s platform answers all three with a single integration. To see what a live confidence score looks like against your own onboarding flow, request a demo or discuss a tailored assessment for your banking or fraud prevention use case.
Frequently Asked Questions
What is identity reassurance in KYC?
It is the ongoing confidence a regulated business holds in a customer's identity after the initial KYC check. Where KYC verifies identity at onboarding, reassurance keeps that verification current through continuous AML screening, behavioural signals, and step-up biometrics.
How is identity reassurance different from identity verification?
Verification is a single event. Reassurance is a running state. Verification asks "is this person who they claim to be right now?" Reassurance asks "are we still confident in that answer a month or a transaction later?"
How is identity reassurance different from identity assurance?
Assurance is the confidence level produced by a verification, usually graded against NIST IAL or UK GPG 45. Reassurance is that assurance level maintained and updated over time. Assurance is a snapshot; reassurance is a video.
What are the different levels of identity assurance?
NIST SP 800-63-3 defines three levels: IAL1 (self-asserted), IAL2 (remote proofing with evidence), and IAL3 (supervised proofing with biometric binding). UK GPG 45 uses Low, Medium, High, and Very High. EU eIDAS recognises Low, Substantial, and High.
How do you measure identity reassurance?
Through a confidence score that combines original proofing strength, eIDV corroboration, ongoing AML results, device and behavioural signals, and step-up verification outcomes. Scores are usually expressed on a 0–100 scale or in GPG 45 bands.
Why is identity reassurance important for digital banking?
Digital banks onboard at volume and transact in real time. They face account takeover and synthetic identity fraud at rates legacy KYC can't catch. Reassurance separates a customer who was trustworthy six months ago from one who still is.
How does identity reassurance prevent fraud at onboarding?
At onboarding it shows up as layered verification: document checks, biometric liveness, eIDV corroboration, and sanctions screening combined into a single confidence band rather than a pass/fail. That layering blocks synthetic identities and deepfake-assisted applications.
What signals are used to build identity reassurance?
Document and biometric evidence, eIDV database checks, behavioural and device telemetry, ongoing AML hits, and step-up verification outcomes, combined in Shufti's user risk assessment.
Which industries need the highest level of identity reassurance?
Banking, crypto, payments, lending, regulated gambling, and insurance. Any sector with irreversible transactions or heavy AML exposure operates near the IAL3 / GPG 45 Very High end.
