The most expensive fraud is often seeded at onboarding, where a believable applicant can sit quietly until the profile is ready to cash out.
WASHINGTON, DC. Synthetic identity fraud remains one of the most expensive and least intuitive threats in modern financial services because it rarely begins with the obvious signs people associate with fraud. There is no frantic customer calling to report that an account was hijacked. There is no immediately disputed payment, no glaring mismatch that forces an urgent investigation, and often no single victim who can explain what went wrong. Instead, the fraud arrives wearing the uniform of normal business. It looks like a new applicant.
That is the core reason banks and fintechs are still struggling with it in 2026. Synthetic identity fraud does not usually barge into the system. It is welcomed in.
The profile may include a real Social Security number or another genuine identity element mixed with a false name, a fresh email address, a working phone number, a plausible mailing address, and just enough coherence to survive standard checks. It may be thin, but it is not obviously broken. It may be unfamiliar, but it does not necessarily look suspicious. At onboarding, that is often enough.
As the Boston Fed has warned in its discussion of synthetic identity fraud and generative AI, this type of fraud is fast-growing and costly precisely because criminals use fake but believable identities to open accounts and gain access to the banking system itself. That is what makes the threat different from more traditional forms of identity theft. The fraudster is not always trying to break into an existing relationship. Very often, the fraudster is trying to build one from scratch.
The fraud works best when it behaves like a cautious customer.
That is the part financial institutions still find hardest to manage.
A synthetic identity is not always designed for an immediate smash-and-grab. In many cases, it is built for patience. The account opens quietly. Activity starts small. Payments may be timely. Credit use may be restrained. The profile may look exactly like the kind of thin-file or newly established customer a lender or fintech would normally want to cultivate. For a while, the synthetic identity can appear healthier than some legitimate customers.
That patience is not a side effect. It is the strategy.
The fraudster is trying to move the profile from unknown to trusted. Once that happens, the economics change. A quiet account can later support a larger credit draw, a linked product, a payment flow, a deposit relationship, a digital wallet, or a cluster of connected transactions that would not have been available at the beginning. By the time the institution realizes the customer was never fully real, the losses may already be spread across multiple channels.
This is why synthetic identity fraud so often becomes one of the costliest fraud categories. It does not just exploit a single transaction. It exploits the trust-building process itself.
Onboarding remains the weakest moment because the institution knows the least.
Banks and fintechs are under pressure to approve legitimate customers quickly. That pressure is commercial, competitive, and operational. Nobody wants a friction-heavy onboarding experience that drives away real users, especially in markets where signup speed, app adoption, and seamless approval are treated as part of the product. But that same urgency is what makes onboarding such fertile ground for synthetic fraud.
At the moment of application, the institution knows very little about the person in front of it. The applicant has not yet developed a transaction history with that institution. There is no internal relationship record. There may be limited third-party data, limited behavioral context, and limited time for deeper review. The bank or fintech is being asked to decide, very quickly, whether a profile that looks coherent is also genuine.
That is a dangerous moment to rely too heavily on static checks.
A fake identity built from mixed real and invented data can pass those checks more easily than many executives would like to admit. The phone number works. The address resolves. The name format looks normal. The device behavior does not immediately trigger a block. The document image appears usable. Nothing may be perfect, but nothing may look broken enough to justify rejection.
The institution sees a possible new customer. The fraudster sees a possible long-term revenue extraction point.
Synthetic identity fraud hides in the gap between identity verification and intent verification.
This is one of the most important distinctions in the current fraud environment.
A bank can verify that an applicant has provided information that appears structurally valid. It is much harder to verify whether the identity behind that structure should exist in the way it is being presented. That is where synthetic fraud thrives. It can satisfy form without satisfying truth.
This is also why the problem has become more difficult in the age of AI-assisted fraud. Criminals no longer need to improvise every element by hand. They can standardize applications, produce cleaner narratives, build more plausible digital footprints, and reduce the clumsy mistakes that once exposed fake applicants early. A synthetic identity no longer has to look rough around the edges. It can look polished, ordinary, and commercially promising.
That change matters because many onboarding systems were built to catch inconsistency, not sophistication. They are still strong against crude fraud. They are less comfortable when the fraud arrives tidy, disciplined, and patient.
The most expensive losses often appear late enough to be misread.
By the time a synthetic identity finally fails, the case may no longer look like onboarding fraud at all.
It may show up as a credit loss. It may show up as collections. It may show up as a defaulted card, a drained deposit product, or a money-movement pattern that seems suspicious only in hindsight. In some organizations, those outcomes are still classified more like bad credit or portfolio deterioration than fraud. That accounting habit can hide the true scale of the problem.
When synthetic identity risk is mislabeled, institutions end up studying the wrong part of the event. They focus on the default instead of the admission. They focus on the charge-off instead of the approval. They focus on the late-stage loss rather than the moment the fake applicant first entered the system.
That is one reason the problem can look smaller on paper than it feels in practice. The fraud often sits inside ordinary business metrics until it is already expensive.
Banks and fintechs share the same exposure, but they feel it differently.
Traditional banks often experience synthetic identity fraud through credit cards, unsecured lending, deposit accounts, and downstream collections. Fintechs often feel the pressure through rapid onboarding, remote account opening, instant payment products, digital wallets, and a higher tolerance for user-growth friction trade-offs. But the weakness underneath is the same.
Both sectors are being asked to make trust decisions quickly. Both are operating in environments where remote verification is now standard. Both are trying to balance fraud prevention with conversion. And both are increasingly dealing with applicants who are not merely using stolen details, but manufacturing believable customer identities that can survive long enough to mature.
In some ways, fintechs have a harder version of the problem because the customer journey is built around speed. In other ways, banks face a more expensive version because a well-seeded synthetic profile can gain access to deeper credit exposure over time. But neither side has a clean escape from the risk.
The front door is digital for everyone now. That means synthetic identity risk is, to a significant degree, universal.
The fraud does not rely on one fake element. It relies on a believable package.
This is why stronger document checks, by themselves, have not solved the problem.
A synthetic profile may be supported by breached personal data, a credible contact trail, a low-friction device pattern, staged activity, and a document image or account behavior that looks ordinary enough to keep moving. Fraudsters do not always need every piece to be flawless. They need the entire package to appear coherent long enough to clear the right thresholds.
That makes synthetic identity fraud especially resilient. If one institution strengthens document review, the fraud can lean more heavily on better data. If another institution becomes more skeptical of thin-file borrowers, the fraud can age accounts longer before acting. If a platform adds more friction to onboarding, the attackers can move to targets that still prioritize speed.
The problem keeps shifting because it is adaptive.
Recent financial-sector warning signs point in the same direction.
Even outside the narrow synthetic identity conversation, the broader fraud climate has been moving against financial institutions. As a recent Reuters analysis of rising legal and compliance pressure on U.S. financial institutions over modern scam losses made clear, banks are facing growing scrutiny not only for direct unauthorized fraud but for the warning signs they miss before losses metastasize. That article focused on a different fraud category, but the lesson travels. Hidden intent is becoming a larger liability problem for banks.
Synthetic identity fraud fits that pattern almost perfectly.
The account may look fine while it is being cultivated. The transaction pattern may not trigger immediate alarms. The institution may tell itself that everything appears green. Then the fraud ripens, and suddenly the question is not just how the loss occurred, but why the profile was accepted and trusted for so long in the first place.
That is where synthetic identity cases become uncomfortable. They force institutions to confront the fact that many of their strongest controls are still designed around known customers, not unknown applicants.
Why patient fraud keeps beating reactive controls.
Most financial institutions still investigate best when there is an event. A dispute. A complaint. A flagged transaction. A clear anomaly. Synthetic identity fraud often wins because it delays that event until the profile is stronger.
By the time something visibly bad happens, the fake identity may already have accumulated internal credibility. It may have crossed multiple product lines. It may have been scored, reviewed, and re-reviewed as a good customer. Every month that passes without a problem becomes part of the fraudster’s leverage.
This is what makes the threat so psychologically effective. Institutions are conditioned to trust relationships that appear stable over time. Synthetic identity fraud turns that instinct against them.
The fraud does not need to outrun every control forever. It only needs to get through the most uncertain stage, then act normal long enough for the institution to start trusting its own earlier decision.
The rise of believable fraud is changing the economics of approval.
That is where the next real challenge lies.
Every additional control at onboarding can reduce conversion. Every softer experience can increase fraud exposure. Every request for more proof can lose a legitimate customer. Every effort to make the signup process frictionless can make the platform more attractive to synthetic applicants. The commercial tension is not going away.
What has changed is that the cost of a false approval has become harder to ignore.
A bad application used to mean a bad account. Now it can mean a future cluster of losses, linked products, downstream compliance problems, and long-lived financial exposure. The approval decision is no longer just about revenue opportunity. It is also about whether the institution is quietly admitting a fabricated customer into its trust system.
That is why synthetic identity fraud is now as much a strategy problem as a fraud problem. It sits at the intersection of risk, growth, product design, and customer experience.
The legal distinction still matters as the market gets more sophisticated.
As more people search online for ways to “start over,” “get a new identity,” or find some kind of workaround to financial or personal pressure, it becomes even more important to distinguish criminal identity fabrication from lawful identity planning. Synthetic identity fraud is built on deception, false linkage, misused personal data, and hidden intent. A lawful change of name, a legitimate second citizenship process, or a compliant restructuring of civil status is something very different.
That difference matters because criminal sellers increasingly borrow the language of privacy, reinvention, and fresh starts to market illegal shortcuts. A lawful advisory firm such as Amicus International Consulting operates in a different category entirely, one based on documented legal process rather than fabricated applicants or manipulated onboarding. In 2026, confusing those two worlds is one of the fastest ways for desperate or curious consumers to drift into fraud exposure.
The hardest fraud to stop is the one that earns trust before it steals.
That is the central lesson for banks and fintechs in 2026.
Synthetic identity fraud remains so damaging because it does not demand instant success. It is willing to wait. It enters as a plausible applicant, behaves like a manageable customer, accumulates trust, and then monetizes that trust once the relationship is strong enough. The institution does not lose simply because a fraudster lied on day one. It loses because the lie was allowed to mature into a customer relationship.
That is why the problem keeps surviving each new wave of controls. The fraud is not just targeting systems. It is targeting judgment, process, and patience.
Banks and fintechs are still struggling because the synthetic applicant is often easiest to approve at exactly the moment when the institution knows the least and wants growth the most. That structural weakness has not disappeared. It has simply become more expensive.
And until financial institutions get better at spotting the believable fiction before it becomes a trusted profile, synthetic identity fraud will remain one of the quietest ways to plant a future loss inside the system.