June 2, 2026 · PalmAI-ProductTeam

Deepfake-Era KYC: Why Documents and Selfies are No Longer Enough

TL;DR

In March 2026, the Association of Certified Fraud Examiners and SAS surveyed 713 anti-fraud professionals across eight regions about AI-driven fraud. The headline finding was uncomfortable: only 7% said their organization was more than moderately prepared to detect or prevent it. In the same window, 77% reported a sharp rise in deepfake social engineering, and 75% reported the same for AI-generated document forgery. The era when KYC identity verification could rely on a document scan and a selfie is closing.

KYC identity verification is the process banks and regulated platforms use to confirm that a digital user is a real, unique, authorized human being. In 2026, the document-plus-selfie pattern that powered KYC for a decade is failing in measurable ways: injection attacks against face liveness rose 783% in 2024 alone, and the World Economic Forum has formally documented that face-swap and camera-injection tools are now sold as commodity software. This article explains what's changing, which deepfake detection tools banks are deploying in response, and where a non-camera biometric layer fits in a deepfake-resistant KYC stack.


Who This Article Is For

This guide is written for:

  • Bank fraud and compliance officers evaluating their 2026 KYC stack
  • Fintech product leaders facing rising synthetic identity fraud
  • Security architects designing layered identity defenses
  • Vendors and integrators comparing deepfake detection tools

Why 2026 KYC Looks Different from 2023 KYC

For most of the last decade, KYC identity verification meant two things in sequence: a photo of a government-issued ID, and a selfie or short video to match that ID. Generative AI has broken both halves of that pattern at the same time.

The World Economic Forum's January 2026 paper Unmasking Cybercrime — co-authored with Banco Santander and Group-IB — frames the shift in three layers:

  • Individual level: synthetic identities used to open accounts, take out loans, or move money under another person's name
  • Organizational level: deepfaked executives authorizing fraudulent wire transfers, attackers bypassing remote onboarding controls
  • Systemic level: erosion of trust in digital commerce and the integrity of regulated financial ecosystems

The 2026 Anti-Fraud Technology Benchmarking Report from the Association of Certified Fraud Examiners (ACFE) and SAS — based on a survey of 713 fraud professionals across eight regions — quantifies how fast this is moving:

  • 77% of respondents reported a noticeable increase in deepfake social engineering over the past two years
  • 75% reported the same for generative-AI document fraud and forgery
  • 72% reported increases specifically in deepfake digital injection attacks
  • 55% expect deepfake social engineering to increase significantly over the next 24 months

PwC's February 2026 fraud-trend analysis put the operational reality plainly: "fast, frictionless digital onboarding prioritizes convenience over thoroughness," and the document-plus-selfie pattern "can be bypassed by AI-generated deepfakes." The era of trusting that a webcam stream represents a real, present human is over.


How Deepfakes Bypass Document and Selfie KYC

The WEF report describes a now-standardized three-stage attack chain that did not exist commercially three years ago:

  1. Document misuse or forging — a real, stolen, or AI-generated identity document is prepared
  2. Face swapping — high-quality face-swap tools generate a synthetic face that matches the document
  3. Camera feed substitution — a camera-injection tool replaces the device's real webcam stream with the synthetic feed before the KYC system ever sees it

Researchers evaluated 17 face-swapping tools and 8 camera-injection tools sourced from open forums between mid-2024 and early 2025. Three findings stand out for any bank running remote onboarding:

  • Camera-injection tools are now sold as commodity software at prices ranging from roughly USD 25-3,000.
  • Of the 17 face-swapping tools tested, 5 demonstrated genuine real-time capability, and 3 of those had virtual-camera injection paths suitable for live verification flows. Roughly one in six tools surveyed is already KYC-bypass-grade.
  • Independent industry data confirms the trend at scale: iProov reported a 783% increase in injection attacks in 2024, and Jumio reported an 88% year-over-year rise in 2025.

Pindrop's 2025 Voice Intelligence and Security Report shows the audio side scaling just as fast. Voice-deepfake attacks against contact centers grew 680% year-over-year in 2024, with synthetic voice fraud up 149% in banks and 475% in insurance. The Sumsub research cited by the WEF found that global deepfake incidents had already increased tenfold between 2022 and 2023.

The point is not that any single attack always succeeds. The point is that the cost of attempting a deepfake-driven KYC bypass has fallen to roughly the price of a mid-range smartphone, while the volume of attempts is rising in triple digits per year.


Deepfake Detection Tools: What Banks Are Deploying in 2026

Banks and KYC vendors are not standing still. The ACFE/SAS 2026 report and the WEF paper together describe a layered detection stack with the following components:

Deepfake detection tools and biometric layers in 2026 KYC stacks
| Layer | What it does | Strength | Limitation |
|---|---|---|---|
| Active liveness (challenge–response) | Asks the user to blink, turn, or follow a prompt | Cheap, well-understood, widely deployed | High-fidelity real-time face swaps can pass simple prompts |
| Passive liveness (texture and depth) | Analyzes single-frame artefacts and skin texture | Frictionless for the user | Locked in an arms race with generative models |
| Injection-attack detection | Inspects camera path, virtual-device drivers, and stream integrity | Catches synthetic feeds before they reach the matcher | Requires SDK-level integration; browser flows remain weaker |
| Document forensics | Detects AI-generated or tampered identity documents | Targets the root of the synthetic-identity problem | Cannot prove the document holder is the person presenting it |
| Behavioural biometrics | Reads typing rhythm, device handling, navigation patterns | Continuous signal beyond the onboarding moment | Probabilistic; not an identity-grade match on its own |
| Subcutaneous biometrics (palm vein) | Reads vein pattern under the skin via near-infrared light | Not visible to any camera; no public training dataset exists | Requires dedicated hardware at the verification point |

The same ACFE/SAS survey shows where banks have actually invested. Physical biometrics are now the most widely adopted emerging anti-fraud technology at 45% adoption — up from 34% in 2022. Generative AI is at 16% current use with 58% planning future deployment. Agentic AI, despite the headlines, sits at 8% current use, with 31% expecting deployment by 2028. Biometric layering is no longer an aspiration; it is the baseline.


Why Detection Improvements Alone Aren't Enough

A pattern is visible across the WEF, ACFE/SAS, and PwC reports: every improvement in face-based liveness detection triggers a corresponding improvement in face-based attack tools. The WEF paper forecasts this explicitly — its fourth threat trajectory predicts that injection attacks will escalate as active liveness adoption grows.

This is the classic shape of a single-modality arms race. As long as the verification signal and the attack surface share the same physical layer (a camera capturing a face), the attacker only needs to produce convincing camera output to win.

The structurally different question is whether the verification signal can come from a layer the camera cannot see at all.


Why Subcutaneous Biometrics Are a Different Attack Surface

Palm vein recognition is a contactless biometric method that uses near-infrared light to image the unique vein pattern beneath the skin of a person's palm. Hemoglobin in the veins absorbs the infrared signal; everything else reflects it. The captured pattern is then matched against an enrolled template.

Three properties make palm vein recognition structurally different from face-based modalities for the deepfake threat model:

  1. Not visible to a camera. Palm vein patterns sit under the skin and are only revealed through specific near-infrared wavelengths. There is no consumer photograph, social-media image, or video frame from which the pattern can be reconstructed.
  2. No public dataset to train against. Generative attacks against face biometrics are powered by billions of publicly available face images. Palm vein has no equivalent open dataset, which means the standard "scrape data, train a generator, output a deepfake" pipeline has nothing to train on.
  3. Requires physical presence in a specific position. A palm vein scan requires the actual hand, in the actual sensor's field of view, oriented to the sensor — none of which can be reproduced through a substituted camera feed.

This is not a claim that palm vein is unhackable. It is a claim that palm vein operates on a different physical layer, which means a successful attack against face liveness does not transfer to palm vein. For a layered defense, that is exactly the property that matters.


Where Palm Recognition Fits in a Bank's KYC Stack

Palm recognition does not replace document KYC, face liveness, or behavioral biometrics. It complements them at three specific points:

  • High-value account opening. After document and face checks complete, a palm enrollment binds the account to a verifiable physical biometric that cannot be reconstructed from public data. Tencent PalmAI's KYCMax is built for this binding step.
  • Step-up authentication for high-risk transactions. When a transaction triggers a velocity, geography, or amount threshold, a palm scan provides an identity-grade check that supplements the existing face or passkey verification used at login. PayMax is designed for this transaction-level use case.
  • Cross-channel identity continuity. The same palm template can be used at branch kiosks, ATMs, and in-app verification — useful for institutions converging digital and physical channels across multiple regulated industries.

The use case is not "replace your face verification vendor." It is "add a layer your face verification vendor structurally cannot provide."


Limitations and Considerations

Honest evaluation matters more than enthusiasm. Palm recognition has real constraints that procurement teams should weigh:

  • It requires hardware at the verification point. Palm vein cannot be captured by an ordinary smartphone camera; deployments need dedicated near-infrared sensors at branches, ATMs, kiosks, or partnered points of sale.
  • It is not a remote-only solution. Enrollment requires the user to be physically present at a sensor at least once. Fully remote, app-only KYC flows cannot use palm vein as their primary biometric.
  • Regulatory mapping is newer than face. Most data-protection authorities have well-developed guidance on face biometrics. Palm vein falls under the same categories (special-category personal data under GDPR, biometric data under most national frameworks), but specific implementation guidance is less mature, and compliance teams should confirm mapping with their DPO before deployment.
  • It is an additional layer, not a replacement. Document KYC, sanctions screening, and face liveness still do work palm recognition does not. Layered defense means more verification, not less.

Identity Theft Prevention: A 2026 Layered Approach

The WEF, ACFE/SAS, and PwC reports converge on the same recommendation: no single deepfake detection tool will be sufficient on its own. Effective identity theft prevention in 2026 looks like this:

  1. Don't pick one tool — combine three or more layers. Document forensics, face liveness with injection-attack detection, behavioural biometrics, and an identity-grade biometric for high-value events.
  2. Score the camera path, not just the camera output. WEF's vendor recommendations focus heavily on detecting virtual cameras, mid-session device swaps, and SDK integrity — signals from the transport layer, not just the image.
  3. Add modality diversity for high-risk events. When a transaction or account action exceeds a defined risk threshold, escalate to a verification signal the attacker's deepfake stack cannot reproduce.
  4. Move from one-time to continuous verification. PwC's analysis is unambiguous: "monitoring cannot stop at onboarding." Re-verify at risk-trigger moments, not only at account opening.
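
The four recommendations above, combined into one decision function. This is an added example, not code from the cited reports or from Tencent PalmAI; every field name, threshold and decision label is an assumption made for illustration.

```python
from dataclasses import dataclass

# Every field name, threshold and decision label is an assumption for illustration.
@dataclass
class Session:
    doc_forensics_ok: bool       # document forensics found no tampering
    face_match: float            # 0..1 matcher score on the camera output
    liveness_ok: bool            # active/passive liveness verdict
    virtual_camera: bool         # camera path: virtual-device driver present
    device_swapped: bool         # camera path: capture device changed mid-session
    sdk_intact: bool             # camera path: capture SDK integrity check passed
    behaviour_risk: float = 0.0  # 0..1 behavioural-biometrics anomaly score
    amount: float = 0.0          # value of the action being authorised
    new_geography: bool = False
    tx_last_hour: int = 0

FACE_MIN, BEHAVIOUR_MAX = 0.90, 0.70          # constructed thresholds
AMOUNT_LIMIT, VELOCITY_LIMIT = 10_000.0, 5

def camera_path_trusted(s: Session) -> bool:
    """Score the transport layer independently of how good the image looks."""
    return s.sdk_intact and not s.virtual_camera and not s.device_swapped

def risk_triggers(s: Session) -> list[str]:
    """Risk-trigger moments that call for re-verification after onboarding."""
    checks = [("amount", s.amount > AMOUNT_LIMIT),
              ("geography", s.new_geography),
              ("velocity", s.tx_last_hour > VELOCITY_LIMIT),
              ("behaviour", s.behaviour_risk > BEHAVIOUR_MAX)]
    return [name for name, hit in checks if hit]

def decide(s: Session) -> tuple[str, list[str]]:
    if not s.doc_forensics_ok:
        return "reject", ["document_forensics"]
    if not camera_path_trusted(s):
        # A high face score proves nothing if the stream may be substituted,
        # so the face result is discarded and a non-camera modality is required.
        return "step_up_non_camera", ["camera_path"]
    if not s.liveness_ok or s.face_match < FACE_MIN:
        return "reject", ["face"]
    triggers = risk_triggers(s)
    return ("step_up_non_camera", triggers) if triggers else ("approve", [])

# Constructed sessions: clean login, injected feed with a near-perfect face score,
# and a genuine user making a large transfer from a new location.
clean = Session(True, 0.97, True, False, False, True)
injected = Session(True, 0.99, True, True, False, True)
large_tx = Session(True, 0.96, True, False, False, True, amount=25_000, new_geography=True)
```

The `injected` session is the case a face-only stack misses: its matcher score is the highest of the three, and only the camera-path signal keeps it from being approved.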

For banks that have already invested heavily in face-based KYC, the highest-leverage 2026 upgrade is rarely a better face vendor. It is a second, structurally different verification signal at the moments that matter most.

Frequently Asked Questions

What is KYC identity verification, and why is it changing in 2026?

KYC identity verification is the process regulated institutions — banks, fintechs, crypto exchanges, online lenders — use to confirm that a customer is a real, unique, and authorized person before opening an account or executing high-value transactions. The 2026 shift is driven by generative AI: synthetic documents, real-time face swaps, and camera-injection tools have made the long-standing document-plus-selfie pattern bypassable at commodity prices, prompting a move toward layered defenses and modality diversity.

Can deepfakes really bypass face-based KYC today?

In specific conditions, yes. The WEF Unmasking Cybercrime paper documented that a meaningful subset of evaluated face-swap tools, when combined with virtual-camera injection, can defeat live verification in the right environment. iProov reported a 783% increase in injection attacks in 2024, and Jumio noted an 88% year-over-year rise in 2025. Detection has improved in parallel — but the risk is now real enough that Gartner predicted, in early 2024, that 30% of enterprises would consider standalone face-based identity verification unreliable by 2026, a prediction industry research now treats as the present.

How is palm recognition different from face liveness for fraud prevention?

Face liveness and palm recognition operate on different physical layers. Face liveness analyzes a camera stream of an external feature (the face) that is widely photographed and now generatively synthesizable. Palm vein recognition reads a feature beneath the skin, captured via near-infrared light, with no public dataset to train a generator on and no remote way to capture the pattern. The two are complementary, not interchangeable; layered KYC stacks increasingly use both.

What should a bank do first to upgrade its KYC against deepfakes?

The most cited first step in the 2026 reports is modality and signal diversity: add at least one verification layer that does not share the face-based attack surface. Practical priorities include injection-attack detection at the camera-path level, behavioral biometrics for continuous monitoring, and an identity-grade biometric for high-value events. Banks evaluating palm recognition for high-risk account opening or step-up authentication can review the KYCMax and PayMax deployment patterns, or use the contact form on this page to discuss specific KYC scenarios.

Is palm-based KYC compliant with GDPR and banking regulations?

Palm vein and palm print data are biometric data under GDPR Article 9 and equivalent provisions in most national frameworks (PDPA, LGPD, China's PIPL). Lawful processing typically requires explicit consent, a clear retention policy, and demonstrable necessity. Tencent PalmAI's deployment patterns are designed around privacy-by-design principles — including options for on-device template storage and no raw image retention — but specific compliance posture should be reviewed with the institution's data protection officer in the context of EU PSD3, the EU AI Act (fully enforceable from August 2026), and national banking regulators' biometric guidance.


About Tencent PalmAI

Tencent PalmAI is an AI-powered palm recognition service combining palm print and palm vein identification, protected by 90+ patents and validated through 20+ peer-reviewed conference papers. PalmAI products span identity verification (KYCMax), high-volume payment authentication (PayMax), edge access control (SmartLock), and offline enterprise deployment (Standard).

To evaluate palm recognition for deepfake-resistant KYC or step-up authentication in your institution, use the contact form on this page.

Learn more at palm.tencent.com

