10 Insights on Deepfake Fraud and Identity Security From Money 20/20 Europe

On June 4, I joined Thomas Rubens, Managing Partner at DN Capital, and Ahron Geminder, formerly Head of Global Digital Identity at HSBC, on the MoneyPot Stage at Money 20/20 Europe for a session called Fighting Deepfakes: A Bank's Year on the Front Line.

The conversation covered what it takes to defend against deepfake fraud at scale in 2026, from detection architecture to the regulatory gaps that leave most institutions exposed. Here are ten insights worth taking forward.

‍

‍

1. Fraud Losses Are Twofold

We know that organizations lose money to fraud. But they also lose good customers to the friction introduced by tedious identity verification (IDV) solutions. Although these are both fraud-related losses, they are documented very differently. Why? Because conversion losses from over-blocking almost never show up on a dashboard. This is interesting because, in some cases, friction can actually hurt the bottom line more than fraud itself. Until both sides of the ledger are visible, decision-makers will operate with half the necessary information.

2. Data is Key to Solving The Fraud vs. Conversion Tradeoff

Calibrating thresholds correctly requires knowing the full cost of a fraud incident and the full cost of a blocked legitimate user. Most institutions can't quantify both, so they're adjusting thresholds without the complete picture. In the absence of data, the instinct is to tighten. That instinct is understandable, but it's also incomplete. In order to truly understand what losses are stemming from direct fraud versus friction, organizations must find data about drop-off rates and pain points in their customer journey.

3. Banks Are Blocking 300-500 Deepfake Attempts Per Day

That figure came from Ahron Geminder, drawing on his experience building HSBC’s global digital identity platform. This is not a future risk being modeled. It's a current operational problem that teams are managing right now, at volume, every day.

‍

4. Layered Deepfake Defense Works Because Each Layer Fails Independently

Device integrity, session behavior, document authenticity, biometric liveness, network signals, and cross-customer intelligence are all vital for defending against deepfakes. When one layer fails, the others remain intact. An attacker who defeats one hasn't touched the rest. That structural independence is what makes it difficult for even the most sophisticated actors to beat at scale. A single model, no matter how good, doesn't have that property.

‍

‍

5. European eIDs Reduce Document Fraud Risk but Don't Eliminate Biometric Exposure

Electronic IDs reduce the document attack surface meaningfully. What they don't eliminate is the biometric binding step. At enrollment, an individual still needs to match a live selfie to the eID, and that step still requires liveness detection and deepfake detection. As document verification gets stronger, the biometric verification layer stays exposed if organizations don't address it. Solving one side without the other creates a gap attackers will find.

6. Machine Learning Models Outperform Human Fraud Reviewers by Roughly 8x

This statistic holds true for average reviewers and experts. Humans certainly have a role in IDV, but in all practicality it cannot be the first line of defense; rather, for technological innovation, edge cases, disputes, and judgment calls at the margins. To scale properly and improve fraud detection rates, the primary detection layer must remain automated.

7. Account Recovery Flows Are Where Synthetic Identities Re-Enter Financial Systems

Most institutions have hardened onboarding and left recovery running on SMS codes and knowledge-based questions. Synthetic identities incubate inside the system for weeks or months, then use recovery as re-entry. The most concrete action any fraud or identity team can take this week is to walk through their account recovery flow as an attacker. Similar patterns have surfaced at major platforms including Instagram. This is not an edge case.

8. Agentic AI Breaks Every Assumption the Identity Verification Stack Was Built On

Traditional verification stacks were built on one assumption: somewhere in the process, there’s a human. But agents don't have faces or government IDs. So, the question must shift from “who is this person?” to “Who owns this agent, what are they authorized to do, and is the session still within scope?”

9. Regulatory Frameworks for AI Fraud Are Already a Generation Behind the Threat

Regulators are just now getting up to speed on electronic signatures and eIDs. Agentic interactions and agentic fraud are not yet in the frame. The frameworks being built today are already behind the current threat, let alone where attacks are heading. Waiting for regulatory pressure to act is not a strategy. By the time that pressure arrives, the gap will be even harder to close.

10. The Gap Between Attack Sophistication and Institutional Readiness Will Get Worse Before It Gets Better

Attackers move in days. Banks move in quarters. Regulators move in years. That asymmetry doesn't resolve on its own. The organizations building the right fraud and identity infrastructure now will be in a fundamentally different position from the ones that wait.

‍

‍

Thank you to Thomas Rubens for moderating, to Ahron Geminder for bringing the operator's perspective so clearly, and to everyone who came to the MoneyPot Stage for what turned out to be a genuinely energizing conversation.

‍