The identity fraud problem in UK financial services is structurally more complex than the headline loss figures suggest. UK Finance's annual fraud report puts the overall figure in the billions for financial fraud including identity-related losses, but the specific challenge for financial institutions is less the scale of fraud in aggregate than the asymmetry between the cost of fraud prevention and the cost of false positives. A rules-based identity verification system that is calibrated to reject suspicious applications will, at any given sensitivity setting, reject both fraudulent applications and a proportion of legitimate ones. The cost of the false rejection — a genuine customer turned away, a relationship never formed, a lending or account application never completed — is harder to measure than the fraud loss but can be equally significant to a financial institution trying to grow its customer base.
The fundamental limitation of rules-based identity fraud detection is that it is trained on known fraud patterns. A rule that flags applications from IP addresses associated with previous fraud, or that triggers review when a device fingerprint has been seen across multiple applications in a short window, is effective against fraud actors reusing the same infrastructure. It is much less effective against first-time fraud attempts using clean infrastructure, against synthetic identity fraud using combinations of real and fabricated data, or against authorised push payment fraud where the genuine account holder is manipulated into transferring funds. Each of these fraud types requires a different detection approach, and the rules-based system that has been tuned against historical fraud patterns will by construction have limited capability against novel patterns.
Machine learning approaches to identity fraud detection address this limitation through a different mechanism: rather than encoding known fraud patterns as rules, they model the behavioural and contextual signatures that distinguish fraudulent from legitimate application traffic at a distributional level. A model trained on a large, labelled dataset of genuine and fraudulent identity verifications can identify combinations of signals — device characteristics, application timing, field completion patterns, document image quality, biometric consistency — that correlate with fraud even when no individual signal would trigger a rule. Detected, which we backed in 2023, is building this type of detection infrastructure specifically for the financial institution market, where the combination of high transaction volumes and significant fraud loss exposure creates the training data conditions that make ML approaches tractable.
The liability framework for identity fraud is evolving in ways that directly increase the urgency of investment in detection infrastructure. The Payment Systems Regulator's mandatory reimbursement requirement for authorised push payment scams, which came into force in October 2023, shifts a material portion of APP fraud liability to sending and receiving payment service providers. This regulatory change means that financial institutions and payment providers can no longer treat APP fraud primarily as a customer education problem — it is now a direct balance sheet exposure. The institutions that have invested in pre-transaction detection infrastructure — evaluating the payee account's fraud risk signals before a payment is executed — will carry materially lower liability exposure than those that have not. The regulatory change has, in effect, converted fraud detection investment from a compliance cost into a financial return.
The detection infrastructure opportunity extends beyond the initial account opening and payment authorisation use cases. Continuous authentication — the ongoing monitoring of account activity for behavioural anomalies that may indicate account takeover — is a growing area of investment precisely because the sophistication of account takeover attacks has increased. Biometric authentication at login is now a relatively standard control, but it does not address the scenario in which a customer's device is compromised after authentication or in which a customer has been socially engineered into sharing their credentials. Continuous monitoring of transaction patterns, device behaviour, and interaction signatures throughout a session provides an additional layer of detection that rules-based session monitoring cannot replicate. This is where we expect continued infrastructure investment to concentrate over the next few years.