8 actions to reduce fraude in Canadian banking

Synthetic identity fraud grew by 8% in just one year in Canada. Deepfake attacks have increased twentyfold in three years. And more than one-third of banks detect less than 60% of fraud before it causes a loss.

If you have read our analysis about the detection gap behind the CAD 704 million in direct losses recorded in 2025 in Canada, you know what we are talking about.

The diagnosis is already clear. What is missing is the plan. 

These are eight concrete actions that fraud, risk, and compliance leaders at Canadian banks, credit unions, and fintechs can start implementing to being closing that gap and protect both their customers and their financial results.

Go beyong transactios: incorporate contextual risk signals

Most fraud detection systems are built around transactional data: amount, frequency, geography. While necessary, it is still not enough.

Modern fraud, especially account takeover (ATO) and social engineering, does not always appear anomalous at a transactional level. What gives it away are the signals around the transaction: is the device new? Has the typing rhythm changed? Is the user navigating the app differently than usual? Did the login occur from a location 3,000 km away at 3 a.m.?

Incorporating behavioral biometrics (how the user types, scrolls, and interact), device intelligence (fingerprinting, geolocation), and activity velocity gives your models a much richer picture of what “normal” looks like

Incorporating behavioral biometrics (how the user types, scrolls, and interacts), device intelligence (fingerprinting, geolocation), and activity velocity gives your models a much richer picture of what “normal” looks like —and a faster trigger when something is not. 

The result: fewer false positives and more real fraud detected before it causes losses.

2. Move to hybrid ML: supervised models alone are not enough 

There is a recurring pattern in financial services: institutions invest in machine learning, train it on historical fraud data, and then wonder why it keeps failing against new types of attacks. 

The issue lies in the approach. Supervised models are excellent at recognizing patterns they have already seen. What they struggle with is what they have never encountered. 

Think of this way: a supervised model is like a customs officer with a list of suspects. If your name is on it, you get stopped. If it isn’t, you pass through. An unsupervised model, on the other hand, is like an officer who doesn’t rely on a list, but instead observes how each traveler behaves and compares it to thousands of previous journeys. It doesn’t need to recognize you as suspicious to notice something is off.

That is exactly what is needed to detect synthetic identity fraud, generative AI injection attacks, or new Fraud-as-a-Service (FaaS) kits before they cause losses. 

The FSB (Financial Stability Board) states that AI is no longer an experimental technology in the financial sector, but a widely used tool, including fraud detection. However, most institutions are still operating with single-layer architectures. The competitive advantage in the coming years will belong to those that combine both approaches effectively. 

In a threat landscape that constantly reinvents itself, a model that only recognizes what it has already learned will always be too late.

3. Build multi-layer defenses for synthetic identity fraud in onboarding 

Synthetic identity fraud is now one of the fastest-growing and most costly types of fraud in Canada. According to TransUnion’s Top Fraud Trends Report H2 2025, 26% of Canadian businesses attributed their fraud losses to synthetic identities, representing an 8-percentage point increase from the previous year. That rate of growth alone should make it a board-level priority. 

What makes synthetic identity fraud especially dangerous is its design: it is built to bypass standar KYC controls. A synthetic identity typically combines a legitimate Social Insurance Number (SIN) with fabricated personal data, creating a fictional persona that passes onboarding processes, builds a credit history, and then disappears after maxing out credit lines or committing payment fraud.

Detecting it requires more than document verification. An effective defense is built in layers across the entire user journey: 

• Session layer: identity verification at the point of access, combining biometric liveness detection with Presentation Attack Detection (PAD) and injection attack detection to catch spoofing attempts and AI-generated media before they enter the pipeline.
• Account layer: behavioral analisis in the post-onboarding perios, where synthetic identities typically remain dormant before activating. Monitoring for mule account patterns and anomalous activation signals in the first 8 to 12 weeks after opening is where many institutions still have a blind spot.
• Transaction layer: real-time monitoring for financial fraud patterns, ATO attempts, and AML/KYT controls that flag when a synthetic indentity finally moves.

Onboarding remains the best opportunity to stop synthetic identity fraud. Once an account has been opened, the cost and complexity of detecting it increase significantly.

4. Build a Living Threat Heat Map and Review It Quarterly 

Fraud strategies evolve faster than annual risk review cycles. What served as an effective prioritization framework in January may no longer reflect the threat landscape by October. Yet many institutions still treat fraud risk assessments as annual exercises owned by the fraud or security team — when in reality, financial fraud is today a board-level risk, not an isolated problem for the CISO. 

A quarterly threat heat map, which tracks active fraud vectors based on both frequency and growth rate, gives risk, compliance, and technology teams a shared and up-to-date view of where attention and investment should be focused. 

It also creates accountability: when a new attack type begins to scale, the heat map makes it visible before losses materialize. In the case of AI-driven fraud, INTERPOL has warned that fraud-related notifications have increased by 54% since 2024, a clear indication of how rapidly the threat is evolving. 

This type of exercise works best as a cross-functional effort, bringing together fraud operations, compliance, IT security, and external technology partners. The goal is not to produce a document—it is to align the organization around the threats that are actually active, not just theoretically possible. 

5. Replace SMS-Based MFA 

This point can be uncomfortable because a large number of banks worldwide still rely on SMS-based multi-factor authentication (MFA) as a primary security control. Yet SMS one-time passwords (OTPs) have been recognized as a vulnerability for years.

The attack is known as SIM swapping, and it is simpler than many fraud and security teams would like to admit. An attacker contacts a mobile carrier and uses social engineering—or, in some cases, insider access—to transfer a customer’s phone number to a SIM card under their control. From that moment on, they receive every text message sent to that number, including the OTP your bank just sent to “verify” a login attempt or a high-value transaction. The account is effectively theirs.

The U.S. National Institute of Standards and Technology (NIST) classified SMS as a deprecated authentication method back in 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has formally recommended moving away from it. A clear example comes from the Central Bank of the United Arab Emirates, which set March 31, 2026, as the deadline for eliminating SMS OTPs across all licensed financial institutions. The most important argument was not regulatory penalties but liability: any fraud occurring withing an SMS OTP flow falls directly on the bank, not the customer.

In Canada, the growing cost of fraud—including the account takeover (ATO) attacks enabled by SIM swapping—makes this a risk management decision, not merely a technical preference. 

So what should replace SMS?  There are several alternatives with varying levels of user friction: 

• FIDO2 and passkeys: authentication tied to a physical device and inherently resistant to phishing. No codes and no possibility of interception. 

• Hardware tokens: particularly suitable for high-risk users or privileged access scenarios. 

• Push authentication through mobile apps: more user-friendly than SMS and independent of the telecommunications network.

None of these options require organizations to chosse between security and user experience. The key is to combine them with risk-based adaptive authentication, where the level of verification requieres scales according to the risk of the session.

A balance inquiry from a trusted device does not requiere the same level of verification as an international transfer initiated from new device at 2 a.m. The system makes that decision dynamically, while the customer barely notices.

6. Identity is a continuum  

Most fraud controls are concentrated at the onboarding stage — as if identity were a single moment to validate rather than a continuum to monitor. Identity doesn’t end when the account opens. It evolves: behavior changes, devices change, patterns change. And synthetic identity fraud is designed to exploit exactly that blind spot. 

A synthetic identity that successfully passes onboarding often enters a “nurturing” phase. The account remains largely inactive, with minimal transaction activity and sometimes even small, timely payments designed to build a credit history. This phase can last for weeks or even months. Then, suddenly, the account becomes active through a large cash advance, a series of rapid purchases, or a balance transfer —and disappears.

Deploying post-onboarding monitoring specifically designed to detect delayed activation patterns during the first 8 to 12 weeks after account opening is one of the most cost-effective controls available.

The signals are already in the data; they simply require models trained to look for them. 

7. Fraud intelligence is a continuum too  

Monitoring identity as a continuum only works if your intelligence is equally continuous. And no single institution has the full picture on its own. 

In financial services, there is a tendency to treat fraud intelligence as proprietary information. This is understandable: in banking, sharing fraud intelligence is not always straightforward due to competition between institutions, regulatory requirements, and reputational risk. However, fraud networks do not respect institutional boundaries. A synthetic identity that fails onboarding at one bank will attempt the same at another. 

Evidence consistently shows that institutions participating in threat intelligence communities—sharing data on fraud attempts, attack patterns, and known malicious actors—detect fraud faster and at lower cost than those operating in isolation. In Canada, this includes engagement with FINTRAC, ACAMS Canada, and the growing network of banking consortia focused on financial crime. 

Shared blacklists, coordinated alerts about new Fraud-as-a-Service (FaaS) kits entering the Canadian market, and early warnings about emerging attack vectors are assets that no single institution can build alone. 

Canada’s National Anti-Fraud Strategy (2026) and ongoing consultations around Bill C-15 (Bank Act) are creating more infrastructure for this type of coordination. Institutions that are already engaged will be better positioned as this framework matures. 

8. Integrate KYC, AML, and Fraud Detection: Eliminate Silos 

Ask most fraud teams how their systems communicate with AML and KYC platforms, and the answer usually involves manual data extracts, scheduled batch processes, and long email chains. These operational silos create inefficiencies—and blind spots. 

A customer flagged during KYC onboarding may no trigger any signal in AML monitoring systems. A transaction pattern that looks anomalous in fraud detection may not be linked to a watchlist match sitting in a compliance queue. When these systems do not communicate in real time, the institution is effectively viewing the same customer through three separate, incompatible lenses.

Integrated platforms, with modular APIs connecting KYC, AML screening, and fraud detection solutions, turn this fragmented view into a single, coherent risk picture. For institutions without large engineering teams, cloud-native and API-first architectures make this achievable without multi-year integration projects. 

The result: faster detection, fewer gaps, and a compliance posture that can truly scale. 

Closing the gap starts with a decision 

None of these eight actions requires a complete technology overhaul. Some, such as the threat heat map, participation in shared intelligence, and post-onboarding monitoring protocols, can begin with current resources and be refined over time. Others, such as moving away from SMS-based MFA or integrating siloed platforms, require investment and sequencing, but they are achievable within 12 to 18 months with the right partners. 

What they all require is a decision: that the current state is not acceptable. 

With CAD 704 million in documented losses in 2025 and more than 112,000 reported cases, according to the Canadian Anti-Fraud Centre (CAFC), the cost of inaction is now measurable. The detection gap is real, the threat environment is accelerating, and the tools to close it already exist. 

At Facephi, we work with financial institutions in Canada and worldwide to build the identity and antifraud infrastructure that turns these actions into operational reality: from deepfake detection and behavioural biometrics at onboarding, to continuous monitoring and AML integration across the full customer lifecycle. 

As members of DIACC and aligned with the Pan-Canadian Trust Framework and the obligations of PIPEDA and FINTRAC, we support Canadian institutions with certified technology and direct knowledge of the local regulatory environment