Faryam Asif, Chief Technology Officer at Shufti – Interview Series

Faryam Asif, Chief Technology Officer at Shufti, is a technology executive specializing in AI-powered identity verification, fraud prevention, and secure digital onboarding. Since joining Shufti as a software developer in 2018, he has progressed through multiple leadership roles before becoming Chief Technology Officer in 2025, overseeing the company’s technology strategy and the development of its global identity verification platform. He also serves as Chief Development Officer at Programmers Force, bringing extensive experience in software engineering, product development, and technology leadership.
Shufti is a global identity verification and compliance platform that provides AI-powered KYC, KYB, AML, and fraud prevention solutions for financial institutions, fintechs, cryptocurrency platforms, marketplaces, and other regulated industries. Operating across more than 240 countries and territories, the company combines biometric verification, document authentication, liveness detection, and AI-driven risk analysis to help organizations streamline customer onboarding, meet regulatory requirements, and defend against increasingly sophisticated digital fraud.
You joined Shufti in 2018 as a software developer and have since helped build and scale the company’s identity verification infrastructure into a global platform. How has the nature of identity fraud evolved during that period, and what changes have been most surprising from a technology leadership perspective?
When I joined Shufti in 2018 as a software developer, most fraud attempts were still relatively manual. We were dealing with edited documents, presentation attacks, and fairly basic spoofing techniques. Over the last seven years, I’ve watched fraud evolve from something that required significant effort and expertise into something that can be generated on demand using AI.
What has surprised me most is not just how sophisticated fraud has become, but how accessible it has become. Generative AI has effectively democratized fraud. Capabilities that once required specialist skills are now available through consumer-grade tools. As we highlight in our Deepfake Fraud Index, fraud is increasingly behaving like software: once it can be automated, it can scale rapidly.
Two developments stand out. The first is injection attacks, where attackers bypass the camera entirely and feed synthetic content directly into a verification stream. The second is the rise of synthetic identities, where AI-generated personas are created at scale to abuse onboarding systems, obtain financial services, or facilitate money laundering. The line between genuine and synthetic content has become significantly harder to draw, and that shift has fundamentally changed how identity verification must be approached.
Shufti’s Deepfake Fraud Index projects that document deepfakes could surge by nearly 3,900% in 2026, making them the fastest-growing category of AI-powered fraud. What factors are driving this explosive growth, and why are fraudsters increasingly targeting documents rather than faces or video streams?
Our Deepfake Fraud Index projects document deepfakes to increase by nearly 3,900% in 2026, making them the fastest-growing category of AI-powered fraud. The growth is being driven by two forces: the rapid advancement of generative AI and the increasing accessibility of tools that allow almost anyone to create convincing fake documents.
What once required specialist editing skills can now be achieved through AI-powered tools capable of generating realistic passports, driver’s licenses, utility bills, bank statements, and other onboarding documents. At the same time, many legacy verification systems still rely heavily on OCR and template matching. They can read the text and validate a layout, but they often struggle to determine whether the document itself is authentic.
Fraudsters are targeting documents because they represent the path of least resistance. Defeating a modern liveness system requires overcoming multiple layers of detection, whereas many document workflows remain dependent on relatively simple validation techniques. In addition, a manipulated document can often be reused across multiple institutions and onboarding flows, providing a much higher return on investment for attackers.
The growth we’re seeing is ultimately a reflection of fraud economics. Attackers consistently target the weakest control in a verification process, and for many organizations, documents remain that weakest link.
The report identifies synthetic identities as the largest category of AI-driven fraud, accounting for more than 40% of AI fraud activity. Why have synthetic identities become such an effective attack vector, and what makes them particularly dangerous for financial institutions and crypto platforms?
Synthetic identities have become effective because they exploit a fundamental weakness in many verification systems: they appear legitimate when individual data points are evaluated in isolation.
Historically, synthetic identities often combined real and fabricated information. What we’re increasingly seeing now are AI-generated identities built around synthetic faces and personas that never existed at all. Our Deepfake Fraud Index found that synthetic identities account for 42.3% of AI-driven fraud activity, making them the largest category of AI-powered identity fraud today.
For financial institutions, fintechs, and crypto platforms, the risk is significant because successful onboarding often provides immediate access to financial value. Once a synthetic identity enters the ecosystem, it can be used to open accounts, access credit, claim incentives, move funds, or facilitate money laundering activities.
What makes synthetic identities particularly dangerous is their persistence. Traditional fraud is often detected quickly because it involves a real victim. Synthetic identities can remain active for months or even years before discovery. By the time they are detected, substantial financial losses may already have occurred, and there is often no real individual behind the account to pursue.
Cryptocurrency exchanges, digital asset platforms, and fintech companies often rely heavily on remote onboarding. Which sectors do you believe are currently the most exposed to AI-powered identity fraud, and where are organizations still underestimating the threat?
The sectors most exposed are those that combine fully remote onboarding with immediate access to financial value. That includes cryptocurrency exchanges, digital asset platforms, digital banks, fintechs, online lenders, buy-now-pay-later providers, and iGaming operators.
The common factor is that successfully passing onboarding provides access to money, credit, wallets, payments infrastructure, or transferable assets. That creates a strong incentive for attackers.
Where organizations continue to underestimate the threat is in their reliance on legacy verification assumptions. Many still operate under the belief that if a document matches a known template, it must be genuine. That assumption is increasingly dangerous in an era where AI can generate highly convincing documents at scale.
Beyond traditional high-risk sectors, I also believe marketplaces, gig-economy platforms, and embedded finance providers are underestimating their exposure. As fraud tools become more accessible, any platform that relies on remote trust establishment becomes a potential target.
Many businesses continue to rely on selfie-based verification as a primary security measure. Your report argues that a single selfie check is no longer sufficient. What vulnerabilities exist in traditional onboarding workflows, and what should modern identity verification look like in 2026?
A single selfie is no longer enough because AI can generate realistic human faces on demand. If onboarding relies primarily on a selfie check, organizations may have limited visibility into whether they are interacting with a real person, a spoof, or a completely synthetic identity.
Traditional onboarding workflows remain vulnerable to presentation attacks, video replays, deepfakes, face swaps, injection attacks, and synthetic identities that combine AI-generated faces with manipulated documents. Attackers are no longer trying to fool one control; they’re designing attacks specifically to exploit weaknesses across the onboarding process.
Modern identity verification must be layered. Rather than relying on one signal, organizations should combine certified anti-spoofing technologies such as iBeta Level 3 liveness detection, face matching, document verification, injection attack detection, device intelligence, behavioral analytics, and authoritative database verification where available.
The objective is not simply to determine whether someone looks real. The objective is to establish whether the identity itself is genuine, trusted, and consistently linked to a real individual across multiple independent signals.
Deepfake technology is advancing rapidly alongside generative AI models. Are fraud detection systems keeping pace, or are we entering a period where attackers have a temporary advantage over defenders?
This is very much an arms race, and I would be cautious about anyone claiming the battle has already been won.
Attackers certainly benefit from the rapid pace of AI innovation and the growing availability of generative tools. Organizations relying on legacy verification technologies are already at a disadvantage. In those environments, attackers often have the upper hand.
At the same time, modern detection systems are evolving rapidly. Across the industry, advanced forensic approaches are becoming increasingly effective at identifying AI-generated content by analyzing generation artefacts, capture integrity signals, compression patterns, biometric inconsistencies, and cryptographic provenance.
The reality is that neither side has a permanent advantage. Success depends on adaptability. Fraud prevention can no longer rely on static controls; it requires continuously evolving detection models capable of responding to new attack techniques as they emerge.
The report highlights three major attack methods: presentation attacks, injection attacks, and synthetic identity creation. Which of these attack vectors concerns you the most, and why?
If I had to choose one, it would be synthetic identity creation.
Presentation attacks and injection attacks are serious threats, but synthetic identities create a deeper and more persistent problem because they attack the identity layer itself. The goal isn’t simply to bypass a verification session; it’s to establish a fraudulent identity capable of operating within the financial ecosystem for an extended period.
Once a synthetic identity is successfully onboarded, it can be used to obtain credit, create mule accounts, move illicit funds, exploit incentives, and facilitate broader financial crime. In many cases, these identities remain undetected for long periods because there is no real victim reporting the fraud.
What concerns me most is the scalability. Combined with generative AI and automated onboarding systems, synthetic identities can be created and deployed in large numbers, creating systemic risks for financial institutions, fintechs, and crypto platforms.
As digital assets become more mainstream and regulatory scrutiny increases globally, how do you see AI-powered identity fraud impacting Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance requirements?
AI-powered fraud is accelerating the shift from one-time verification toward continuous trust assessment.
Historically, KYC was often viewed as an onboarding exercise. That approach becomes less effective when synthetic identities, deepfakes, and AI-generated documents can potentially pass initial verification checks. Organizations increasingly need to monitor trust throughout the customer lifecycle.
In practice, this means greater emphasis on behavioral analytics, transaction monitoring, device intelligence, ongoing sanctions and PEP screening, and cross-account risk correlation. Compliance programs will need to continuously evaluate whether an account remains trustworthy after onboarding.
I also believe regulators will increasingly expect organizations to demonstrate not only that an identity was verified, but how it was verified. The auditability of identity controls, including evidence that AI-generated fraud risks were actively considered and mitigated, will become an increasingly important part of KYC and AML compliance frameworks.
Regulators around the world are beginning to address the risks associated with AI-generated content and digital identity fraud. What regulatory changes do you expect to have the biggest impact on financial institutions, fintechs, and crypto companies over the next few years?
Regulators are beginning to move beyond treating AI-generated fraud as a general cybersecurity issue and are addressing it directly. One important example is the EU AI Act, which introduces transparency obligations around AI-generated and manipulated content. I expect similar frameworks to emerge globally as regulators recognize that deepfakes and synthetic identities create risks that extend beyond traditional fraud management.
I also expect stronger requirements around biometric security, presentation attack detection, and anti-spoofing controls. Standards such as iBeta and NIST-related evaluation frameworks are likely to play a larger role in demonstrating compliance and risk management effectiveness.
At the same time, privacy regulations such as GDPR and CCPA will continue pushing the industry toward data minimization and privacy-preserving identity verification models. This may accelerate the adoption of digital identity wallets, reusable credentials, and attribute-based verification models that allow organizations to verify specific claims without collecting unnecessary personal data.
The result will be a more mature regulatory environment where security, privacy, and trust must all be addressed simultaneously.
Looking ahead three to five years, do you believe the identity verification industry will ultimately win the arms race against generative AI fraud, or will digital trust require an entirely new model beyond traditional identity checks?
I don’t believe the industry will defeat generative AI fraud using traditional document-based verification alone. The technology will continue to improve, and attackers will continue to adapt. Relying solely on document checks and selfie verification is unlikely to remain sufficient.
What I do believe is that digital trust is evolving toward a broader and more resilient model. Traditional KYC will remain important, but it will increasingly be supported by trusted digital identities, biometrics, device intelligence, behavioral analytics, cryptographic credentials, and continuous risk monitoring.
We’re already seeing elements of this future through government-backed digital identity programs, reusable credentials, and trusted digital identity ecosystems. Instead of repeatedly verifying the same individual using paper-based documents, organizations will increasingly rely on trusted identity networks that provide stronger assurance with less friction.
The future of digital trust will be built on multiple layers of assurance working together. Generative AI isn’t eliminating digital trust; it’s forcing the industry to build a stronger and more resilient version of it. The organizations that succeed will be those that continuously evaluate trust throughout the customer lifecycle rather than relying on a single verification event.
Thank you for the great interview. Readers who wish to learn more should visit Shufti.












