FCA Digital Sandbox: Interim Analysis of Fraud and Identity Verification Patterns

We are midway through our FCA Digital Sandbox work examining fraud patterns across 14.68 million transactions. With 11% of UK businesses hit by fake invoice fraud and 93% targeted by vendor fraud, we're testing whether cryptographic credentials can improve detection where current methods fall short.

Published on November 26, 2025

An interim report from Vidos' participation in the FCA Digital Sandbox programme

We're midway through our work in the FCA Digital Sandbox, analysing how enhanced identity verification can improve fraud detection in payment systems. Our analysis covers 14.68 million synthetic transaction records across four banks, examining the relationship between identity verification quality and fraud outcomes.

This interim report shares our initial findings and highlights areas requiring further investigation before we can complete our analysis.

Understanding Our Data and Its Limitations

Before we share our findings, it's important to understand what we're analysing. The FCA Digital Sandbox provides synthetic datasets that mirror statistical patterns of real banking activity without exposing actual customer data. We're working with the app_v9 dataset, which includes personal banking transactions, account data, customer information, and identity verification records across four synthetic banks.

This allows us to test hypotheses and identify potential signals, but synthetic data has inherent limitations. Patterns we identify may reflect how the synthetic data was generated rather than genuine real-world behaviour. The account age finding, for instance, could be an artefact of the data generation process rather than a true fraud signal. We're treating all findings as hypotheses requiring validation against real-world data before drawing firm conclusions.

Additionally, we set out to analyse both consumer and business fraud patterns, but discovered the synthetic dataset lacks comprehensive business fraud scenarios. This data gap has shaped what we can conclude from this phase of work. We're presenting initial findings from consumer fraud analysis while acknowledging this represents only part of the fraud landscape we intended to examine.

Our focus is examining whether cryptographically-verifiable digital credentials could improve fraud detection compared to current identity verification methods. The dataset includes 18,232 fraud transactions across several categories: Purchase Scam (11,646 transactions), Bank Impersonation (1,788 transactions), Advance Fee schemes (2,608 transactions), Romance Scam (1,500 transactions), Investment Scam (624 transactions), Impersonation: Police (644 transactions), and Family Impersonation (422 transactions). This represents a fraud rate of 0.124%, or approximately one in every 800 transactions.

Key Findings So Far

Account Age Patterns Challenge Assumptions

[Figure: Account Age Analysis]

The most unexpected finding relates to account age. Fraudulent transactions occur in accounts that average 3,600-3,900 days since opening, compared to 2,966 days for legitimate transactions. This represents a 20% difference, with fraud occurring in older, more established accounts.

This pattern contradicts the common assumption that fraudsters primarily create new mule accounts. Instead, the data suggests sophisticated account takeover or exploitation of long-established accounts. For fraud prevention teams, this implies that traditional "new account" risk signals may miss a significant proportion of fraud activity.

Current Identity Verification Shows Limited Differentiation

We analysed identity verification quality metrics across both fraud and non-fraud populations. Facial recognition quality averaged 0.85 for both groups, while image condition grades averaged 0.84 for both populations.

[Figure: Traditional vs. Cryptographic Verification]

This lack of differentiation demonstrates a gap in current identity verification approaches. When verification quality metrics cannot distinguish between populations, the verification process itself may be vulnerable at the point of credential creation.

This is where cryptographically-verifiable credentials present a different approach. Consider the difference:

Current approach: A fraudster presents forged documents during account opening. The verification system checks image quality and performs facial recognition, producing metrics (0.85, 0.84) that look identical to legitimate customers. Once the account is opened with these fraudulent credentials, the verification metrics cannot distinguish this as fraud.

Credential-based approach: A customer presents a cryptographically-signed credential issued by a trusted authority (government passport service, established bank, qualified identity provider). The receiving system verifies the cryptographic signature, which proves the credential was genuinely issued by that authority and has not been tampered with. The credential itself carries higher assurance because of its provenance and cryptographic properties, not just biometric matching quality.

The key difference is moving from "does this photo match this face" to "can we cryptographically prove this credential was issued by a trusted authority and remains valid." High-assurance credentials issued by governments or regulated financial institutions carry inherent trust properties that current point-in-time biometric checks cannot provide.

This doesn't eliminate fraud entirely, but it raises the barrier significantly. A fraudster would need to compromise the issuing authority's systems or steal valid credentials, rather than simply presenting convincing forgeries to a verification service.

Business Fraud Data Gap

We designed our analysis to examine both consumer and corporate fraud patterns, intending to validate verification approaches across personal and business banking scenarios. However, the synthetic dataset contains comprehensive personal banking fraud scenarios but lacks equivalent data for business fraud transactions.

This prevents us from testing our hypotheses about corporate payment fraud, which we know from existing market research represents a significant proportion of financial crime. The Government's Economic Crime Survey 2024 reports that fake invoice fraud affects 11% of UK businesses annually, making it the most common type of business fraud. Research by Trustpair shows 93% of UK companies were targeted by vendor fraud in 2024, with successful attacks averaging £500,000 per incident.

In the US, Business Email Compromise remains a major threat, with the FBI's Internet Crime Complaint Center reporting $2.77 billion in BEC losses in 2024 across 21,442 reported incidents. Vendor Email Compromise attacks rose 66% in the first half of 2024 according to Perception Point's cybersecurity research, and we can expect to see similar patterns in the UK.

These existing market figures demonstrate the scale of corporate payment fraud, but without synthetic data reflecting these patterns, we cannot validate specific verification approaches for business scenarios during this phase of analysis. We are working with the FCA to identify whether additional data sources could address this gap in future work.

What This Means for Fraud Prevention

These preliminary findings have several implications for financial institutions developing fraud prevention capabilities.

Account monitoring needs to extend beyond new accounts. The data suggests that established accounts represent significant fraud risk, requiring continuous verification rather than point-of-onboarding checks only.

Current identity verification methods require enhancement. When quality metrics show no differentiation between fraud and non-fraud cases, additional verification layers are necessary. Cryptographically-verifiable credentials could provide this enhanced assurance through their provenance and cryptographic properties.

Corporate payment fraud requires dedicated solutions. As the market data above demonstrates, the scale of business fraud and the clear need for enhanced invoice authentication and supplier identity verification capabilities warrant specialised verification approaches for commercial payment scenarios.

How Digital Credentials Address These Gaps

The limitations we've identified in current identity verification point to specific areas where cryptographically-verifiable credentials could provide enhanced fraud protection.

Enhanced Supplier Authentication

[Figure: Invoice Fraud Detection Using Traditional & Digital Credentials]

The widespread fake invoice fraud and Business Email Compromise attacks point to a fundamental problem: organisations cannot easily verify the authenticity of suppliers or the legitimacy of invoices. Digital credentials could enable suppliers to cryptographically prove their identity and authority when submitting invoices or requesting payment changes.

For example, a legitimate supplier could embed verifiable credentials in their invoices proving they are an authorised representative of their organisation and have authority to request payment to specific bank accounts. The receiving organisation's payment system could automatically verify these credentials before processing payment, eliminating the manual verification burden that currently leaves organisations vulnerable to sophisticated impersonation attacks.

Adoption catalyst: Accounting and invoice management platforms represent the natural integration point for supplier credentials. Platforms like Xero, QuickBooks, Sage, SAP, and specialist procurement systems already sit at the point where invoices enter an organisation's payment workflow. These platforms could verify embedded credentials automatically when invoices are uploaded or received, flagging suspicious invoices before they reach payment approval stages. This integration would require minimal changes to existing business processes while providing immediate fraud protection.

Corporate Payment Authentication

Building on the credential verification approach described above, consider invoice fraud scenarios: a supplier could issue invoices with embedded verifiable credentials proving their legitimacy and authority to bill specific amounts. The receiving company's payment system could cryptographically verify these credentials before processing payment, eliminating many forms of supplier impersonation and false invoicing.

Similarly, when employees initiate corporate payments, they could present credentials proving their current employment status and spending authority. This creates an additional verification layer beyond traditional identity checks, addressing the Business Email Compromise and CEO fraud scenarios that are increasingly targeting corporate finance teams.

Adoption catalyst: Banks and payment processors are positioned to drive adoption of corporate payment authentication. By integrating credential verification into online banking platforms and payment initiation interfaces, banks can verify both the employee authorising a payment and the supplier receiving it before funds are transferred. This builds on existing payment authentication flows (such as Strong Customer Authentication under PSD2) by adding cryptographic proof of authority and legitimacy. For businesses, this appears as an enhanced security layer within familiar banking interfaces rather than requiring new systems or processes.

Real-Time Entitlement Verification

Current identity verification tells you who someone was when they opened an account. Digital credentials can prove who they are right now and what they're authorised to do. An employee's corporate credential could confirm they still work for Company X, have authority to approve payments up to £50,000, and are initiating the transaction from an authorised device or location. Similarly, supplier credentials could verify they have authority to issue invoices on behalf of their organisation and that banking details for payment are legitimate and current.

This real-time verification capability provides enhanced protection against the impersonation and authority fraud that represents such a significant proportion of current business fraud.

Adoption catalyst: Real-time entitlement verification requires coordination between multiple systems. HR platforms and Identity Access Management (IAM) systems would issue and maintain employment credentials that prove current status and authority levels. These credentials would then be verified by banks and payment systems at the point of transaction. This creates a verification chain where employment credentials issued by HR systems provide the authoritative source of truth about an employee's current status and permissions, while banking systems verify these credentials before authorising payments. The adoption path likely starts with large enterprises that already maintain sophisticated IAM infrastructure and have strong relationships with their corporate banking providers, gradually expanding as standards and integration patterns mature.
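
The checks described in this section and under "Credential-based approach" above can be sketched in a few lines. This is an added example, not Vidos' implementation or code from the sandbox work. It assumes an Ed25519-signed credential with flat claims; the issuer identifier, claim names, account numbers and helper functions are constructed for illustration, and the payee-account binding and £50,000 limit are combined into one credential for brevity.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed issuer: stands in for a trusted authority; the identifier is a placeholder.
const issuerKeys = generateKeyPairSync('ed25519');
const TRUSTED_ISSUERS = new Map([['did:example:issuer', issuerKeys.publicKey]]);

// Flat claims are serialised with sorted keys so both sides sign identical bytes.
const canonical = (claims) =>
  Buffer.from(JSON.stringify(claims, Object.keys(claims).sort()));

function issueCredential(claims, privateKey) {
  return { claims, signature: sign(null, canonical(claims), privateKey).toString('base64') };
}

// Returns 'accept' or a 'reject: <reason>' string for a proposed payment.
function verifyPayment(credential, payment, nowMs) {
  const { claims, signature } = credential;
  const issuerKey = TRUSTED_ISSUERS.get(claims.issuer);
  if (!issuerKey) return 'reject: untrusted issuer';
  if (!verify(null, canonical(claims), issuerKey, Buffer.from(signature, 'base64')))
    return 'reject: bad signature';
  if (nowMs >= Date.parse(claims.expires)) return 'reject: expired';
  if (payment.account !== claims.payeeAccount) return 'reject: account not in credential';
  if (payment.amountGBP > claims.limitGBP) return 'reject: over limit';
  return 'accept';
}

// Constructed sample data (not taken from the sandbox dataset).
const NOW = Date.parse('2025-11-26T00:00:00Z');
const SAMPLE_CLAIMS = {
  issuer: 'did:example:issuer',
  subject: 'Example Supplier Ltd',
  payeeAccount: 'GB00EXMP00000000000001',
  limitGBP: 50000,
  expires: '2026-06-30T00:00:00Z',
};
const OTHER_ACCOUNT = 'GB00EXMP00000000000999';
const credential = issueCredential(SAMPLE_CLAIMS, issuerKeys.privateKey);
// Claims edited after issuance (bank details changed) while reusing the old signature.
const tampered = { ...credential, claims: { ...SAMPLE_CLAIMS, payeeAccount: OTHER_ACCOUNT } };

function demo() {
  return [
    verifyPayment(credential, { account: SAMPLE_CLAIMS.payeeAccount, amountGBP: 1200 }, NOW),
    verifyPayment(tampered, { account: OTHER_ACCOUNT, amountGBP: 1200 }, NOW),
    verifyPayment(credential, { account: OTHER_ACCOUNT, amountGBP: 1200 }, NOW),
    verifyPayment(credential, { account: SAMPLE_CLAIMS.payeeAccount, amountGBP: 75000 }, NOW),
  ];
}
console.log(demo());
```

A production verifier would also check revocation status with the issuer, which is what makes the "still works for Company X" property hold between issuance and expiry.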

Regulatory Context

Our analysis aligns with several current regulatory initiatives. The Payment Systems Regulator's mandate for fraud data sharing creates demand for solutions that enable secure information exchange between institutions. The new Authorised Push Payment reimbursement model's 50:50 liability split creates financial incentives for improved verification capabilities.

Additionally, eIDAS 2.0 compliance requirements position verifiable credential solutions for broader EU market adoption, particularly as member states prepare for mandatory acceptance of EU Digital Identity Wallet credentials by December 2026. The European Commission has announced the European Business Wallet initiative, which aims to enable businesses to digitally sign, store and exchange verified documents across all 27 Member States. In the UK, mandatory identity verification for company directors and Persons with Significant Control became effective in November 2025, addressing the critical need to identify who controls companies.

Next Steps

We're continuing our Digital Sandbox work with a focus on several areas. First, we're investigating whether access to Suspicious Transaction Reporting data could validate our business fraud prevention use cases. Second, we're developing technical specifications for real-time verification APIs that could operate at point-of-transaction. Third, we're exploring partnerships with data providers and accounting platforms to enable enhanced corporate payment verification.

The account age finding requires deeper investigation into account takeover patterns and dormant account exploitation. We're also examining whether additional identity verification data sources could provide the differentiation that current metrics lack.

The Need for Industry-Wide Solutions

Our Digital Sandbox analysis so far reinforces what many in the payments industry already know: current fraud prevention methods require enhancement, particularly for corporate payments and sophisticated account exploitation.

This interim report presents initial findings rather than final recommendations. We are midway through our analysis, gathering evidence about where current verification approaches show limitations and where enhanced verification mechanisms might address these gaps. The patterns we've identified in synthetic data require validation against real-world fraud cases before we can draw definitive conclusions.

However, the market data demonstrates clear problems that verification technology could potentially address. The technical foundations for cryptographically-verifiable credentials already exist across several regulatory frameworks. The critical challenge lies in developing the mechanisms and implementation pathways that drive adoption across industries.

For financial institutions interested in fraud prevention research, or regulators considering digital credential frameworks for business payments, we welcome discussion. Contact our team at Vidos or learn more about our original FCA Digital Sandbox objectives.

About the FCA Digital Sandbox

The Financial Conduct Authority's Digital Sandbox programme provides synthetic datasets and testing environments for firms developing solutions to regulatory challenges. Vidos' sandbox work is focussed on examining how verifiable digital credentials can improve detection accuracy while maintaining privacy.

For more information about our approach to fraud prevention and identity verification, contact our team directly.
