Synthetic IDs, Deepfakes and the Rise of Ghost Customers

Abstract: In this panel on fraud risk in Canadian auto lending, Marcos Lopez (CEO, Credit App) moderated a discussion with John Kontos (SVP & Head Auto Finance, Scotiabank), Chris Jepsen (Senior Product Manager, Equifax Canada), and Patrick Boudreau (Head, ID & Fraud, TransUnion) on how fraud is evolving beyond traditional credit risk checks. The panel explored why lenders can no longer assume that a strong credit file equals a trustworthy customer, how synthetic identities and “departure defaults” are driving losses, and why point solutions like ID verification—while helpful—will not solve the problem on their own. Across lender and bureau perspectives, the message was clear: fraud is becoming more sophisticated, more organized, and more expensive, and reducing that “fraud tax” will require dynamic trust models, predictive analytics, and much deeper industry collaboration.

👉 Check out the full VIDEO here.

Marcos Lopez: We’re at an interesting inflection point for our industry. Historically, we’ve used credit files as our main check and have been pretty good at validating creditworthiness. Now we’re trying to get better at validating the identity of the person behind the application. We’ve leaned into IDV as one of those tools. John, what are you seeing today, and what is Scotiabank looking to do as you lean into this new wild west we’ve created?

John Kontos: Scotia has been in auto finance for 65 years, and we recently launched a requirement for IDV to be sent in with funding packages for a certain segment of our dealers. We’re under no illusions that this is going to solve all our problems. It’s going about how you’d expect. We’ve got deals being held up in funding, white pieces of paper with “pass” stamped on them coming in from dealers, and people scrambling because they suddenly need IDV to fund a deal.

Some dealers are doing okay, but we knew it would be challenging. That said, we felt it was important to start moving the industry forward. It’s not a perfect solution, but it’s better than nothing—and it is catching deals today that would have funded yesterday and turned into losses.

What really worries me is that IDV alone won’t protect us from the broader bust-out problem. We’re hearing about temporary residents and visa holders with expiring status, and we know some identities are being sold. Some of those individuals have clean credit files. So yes, IDV helps, but I think the much bigger challenge is that as an industry we still aren’t sharing enough data in a timely way at the point of application. If we don’t solve that, the bust-out problem is going to continue.

Marcos Lopez: Chris, when we spoke before the panel, you made a line that stuck with me—that we need to move from thinking about creditworthiness to thinking about “customers I can trust.” Can you unpack that?

Chris Jepsen: We’ve conflated creditworthiness with trust for a long time. Years ago, if someone was likely to repay their bills, they were also likely to be a real person. That link made sense. But with synthetics and modern fraud, that connection no longer holds.

So the industry is shifting away from relying on one single data point and toward looking at different trust signals. The challenge is doing that without introducing friction that kills valid deals. That’s why I think we need to move toward something like dynamic friction rather than one-size-fits-all friction.

Instead of putting everyone through the same process, we need to build enough trust signals around the identity to say, “This person can be fast-tracked,” while requiring more checks for someone who hasn’t met that trust threshold. And those trust signals don’t have to be purely financial. They can include alternative data—things like email age, e-commerce history, or long-standing non-financial identity patterns.

A synthetic identity often only exists in a financial sense because the end goal is to bust out. But it’s much rarer for a bad actor to create a rich non-financial profile around that same identity. So if someone has a perfect credit profile but a brand-new email address and no meaningful digital footprint, that should be a red flag.

Marcos Lopez: That’s exactly where we talk about “building confidence” in our business. Patrick, in our pre-call you gave me a pretty stark warning: it’s going to get worse. Walk us through the research and what you’re seeing.

Patrick Boudreau: It’s definitely not getting better. Over the last 12 months we’ve done a couple of major studies, and the most important thing is understanding how fraud is happening—not just how it got through one or two controls.

Fraudsters will always find the path of least resistance. If John introduces a stronger IDV process, that doesn’t make the fraud disappear—it just pushes it to someone else. That’s why this is a shell game if we treat it as a point-solution problem.

The first study we did looked at delinquencies. Everyone in the market was talking about first-party fraud and saying they were being crushed by it. But when we dug into it, we found the “hidden culprit” was not really first-party fraud. It was synthetic identity fraud—particularly what we now call the long-haul synthetic.

Years ago, if we saw a file that had only existed for six to twelve months, we knew it was probably synthetic. Now we’re seeing identities that were created 10, 11, even 12 years ago. They’ve been carefully nurtured over time. They look exactly like first-party fraud when they bust out, which is why the industry has struggled to recognize what’s really happening.

In a 12-month study window, we found that 30% of delinquencies that went 90+ days past due within nine months on book were attributable to fraud. In auto alone, that translated to about $162 million of delinquency exposure that we’re very confident was fraud.

Marcos Lopez: And then you took that a step further into what you called “departure defaults.”

Patrick Boudreau: Exactly. Some institutions came back and said, “We understand your fraud numbers, but we think what you’re really seeing is people leaving the country and busting out—not synthetics.” So we looked at that too.

There is some of that happening. Some identities are being sold. There are pockets of new-to-country and new-to-credit risk, and international students were probably the riskiest specific bucket we identified. But the numbers did not support the idea that this was mainly a “departure default” issue. That was a much smaller part of the picture than people expected.

The bigger problem is still synthetic identity fraud and no-intent-to-pay behavior. We’ve built models that distinguish first-party, third-party, and synthetic behaviors with high accuracy. That’s where the industry needs to go—away from static point solutions and toward layered analytics and predictive fraud models.

Marcos Lopez: We were joking before the panel about how easy it is becoming to fake someone. I could take Gary’s public information, generate a convincing fake ID with my face on it, potentially clone his voice, and walk into a dealership sounding like him. That leads to a bigger question, John: indirect lending is a curious business. Banks hold their branch staff and systems to very high standards, yet we trust a huge indirect network to deploy capital on our behalf in a much looser environment. What role does the dealer play, and how do we as an industry help them?

John Kontos: It’s a great question, and it’s very challenging. One of our partners shared with us that in the early days of IDV they had three instances where dealers failed the IDV requirements. In all three cases, those deals went back into the market and were funded by another lender that didn’t require IDV. And these weren’t shady operators—they were reputable stores and reputable dealer groups.

But you’re often dealing with an employee on the ground who hits a roadblock and just wants to get the vehicle over the curb. So we’re not betting on the idea that 4,000 dealers across the country are all suddenly going to get perfectly aligned on fraud controls. It’s too fragmented.

That’s why I keep coming back to an industry solution. If Scott has already approved a deal and I’ve got an approval out there, I want to know that. If a third lender sees the same identity seeking multiple approvals in real time, they should know that too. It doesn’t have to be direct lender-to-lender sharing in the simplest sense, but we need some timely, fast infrastructure—whether that’s APIs, LOS integrations, a clean data room, whatever it is—to make that kind of alerting possible.

Dealer agreements are important, but they’re not enough. We have to solve this together as lenders.

Marcos Lopez: Chris, what are you seeing from dealers and bureaus? Has the mood changed at all with FINTRAC pulling more parties into scope?

Chris Jepsen: Compliance is definitely front of mind, and that’s going to push solutions like IDV further into the market. But the thing we need to be careful about is confusing compliance solutions with fraud solutions.

Compliance is about satisfying a regulator. Fraud prevention is about stopping a real business loss. The two overlap, but they are not the same thing.

So yes, more regulation is a good first step because it gets conversations like IDV moving. But it won’t solve things like synthetic fraud, bust-out fraud, or cross-lender exploitation unless we also think about this as an ecosystem problem. If I stop the loss today and it just gets shifted to another lender tomorrow, we haven’t really solved anything. That’s why I think the industry needs both broader data collaboration and more intelligence sharing between public and private players.

Patrick Boudreau: I agree completely. We’re still doing too many things the same way they were done twenty years ago. And the fraudsters aren’t. They’re organized, patient, and increasingly sophisticated.

One example: we saw a five-year synthetic identity that built strong credit, got a couple of credit cards and a telco account, paid everything on time, pushed the score as high as possible—and then in 29 days took out 12 auto loans. Every single one got funded. None of the vehicles were ever recovered.

That’s not a consumer deciding one day to stop paying. That’s organized crime. And the way to catch that isn’t by looking at one file in isolation. It’s by looking across the whole bureau and asking: where else do we see this address, this identity, this behavior pattern? We’ve seen cases where dozens of “different” consumers were all tied back to the same address. You won’t catch that by pulling one bureau and saying, “Well, everything matches, it must be fine.”

We need to get much better at using the data we already have, and even better when we combine it across the ecosystem.

Marcos Lopez: As we wrap up, I keep coming back to the fraud tax. It’s not just that one or two percent of losses get baked into the system. Lenders have to deploy more capital against that volatility, which means higher required returns, higher pricing, and more expensive car loans for Canadians. John, last word—what’s your plea to the industry?

John Kontos: We have to act in a more organized way. If auto theft is down in one place, my assumption is the fraud has just moved somewhere else—financing, identity abuse, bust-out behavior, synthetic loans. I don’t believe anyone has simply stopped trying to steal cars. They’re just finding a different way to get them.

So yes, I’ll make the plea again: we need to get together as lenders and solve this together. Whether CLA is the forum or whether we identify the right people from each institution to work on it, I think it’s worth doing. If this room represents most of the capital deployed into auto lending in Canada, and if we made a conscious choice to act more collaboratively, I do believe we could save Canadians money and materially reduce fraud losses.

Here are 10 key insights from the panel:

Creditworthiness is no longer the same as trust
A strong credit file does not necessarily mean the person behind it is real or low risk.

IDV helps—but it is not a complete fraud solution
Panelists agreed that identity verification is valuable, but on its own it will not stop bust-out fraud or long-haul synthetics.

Fraud is shifting, not disappearing
When one lender tightens controls, bad actors often redirect the same fraud to another institution with weaker defenses.

Synthetic identities are becoming more sophisticated and longer-lived
What used to look like a six-month synthetic can now be a twelve-year nurtured identity designed to bust out convincingly.

A meaningful share of delinquency is actually fraud
TransUnion’s research suggested that roughly 30% of early serious delinquency in a recent window was fraud-related, with large dollar exposure in auto alone.

“Departure defaults” exist, but they are not the main story
Some identities are sold and some customers leave the country, but that was found to be a smaller issue than many institutions assumed.

Alternative data can improve trust scoring
Signals like email age, e-commerce history, and broader non-financial identity patterns can help distinguish real people from synthetic profiles.

Dynamic friction is better than one-size-fits-all friction
The future is not about making every customer jump through the same hoops, but about escalating checks based on trust signals and behavioral anomalies.

Dealers are important, but they can’t solve this alone
Indirect lending creates structural gaps, and relying solely on dealer-side controls will not stop organized fraud networks.

The industry needs a lender-led, ecosystem-wide response
Panelists were clear that solving synthetic fraud and bust-out behavior will require more timely data sharing, predictive analytics, and organized collaboration across lenders, bureaus, and technology providers.

Sign up for the CLA Finance Summit Series