Know your customer (KYC) and know your business (KYB) remain the first formal barrier between legitimate commerce and organized fraud, yet their durability depends on how they are operationalized across the enterprise.
Zac Cohen, chief product officer at Trulioo, said too many organizations still rely on episodic controls. “It’s still treating it as a one-time ‘check the box,’” he told PYMNTS as part of a mini-series on the blind spots in fraud defenses.
In practice, onboarding, transaction monitoring and account management often sit with different teams. Cohen noted that “different teams will have different responsibilities along the chain of an onboarding cycle or of a risk defense system.” When those functions are not coordinated, controls appear complete within each silo but incomplete across the lifecycle.
The alternative, he said, is a shift to continuous oversight. Referring to an “always on defense” posture, Cohen said, “bad people get friction and good people have a better experience.”
Properly aligned controls, in his view, do not degrade usability; they concentrate scrutiny on actors who present elevated risk characteristics.
Signal Depth, Behavioral Intent and the Onboarding Chain
Cohen emphasized that not all signals carry equal weight. In both KYB and KYC contexts, he said, “the depth and consistency of the digital footprint” are particularly telling. Authentic identities tend to display multi-layered trails, tenure and behavioral coherence. Fabricated profiles, by contrast, are often thin, recently created or inconsistent across data points.
Businesses introduce additional complexity. Newly incorporated firms may lack historical depth, which requires broader inventories of data and statistical modeling to assess typical patterns. With the right tooling, Cohen said, organizations can score “for the maturity of the business or the identity, as opposed to signal red flags.”
He also drew a distinction between unusual behavior and synthetic conduct. Risky but real users may transact outside expected norms, yet “their behavior still follows like human patterns over time,” he said. Synthetic or fully fabricated identities often reveal automation signals, abnormal velocity or mismatches between identity layers and device telemetry.
These insights matter beyond onboarding. Account updates, ownership changes and transaction flows all generate data. Without integration, those signals remain disconnected observations rather than a unified risk narrative.
Handoff Gaps and Inconsistent Risk Models
Cohen identified risk tools as a primary weakness for some firms. “It really comes down to an inconsistent risk model,” he said. Onboarding, profile updates and transactions may operate on separate systems, each producing different thresholds and rules. That fragmentation creates blind spots when data are not reconciled across platforms.
He also pointed to a drop in scrutiny after approval. Organizations often apply heavier controls at onboarding and then revert to lighter monitoring. The result is not merely regulatory exposure but structural vulnerability. Fraudsters study those seams and adjust their tactics accordingly.
Right-Sizing Risk Without Creating a False Positive Machine
Balancing friction and exposure requires more than incremental tuning. Cohen advises executives to view fraud prevention as a lifecycle rather than a single checkpoint. When services operate together, he argues, the trade-off between conversion and control becomes easier to manage.
In terms of monitoring, screening and surveillance should function as “a network and event driven machine, not binary and batch,” he told PYMNTS. Meaningful triggers might include ownership updates, adverse media spikes or newly connected high-risk nodes. Yet isolated alerts, without behavioral or relational context, can overwhelm investigative teams.
By layering watchlist hits with contextual data, organizations can “prioritize true exposure and suppress the low signal alerts,” Cohen said. In his view, that approach addresses the most persistent complaint among executives: the creation of a false positive machine that consumes resources without improving outcomes.
Scaling Across Jurisdictions Without Breaking Controls
Expansion introduces further strain. “Everything changes when you scale,” Cohen said. Risk ratings, cultural norms, customer expectations and data availability vary across North America, Europe, APAC and other regions.
He advised combining localized inputs with universal frameworks so that customization occurs within shared workflows. He also cautioned against relying solely on indirectly resold capabilities in new markets, emphasizing the importance of technology that is built and maintained across jurisdictions. Without that foundation, processes that functioned in one region can fracture in another.
Identity and Trust as Ongoing Disciplines
Cohen closed with a broader directive for risk and compliance leaders. Emerging technologies, including agentic and AI-driven systems, should operate alongside established controls to strengthen decision layers.
“I think the biggest takeaway I’m seeing today is agents and AI technology are not going to replace certain motions,” he said. “They need to run in parallel to enhance our positions and enhance how we manage risk and how we capture fraud and prevent it from entering our ecosystem.”
The post Trulioo Says Always-On Identity Checks Needed to Stop Fraud appeared first on PYMNTS.com.