European fintechs are switching to automated document checks faster than I’ve seen any compliance trend move in a decade. And the ones that haven’t started? They’re running out of excuses.
Here’s what’s happening: payment fraud losses across the EEA hit EUR 4.2 billion in 2024, a 17% jump from the year before and up from EUR 3.4 billion in 2022, according to the EBA and ECB joint report on payment fraud. The new Anti-Money Laundering Authority (AMLA) is building a single regulatory rulebook. DORA audits are live. AMLD6 expanded criminal liability for upstream facilitators.
And 82% of financial firms now use some form of AI in their KYC processes, up from 42% in 2024.
But here’s the number that should keep compliance teams up at night: only 4% of those firms are fully automated. The rest are stuck in a patchwork of semi-manual processes, spot checks and tools that cover ID verification but ignore everything else.
That gap between “some AI” and “full automation” is exactly where fraud lives. Here’s why it’s closing fast, and what you should do about it.
The regulatory pressure European fintechs can no longer dodge
If you work in compliance at a European fintech, the past 18 months have been relentless. Three regulatory shifts landed almost simultaneously and none of them are optional.
DORA (Digital Operational Resilience Act) went into full enforcement in January 2025. It requires financial entities to prove their ICT systems, including document processing pipelines, can withstand operational disruptions. If your document verification depends on a team of three people manually opening PDFs, auditors will flag that as a single point of failure. Honestly, they’d be right.
AMLD6 (Sixth Anti-Money Laundering Directive) expanded the definition of money laundering offenses and introduced harsher penalties across EU member states. For fintechs, the big change is liability for upstream facilitators. If your onboarding process accepts fake documents that later enable money laundering, you’re exposed, even if you had zero intent.
AMLA, the EU’s new centralized Anti-Money Laundering Authority, is building out direct supervision of high-risk entities. For the first time, a single EU body can audit your compliance processes directly. No more relying on national regulators with inconsistent enforcement.
The message from Brussels is clear: document verification is not optional, and “we check some of them manually” won’t survive the next audit.
82% use AI in KYC, so why are only 4% fully automated?
This gap surprised us too. We talk to compliance teams every week at VerifyPDF, and the pattern is almost always the same.
Most fintechs adopted AI-powered ID verification early. Face matching, liveness detection, passport OCR, that part of KYC has been automated for years. But here’s the blind spot: ID verification is only one piece of the puzzle.
What about the bank statements submitted during income verification? The employment contracts uploaded for mortgage applications? The utility bills for proof of address? In most cases, those still go through manual review. A compliance officer opens the PDF, eyeballs it for a few minutes and makes a judgment call.
That’s not automation. That’s a bottleneck with a human face on it.
So why hasn’t this been fixed? Three reasons we hear constantly:
-
“Our ID verification provider doesn’t cover supporting documents.” Most identity verification platforms stop at government-issued IDs. They don’t touch bank statements, payslips or tax returns. Fintechs assume their existing vendor will expand into this space. They usually don’t.
-
“We haven’t had a major fraud incident… yet.” Survivorship bias, plain and simple. The fraud you don’t catch is the fraud you don’t know about. We’ve seen it over and over: companies that switch to automated document checks discover that 3-7% of their previously accepted documents show red flags that manual review missed entirely.
-
“The integration seemed complex.” Fair enough, three years ago. In 2026, API-based document verification takes less time to integrate than most payment providers. One API call, risk rating back in under 5 seconds. Simple, right?
If you’re still relying on ID verification alone without automated document checks, you’ve got a major blind spot in your onboarding process. And fraudsters know exactly where to find it.
Fraud sophistication has outpaced manual review
Here’s where things get uncomfortable. While fintechs have been slow to automate their document review pipelines, fraudsters have been sprinting.
The surge in EU fraud losses isn’t just about volume. The quality of fakes has improved dramatically. What changed?
Template farms went mainstream. You can buy a fake Dutch bank statement on Telegram for under EUR 200, complete with correct formatting, realistic transaction histories and embedded metadata that looks legitimate at first glance. These aren’t amateur Photoshop jobs, they’re produced by organized groups using templates that mimic real bank output down to the font kerning.
AI-generated documents are here. Large language models can produce realistic financial document content: transaction descriptions, employer names, salary figures that pass a plausibility check. Combined with accessible PDF editing tools, a single fraudster can generate hundreds of unique document variations in an afternoon.
Each one slightly different. Each one designed to slip past a human reviewer. A compliance officer reviewing 50 documents a day can’t spot trends across thousands of applications. A machine that has analyzed millions of documents can.
Cross-border fraud exploits regulatory fragmentation. A fraudster in one EU country submits fake documents from another country’s bank. Does your compliance team know what a legitimate Portuguese bank statement looks like? Or a Belgian payslip? How about a Finnish tax return? Manual reviewers usually don’t, and fraudsters know it. They deliberately pick document types from countries where your team has no local expertise. Automated systems trained on documents from over 90 countries close that gap.
The cost of getting it wrong keeps rising. Under AMLD6, a fintech that onboards a customer using fake documents can face criminal liability, not just fines. And a fraud incident reported to AMLA’s centralized registry follows a company for years.
This isn’t theoretical. The EBA/ECB report documented EUR 4.2 billion in payment fraud losses across the EEA in 2024. Some percentage of those losses started with a fake document that slipped past a manual reviewer.
Manual review was built for an era when fake documents were obvious to the trained eye. That era is over.
What a fully automated document check pipeline looks like
So what does “fully automated” actually mean? It’s not just OCR on a PDF and checking if the numbers add up. A proper automated document verification pipeline runs several checks simultaneously:
-
Metadata forensics. Every PDF contains creation metadata: timestamps, software identifiers, modification history. Automated checks cross-reference this against known patterns. A bank statement generated by a consumer PDF editor instead of the bank’s actual system? Flagged instantly.
-
Visual forensics. Font consistency, pixel-level analysis, compression artifacts, layer detection. These are checks the human eye literally cannot perform at scale, which is exactly why fraudsters have learned to exploit them.
-
Content validation. Do the numbers add up? Are the transaction dates on business days? Does the IBAN match the bank name? Does the formatting match what this specific bank actually produces? Automated systems cross-reference hundreds of data points per document.
-
Risk scoring. Not every anomaly means fraud. A good system produces a risk rating rather than a binary pass/fail. We use four levels at VerifyPDF: “Trusted”, “Low risk”, “Needs attention” and “High risk.” Your compliance team reviews the flagged documents, not every single one.
The result: documents that take a human reviewer 5-10 minutes get checked in under 5 seconds. Your team focuses on genuinely suspicious cases instead of drowning in routine reviews. And every check is auditable, which matters a lot when that DORA auditor shows up.
Why European-first document verification matters
Not all document verification tools are equal, and where a tool was built matters more than most fintechs realize.
Many solutions on the market were designed for the US or UK and later adapted for Europe. That approach leaves gaps. I’ve seen it firsthand working with fintechs that tried US-first vendors and hit a wall with European document formats.
European documents come in dozens of languages, follow country-specific formatting standards and must comply with GDPR data handling requirements. A bank statement from ING Netherlands looks nothing like one from Deutsche Bank or BNP Paribas. A payslip from a French employer follows completely different conventions than one from Spain.
We built VerifyPDF for Europe from the start. Our document forensics engine understands the specific formats, metadata patterns and red flags unique to European financial documents.
We’ve spent years mapping the output formats of major European banks: how ING generates its PDFs versus Rabobank, what metadata a genuine Deutsche Bank statement contains, how Santander structures its transaction histories. We process documents from over 90 countries, but our strongest coverage is in the EU market, where regulatory pressure is highest and fraud is growing fastest.
Being European-first also means data residency. Your documents don’t leave the EU. Your processing pipeline is GDPR-compliant by design, not by afterthought. For fintechs operating under DORA’s ICT risk management requirements, that matters for compliance. Full stop.
It also means understanding the regulatory context your team works in. When we flag a document as “High risk”, the report includes the specific forensic indicators that triggered the rating: metadata anomalies, formatting inconsistencies, content red flags. That’s the level of detail auditors expect. A vague “this document looks suspicious” won’t hold up when AMLA comes knocking.
The compliance window is closing
Here’s the bottom line. DORA enforcement, AMLD6 liability expansion and AMLA’s centralized oversight all landed in the same window. 2026 is the year “good enough” compliance stops being good enough.
If you’re among the 82% already using some AI in your KYC process, the jump to full automation is smaller than you think. Most fintechs can integrate automated document checks into their existing onboarding flow in days, not months.
Here’s what I’d recommend:
-
Audit your blind spots. Which document types bypass your automated checks? Bank statements, payslips and proof of address documents are the most commonly exploited. Start there.
-
Test with real data. Run a sample of previously accepted documents through an automated verification system. The results will tell you more than any vendor pitch. I’d bet money you find red flags in documents you already approved.
-
Start with high-risk flows. You don’t need to automate everything on day one. Lending decisions, high-value account openings and cross-border onboarding are where fake documents cause the most damage and where the ROI on automation is immediate.
The fintechs that automate document checks now will breeze through their next DORA audit. The ones that wait will spend that audit explaining why their manual process missed what a machine would have caught in seconds.
Want to see what your current process is missing? Try a free document check on VerifyPDF. Takes seconds, and you might not love what you find.
Fraudsters aren’t waiting around. Your compliance stack shouldn’t be either.