Last Tuesday the FCA did something I genuinely didn't expect. They published their first-ever Emerging Technology Horizon Scan — a forward-looking document covering AI agents, synthetic media, digital twins, tokenisation, and a handful of other themes that will be familiar to anyone who reads Hacker News. The FCA — not exactly known for moving fast on technology — beat most of the industry to putting this in writing.

Most of the coverage I've seen has focused on the AI agents section, which is fair — the FCA explicitly names agentic AI as a coming consumer interface for financial services. That's interesting. But it's not the part that made me stop scrolling.

The part that made me stop was a concept buried deeper in the document: what the FCA calls "credibility engineering." It's their term for synthetic crime that doesn't just forge a single document — it fabricates entire ecosystems of plausibility. Think: fake companies with fake filings, fake directors with real-looking LinkedIn histories, fake counterparties with synthetic transaction trails. Not one forged document. A whole constellation of them, designed so that each piece corroborates the others.

If you run a credit risk function, you can see where this is going.

The problem isn't the fake — it's the corroboration

Think about how a typical mid-market credit assessment works. You get management accounts from the borrower. You cross-check against Companies House filings. Maybe you pull a credit agency report. If it's a larger deal, you check director histories and look for adverse media.

Each of those checks assumes it's looking at an independent source. The whole framework rests on the idea that if three different sources agree, the information is probably real.

Credibility engineering breaks that assumption. If someone can generate a plausible Companies House filing, a matching set of management accounts, a credit report that reflects the same numbers, and a director profile that checks out on LinkedIn — your cross-referencing doesn't catch the fraud. It confirms it. I'll say that again, because it's worth sitting with: the more checks you run, the more confident you get in something that's entirely fabricated. That's not a flaw in your team's diligence. It's a flaw in the architecture of the process itself.

I don't want to overstate how widespread this is today. The FCA's horizon scan is forward-looking — it's flagging a trajectory, not describing a current epidemic. But the tools to generate plausible-looking corporate artefacts — websites, documents, director profiles — are getting cheaper fast. The same trajectory applies to every other artefact in the corroboration chain.

Where the existing controls fall short

Most fraud detection in credit sits in one of two places: rules-based checks at onboarding (is the company registered? do the numbers tie? is the director on a sanctions list?) or post-disbursement monitoring (is the borrower behaving as expected?).

The gap is in the middle — the bit where you're assessing whether the sources themselves are trustworthy, not just whether the data in them is internally consistent.

The diagnostic question to ask is this: if someone fabricated a complete set of corroborating documents for a fictitious borrower, at what point in our current process would we catch it?

If you can answer that clearly, you're ahead of most teams I've worked with. If you can't — and I suspect most people reading this can't — it's worth understanding exactly where the vulnerability sits.

What a practical response looks like

I'm not going to suggest you rebuild your entire onboarding process. But there are a few things that are cheap to do and directly address the corroboration problem.

The first is provenance checking on Companies House data. Companies House has an API that returns filing history, officer appointments, and confirmation statement dates. If a company was incorporated 14 months ago but has a full set of filed accounts and three appointed directors with long histories at other companies — that's not suspicious on its own. But if those other companies were also incorporated recently, with their own conveniently complete filing histories, you've got a pattern worth flagging. A script that walks the director network two levels deep and checks incorporation dates takes maybe a day to write. It won't catch everything. It catches the lazy versions of this attack, which today is most of them.
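As an added illustration of that director-network walk (not the author's script or any Companies House client), the sketch below runs over a small constructed register held in memory. The company numbers, officer ids, the 730-day age cut-off and the 0.75 threshold are all assumptions chosen for the example.

```python
from datetime import date

# Constructed sample register (not real companies). In practice these records
# would come from Companies House company-profile and officer lookups.
COMPANIES = {
    "SYN001": {"incorporated": date(2024, 4, 1), "officers": ["d1", "d2", "d3"]},
    "SYN002": {"incorporated": date(2024, 2, 15), "officers": ["d1", "d4"]},
    "SYN003": {"incorporated": date(2024, 3, 20), "officers": ["d2", "d3"]},
    "SYN004": {"incorporated": date(2023, 12, 5), "officers": ["d4"]},
    "REAL001": {"incorporated": date(2024, 4, 1), "officers": ["d5", "d6"]},
    "OLD001": {"incorporated": date(2009, 6, 30), "officers": ["d5", "d7"]},
    "OLD002": {"incorporated": date(2012, 1, 15), "officers": ["d6"]},
    "NEW001": {"incorporated": date(2024, 9, 1), "officers": ["d7"]},
}
# Invert the officer lists: officer id -> every company they are appointed to.
APPOINTMENTS = {}
for number, record in COMPANIES.items():
    for officer in record["officers"]:
        APPOINTMENTS.setdefault(officer, []).append(number)

def linked_companies(root, depth=2):
    """Companies reachable from `root` through shared officers, `depth` hops out."""
    seen, frontier = {root}, [root]
    for _ in range(depth):
        reached = []
        for company in frontier:
            for officer in COMPANIES[company]["officers"]:
                for other in APPOINTMENTS[officer]:
                    if other not in seen:
                        seen.add(other)
                        reached.append(other)
        frontier = reached
    return seen - {root}

def young_network(root, as_of, max_age_days=730, depth=2):
    """Return (share of linked companies younger than max_age_days, their numbers)."""
    linked = linked_companies(root, depth)
    young = sorted(c for c in linked
                   if (as_of - COMPANIES[c]["incorporated"]).days <= max_age_days)
    return (len(young) / len(linked) if linked else 0.0), young

def flag_for_review(root, as_of, threshold=0.75):
    """Flag when most of the surrounding director network is itself newly formed."""
    share, _ = young_network(root, as_of)
    return share >= threshold
```

On this sample, SYN001 is flagged because every company its directors touch is under two years old, while REAL001, incorporated on the same day, is not, because its directors' other appointments are mostly long-established.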

The second is timestamp analysis. Synthetic documents tend to be generated in batches. If the management accounts PDF, the bank statements, and the projections all have metadata timestamps within the same hour — that's not proof of fraud, but it's a signal worth surfacing. Most credit teams I've worked with never look at document metadata. It's free information sitting in files you already have.
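One way to surface that signal, as an added example rather than code from the newsletter: read each PDF's `/CreationDate`, normalise it to UTC, and group files created within an hour of each other. The file names and byte strings are constructed, and the regex assumes an unencrypted PDF whose Info dictionary is stored as plain text.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string: D:YYYYMMDDHHmmSS followed by Z or a +HH'mm' / -HH'mm' offset.
_PDF_DATE = re.compile(
    rb"/CreationDate\s*\(D:(\d{14})(?:([+\-Z])(\d{2})?'?(\d{2})?'?)?\)")

def creation_time(pdf_bytes):
    """Return /CreationDate as an aware UTC datetime, or None if it is absent."""
    m = _PDF_DATE.search(pdf_bytes)
    if not m:
        return None
    stamp, sign, hh, mm = m.groups()
    local = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
    offset = timedelta(hours=int(hh or 0), minutes=int(mm or 0))
    if sign == b"-":
        offset = -offset
    return (local - offset).replace(tzinfo=timezone.utc)  # local minus offset = UTC

def batch_clusters(docs, window=timedelta(hours=1)):
    """Groups of two or more documents created within `window` of the group's first."""
    stamped = sorted((t, name) for name, data in docs.items()
                     if (t := creation_time(data)) is not None)
    clusters, current = [], []
    for t, name in stamped:
        if current and t - current[0][0] > window:
            if len(current) > 1:
                clusters.append([n for _, n in current])
            current = []
        current.append((t, name))
    if len(current) > 1:
        clusters.append([n for _, n in current])
    return clusters

# Constructed sample files: three share an hour once time zones are normalised.
SAMPLE_DOCS = {
    "management_accounts.pdf": b"<< /CreationDate (D:20250512101503+01'00') >>",
    "bank_statements.pdf": b"<< /CreationDate (D:20250512093210Z) >>",
    "projections.pdf": b"<< /CreationDate (D:20250512055902-04'00') >>",
    "lease.pdf": b"<< /CreationDate (D:20230301120000Z) >>",
    "scan.pdf": b"<< /Producer (constructed scanner) >>",
}
```

The three clustered files carry local times of 10:15, 09:32 and 05:59, so comparing the raw strings would miss that they were all created within 44 minutes of each other in UTC.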

The third — and this is the one that scales least well but matters most — is making sure at least one person in the credit chain is asking: "Could all of these sources have been generated by the same actor?" That's a different question from "Do these sources agree with each other?" and it requires a different mindset.

The takeaway

This week, take the FCA's Emerging Technology Horizon Scan and read the section on synthetic crime and credibility engineering. Then ask your credit or fraud team the diagnostic question above. You're not looking for a perfect answer — you're looking for whether anyone has ever asked it. If they haven't, that's your starting point. Not a new platform, not a vendor RFP. Just the question, and an honest conversation about where the gap is.

— Aksel

The Analytical Banker is a weekly note on data, analytics, and AI inside corporate banking — written for finance leaders who actually have to make this stuff work. Reply to this email if something here resonates, or forward it to a colleague who'd benefit.
