Glyphward

KYC identity document verification AI · OFAC sanctions screening AI · Transaction monitoring and SAR AI · Beneficial ownership verification AI

Prompt injection in AML and KYC document verification AI

Anti-money laundering (AML) and know-your-customer (KYC) document verification AI has become the operational backbone for financial crime compliance at banks, money services businesses, cryptocurrency exchanges, and fintech platforms — processing identity document scan images of passports, national identity cards, driver's licences, and utility bills through AI-assisted customer due diligence (CDD) identity verification pipelines, sanctions screening document images of corporate formation filings, beneficial ownership certificates, and entity name confirmation displays through AI-assisted OFAC SDN list and EU consolidated sanctions list entity name match tools, wire transfer and correspondent banking document images of SWIFT MT103 and MT202 COV message confirmation displays and beneficiary entity documentation through AI-assisted transaction monitoring suspicious activity indicator classification tools, and beneficial ownership certificate and UBO declaration document images through AI-assisted FinCEN Corporate Transparency Act beneficial ownership information (BOI) verification and 25% ownership threshold CDD determination tools — concentrating Bank Secrecy Act §5318(h) anti-money laundering programme requirements establishing that financial institutions must develop and implement internal policies, procedures, and controls designed to guard against money laundering, including a compliance officer, ongoing employee training, an independent audit function, and a customer due diligence component compliant with FinCEN's 2016 CDD Rule, which requires financial institutions to establish and maintain written procedures reasonably designed to identify and verify the beneficial owners of legal entity customers at account opening and to understand the nature and purpose of customer relationships to develop risk profiles — applicable to AML compliance AI systems operated by NICE Actimize AI serving HSBC, UBS, Citigroup, RBC, and 25 or more global systemically important banks (G-SIBs) with AI-assisted transaction monitoring, customer risk scoring, and SAR management platforms processing millions of transaction events and document images per day; ComplyAdvantage AI serving 1,000 or more clients including Checkout.com, Paysafe, Goin, and Ramp with AI-assisted entity screening, adverse media monitoring, and payment fraud detection processing customer and entity identity data against global sanctions and watchlist databases; LexisNexis Risk Solutions AML AI serving 6,000 or more financial institutions globally with AI-assisted identity verification, entity resolution, and financial crime compliance for banks, insurance companies, and government agencies; Pega KYC AI serving JPMorgan Chase, Barclays, Deutsche Bank, and enterprise financial institutions with AI-assisted customer due diligence, KYC workflow automation, and beneficial ownership determination tools; and Alloy AI serving Ally Bank, Brex, Mercury, Column Tax, and 500 or more fintech clients with AI-assisted identity decisioning, KYC onboarding automation, and fraud prevention tools — and Office of Foreign Assets Control (OFAC) civil monetary penalty authority under 50 USC §1705 providing penalties up to $1,368,457 per transaction or twice the transaction value for violations of OFAC sanctions programmes including the SDN List, Consolidated Sanctions List, and sector-based sanctions, with OFAC enforcement actions historically ranging from $1 million to $1 billion against financial institutions for systemic sanctions screening failures arising from automated screening system vulnerabilities; EU Anti-Money Laundering Directive 6 (AMLD6) criminal liability extension to legal persons for facilitating money laundering offences by affiliated natural persons — applicable to EU-market financial institution AML AI systems; FATF Recommendation 10 customer due diligence requirements establishing that financial institutions should identify and verify the identity of customers using reliable, independent source documents, data, and information and should verify that any person purporting to act on behalf of a legal person is so authorised and identify and verify the identity of that person — applicable to AI-assisted KYC document verification systems used to satisfy FATF Recommendation 10 documentary verification requirements; and FinCEN Corporate Transparency Act beneficial ownership information reporting requirements under 31 CFR §1010.380 establishing that reporting companies must submit to FinCEN accurate beneficial ownership information including the full legal name, date of birth, current residential or business street address, and unique identification number from an acceptable identification document for each beneficial owner — in AI systems that process identity document scan images, sanctions screening document images, transaction monitoring document images, and beneficial ownership certificate images at financial crime compliance platform volumes that make individual human compliance officer review of every AI-processed KYC document and AML screening determination before the AI classification governs CDD completion and account opening impracticable for large financial institution compliance operations.

TL;DR

AML and KYC document verification AI platforms — NICE Actimize AI, ComplyAdvantage AI, LexisNexis Risk Solutions AI, Pega KYC AI, Alloy AI — process identity document scan images, OFAC sanctions screening entity images, wire transfer document images, and beneficial ownership certificate images through AI-assisted CDD, sanctions screening, transaction monitoring, and BOI verification pipelines. Adversarially crafted document images can suppress KYC identity document forgery detection under BSA §5318 CDD requirements, evade OFAC SDN entity name match under 50 USC §1705, suppress SAR-triggering transaction pattern indicators under BSA §5318(g) SAR reporting, and falsify beneficial ownership threshold determinations under FinCEN CTA 31 CFR §1010.380 — at thresholds of 65 for KYC identity document injection, 70 for sanctions screening evasion, 60 for SAR indicator suppression, and 65 for beneficial ownership falsification. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in AML and KYC document verification AI

1. KYC identity document forgery detection bypass (BSA §5318, FinCEN CDD Rule, OCC SR 11-7)

KYC identity document verification AI processes passport biographical data page scan images displaying machine-readable zone (MRZ) character strings in ICAO 9303 Part 4 format, driver's licence scan images in AAMVA DL/ID Card Design Standard format, national identity card scan images displaying holographic laminate, UV-fluorescent ghost image, and laser-engraved personalisation security feature overlays, utility bill and address verification document scan images displaying account holder name, service address, and provider identity fields, and corporate formation document scan images displaying registered entity name, formation state, registered agent identity, and entity type classification — from Alloy AI at 500 or more fintech clients including Ally Bank, Brex, Mercury, and Column Tax processing KYC onboarding identity document scan images through Alloy Identity decisioning and Alloy KYC automation AI for CDD identity verification completion and FinCEN CIP programme compliance; Pega KYC AI at JPMorgan Chase, Barclays, and Deutsche Bank processing customer due diligence identity document scan images through Pega Customer Decision Hub AI-assisted KYC workflow for financial institution CDD completion and FinCEN 2016 CDD Rule beneficial owner identification compliance; and LexisNexis Risk Solutions TrueID AI at 6,000 or more financial institutions processing identity document scan images through LexisNexis TrueID document authentication and OCR field extraction for government-issued ID authenticity classification, MRZ field extraction verification, and BSA CIP identity match determination — extracting CDD identity verification completions, BSA CIP identity match determinations, document authenticity pass or fail classifications, and KYC risk tier assignments from identity document scan image inputs in AI-assisted customer due diligence onboarding pipelines.

The adversarial injection surface is the identity document scan image submission pathway: Alloy AI, Pega KYC AI, or LexisNexis TrueID AI identity document scan images submitted through AI-assisted KYC CDD tools for CDD identity verification record generation and BSA CIP programme compliance documentation filing. An adversarially crafted passport scan image — in which pixel perturbations applied to the MRZ check digit computation display, the date of birth YYMMDD field rendering, the document number sequence display, the issuing country code display, or the ICAO 9303 biographical data page security feature overlay cause the AI to classify a document whose MRZ check digit computation verification would fail for an authentic document as a document passing all authenticity checks — can suppress a document forgery detection indicator that would otherwise generate a KYC identity verification failure event, an onboarding rejection notification, a high-risk customer escalation, or a FinCEN SAR consideration for identity fraud suspicion. In fintech and bank CDD pipelines where Alloy AI or LexisNexis TrueID AI processes identity document scan images without individual fraud investigator review of every AI document authenticity determination before the AI governs CDD completion and account opening, adversarial suppression of document forgery indicators creates BSA §5318(l) CIP identity verification accuracy, FinCEN 2016 CDD Rule customer due diligence completion, OCC Model Risk Guidance SR 11-7 model accuracy, and FATF Recommendation 10 reliable source documentary verification compliance dimensions.

The BSA §5318, FinCEN CDD Rule, OCC SR 11-7, and FATF Recommendation 10 regulatory consequences span Bank Secrecy Act §5318(l) CIP requirements establishing that covered financial institutions must implement written customer identification programme procedures including identity verification procedures relying on documentary methods and non-documentary methods, recordkeeping of identifying information for five years after account closure, and comparison of customer information against government-provided lists of known or suspected terrorists — adversarially bypassed AI document forgery detection enabling fraudulent CIP identity verification creates BSA §5318(l) CIP programme compliance failure with FinCEN civil money penalty authority and DOJ criminal prosecution dimensions; FinCEN 2016 CDD Rule 31 CFR §1010.230 requirements establishing that covered financial institutions must identify the beneficial owners of legal entity customers and verify the identity of each beneficial owner using either documentary or non-documentary methods for the natural persons identified — adversarially bypassed AI document scan verification enabling forged identity documents to satisfy CDD Rule documentary verification requirements creates FinCEN CDD Rule compliance failure with potential BSA civil money penalty authority; OCC Model Risk Guidance SR 11-7 model risk management standards requiring that banks validate the accuracy and robustness of model outputs including sensitivity testing to adversarial inputs — adversarially crafted document images that systematically bypass KYC document verification AI without detection create SR 11-7 model validation failure dimensions applicable to OCC-supervised institutions using Alloy AI or LexisNexis TrueID AI. Threshold: 65 for KYC identity document forgery detection bypass — reflecting BSA §5318(l) CIP identity verification accuracy, FinCEN 2016 CDD Rule documentary verification, OCC SR 11-7 model robustness validation, and FATF Recommendation 10 reliable source documentary verification dimensions.

2. OFAC sanctions screening entity name evasion (50 USC §1705, IEEPA, EU AMLD6)

OFAC sanctions screening AI processes corporate document images displaying entity name fields from articles of incorporation, operating agreements, and UBO declaration certificate displays, individual identity document images displaying full legal name fields from passports and national identity cards for comparison against the OFAC Specially Designated Nationals and Blocked Persons (SDN) List and Consolidated Sanctions List, correspondent banking counterparty documentation images displaying beneficiary institution name and jurisdiction display fields for comparison against OFAC sectoral sanctions programmes including CAATSA, OFAC Russia-related sanctions, Iran-related sanctions, and North Korea-related sanctions watchlists, and entity resolution display images showing AI-generated name match confidence scores against OFAC SDN list entries for common name variations, romanisation differences, and transliteration variants — from ComplyAdvantage AI at 1,000 or more clients including Checkout.com, Paysafe, Goin, Ramp, and Exness processing entity and individual identity images through ComplyAdvantage Entity Screening AI for global sanctions, watchlist, PEP (Politically Exposed Person), and adverse media match determination; NICE Actimize AI at HSBC, UBS, Citigroup, RBC, and 25 or more G-SIBs processing correspondent banking and large transaction counterparty document images through NICE Actimize Financial Crime and Compliance AI for OFAC sanctions programme matching and blocked entity identification; and LexisNexis Risk Solutions World-Check AI serving 10,000 or more organisations globally with AI-assisted entity resolution and sanctions screening against the LexisNexis World-Check Risk Intelligence database for PEP, sanctions, watchlist, adverse media, and state-owned enterprise risk profile classification — extracting OFAC SDN list match determinations, sanctions programme block or reject decisions, PEP risk classification flags, and IEEPA-mandated transaction hold alerts from sanctions screening document image inputs in AI-assisted financial crime compliance pipelines.

The adversarial injection surface is the corporate entity name display image, individual identity document name display image, or correspondent banking counterparty document name image submission pathway: ComplyAdvantage AI, NICE Actimize AI, or LexisNexis World-Check AI entity and individual name display images submitted through AI-assisted sanctions screening tools for OFAC SDN match determination record generation and IEEPA-mandated transaction block or reject filing. An adversarially crafted corporate entity name display image — in which pixel perturbations applied to the entity legal name character rendering display, the romanisation variant display field, the DBA or trade name display, or the jurisdiction and registration number display cause the AI entity name recognition OCR and match classifier to generate a name representation that does not match the OFAC SDN list entry for the entity being screened — when the actual entity is an OFAC-designated SDN — can suppress an OFAC match hit indicator that would otherwise generate a transaction block, an account freeze notification, an OFAC interdiction hold, or a FinCEN suspicious activity report (SAR) consideration for OFAC-related evasion suspicion. In correspondent banking and large transaction processing platforms where NICE Actimize AI or ComplyAdvantage AI processes counterparty document images without individual OFAC compliance officer review of every AI name match determination before the AI classification governs transaction processing, adversarial suppression of OFAC SDN match indicators creates 50 USC §1705 OFAC civil penalty, IEEPA 50 USC §1702 transaction prohibition, EU AMLD6 criminal liability, and FATF Recommendation 6 targeted financial sanctions compliance dimensions.

The 50 USC §1705, IEEPA §1702, EU AMLD6, and FATF Recommendation 6 regulatory consequences span OFAC civil penalty authority under 50 USC §1705 providing for civil monetary penalties up to the greater of $1,368,457 or twice the value of the transaction for each violation of OFAC sanctions programmes — adversarially bypassed AI OFAC sanctions screening that fails to detect an SDN entity name in a corporate document image, enabling a prohibited transaction to be processed with an OFAC-designated SDN counterparty, creates 50 USC §1705 civil penalty exposure potentially exceeding twice the transaction value; OFAC enforcement history demonstrates penalties of $963 million against Standard Chartered Bank (2019), $892 million against BNP Paribas (OFAC component, 2014), and $657 million against Commerzbank (2015) for sanctions screening failures; IEEPA 50 USC §1702 executive power authority authorising the President to block transactions involving interests of sanctioned foreign countries, entities, and individuals — adversarially bypassed sanctions screening AI enabling transactions that IEEPA-based OFAC programmes require to be blocked creates direct IEEPA violation dimensions; EU Anti-Money Laundering Directive 6 (AMLD6) criminal liability extension to legal persons for facilitating money laundering offences by affiliated natural persons — adversarially bypassed EU sanctions screening AI enabling transactions with EU consolidated sanctions list entities creates AMLD6 criminal liability dimensions for EU-market financial institutions using ComplyAdvantage AI or LexisNexis World-Check AI. Threshold: 70 for OFAC sanctions screening entity name evasion — reflecting 50 USC §1705 OFAC civil penalty, IEEPA §1702 transaction prohibition, EU AMLD6 criminal liability, and FATF Recommendation 6 targeted financial sanctions compliance dimensions.

3. Suspicious activity report indicator suppression (BSA §5318(g), FinCEN SAR requirements)

Transaction monitoring and SAR determination AI processes wire transfer confirmation document images displaying SWIFT MT103 instruction field values including ordering institution BIC, beneficiary account number, transaction amount, currency, and value date, correspondent banking MT202 COV document images displaying beneficiary institution jurisdiction and correspondent banking chain display fields, trade finance document images including letters of credit, bills of lading, and shipping documentation displays that AI-assisted trade finance monitoring platforms use to detect trade-based money laundering (TBML) indicators, and payment pattern visualisation images including network graph display images showing customer transaction network topology and transaction velocity display charts generated by AI transaction monitoring platforms — from NICE Actimize AI Suspicious Activity Monitoring AI at HSBC, UBS, Citigroup, and 25 or more G-SIBs processing transaction document images and monitoring visualisation displays through AI-assisted SAR candidacy scoring, alert generation, and case management for BSA §5318(g) SAR filing programme compliance; ComplyAdvantage Payment Screening AI at 1,000 or more clients processing payment instruction document images for sanctions match, adverse media, and suspicious pattern detection; and LexisNexis Risk Solutions AML AI at 6,000 or more institutions processing customer activity document images through AI-assisted financial crime risk scoring for SAR candidacy determination — extracting SAR candidacy scores, alert severity classifications, structuring pattern detections, TBML indicator flags, and FinCEN mandatory reporting threshold assessments from transaction document and monitoring visualisation image inputs in AI-assisted suspicious activity monitoring pipelines.

The adversarial injection surface is the wire transfer document image, trade finance document image, or transaction monitoring network graph display image submission pathway: NICE Actimize AI, ComplyAdvantage AI, or LexisNexis AML AI transaction document and monitoring visualisation images submitted through AI-assisted SAR determination and financial crime compliance tools for SAR candidacy record generation and FinCEN mandatory reporting threshold assessment. An adversarially crafted SWIFT MT103 wire transfer confirmation display image — in which pixel perturbations applied to the ordering institution BIC display field, the beneficiary account number display, the transaction amount display, the currency code display, or the value date field cause the AI OCR and transaction pattern classifier to extract field values that, when compared against structuring thresholds, smurfing pattern detection rules, and jurisdiction risk indicator lists, produce a SAR candidacy score below the platform's alert generation threshold — when the actual transaction's originating institution, beneficiary account, amount, and value date pattern matches the platform's SAR candidacy scoring criteria for suspicious transaction reporting — can suppress a SAR alert that would otherwise generate a SAR candidacy case opening, a compliance officer review escalation, a FinCEN SAR filing, or a correspondent banking transaction hold. In large-volume transaction monitoring platforms where NICE Actimize AI or ComplyAdvantage AI processes wire transfer document images without individual compliance officer review of every AI SAR candidacy determination before the AI governs alert generation and SAR filing, adversarial suppression of SAR indicator features creates BSA §5318(g) SAR filing programme compliance failure dimensions with FinCEN civil money penalty authority and potential criminal liability for knowing failures to file required SARs.

The BSA §5318(g), FinCEN SAR requirements, and criminal liability regulatory consequences span Bank Secrecy Act §5318(g) suspicious activity report requirements establishing that financial institutions shall file a report with FinCEN when the institution knows, suspects, or has reason to suspect that a transaction involves funds from illegal activities or is designed to evade any transaction reporting requirements or lacks a lawful purpose, for transactions involving $5,000 or more in funds for banks and money services businesses — adversarially suppressed AI SAR candidacy indicator detection that prevents NICE Actimize AI or ComplyAdvantage AI from generating the alert that would trigger the compliance officer review and SAR filing creates BSA §5318(g) SAR filing compliance failure with FinCEN civil money penalty authority up to $25,000 per day of ongoing violation and potential criminal liability under 31 USC §5322 for knowing failures to file SARs; FinCEN SAR Activity Review and FinCEN advisories on financial crime typologies describing specific transaction document patterns including layering through wire transfers, trade-based money laundering documentation patterns, and structuring through multiple small transactions that AI transaction monitoring platforms must detect — adversarially crafted transaction document images that suppress these typology-specific features in NICE Actimize AI and ComplyAdvantage AI create systematic SAR filing programme failure for the documented typologies; the criminal conspiracy and aiding and abetting exposure applicable to financial institutions whose AI SAR systems are systematically compromised by adversarial injection to suppress SAR filing obligations. Threshold: 60 for SAR indicator suppression — reflecting BSA §5318(g) SAR filing programme compliance, FinCEN civil money penalty authority, criminal liability under 31 USC §5322 for knowing failures, and FinCEN financial crime typology detection dimensions.

4. Beneficial ownership certificate falsification (FinCEN CTA 31 CFR §1010.380, EU AMLD5 Art. 30)

Beneficial ownership verification AI processes UBO (Ultimate Beneficial Owner) declaration certificate document images displaying shareholder register excerpts showing individual person name, ownership percentage, share class, and registration date fields, corporate structure diagram display images showing ownership chain topology with entity names, jurisdiction labels, and ownership percentage indicators at each intermediate holding company level, Corporate Transparency Act BOI reporting confirmation images displaying reported beneficial owner full legal name, date of birth, address, and identification number fields, and trust deed and nominee arrangement disclosure document images displaying settlor identity, trustee identity, and beneficial interest holder fields — from Pega KYC AI at JPMorgan Chase, Barclays, and Deutsche Bank processing UBO certificate document images through Pega Customer Decision Hub AI-assisted beneficial ownership determination and 25% threshold CDD verification for FinCEN 2016 CDD Rule compliance; NICE Actimize AI at G-SIB clients processing beneficial ownership verification document images through NICE Actimize Customer Due Diligence AI for enterprise-level beneficial ownership determination and FinCEN CTA BOI verification; and Alloy AI at 500 or more fintech clients processing beneficial ownership document images through Alloy Identity and Alloy KYC AI for fintech platform CDD beneficial ownership completion and FinCEN CTA BOI compliance — extracting 25% beneficial owner threshold determinations, beneficial owner identity match verifications, corporate structure beneficial interest chain resolutions, and FinCEN CTA BOI reporting accuracy determinations from UBO certificate and ownership declaration document image inputs in AI-assisted beneficial ownership verification pipelines.

The adversarial injection surface is the UBO certificate document image, corporate structure diagram display image, or CTA BOI confirmation image submission pathway: Pega KYC AI, NICE Actimize AI, or Alloy AI beneficial ownership document images submitted through AI-assisted beneficial ownership determination and CDD completion tools for beneficial ownership verification record generation and FinCEN CTA BOI accuracy confirmation. An adversarially crafted UBO declaration certificate document image — in which pixel perturbations applied to the ownership percentage numerical display field, the share class designation display, the beneficial owner full legal name character rendering, the date of the ownership register certificate display, or the certification authority signature display cause the AI to extract an ownership percentage value below the FinCEN CDD Rule 25% beneficial owner identification threshold when the actual certificate documents an ownership interest above 25%, or to misread the beneficial owner legal name in a way that fails to match the owner to an OFAC SDN list entry or adverse media risk profile — can suppress a beneficial owner identification flag that would otherwise generate a 25% threshold CDD beneficial owner identification obligation, an OFAC SDN beneficial owner match alert, an adverse media risk profile escalation, or a FinCEN CTA BOI accuracy correction notice. In financial institution CDD pipelines where Pega KYC AI or Alloy AI processes UBO certificate images without individual compliance officer review of every AI beneficial ownership percentage determination before the AI governs CDD completion, adversarial falsification of beneficial ownership thresholds creates FinCEN CDD Rule 31 CFR §1010.230 beneficial owner identification compliance failure, FinCEN CTA 31 CFR §1010.380 BOI reporting accuracy, and EU AMLD5 Article 30 beneficial ownership register accuracy dimensions.

The FinCEN CDD Rule, FinCEN CTA, EU AMLD5 Article 30, and FATF Recommendation 24 regulatory consequences span FinCEN 2016 Customer Due Diligence Rule 31 CFR §1010.230 requirements establishing that covered financial institutions must establish and maintain written procedures to identify and verify the identity of each beneficial owner of a legal entity customer at the time of account opening — defining beneficial owner as each individual who owns directly or indirectly 25% or more of the equity interests of a legal entity customer and one individual who controls the customer (control prong) — adversarially crafted UBO certificate images that suppress ownership percentage display above the 25% threshold causing Pega KYC AI or Alloy AI to not identify a beneficial owner who meets the 25% threshold creates FinCEN CDD Rule §1010.230 beneficial owner identification programme failure with BSA civil money penalty authority; FinCEN Corporate Transparency Act beneficial ownership information reporting under 31 CFR §1010.380 requiring reporting companies to submit to FinCEN accurate BOI including the full legal name, date of birth, address, and unique identification number for each beneficial owner — adversarially falsified AI beneficial ownership verification that enables incorrect BOI submissions to FinCEN creates CTA compliance and willful failure-to-report criminal liability dimensions; EU Anti-Money Laundering Directive 5 (AMLD5) Article 30 central beneficial ownership register requirements and AMLD6 criminal liability provisions applicable to EU-market financial institution beneficial ownership AI. Threshold: 65 for beneficial ownership certificate falsification — reflecting FinCEN CDD Rule §1010.230 25% threshold identification, FinCEN CTA §1010.380 BOI accuracy, EU AMLD5 Article 30 register accuracy, and FATF Recommendation 24 beneficial ownership transparency dimensions.

Integration: AML and KYC document verification AI image ingestion with Glyphward pre-scan

AML and KYC document verification AI image ingestion flows from Alloy AI, Pega KYC AI, and LexisNexis TrueID AI KYC identity document scan image processing channels, ComplyAdvantage AI, NICE Actimize AI, and LexisNexis World-Check AI sanctions screening entity name document image processing pipelines, NICE Actimize AI and ComplyAdvantage AI transaction document and monitoring visualisation image processing interfaces, and Pega KYC AI, NICE Actimize AI, and Alloy AI beneficial ownership certificate document image processing endpoints into CDD identity verification AI, OFAC sanctions match AI, SAR candidacy determination AI, and beneficial ownership threshold verification AI pipelines. Insert Glyphward's pre-scan at the ingestion boundary before AI-generated output is committed to CDD completion records, OFAC transaction block or reject decisions, SAR candidacy alert records, or beneficial ownership identification compliance documentation:

import asyncio
import base64
import hashlib
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# AML & KYC document verification AI — adversarial pixel injection in identity
# document scan images, sanctions screening entity name display images, transaction
# monitoring document images, and beneficial ownership certificate images with
# BSA §5318, FinCEN CDD Rule, OFAC 50 USC §1705, EU AMLD6, and FATF consequences.

# BSA §5318(l) CIP identity verification; FinCEN 2016 CDD Rule §1010.230;
# OCC SR 11-7 model robustness validation; FATF Recommendation 10 documentary.
THRESHOLD_KYC_DOCUMENT_VERIFICATION_AI      = 65

# OFAC 50 USC §1705 civil penalty; IEEPA §1702 transaction prohibition;
# EU AMLD6 criminal liability; FATF Recommendation 6 targeted financial sanctions.
THRESHOLD_SANCTIONS_SCREENING_AI            = 70

# BSA §5318(g) SAR filing programme; FinCEN civil money penalty §25,000/day;
# 31 USC §5322 criminal liability for knowing SAR failures; FinCEN typologies.
THRESHOLD_SAR_INDICATOR_TRANSACTION_AI      = 60

# FinCEN CDD Rule §1010.230 25% threshold; FinCEN CTA §1010.380 BOI accuracy;
# EU AMLD5 Art.30 register accuracy; FATF Recommendation 24 beneficial ownership.
THRESHOLD_BENEFICIAL_OWNERSHIP_AI           = 65


class AMLKYCDocumentVerificationAIContext(str, Enum):
    KYC_DOCUMENT_VERIFICATION_AI      = "kyc_document_verification_ai"      # Alloy, Pega KYC, LexisNexis TrueID
    SANCTIONS_SCREENING_AI            = "sanctions_screening_ai"            # ComplyAdvantage, NICE Actimize, LexisNexis World-Check
    SAR_INDICATOR_TRANSACTION_AI      = "sar_indicator_transaction_ai"      # NICE Actimize SAM, ComplyAdvantage
    BENEFICIAL_OWNERSHIP_AI           = "beneficial_ownership_ai"           # Pega KYC, NICE Actimize CDD, Alloy


def threshold_for(context: AMLKYCDocumentVerificationAIContext) -> int:
    mapping = {
        AMLKYCDocumentVerificationAIContext.KYC_DOCUMENT_VERIFICATION_AI:      THRESHOLD_KYC_DOCUMENT_VERIFICATION_AI,
        AMLKYCDocumentVerificationAIContext.SANCTIONS_SCREENING_AI:            THRESHOLD_SANCTIONS_SCREENING_AI,
        AMLKYCDocumentVerificationAIContext.SAR_INDICATOR_TRANSACTION_AI:      THRESHOLD_SAR_INDICATOR_TRANSACTION_AI,
        AMLKYCDocumentVerificationAIContext.BENEFICIAL_OWNERSHIP_AI:           THRESHOLD_BENEFICIAL_OWNERSHIP_AI,
    }
    return mapping[context]


async def scan_aml_kyc_document_verification_ai_image(
    image_path: str | Path,
    context: AMLKYCDocumentVerificationAIContext,
    case_entity_hash: str,      # SHA-256 of case or customer ID (never plaintext PII)
    compliance_ref: str,        # e.g. "ALLOY-KYC-2026-ONB-4412", "ACTIMIZE-SAR-2026-G-SIB-8821"
    verification_case_id: str,
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan an AML or KYC document verification AI image for adversarial injection
    payloads before forwarding to CDD identity verification, OFAC sanctions screening,
    SAR indicator classification, or beneficial ownership determination AI.

    Raises AdversarialAMLKYCDocumentVerificationAIImageError if score meets threshold:
      - KYC_DOCUMENT_VERIFICATION_AI:  threshold 65; BSA §5318(l); FinCEN CDD Rule
      - SANCTIONS_SCREENING_AI:        threshold 70; OFAC 50 USC §1705; IEEPA §1702
      - SAR_INDICATOR_TRANSACTION_AI:  threshold 60; BSA §5318(g); 31 USC §5322
      - BENEFICIAL_OWNERSHIP_AI:       threshold 65; FinCEN CDD Rule §1010.230; CTA
    """
    image_bytes    = Path(image_path).read_bytes()
    image_b64      = base64.b64encode(image_bytes).decode()
    image_sha256   = hashlib.sha256(image_bytes).hexdigest()
    client_scan_id = str(uuid.uuid4())
    threshold      = threshold_for(context)

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "aml_kyc_context":        context.value,
                "case_entity_hash":       case_entity_hash,
                "compliance_ref":         compliance_ref,
                "verification_case_id":   verification_case_id,
                "client_scan_id":         client_scan_id,
                "image_sha256":           image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "case_entity_hash":       case_entity_hash,
        "compliance_ref":         compliance_ref,
        "verification_case_id":   verification_case_id,
        "aml_kyc_context":        context.value,
        "scan_id":                result["scan_id"],
        "client_scan_id":         client_scan_id,
        "image_sha256":           image_sha256,
        "score":                  result["score"],
        "flagged_region":         result.get("flagged_region"),
        "threshold":              threshold,
        "action":                 "blocked" if result["score"] >= threshold else "allowed",
    }
    await write_aml_kyc_audit_record(audit_record)

    if result["score"] >= threshold:
        raise AdversarialAMLKYCDocumentVerificationAIImageError(
            f"AML/KYC document verification AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"entity={case_entity_hash} ref={compliance_ref}"
        )
    return result


async def write_aml_kyc_audit_record(record: dict) -> None:
    """Persist audit record to AML/KYC compliance regulatory documentation store (stub)."""
    import json, sys
    print(json.dumps(record), file=sys.stderr)


class AdversarialAMLKYCDocumentVerificationAIImageError(Exception):
    """Raised when an AML/KYC document verification AI image exceeds the adversarial injection threshold."""
    pass

Call scan_aml_kyc_document_verification_ai_image() with AMLKYCDocumentVerificationAIContext.KYC_DOCUMENT_VERIFICATION_AI before forwarding Alloy AI, Pega KYC AI, or LexisNexis TrueID AI identity document scan images to CDD identity verification AI — with case_entity_hash as the SHA-256 of the customer case identifier for BSA §5318(l) CIP identity verification, FinCEN 2016 CDD Rule §1010.230 documentary verification, and OCC SR 11-7 model validation audit trail. Call with AMLKYCDocumentVerificationAIContext.SANCTIONS_SCREENING_AI for ComplyAdvantage AI, NICE Actimize AI, or LexisNexis World-Check AI entity name document images before OFAC SDN match AI — for 50 USC §1705 OFAC civil penalty compliance, IEEPA §1702 transaction prohibition, and EU AMLD6 criminal liability audit trail. Call with AMLKYCDocumentVerificationAIContext.SAR_INDICATOR_TRANSACTION_AI for NICE Actimize AI or ComplyAdvantage AI transaction document images before SAR candidacy AI — for BSA §5318(g) SAR filing programme compliance and 31 USC §5322 criminal liability audit trail. Call with AMLKYCDocumentVerificationAIContext.BENEFICIAL_OWNERSHIP_AI for Pega KYC AI, NICE Actimize AI, or Alloy AI beneficial ownership certificate images before beneficial owner determination AI — for FinCEN CDD Rule §1010.230 25% threshold compliance and FinCEN CTA §1010.380 BOI accuracy audit trail. Get early access

Coverage matrix

Tool Detects KYC document forgery bypass Detects sanctions screening evasion Detects SAR indicator suppression Detects beneficial ownership falsification
Lakera Guard No (text only) No (text only) No (text only) No (text only)
LLM Guard No (text only) No (text only) No (text only) No (text only)
Azure Prompt Shields No (text only) No (text only) No (text only) Text only, Azure-gated
Platform-native (NICE Actimize, ComplyAdvantage, LexisNexis) No adversarial pixel injection detection No adversarial pixel injection detection No adversarial pixel injection detection No per-request PI evidence
Glyphward Yes — pixel-level MRZ/document field injection detection; threshold 65; case_entity_hash audit trail Yes — pixel-level entity name OCR injection detection; threshold 70; compliance_ref audit trail Yes — pixel-level transaction indicator suppression detection; threshold 60; verification_case_id audit trail Yes — pixel-level ownership percentage field injection; threshold 65; scan_id per request

Related questions

What is the difference between KYC document forgery and adversarial injection in identity document AI?

Traditional KYC identity document forgery involves physically or digitally altering a document — changing the date of birth, document number, or photograph on a passport or driver's licence — in ways that are detectable by document security feature examination including UV light inspection, hologram verification, microprint examination, and MRZ check digit computation. Experienced KYC fraud investigators and document security AI trained on known forgery techniques can detect traditional forgeries through these visual and computational checks. Adversarial injection is distinct: it does not alter the document's visual content in ways detectable by human inspection or by conventional document security feature checkers. Instead, adversarial injection applies imperceptible pixel perturbations to the document image that specifically target the vulnerability of the AI classifier's neural network decision boundary, causing the AI to extract incorrect field values or assign incorrect authenticity scores while the document image appears visually authentic to human reviewers and passes conventional security feature checks.

For Alloy AI, LexisNexis TrueID AI, and Pega KYC AI document verification systems, adversarial injection creates a compliance gap that is invisible to existing fraud detection frameworks: the traditional document security feature checks pass (the document's visual appearance is authentic), the human reviewer sees nothing suspicious, but the AI OCR classifier extracts incorrect MRZ field values or the AI document authenticity scorer assigns an above-threshold authenticity score for a document whose underlying data would cause the human reviewer to reject the application if correctly extracted. The BSA §5318(l) CIP identity verification and FinCEN 2016 CDD Rule documentary verification compliance frameworks assume that AI document verification systems produce accurate field extractions and authenticity determinations — adversarial injection that systematically corrupts AI document field extraction without any visual indicator creates a model risk that OCC SR 11-7 model validation requires financial institutions to test for and address. Glyphward pre-scan at the KYC document verification AI ingestion boundary at threshold 65 provides the pixel-level adversarial injection detection that detects this invisible attack class before the AI document field extraction and authenticity determination governs CDD completion.

How large are OFAC civil monetary penalties for sanctions screening AI failures and what is the enforcement precedent?

OFAC civil monetary penalty authority under the International Emergency Economic Powers Act (IEEPA) 50 USC §1705 and Trading with the Enemy Act (TWEA) provides for base civil monetary penalties up to $1,368,457 per transaction or twice the value of the transaction for each violation — with the larger amount applying. OFAC enforcement practice applies a voluntary self-disclosure 50% penalty reduction for institutions that proactively disclose violations, but maintains full penalty authority for egregious violations involving wilful or reckless conduct, concealment, or systematic compliance programme failures. OFAC's largest enforcement actions against financial institutions include: Standard Chartered Bank (2019, $639 million OFAC component of $1.1 billion total), Commerzbank (2015, $258 million OFAC component of $1.45 billion total), BNP Paribas (2014, $963 million OFAC component of $8.97 billion total), and UniCredit (2019, $611 million OFAC component of $1.3 billion total) — demonstrating that systematic sanctions screening failures across multiple transactions aggregate to nine-figure enforcement outcomes.

For financial institutions using ComplyAdvantage AI, NICE Actimize AI, or LexisNexis World-Check AI for OFAC screening, adversarial injection that systematically suppresses SDN entity name match detection creates an enforcement exposure profile similar to historical OFAC enforcement cases involving inadequate screening system design or implementation — where the institution's screening system consistently failed to detect OFAC-designated counterparties across multiple transactions. OFAC's guidance on compliance programme effectiveness explicitly addresses the use of automated sanctions screening systems and their vulnerability to obfuscation techniques including name variations, romanisation differences, and transliteration variants — adversarial pixel injection that corrupts AI OCR extraction of entity names from document images to prevent SDN match is an extension of the obfuscation technique category that OFAC compliance programmes are required to address. OFAC's framework for evaluating sanctions compliance programmes specifically identifies the adequacy of an institution's testing, auditing, and remediation of its automated screening systems as a determinant of penalty severity. Glyphward pre-scan at the OFAC sanctions screening AI ingestion boundary at threshold 70 provides the pixel-level adversarial injection detection evidence that OFAC compliance programme adequacy documentation requires.

What are the FinCEN Corporate Transparency Act beneficial ownership AI verification obligations and how does adversarial injection create exposure?

FinCEN Corporate Transparency Act (CTA) beneficial ownership information reporting requirements under 31 CFR §1010.380 establish that reporting companies (corporations, LLCs, and similar entities formed or registered to do business in the United States) must submit to FinCEN a beneficial ownership information (BOI) report including the full legal name, date of birth, current residential or business street address, and unique identifying number from an acceptable identification document (passport, driver's licence, or FinCEN identifier) for each beneficial owner — defined as any individual who directly or indirectly exercises substantial control over the reporting company or directly or indirectly owns or controls at least 25% of the ownership interests of the reporting company. Financial institutions using Pega KYC AI, NICE Actimize CDD AI, or Alloy AI to verify beneficial ownership information against CTA-reported BOI data use AI document verification to confirm that the beneficial owner identity documents submitted by legal entity customers match the BOI information reported to FinCEN.

Adversarial injection creates FinCEN CTA exposure for financial institutions in two directions. First, adversarially crafted beneficial ownership certificate document images that cause Pega KYC AI or Alloy AI to extract ownership percentages below the 25% threshold for individuals actually owning above 25% suppress the beneficial owner identification obligation, causing the financial institution's CDD programme to fail to identify and verify a beneficial owner that CTA and the FinCEN CDD Rule require. Second, adversarially crafted UBO certificate images that cause the AI to misread the beneficial owner's legal name prevent matching the identified beneficial owner against OFAC SDN, adverse media, and PEP databases — creating a dual-failure: the CDD programme identifies the beneficial owner but the identity verification fails to detect that the owner is an OFAC-designated SDN. CTA violations are subject to FinCEN civil money penalties of $500 per day per violation up to $10,000 per violation, and criminal penalties of up to $10,000 and up to two years imprisonment for wilful violations under 31 USC §5336(h). The interaction between CTA BOI accuracy requirements and OFAC screening obligations means that adversarially bypassed AI beneficial ownership document verification creates compounding regulatory exposure. Glyphward pre-scan at the beneficial ownership AI ingestion boundary at threshold 65 addresses both the FinCEN CDD Rule §1010.230 threshold identification dimension and the OFAC SDN identity match dimension of beneficial ownership AI adversarial injection.

How does trade-based money laundering document image injection differ from standard wire transfer document injection in SAR AI?

Trade-based money laundering (TBML) exploits international trade documentation including letters of credit, bills of lading, commercial invoices, and packing lists to move funds across borders, launder criminal proceeds, or evade sanctions — by manipulating trade document values including over-invoicing (inflating invoice prices above market value to transfer value from importer to exporter), under-invoicing (deflating invoice prices to evade customs duties), multiple invoicing (submitting duplicate invoices for the same shipment across different financial institutions), and falsely described goods (misrepresenting the nature of the goods in bills of lading and commercial invoices). NICE Actimize AI and ComplyAdvantage AI TBML detection processes trade finance document images including letter of credit display images, bill of lading scan images, and commercial invoice scan images through AI-assisted document value analysis, commodity price comparison, and document consistency classification for SAR candidacy generation.

Adversarial injection in TBML document AI differs from wire transfer SAR indicator suppression in the attack vector: wire transfer adversarial injection targets the AI OCR extraction of SWIFT MT103 field values (amount, beneficiary BIC, ordering institution) that drive structuring detection and correspondent banking screening; TBML adversarial injection targets the AI document analysis classification of trade finance document value fields (invoice unit price, quantity, total value, commodity description) that drive over-invoicing ratio analysis, commodity price benchmark comparison, and document consistency scoring. Because TBML detection AI must compare extracted trade document values against commodity price benchmarks and detect inconsistencies across multiple documents in a trade finance deal package, adversarial injection that corrupts AI extraction of any single document's unit price or quantity display can suppress the over-invoicing ratio detection that would trigger a SAR candidacy alert. FinCEN advisories on TBML typologies specifically cite document value manipulation as a primary TBML red flag indicator that financial institution AML programmes must address — adversarial injection that corrupts NICE Actimize AI or ComplyAdvantage AI TBML detection creates the specific FinCEN TBML typology evasion dimensions that BSA §5318(g) SAR filing obligations are designed to prevent. Glyphward pre-scan at the SAR indicator transaction AI ingestion boundary at threshold 60 provides detection for both wire transfer field injection and TBML document value injection attack vectors at the same pre-scan boundary.

What does LexisNexis World-Check screen for and how does entity name image injection evade its AI classification?

LexisNexis World-Check is a risk intelligence database and AI screening platform serving 10,000 or more organisations globally — including banks, insurance companies, law firms, and government agencies — that screens customer and counterparty identity information against a structured database of individuals and entities with verified records of financial crime, sanctions designation, regulatory enforcement action, serious adverse media coverage, and political exposure. World-Check's database covers OFAC SDN List, EU Consolidated Sanctions List, UN Security Council sanctions list, UK HMT financial sanctions, FATF high-risk jurisdictions, national financial intelligence unit (FIU) watchlists, Politically Exposed Persons (PEPs) from 240 or more countries and territories, state-owned enterprise directors and senior government officials, and subjects of verified adverse media coverage for money laundering, corruption, human trafficking, narcotics trafficking, terrorist financing, tax evasion, and fraud.

LexisNexis World-Check AI entity name matching uses OCR extraction from document images combined with AI-assisted entity resolution to match submitted names against the World-Check structured database, using fuzzy matching algorithms that account for name spelling variations, romanisation differences (Arabic, Cyrillic, Chinese character-to-Latin transliteration), patronymic and matronymic name format variations, name-order differences (given name first vs. family name first), and known name aliases and alternative transliterations recorded in the World-Check entity profiles. Adversarial pixel injection that corrupts the OCR extraction of an SDN or PEP name from a passport scan or corporate document image at the pixel level — before the extracted text string is submitted to the World-Check AI fuzzy matching classifier — bypasses the entire fuzzy matching capability of the World-Check name resolution engine: if the OCR output is corrupted to a string that does not trigger a fuzzy match against the target SDN entity's known name variants, the World-Check AI returns a no-match determination regardless of how sophisticated its fuzzy matching algorithms are. Glyphward pre-scan at the OFAC sanctions screening AI ingestion boundary at threshold 70 addresses the pixel-level OCR extraction corruption that occurs before the World-Check AI matching layer, providing the pre-processing injection detection that World-Check's post-processing fuzzy match algorithms cannot supply.

Further reading