Adversarial image injection in fintech and payments AI

Financial services AI occupies a uniquely adversarial environment: every image submitted to a fintech or payments platform carries a direct monetary value that creates clear financial incentives for attackers to craft inputs that manipulate AI processing outcomes. The shift from human-review workflows to AI-assisted and fully automated image processing in cheque clearing, customer identity verification, corporate expense management, and trade finance document compliance has dramatically increased throughput and reduced operating costs — but it has also introduced a new attack surface that combines the volume-throughput characteristics of the automated pipeline with the financial stakes of every image it processes. Mitek Systems’ MiSnap SDK is embedded in the mobile banking applications of more than 6,500 financial institutions worldwide and processes billions of remote deposit capture (RDC) cheque images annually, performing MICR line extraction, signature verification, and forgery detection at point of capture before the image is transmitted for ACH settlement. The Onfido–Entrust merger (completed 2024) created one of the largest KYC AI identity verification platforms globally, processing passport photographs, driving licence scans, national identity card images, and liveness detection frames for financial institutions, fintech companies, and regulated businesses across 195 countries, with AML and BSA compliance obligations attached to every onboarding decision. Expensify’s SmartScan AI and competing platforms from Brex, SAP Concur, and Navan collectively process tens of millions of corporate expense receipt photographs each month, performing automated receipt line-item extraction, merchant classification, and policy compliance checking that feeds directly into corporate accounting systems and tax filings. 
Finacle Trade Finance AI (Infosys), Intellect Design Arena’s eMACH.ai, HSBC Trade Solutions AI, and Bolero’s Galileo AI process scanned bills of lading, letters of credit, commercial invoices, and certificates of origin to perform documentary credit compliance checking, sanctions screening, and fraud detection in international trade finance transactions that can individually reach hundreds of millions of dollars in value. The adversarial image injection threat to fintech and payments AI exploits image submission pathways in each of these four processing contexts. This page covers the four injection surfaces — cheque processing, KYC identity document verification, expense receipt processing, and trade finance document compliance — and how Glyphward’s pre-scan gate addresses the threat at the financial AI image ingestion boundary.

TL;DR

Fintech and payments AI — Mitek MiSnap cheque processing AI, Onfido–Entrust and Jumio KYC document AI, Expensify SmartScan and SAP Concur expense receipt AI, Finacle and Bolero trade finance document AI — processes mobile cheque deposit images, identity document scans, expense receipt photographs, and trade finance document scans. Adversarially crafted images submitted through mobile deposit apps, KYC onboarding portals, expense management mobile apps, and trade finance document upload portals can clear counterfeit cheques through automated MICR misreading, pass fraudulent identity documents through KYC AI forgery detection suppression, inflate expense claims through automated receipt amount manipulation, and suppress sanctions screening flags in trade finance document AI. Glyphward scans each image at the ingestion boundary with a threshold of ≥ 55 for cheque processing, KYC, and trade finance AI inputs, and ≥ 60 for expense receipt AI inputs. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in fintech and payments AI

1. Cheque image fraud AI injection (Mitek MiSnap, Digital Check CX30, NCR Voyix BankPoint, Signum AI)

Remote deposit capture (RDC) transformed cheque processing from a physical-document logistics problem into an AI image processing problem. When a retail banking customer photographs a cheque through a mobile banking application, that image travels through an AI processing pipeline before any human reviewer ever examines it — and in most financial institutions, automated cheque clearing means no human ever examines the vast majority of images at all. Mitek Systems’ MiSnap SDK, embedded in the mobile banking applications of more than 6,500 financial institutions including Bank of America, Wells Fargo, Chase, and hundreds of community banks and credit unions, performs the critical first-pass AI processing at point of capture: MICR line extraction reads the routing number and account number encoded in the magnetic ink character recognition line printed at the bottom of each cheque; image quality assessment determines whether the photograph is sufficiently clear for processing; forgery detection AI analyses the signature, payee name, and amount fields for indicators of cheque alteration. Digital Check’s CX30 scanner and NCR Voyix BankPoint perform equivalent processing for branch-presented and commercial RDC cheque images at higher volumes and under the more controlled imaging conditions of a dedicated scanner rather than a mobile camera. Signum AI specialises in cheque signature verification, applying deep learning models trained on millions of legitimate signature samples to flag signature forgeries that MICR-focused systems may miss.

The adversarial injection surface for cheque processing AI is the mobile deposit photograph itself, submitted by a customer through the authenticated mobile banking application RDC workflow. An adversarially crafted cheque image — in which pixel-level perturbations are applied to the MICR line region of the cheque photograph — can cause the Mitek MiSnap MICR extraction AI to misread the routing number or account number, redirecting the ACH settlement credit to an account controlled by the attacker rather than the legitimate payee bank account encoded in the magnetic ink. Because the MICR misread occurs at the AI extraction stage and produces a syntactically valid routing number and account number (the attacker pre-selects a target account at a real bank), the misread passes downstream validation that checks for structural validity of the ABA routing number format and account number length — without detecting that the values differ from the printed MICR line. A distinct and arguably more financially consequential adversarial variant targets the forgery detection component of cheque processing AI: an adversarially crafted image of an altered cheque — one in which the payee name or amount has been physically modified from the original — where pixel perturbations are applied to the image of the altered region to suppress the AI forgery flag that would otherwise indicate a colour or texture anomaly inconsistent with the original printing. A forgery-flag-suppressed altered cheque that passes automated AI forgery detection clears through the RDC pipeline without triggering the human review queue that an unmanipulated altered cheque image would generate.
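The gap between format validation and value validation described above, as an added example (not code from Glyphward or any RDC vendor). The sample routing and account numbers are constructed, the 4 to 17 digit account-length bound is an assumption, and the second extraction pass in `deposit_decision` is a hypothetical independent read of the same image.

```python
from dataclasses import dataclass

# ABA routing numbers carry a checksum: digits weighted 3, 7, 1 (repeating),
# and the weighted sum must be divisible by 10.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


@dataclass(frozen=True)
class MicrRead:
    """Routing and account number as produced by one extraction pass."""
    routing: str
    account: str


def aba_checksum_ok(routing: str) -> bool:
    """Return True when the 9-digit routing number passes the ABA checksum."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(routing, ABA_WEIGHTS)) % 10 == 0


def structurally_valid(read: MicrRead) -> bool:
    """Format-only validation: checksum plus an assumed account-length bound."""
    return (
        aba_checksum_ok(read.routing)
        and read.account.isdigit()
        and 4 <= len(read.account) <= 17
    )


def deposit_decision(primary: MicrRead, secondary: MicrRead) -> str:
    """Accept only when the primary read is well formed AND an independent
    second read of the same image agrees with it on every field."""
    if not structurally_valid(primary):
        return "reject"
    if primary != secondary:
        return "manual_review"
    return "accept"


# Constructed sample values (not real bank identifiers).
PRINTED = MicrRead(routing="123456780", account="000123456789")
ONE_DIGIT_OFF = MicrRead(routing="123456790", account="000123456789")
SUBSTITUTED = MicrRead(routing="987654320", account="000987654321")

if __name__ == "__main__":
    # A random single-digit misread breaks the checksum and is caught.
    print("one digit off, structurally valid:", structurally_valid(ONE_DIGIT_OFF))
    # A read that lands on a different well-formed number passes format checks.
    print("substituted, structurally valid:", structurally_valid(SUBSTITUTED))
    # Only the comparison against the independent read exposes the difference.
    print("decision:", deposit_decision(SUBSTITUTED, PRINTED))
```

The checksum catches every single-digit error, which is why a wholesale substitution to another well-formed number is the case that needs a value-level comparison.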

The financial consequences of cheque AI injection are direct and immediate: a MICR misread attack that redirects ACH settlement moves funds from the legitimate payee to the attacker’s account, with the misdirected payment typically identified only when the legitimate payee reports non-receipt — a delay that, for business-to-business cheque payments, may be 30–60 days. A forgery-flag-suppressed altered cheque clears against the drawer’s account for the fraudulently increased amount, with the drawer identifying the discrepancy only upon account statement review. Duplicate deposit fraud — where the same cheque is deposited through two different RDC channels by submitting the original physical cheque at a branch after the mobile deposit has already cleared — is enabled when adversarial pixel perturbations cause the duplicate detection AI to misidentify the mobile-deposited image as a different cheque from the branch-presented image. The Federal Reserve estimates that cheque fraud losses in the US reached approximately $26 billion in 2023, with RDC-enabled mobile deposit fraud representing a growing share of that total. The regulatory framework governing cheque AI processing is extensive: Federal Reserve Regulation CC (12 CFR Part 229) establishes the framework for cheque clearing and return, including the funds availability schedule that determines when RDC cheque deposits become available for withdrawal — and an AI-enabled duplicate deposit or counterfeit clearing attack exploits this availability window directly. The Check 21 Act (12 USC 5001 et seq.) establishes the legal framework for electronic cheque presentment through substitute cheque (Image Replacement Document) creation, establishing legal equivalence between the electronic image and the original paper cheque — and adversarial manipulation of the image before the substitute cheque is created corrupts this legal equivalence.
The Bank Secrecy Act (BSA, 31 USC 5311 et seq.) and its implementing regulations require financial institutions to file Suspicious Activity Reports (SARs) for transactions involving potential fraud — an automated cheque AI injection attack that clears fraudulent cheques without triggering a human review queue operates below the SAR detection threshold for individual transactions while potentially aggregating to significant total fraud losses across many accounts. Glyphward applies a threshold of ≥ 55 to cheque processing AI image inputs, calibrated to detect the pixel perturbation signatures characteristic of MICR line manipulation and forgery-flag-suppression attacks while maintaining low false positive rates on the high-volume legitimate cheque image population.

2. KYC identity document AI injection (Onfido–Entrust, Jumio Netverify, Veriff, IDnow eID)

Know Your Customer (KYC) identity verification AI sits at the regulatory foundation of the financial services onboarding process: a financial institution’s ability to open a new account, extend credit, provide payment services, or offer cryptocurrency exchange services depends on its ability to verify the identity of each new customer to the standard required by its AML (Anti-Money Laundering) programme under the Bank Secrecy Act Customer Identification Program (CIP) rules (31 CFR 1020.220 for banks) and the FinCEN Customer Due Diligence (CDD) Rule (31 CFR 1010.230). The shift to remote onboarding — where customers submit photographs of identity documents and liveness detection selfies through a mobile application or web portal rather than presenting physical documents in person at a branch — has made AI-based KYC document verification the primary identity assurance mechanism for the majority of new financial services accounts opened globally. Onfido–Entrust (following Entrust’s acquisition of Onfido in 2024) operates one of the largest KYC AI platforms globally, supporting identity verification across 195 countries with AI models trained on passport images, driving licence photographs, national identity card scans, and residence permit images in hundreds of document types. Jumio Netverify is the incumbent KYC AI platform for many large global financial institutions, processing identity document images with multi-layer AI forgery detection that examines security feature rendering, font consistency, micro-printing resolution, and photo substitution indicators. Veriff operates a KYC AI platform with particular strength in European national identity document types (Estonian ID card, German Personalausweis, Finnish passport), and IDnow eID provides qualified electronic signature and eIDAS-compliant electronic identity verification for German, Austrian, and other European regulated financial services contexts.

The adversarial injection surface for KYC document AI is the identity document image submitted by the customer through the onboarding portal or mobile application. A sophisticated adversarial attack against KYC AI involves crafting a digital image of a fraudulent identity document — one that does not correspond to a genuine passport, driving licence, or national ID card — with pixel-level perturbations applied to the regions that the AI forgery detection model uses as discriminative features for authenticity determination. KYC document AI models are trained to detect the visual signatures of document tampering and counterfeiting: inconsistent pixel density in the photograph substitution region, colour-shift anomalies at the laminate boundary, resolution discontinuities at the MRZ (machine-readable zone) field edges indicating digital editing, and rendering artefacts inconsistent with the security printing processes used by genuine document issuers. Adversarial pixel perturbations — imperceptible to a human document examiner viewing the image on a screen — applied to precisely these discriminative regions can reduce the AI forgery score below the threshold at which the platform would flag the document for enhanced human review or outright reject the submission, allowing a fraudulent document to pass automated KYC as a genuine identity document.

A distinct and particularly serious adversarial variant targets the liveness detection component of KYC AI: liveness detection models are trained to distinguish a live person selfie from a printed photograph, a digital display replay attack, or a deep-fake-generated video frame. Adversarial pixel perturbations applied to a printed photograph or a replay attack frame — again imperceptible in the visual domain — can suppress the liveness detection AI’s classification confidence below the threshold for a replay attack flag, allowing a printed photograph of the legitimate document holder to pass the liveness check without the attacker being physically present. The consequence of a successful KYC AI injection attack is synthetic identity fraud at scale: an attacker who possesses a population of adversarially crafted fraudulent identity document images can pass automated KYC verification at multiple financial institutions simultaneously, opening fraudulent accounts that can be used for money laundering, payment fraud, benefit fraud, or credit fraud. The regulatory consequences for the financial institution whose KYC AI is manipulated are severe: FATF Recommendation 10 requires financial institutions to conduct Customer Due Diligence (CDD) for all customers, including document verification sufficient to establish identity — a KYC AI that can be manipulated into approving fraudulent documents does not satisfy the standard of “reliable, independent source documents, data or information” required by FATF Recommendation 10. FinCEN’s CDD Rule (31 CFR 1010.230) requires financial institutions to identify and verify the identity of beneficial owners and establish the nature and purpose of customer relationships — an adversarially fraudulent account opening that evades automated KYC creates a CDD Rule compliance failure. 
The EBA Guidelines on the use of remote customer onboarding solutions (EBA/GL/2021/05) require financial institutions using remote onboarding to apply “appropriate technical and procedural safeguards to ensure the reliability of the remote onboarding process” — a KYC AI platform vulnerable to adversarial document injection does not provide the required safeguards.

For Enhanced Due Diligence (EDD) customers — politically exposed persons (PEPs), customers from high-risk jurisdictions (FATF grey list), and customers with complex ownership structures — the stakes are higher still: EDD requires a higher standard of identity verification precisely because the money laundering and sanctions evasion risks are elevated. Glyphward applies a threshold of ≥ 55 for standard KYC document verification image inputs, and a threshold of ≥ 50 (EDD-equivalent strictness) for customers whose risk-based AML assessment flags them for enhanced due diligence, ensuring that the most sensitive onboarding decisions are protected against adversarial document injection at the highest available sensitivity level.

3. Expense receipt AI injection (Expensify SmartScan AI, Brex AI expense management, SAP Concur ExpenseIt AI, Navan)

Corporate expense management AI automates a workflow that was previously one of the highest-cost, most error-prone administrative processes in enterprise finance: the manual entry, categorisation, and approval of employee expense claims. When an employee photographs a receipt through the Expensify mobile application, Brex’s expense management interface, the SAP Concur ExpenseIt feature, or the Navan (formerly TripActions) travel and expense platform, the AI automatically extracts the total amount, merchant name, expense date, individual line items, and payment method from the receipt image — eliminating manual data entry and classifying the expense against the company’s chart of accounts and expense policy rules without human reviewer intervention for expenses below the policy approval threshold. Expensify’s SmartScan AI is the market leader in receipt OCR and extraction, processing hundreds of millions of receipt images annually for individuals and corporate customers including major professional services firms, technology companies, and enterprise clients across 192 countries. Brex AI expense management targets high-growth technology companies, combining receipt image AI with card transaction data and software integrations to provide automated expense policy enforcement. SAP Concur ExpenseIt AI is the enterprise incumbent, embedded in SAP Concur deployments at thousands of Fortune 500 companies, processing receipt images against complex multi-tier expense policy rule sets that enforce per-diem limits, category restrictions, and authorisation hierarchies. Navan (formerly TripActions) combines corporate travel booking with expense receipt processing, providing a unified travel-and-expense AI that classifies receipts against travel policy compliance rules and links receipt images to specific booked itinerary segments.

The adversarial injection surface for expense receipt AI is the receipt photograph submitted by the employee through the expense management mobile application. Expense receipt images are low-resolution, variable-quality mobile phone photographs of thermal printer or dot-matrix receipts — a visual domain that the AI models are specifically trained to handle robustly under poor lighting and perspective distortion conditions, but that also presents a well-understood pixel structure from which adversarial perturbation targets can be derived. An adversarially crafted expense receipt image — in which pixel-level perturbations are applied to the amount field of the receipt image — can cause the SmartScan AI or ExpenseIt AI amount extraction model to read a higher amount than is actually printed on the receipt. Because expense amount extraction models use convolutional neural network (CNN) architectures trained to recognise digit patterns in the visual domain, adversarial perturbations applied to specific pixels in the digit region can shift the AI’s digit classification from the correct digit to an adjacent digit — for example, causing a “1” in the hundreds column to be read as a “7”, or a decimal point to be misidentified as a digit separator, inflating the extracted amount by a factor of 10. The inflated amount is then submitted to the expense claim as the AI-extracted value, without the employee needing to manually alter the amount field — the AI itself produces the inflated figure from the adversarially crafted image.

A distinct adversarial variant targets the expense category classification component: corporate expense policies typically distinguish between business-reimbursable categories (client entertainment, travel, office supplies) and non-reimbursable personal categories (personal meals without client contact, personal shopping, gym membership). Adversarially crafted receipt images — where pixel perturbations are applied to the merchant name or the receipt visual context features that the AI uses for merchant category classification — can cause a personal expense receipt (a receipt from a supermarket, a personal clothing retailer, or a consumer electronics store) to be classified by the AI as a business-reimbursable category (client entertainment, business supplies). A third adversarial variant targets the expense policy violation detection component: some platforms (SAP Concur, Navan) perform AI-assisted policy violation flagging that identifies receipts where the extracted amount exceeds per-diem limits, where the merchant category is prohibited by company policy, or where duplicate receipts are being submitted for the same expense. Adversarial pixel perturbations applied to receipt images can suppress these policy violation flags, causing out-of-policy expenses to pass automated approval without triggering the approval workflow escalation that would otherwise route the claim to a manager or finance controller for review.

The regulatory and legal consequences of expense receipt AI injection span multiple frameworks. For public companies, expense reporting fraud is an internal controls matter under the Sarbanes–Oxley Act (SOX) Section 302 and 404: CEO and CFO certifications of internal control over financial reporting (ICFR) include the integrity of expense reporting systems, and an expense management AI that can be manipulated through adversarial receipt images represents a material weakness in ICFR if the manipulation is systematic. The IRS’s accountable plan rules (IRC Section 62(a)(2)(A)) require that employee expense reimbursements be substantiated by receipts documenting the amount, time, place, and business purpose of the expense — an adversarially inflated AI-extracted amount that is reimbursed creates a compensation income event that may trigger Section 409A issues for executive compensation programmes if the amounts are material. For European enterprises, receipt images submitted through expense management platforms often contain third-party personal data (the names, contact details, and payment card last-four-digits visible on restaurant or hotel receipts) — and the integrity and security of these images is subject to GDPR Article 5(1)(f)’s requirement for appropriate security of personal data. Glyphward applies a threshold of ≥ 60 for expense receipt AI image inputs, reflecting the financial controls rather than external fraud context — a slightly more permissive threshold than cheque processing that accounts for the high natural variability of mobile receipt photography while still detecting the systematic pixel manipulation patterns characteristic of adversarial expense receipt injection attacks.

4. Trade finance document AI injection (Finacle Trade Finance AI, Intellect Design Arena eMACH.ai, HSBC Trade Solutions AI, Bolero Galileo AI)

Trade finance sits at the intersection of international commerce, banking, and sanctions compliance — and the document-intensive nature of trade finance has made it one of the highest-priority targets for AI automation and, in turn, one of the highest-consequence surfaces for adversarial document AI injection. A single letter of credit transaction in commodity trade (crude oil, iron ore, LNG, agricultural commodities) may represent a documentary credit value of tens or hundreds of millions of dollars, with the payment obligation triggered by a presenting bank’s determination that the documents presented by the exporter — bill of lading, commercial invoice, packing list, certificate of origin, certificate of weight, insurance certificate — are in strict conformity with the terms and conditions of the letter of credit as governed by UCP 600 (Uniform Customs and Practice for Documentary Credits, ICC Publication 745). AI-assisted trade finance document checking has emerged to address the documentary discrepancy detection bottleneck: manual document checking by experienced trade finance officers is slow, expensive, and error-prone, with industry estimates suggesting that 70–80% of first presentations under documentary credits contain discrepancies — creating re-presentation delays and financing cost for exporters while consuming trade finance officer capacity at issuing and nominated banks.

Infosys Finacle Trade Finance AI is deployed at major banks across Asia, the Middle East, and Europe to automate documentary credit document checking, extracting field values from scanned trade finance documents and comparing them against the letter of credit terms to identify discrepancies. Intellect Design Arena’s eMACH.ai Trade Finance module provides AI-assisted trade finance automation for mid-size and regional banks, with machine learning models trained on trade finance document corpora to perform automated discrepancy detection, sanctions screening, and fraud indicator flagging. HSBC Trade Solutions AI represents one of the largest bank-proprietary deployments of trade finance AI, applied across HSBC’s global trade finance processing centres in Hong Kong, London, Dubai, and New York to screen trade finance documents for OFAC sanctions list names, dual-use goods indicators, and documentary fraud patterns. Bolero’s Galileo AI platform operates in the electronic bill of lading (eBL) space, applying AI document analysis to digitally native trade finance documents transmitted through Bolero’s SWIFT-connected title registry platform, which handles eBL transfers for commodity traders, shipping lines, and banks including BNP Paribas, ABN AMRO, and Standard Chartered.

The adversarial injection surface for trade finance document AI involves scanned document images submitted through trade finance platform portals, SWIFT message integrations, and electronic document presentation channels. When an exporter or freight forwarder submits a scan of a bill of lading, commercial invoice, or certificate of origin to a trade finance AI platform for automated checking, the scanned image enters an AI document extraction and analysis pipeline. An adversarially crafted trade finance document scan — in which pixel-level perturbations are applied to the consignee name field, the port-of-loading or port-of-discharge field, the goods description field, or the country-of-origin field — can cause the trade finance document AI to extract field values that differ from the values actually printed on the document. The most dangerous adversarial variant targets the sanctions screening component: OFAC SDN (Specially Designated Nationals) list screening against trade finance documents involves AI extraction of party names (shipper, consignee, notify party, advising bank) and comparison against sanctions list entries. Adversarial pixel perturbations applied to a consignee name field that matches an OFAC-designated entity — for example, by subtly altering the visual rendering of letters in the consignee name as captured in the scanned image — can cause the AI name extraction model to extract a name that does not match the SDN list entry, suppressing the sanctions screening flag that would otherwise block the transaction.
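A screening-side mitigation for the name-drift case above, as an added example (not code from any trade finance platform): extracted party names are normalised, OCR-confusable characters are folded, and near matches are escalated instead of relying on exact comparison. The watchlist entries are constructed placeholders, not sanctions list data, and the 0.85 threshold and suffix list are assumptions.

```python
import re
import unicodedata

# Constructed watchlist entries for illustration only.
WATCHLIST = ["NORTHWIND MARITIME TRADING LLC", "ACME BULK CARRIERS LTD"]

# Characters that OCR commonly confuses with letters, folded to one form.
CONFUSABLES = str.maketrans({"0": "O", "1": "I", "5": "S", "8": "B", "|": "I"})
# Corporate suffixes carry no identifying weight and are dropped (assumed list).
SUFFIXES = {"LLC", "LTD", "CO", "INC", "LIMITED", "COMPANY"}


def normalize(name: str) -> str:
    """Strip accents, upper-case, fold confusables, drop punctuation and suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = text.upper().translate(CONFUSABLES)
    tokens = re.findall(r"[A-Z]+", text)
    return " ".join(t for t in tokens if t not in SUFFIXES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, falling towards 0.0 as edits accumulate."""
    if not a and not b:
        return 1.0
    return 1 - edit_distance(a, b) / max(len(a), len(b))


def exact_match(extracted_name: str) -> bool:
    """The brittle comparison: hits only on a character-for-character match."""
    return extracted_name in WATCHLIST


def screen(extracted_name: str, threshold: float = 0.85) -> list[tuple[str, float]]:
    """Return watchlist entries whose normalised form is close to the input,
    best match first. Any hit should route the document to a compliance analyst."""
    norm = normalize(extracted_name)
    hits = []
    for entry in WATCHLIST:
        score = similarity(norm, normalize(entry))
        if score >= threshold:
            hits.append((entry, round(score, 3)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    # Constructed extraction outputs: one letter drifted, one digit-for-letter,
    # and one unrelated party.
    for name in ("NORTHWlND MARITIME TRADING LLC",
                 "N0RTHWIND MARITIME TRADING LLC",
                 "BLUE HARBOR LOGISTICS INC"):
        print(f"{name!r}: exact={exact_match(name)} fuzzy={screen(name)}")
```

Fuzzy matching only covers small drift in the extracted string; an extraction that returns an unrelated name still has to be caught at the image level or by a second independent read.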

The consequence of a successful sanctions screening suppression attack in trade finance AI is a sanctions violation: if a letter of credit payment is made to an OFAC-designated counterparty because the AI sanctions screening was defeated by adversarial document injection, the bank that made the payment has committed an OFAC violation regardless of whether the manipulation was detected or intended. OFAC enforcement actions against banks for trade-based sanctions violations have resulted in penalties ranging from tens of millions to billions of dollars — HSBC’s $1.9 billion settlement (2012), BNP Paribas’s $8.9 billion settlement (2014), and Standard Chartered’s $1.1 billion settlement (2019) were all related to sanctions compliance failures in trade finance and correspondent banking. A distinct adversarial variant targets the documentary credit discrepancy detection component: UCP 600 article 14 requires that a nominated bank examine documents to determine that they “appear on their face to be in compliance” with the terms and conditions of the credit. An adversarially crafted document scan where pixel perturbations suppress the AI’s discrepancy flag for a quantity mismatch between the bill of lading and the commercial invoice — where the bill of lading reflects a lower shipped quantity than the invoice — enables trade-based money laundering (TBML) through over- and under-invoicing, a technique identified by FATF as a major mechanism for illicit value transfer across international trade flows. Trade-based money laundering through over-invoicing, under-invoicing, multiple invoicing, and falsely described goods collectively represents an estimated $500 billion–$800 billion annually in illicit cross-border value transfer. Glyphward applies a threshold of ≥ 55 for trade finance document AI image inputs, reflecting the regulatory and sanctions compliance consequences of a missed adversarial injection in documentary credit processing.

Integration: fintech AI image ingestion with Glyphward pre-scan

Fintech and payments AI image ingestion flows from mobile deposit RDC APIs, KYC onboarding document submission portals, expense management mobile app photograph upload endpoints, and trade finance document presentation portals into AI processing queues. Insert Glyphward’s pre-scan at the ingestion boundary before images reach the cheque processing, KYC forgery detection, expense amount extraction, or trade finance sanctions screening AI:

import asyncio
import base64
import hashlib
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Threshold constants for fintech AI image scanning.
# Cheque processing (MICR manipulation, forgery suppression): THRESHOLD_CHEQUE = 55
# KYC standard onboarding (forgery flag suppression, liveness bypass): THRESHOLD_KYC = 55
# KYC enhanced due diligence (PEP / high-risk jurisdiction customers): THRESHOLD_KYC_EDD = 50
# Expense receipt (amount inflation, category misclassification): THRESHOLD_EXPENSE = 60
# Trade finance (sanctions screening suppression, TBML discrepancy suppression): THRESHOLD_TRADE_FINANCE = 55
THRESHOLD_KYC = 55
THRESHOLD_KYC_EDD = 50
THRESHOLD_CHEQUE = 55
THRESHOLD_EXPENSE = 60
THRESHOLD_TRADE_FINANCE = 55


class FinancialAIContext(str, Enum):
    CHEQUE_PROCESSING = "cheque_processing"   # Mitek MiSnap, Digital Check, NCR Voyix BankPoint
    KYC_DOCUMENT = "kyc_document"             # Onfido/Entrust, Jumio Netverify, Veriff, IDnow eID
    EXPENSE_RECEIPT = "expense_receipt"       # Expensify SmartScan, Brex AI, SAP Concur, Navan
    TRADE_FINANCE = "trade_finance"           # Finacle, eMACH.ai, HSBC Trade Solutions, Bolero Galileo


def _threshold_for_context(context: FinancialAIContext, edd: bool = False) -> int:
    """Return the Glyphward blocking threshold for the given financial AI context."""
    if context == FinancialAIContext.KYC_DOCUMENT:
        return THRESHOLD_KYC_EDD if edd else THRESHOLD_KYC
    if context == FinancialAIContext.CHEQUE_PROCESSING:
        return THRESHOLD_CHEQUE
    if context == FinancialAIContext.EXPENSE_RECEIPT:
        return THRESHOLD_EXPENSE
    if context == FinancialAIContext.TRADE_FINANCE:
        return THRESHOLD_TRADE_FINANCE
    return THRESHOLD_KYC


async def scan_financial_ai_image(
    image_source: str | Path | bytes,
    context: FinancialAIContext,
    account_number_hash: str,       # SHA-256 of account identifier — never the raw account number
    transaction_id_hash: str,        # SHA-256 of transaction/session ID — never raw
    client: httpx.AsyncClient,
    enhanced_due_diligence: bool = False,
) -> dict:
    """
    Scan a fintech AI input image for adversarial injection payloads before
    forwarding to cheque processing, KYC document verification, expense receipt
    extraction, or trade finance compliance AI.

    Audit record fields:
      - account_number_hash: SHA-256 of account identifier (not raw) for BSA/AML audit trail
      - transaction_id_hash: SHA-256 of transaction or onboarding session ID (not raw)
      - image_sha256: integrity hash of the submitted image for evidence chain
    No raw account numbers, document numbers, or PII are stored in the audit record.
    """
    if isinstance(image_source, (str, Path)):
        image_bytes = Path(image_source).read_bytes()
    else:
        image_bytes = image_source

    image_b64 = base64.b64encode(image_bytes).decode()
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()
    client_scan_id = str(uuid.uuid4())
    threshold = _threshold_for_context(context, edd=enhanced_due_diligence)

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "financial_context": context.value,
                "account_number_hash": account_number_hash,
                "transaction_id_hash": transaction_id_hash,
                "enhanced_due_diligence": enhanced_due_diligence,
                "client_scan_id": client_scan_id,
                "image_sha256": image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "financial_context": context.value,
        "account_number_hash": account_number_hash,
        "transaction_id_hash": transaction_id_hash,
        "enhanced_due_diligence": enhanced_due_diligence,
        "scan_id": result["scan_id"],
        "client_scan_id": client_scan_id,
        "image_sha256": image_sha256,
        "score": result["score"],
        "flagged_region": result.get("flagged_region"),
        "threshold": threshold,
        "action": "blocked" if result["score"] >= threshold else "allowed",
    }
    await write_financial_audit_record(audit_record)

    if result["score"] >= threshold:
        raise AdversarialFinancialImageError(
            f"Financial AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"threshold={threshold} edd={enhanced_due_diligence}"
        )
    return result


async def scan_kyc_document_batch(
    document_images: list[Path],
    account_number_hash: str,
    transaction_id_hash: str,
    enhanced_due_diligence: bool = False,
) -> dict:
    """
    Scan a batch of KYC identity document images (passport, driving licence, national
    ID, liveness frame) concurrently before forwarding to Onfido/Entrust, Jumio
    Netverify, Veriff, or IDnow eID for document forgery detection.

    All documents in a KYC batch share the same account_number_hash (the onboarding
    session is for a single customer identity verification event). The batch is
    rejected if any single document image is blocked — partial KYC document sets
    cannot be passed to the identity verification AI for a mixed-integrity session.
    """
    allowed, blocked, errors = [], [], []
    threshold = THRESHOLD_KYC_EDD if enhanced_due_diligence else THRESHOLD_KYC

    async with httpx.AsyncClient() as client:
        tasks = [
            scan_financial_ai_image(
                doc_path,
                FinancialAIContext.KYC_DOCUMENT,
                account_number_hash,
                transaction_id_hash,
                client,
                enhanced_due_diligence=enhanced_due_diligence,
            )
            for doc_path in document_images
        ]
        results = await asyncio.gather(*tasks, return_exceptions=True)

    for doc_path, result in zip(document_images, results):
        if isinstance(result, AdversarialFinancialImageError):
            blocked.append({"path": str(doc_path), "error": str(result)})
        elif isinstance(result, Exception):
            errors.append({"path": str(doc_path), "error": str(result)})
        else:
            allowed.append({"path": str(doc_path), "scan_id": result["scan_id"]})

    return {
        "financial_context": FinancialAIContext.KYC_DOCUMENT.value,
        "account_number_hash": account_number_hash,
        "transaction_id_hash": transaction_id_hash,
        "enhanced_due_diligence": enhanced_due_diligence,
        "threshold": threshold,
        "total": len(document_images),
        "allowed": len(allowed),
        "blocked": len(blocked),
        "errors": len(errors),
        "blocked_items": blocked,
        # If any document in the batch is blocked or fails to scan, the entire KYC session is held.
        "session_action": "hold_for_manual_review" if (blocked or errors) else "proceed_to_kyc_ai",
    }


async def write_financial_audit_record(record: dict) -> None:
    """Persist audit record to your BSA/AML-compatible financial audit log (stub)."""
    import json, sys
    print(json.dumps(record), file=sys.stderr)


class AdversarialFinancialImageError(Exception):
    """Raised when a fintech AI image input exceeds the adversarial injection threshold."""
    pass

The account_number_hash and transaction_id_hash fields provide a BSA–AML audit trail without storing raw account numbers or customer identifiers in the Glyphward scan record: a blocked KYC document links scan_id + account_number_hash + transaction_id_hash + image_sha256 to the internal onboarding session for investigation and SAR (Suspicious Activity Report) purposes without exposing regulated PII outside the financial institution’s own systems. For KYC document contexts, the scan_kyc_document_batch function implements a session-level blocking policy: if any single document image in the verification set is blocked, the entire session is held for manual document review rather than passing a partial document set to the KYC AI. For trade finance contexts, a blocked document image should trigger a re-request of the original document from the presenter with a certified copy requirement before the documentary credit examination proceeds.
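Account numbers are short and enumerable, so an unkeyed SHA-256 of one can be matched by hashing candidate values; a keyed HMAC-SHA-256 keeps the two hash fields pseudonymous to anyone without the institution's key. The sketch below is an added example, not Glyphward's code or part of the original page: it swaps plain SHA-256 for HMAC, and the function names, key handling and sample values are assumptions.

```python
# Added example (not Glyphward code): keyed pseudonyms for the audit-trail hash fields.
import hashlib
import hmac
import re


def normalise_account_number(raw: str) -> str:
    """Canonical form so '12-3456 7890' and '1234567890' map to one pseudonym."""
    return re.sub(r"[\s\-]", "", raw).upper()


def pseudonymise(value: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA-256 hex digest of `value` under the institution's secret key.

    `purpose` is mixed in for domain separation, so an account number and a
    session ID made of the same characters never share a pseudonym.
    """
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 32 bytes")
    message = purpose.encode() + b"\x00" + value.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def audit_hash_fields(account_number: str, session_id: str, key: bytes) -> dict[str, str]:
    """Build the two hash arguments that scan_financial_ai_image() expects."""
    account = normalise_account_number(account_number)
    return {
        "account_number_hash": pseudonymise(account, key, "account"),
        "transaction_id_hash": pseudonymise(session_id, key, "transaction"),
    }


def unkeyed_sha256(account_number: str) -> str:
    """Plain digest, for comparison: anyone can recompute it from a guessed number."""
    account = normalise_account_number(account_number)
    return hashlib.sha256(account.encode()).hexdigest()


# Constructed sample values; a real key is loaded from a KMS or HSM, never from source.
DEMO_KEY = bytes(range(32))
DEMO_FIELDS = audit_hash_fields("12-3456 7890", "sess-0001", DEMO_KEY)
```

Investigators inside the institution recompute the pseudonym from the raw account number and the key to find matching scan records; rotating the key breaks linkage to older records, so keep retired keys available for the audit retention period.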

Coverage matrix

| Control | Cheque processing AI injection | KYC document AI injection | Expense receipt AI injection | Trade finance document AI injection |
| --- | --- | --- | --- | --- |
| Text-only PI scanners (Lakera, LLM Guard) | No — pixel payloads in MICR region not seen | No — pixel payloads in document scan not seen | No — pixel payloads in receipt image not seen | No — pixel payloads in document scan not seen |
| FATF/FinCEN compliance frameworks (CDD Rule, FATF R.10) | Establishes cheque fraud BSA obligations; does not mandate adversarial image content validation at point of RDC capture | Requires CDD/EDD identity verification standard; does not specify technical controls against adversarial KYC document image manipulation | Not applicable to expense receipt processing compliance | Requires TBML and sanctions screening; does not mandate adversarial image content validation on trade finance document scans |
| Human document review teams | Reviews AI-flagged exceptions; does not independently inspect RDC images for adversarial pixel manipulation before AI | Reviews AI-flagged KYC exceptions; does not assess document scans for adversarial content before AI forgery detection runs | Approves expense claims above threshold; does not inspect receipt images for adversarial pixel manipulation before AI extraction | Reviews AI-flagged discrepancies; does not inspect document scans for adversarial content before AI sanctions screening runs |
| Glyphward | Yes — threshold 55; account_number_hash + scan_id + image_sha256 BSA audit trail | Yes — threshold 55 (standard) / 50 (EDD); session-level blocking; account_number_hash + scan_id; SAR-linkable audit record | Yes — threshold 60; transaction_id_hash + scan_id; SOX ICFR audit record | Yes — threshold 55; transaction_id_hash + scan_id; OFAC/FATF audit record |

Related questions

How does adversarial KYC document injection evade traditional document fraud controls such as UV light verification and hologram checking?

Traditional document fraud controls — UV fluorescence examination, hologram tilt-and-angle verification, microprinting magnification, infrared ink band examination, and physical security feature tactile inspection — are designed to detect physically counterfeited documents presented in person at a branch or border control point. These physical verification methods operate on the physical substrate of the document itself: they detect the absence of UV-reactive security fibres, the presence of inkjet or laser-printed reproductions of holographic security overlaminates, and the paper and ink properties of genuine government-issued documents versus counterfeit substitutes. Adversarial KYC document injection is a categorically different attack that operates in the digital domain, targeting remote onboarding AI that never examines the physical document at all. The attack does not require a physically convincing counterfeit document — it requires a digitally crafted image file in which pixel-level perturbations defeat the AI forgery detection model that operates on the digital image. A fraudulent document image that would immediately fail UV and hologram inspection if the physical document were presented in person can pass the remote AI KYC check if the adversarial image manipulation suppresses the AI’s discriminative features for forgery classification. This is the structural gap that adversarial KYC injection exploits: the EBA Guidelines on remote onboarding (EBA/GL/2021/05) acknowledge that remote onboarding processes “may not allow for all the checks that can be performed when a customer is physically present,” requiring compensating controls — and Glyphward’s pre-scan provides the specific compensating control for adversarial image manipulation of the digital document submission pathway that UV and hologram checking cannot address. 
Financial institutions deploying remote KYC AI should recognise that adversarial document injection represents a new fraud typology that their physical document fraud control frameworks do not cover, requiring a dedicated adversarial image content validation layer at the digital document submission boundary.

What FinCEN and FATF regulatory obligations apply to financial institutions whose KYC AI is manipulated by adversarial document injection?

A financial institution whose KYC AI is successfully manipulated by adversarial document injection faces potential regulatory exposure under multiple overlapping frameworks, and the exposure arises regardless of whether the institution was aware of the manipulation at the time. Under the Bank Secrecy Act Customer Identification Program (CIP) rules (31 CFR 1020.220 for banks, 31 CFR 1023.220 for broker-dealers), financial institutions must verify the identity of each person opening an account using documents, non-documentary methods, or a combination — and the CIP rule requires that the institution “have procedures for responding when it cannot form a reasonable belief that it knows the true identity of a customer.” A KYC AI that has been manipulated into approving a fraudulent identity document has not formed a reasonable belief in the customer’s true identity, and any account opened on the basis of that manipulated verification is technically in violation of the institution’s CIP obligations from opening. FinCEN’s CDD Rule (31 CFR 1010.230) requires financial institutions to establish the identity of beneficial owners for legal entity accounts — and a synthetic identity account opened through adversarial KYC AI manipulation is precisely the mechanism through which beneficial owner obfuscation structures are constructed. Under FATF Recommendation 10 (Customer Due Diligence), the international standard for customer identity verification requires that financial institutions identify the customer and verify their identity “using reliable, independent source documents, data or information.” The FATF Guidance on Digital Identity (2020) addresses AI-based identity verification and recognises that AI identity verification solutions must provide equivalent assurance to physical document examination for AML purposes — a KYC AI that can be defeated by adversarial document image manipulation does not provide equivalent assurance. 
FinCEN’s SAR filing requirements (31 CFR 1020.320) require financial institutions to file a Suspicious Activity Report within 30 days of detecting a transaction involving potential BSA violations — and the discovery that KYC AI was manipulated to open fraudulent accounts constitutes a known or suspected violation that triggers SAR filing obligations. The institution that has deployed Glyphward with full audit records — scan_id, account_number_hash, image_sha256, action, timestamp — is in a materially better position to demonstrate to FinCEN examiners that it implemented reasonable technical controls against adversarial KYC document injection, to support SAR filing with specific scan-level evidence, and to show that it identified the manipulation promptly upon detecting blocked submissions.

How should a financial institution handle a Glyphward-blocked image during a live customer onboarding flow?

The correct operational response to a Glyphward-blocked image during a live KYC onboarding session depends on the risk profile of the session and the specific document type that triggered the block. The first principle is that a blocked image is not a rejection of the customer — it is a hold pending additional verification. The customer-facing interface should present a neutral message indicating that the document submission requires additional review, without disclosing that an adversarial content flag was detected (disclosing the specific detection mechanism enables iterative evasion by the attacker). The institution should not return the specific Glyphward score or flag reason to the customer-facing application. Behind the scenes, the blocked image — with its associated scan_id, account_number_hash, transaction_id_hash, and image_sha256 — should be routed to the institution’s KYC operations team for manual document review. The manual reviewer examines the original document image independently of the AI forgery detection pipeline, applying physical document knowledge and cross-reference verification: does the document’s stated issue date and expiry date conform to the issuing country’s document lifecycle for that document type? Does the MRZ data decode consistently with the visual zone data? Does the document number format conform to the issuing authority’s known numbering conventions? For enhanced due diligence customers, the manual review should also include a verification of the document details against a third-party identity document database (Veridos, NEC, AU10TIX document library) to confirm the document type and security feature expectations for the specific country and issue year. If the manual reviewer determines the document is genuine, the onboarding session proceeds — with the Glyphward block recorded in the session audit trail as a false positive at the applicable threshold. 
If the manual reviewer determines the document is fraudulent or cannot confirm its authenticity, the institution’s BSA officer should assess whether the submission warrants a SAR filing under FinCEN’s SAR requirements (31 CFR 1020.320). The Glyphward audit record provides the evidence linkage: scan_id + account_number_hash + image_sha256 ties the blocked image to the onboarding session in the SAR narrative without storing raw account identifiers in the Glyphward scan log.
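One of the manual-review checks described above, whether the MRZ decodes consistently with the visual zone, can be scripted for passports (TD3 format, 44-character line 2). This is an added example, not Glyphward's code or part of the original page; the function names and the ISO date format of the reviewer's transcription are assumptions, and the sample is the published ICAO Doc 9303 specimen line with a fictional holder.

```python
# Added example (not from the original page): ICAO 9303 TD3 line-2 consistency check.
WEIGHTS = (7, 3, 1)
# Field name -> (value slice, check-digit index) within the 44-character line 2.
FIELDS = {
    "document_number": (slice(0, 9), 9),
    "date_of_birth": (slice(13, 19), 19),
    "date_of_expiry": (slice(21, 27), 27),
    "personal_number": (slice(28, 42), 42),
}


def char_value(ch: str) -> int:
    """ICAO 9303 values: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35, filler '<' -> 0."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"illegal MRZ character {ch!r}")


def check_digit(field: str) -> str:
    """Weighted sum (7, 3, 1 repeating) modulo 10."""
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)


def review_td3_line2(line2: str, visual: dict[str, str]) -> list[str]:
    """Return discrepancies for the reviewer; an empty list means everything agrees.

    `visual` is the reviewer's transcription of the printed zone: document_number
    as printed, dates as ISO YYYY-MM-DD (the transcription format is an assumption).
    """
    if len(line2) != 44:
        return [f"line 2 has {len(line2)} characters, expected 44"]
    issues = []
    try:
        for name, (span, digit_at) in FIELDS.items():
            value, digit = line2[span], line2[digit_at]
            # An unused optional field may carry '<' instead of a check digit.
            if name == "personal_number" and digit == "<" and set(value) == {"<"}:
                continue
            if check_digit(value) != digit:
                issues.append(f"{name}: check digit mismatch")
        composite = line2[0:10] + line2[13:20] + line2[21:43]
        if check_digit(composite) != line2[43]:
            issues.append("composite: check digit mismatch")
    except ValueError as exc:
        return [str(exc)]
    for name in FIELDS:
        if name not in visual:
            continue
        printed = visual[name]
        if name.startswith("date_of_"):
            printed = printed[2:4] + printed[5:7] + printed[8:10]  # ISO -> YYMMDD
        if printed != line2[FIELDS[name][0]].rstrip("<"):
            issues.append(f"{name}: visual zone differs from MRZ")
    return issues


# ICAO Doc 9303 specimen line 2 (fictional holder) and a matching transcription.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
VISUAL = {"document_number": "L898902C3", "date_of_birth": "1974-08-12", "date_of_expiry": "2012-04-15"}
```

Valid check digits only show the MRZ is internally consistent; they are computed from public rules, so a passing result supports the reviewer's other checks rather than replacing them.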

Further reading