Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Anthropic released a pre-built KYC Screener agent last month. It runs a four-step workflow on onboarding records to extract structured data from KYC documents, evaluate that data against a firm's KYC rules, screen named parties, and escalate exceptions to a compliance file for human review. The Anthropic template is purpose-built for meeting basic KYC compliance requirements during onboarding, and it lowers the cost of getting it right.

We believe trust is earned through demonstration and transparency, not promises. That’s why we worked with Trail of Bits, an independent security firm that has spent years reviewing the code behind widely-used software from cryptography libraries to critical open-source infrastructure. Persona regularly undergoes independent third-party audits across our security, privacy, and product programs.

Across Europe, two major regulatory deadlines are arriving that will reshape the mechanics of identity verification for EU-regulated businesses. By the end of 2026, eIDAS 2.0 will require organizations to accept EUDI Wallets for online services where electronic identification or authentication is necessary. That obligation covers state, regional, and local authorities; bodies governed by public law; and certain private entities that are required to provide public services.

On May 22, Brazil’s National Data Protection Agency (ANPD or Agência Nacional de Proteção de Dados) published new draft guidance on age assurance (aferição de idade) mechanisms. The guidance provides companies with their clearest picture yet of how to comply under the Digital ECA. Part of a broader rollout of Brazil’s Digital ECA framework, the guide emphasizes risk-based proportionality and privacy by design (privacidade desde a concepção).

Identity verification helps prevent fraud by requiring would-be fraudsters to verify that they are real people and who they say they are. But what about a user who opens an account with their legitimate ID and selfie and then hands the keys to a bad actor? That’s exactly what happens with identity muling, and this type of second-party fraud can be difficult to detect.

In April 2026, Mexican President Claudia Sheinbaum announced that individuals will no longer need a Federal Taxpayer Registry (RFC) number to open an N2 or N3 bank account. As the country continues its transition to cashless payments, this move has the potential to bring more than 32 million unbanked, informal workers into the financial system. But it doesn’t come without risk.

For many security teams, the 2023 MGM Resorts cyberattack was a wake-up call. A single vishing attack exploited weak identity assurance in help desk workflows and disrupted casino and hotel operations for days, causing hundreds of millions in losses and reputational damage. The breach revealed a disconcerting new reality: Just one compromised employee account can enable attackers to bypass the entire security perimeter, regardless of an organization’s size or security budget.

Addressing these potentially competing priorities is difficult with today’s technology, and it's an active area of work for government agencies and private organizations alike. But we think there’s a potential path forward if regulations and organizations limit what you have to share, who you have to share data with, and how your data can be used.

During identity verification, organizations typically have to decide between increasing security controls and improving user conversion. Tighter checks mean more abandonment, and smoother flows mean more risk. Most verification flow design is an exercise in finding the right tradeoff. Mobile driver's licenses (mDLs) are different. Because an mDL is cryptographically signed by the issuing DMV and presented directly from a user's device, it's both faster to verify and harder to fake.

As a fraud analyst at Persona, I have to balance working on fraud escalations for specific customers and keeping an eye on cross-customer (and cross-industry and cross-region) fraud trends. The work naturally overlaps, as one escalation can turn into a trend as fraud rings move on to new targets. And, getting ahead of large trends helps us stop escalations. I have a lot of tools at my disposal, but I want to discuss Graph, Persona’s real-time link analysis product.