Transactional data sources: the pivot for eIDV
The indispensable role of transactional data
For fifteen years, the identity verification market was built around two pillars: document verification (ID capture, OCR, control of security features) and biometric verification (face match, liveness check). Both worked well as long as forgery remained costly for the attacker. That equation has flipped.
The Sumsub Identity Fraud Report 2025 documents an unprecedented explosion: +700% deepfake video scams over the year 2024-2025, 8 million deepfakes online by end of 2025 vs 500,000 in 2023. iProov measures +2,665% of virtual-camera attacks on biometric onboarding streams. Pindrop reports +1,300% deepfake fraud on banking contact centers. In the field, 71% of consumers admit they cannot tell a deepfake apart.
Faced with this wave, transactional data has a unique property. It is nearly impossible to forge in volume. An attacker can generate a synthetic face in seconds. They can print a convincing fake passport for a few hundred euros. They cannot, however, fabricate 18 months of purchase history at Carrefour, 3 years of Orange subscription at the same address and a tax notice issued by the French DGFiP cross-referencing employer data. That would require state-scale coordinated fraud.
Today, everything can be forged — except real life and what people actually buy.
This insight is the foundation of an eIDV approach driven by transactional data, complementary to biometrics and document verification — and compatible with GDPR (the EU's personal data laws), provided purposes and minimization are properly framed.
The 4 converging sources: purchases, government, telecom, fiscal
Our practice does not consist of collecting or hosting this data ourselves. We verify identity through data from verified purchase transactions, backed by government, telecom and media sources — and our job is to identify, among 4,000 worldwide sources, which ones cover a given country, at what level of freshness and with what coverage rate. These sources fall into four complementary families.
Purchase data form the densest mesh of an individual's life. Every transaction leaves a trace: bank card, named receipt, delivery to an address, loyalty program, recurring subscription. For France alone, the FEVAD recorded €175.3 billion and 2.6 billion e-commerce transactions in 2024, with a projection to €200 billion in 2026. Globally, purchase databases cover most of the active population in developed countries.
For eIDV, purchase data answers a simple question: "does this individual really live at this address, under this name, since this date?". Purchase recurrence over 12-24 months, geographic consistency of deliveries, natural basket evolution: all of this draws a behavioral signature that an attacker cannot reproduce from scratch.
Government databases are the foundation of authority. By construction, they are the ultimate reference to verify that a civil status corresponds to a real person. Depending on the country, access happens via qualified APIs (FranceConnect+, Belgian eID, Nordic BankID) or via framed partnerships with the issuing administrations.
Government sources useful for eIDV include: civil status registers, business registers, electoral rolls (subject to local regulation), real estate property registers, vehicle registrations, residence declarations. Their reliability is maximal, their freshness variable (from instant to annual updates). Their main limit: heterogeneous worldwide coverage. Not every country offers a modern API access to these registries.
Telecom data are a nearly unique real-time reference: an active mobile number, at a given moment, on an identified carrier. Carriers hold several verifiable data points without revealing content: contract age (a major anti-fraud signal — a number created 24 hours ago is not equivalent to a number held for 6 years), contract type (post-paid vs pre-paid, the latter being statistically more used in fraud), SIM swap detection (a number that switched SIM the day before onboarding triggers a strong alert).
On top, aggregated geographic mobility data: the plausibility that a French number requests an account opening from an IP matching its usual usage area. Triangular consistency mobile-IP-postal address becomes a central signal of modern eIDV.
Fiscal and financial data close the loop. They are not directly accessible (and must not be in clear text, by GDPR mandate), but attestation mechanisms in zero-knowledge mode allow verification that a person is indeed attached to a fiscal household, to a declared income within a range, to an active IBAN held for a certain length of time. The French DGFiP, the British HMRC, the US IRS or the German Bundeszentralamt für Steuern offer framed gateways.
Financial data also include credit bureaus (Experian, TransUnion, Equifax, BIK, Schufa depending on the country), which maintain references covering nearly the entire adult population of banked countries. An adult client with no credit history at all is itself a signal: they exist, but their profile deserves enhanced vigilance.
::: callout-info The 4 sources in brief
- Purchases: maximum density, moderate access cost, ideal for behavioral consistency over 12-24 months
- Government: maximum authority, heterogeneous coverage, ideal for initial identification
- Telecom: real time, anti-SIM-swap signal, ideal for the transaction at moment T
- Fiscal/financial: economic depth, accessible via qualified attestations, ideal for EDD
:::
Reliability comparison: key inputs to your choice
No single source is sufficient on its own. The strength of a modern eIDV setup comes from the convergence of several sources. Here is how to compare them in practice.
| Criterion | Purchases | Government | Telecom | Fiscal/Financial |
|---|---|---|---|---|
| Freshness | Daily to weekly | Annual to real time | Real time | Monthly to annual |
| FR coverage | > 95% adults | > 99% | > 99% | > 90% |
| Worldwide coverage | Heterogeneous | Very heterogeneous | Very broad | Banked countries only |
| Access cost | Moderate | Variable (often free via public API) | Moderate to high | High |
| Anti-deepfake | Excellent | Good | Excellent | Excellent |
| GDPR risk | Moderate | Low (public data) | Moderate | High (strict justification) |
The practical rule: three converging sources are worth more than one deep source. A robust eIDV setup cross-checks a purchase signal, a telecom signal and a government signal. The probability that an attacker forged all three in coherence is statistically negligible.
Worldwide coverage: 197 countries, 1.5 billion individuals
Our monitoring infrastructure relies on 4,000 worldwide sources and 197 countries covered, with 1.5 billion individuals identified and 250 million professionals identified. This mesh allows us to serve the KYC setups of international companies without depending on a monolithic vendor.
Coverage varies by zone:
- Western Europe: coverage above 95% on the 4 sources, homogeneous quality. Almost any eIDV project for consumers (B2C) can be served in multi-source mode.
- North America: excellent coverage on purchases, financials and telecom, slightly more constrained on government data (state-by-state fragmentation in the US).
- Asia-Pacific: strong coverage in South Korea, Japan, Singapore, Australia; coverage under construction on India (Aadhaar reaches 1.3 billion registrations, but third-party access remains regulated) and China (constraining PIPL framework).
- Latin America: fast-growing coverage, dominated by historic credit bureaus (Serasa, Equifax LATAM) and telecom carriers.
- Africa: coverage under construction. Mobile money data (M-Pesa, Orange Money) is emerging as the main transactional source, complementary to government registries when they exist via API.
::: callout-info In brief Worldwide coverage of eIDV by transactional data is today sufficient to serve 95% of B2C (consumers) and B2B (companies) use cases of large international organizations. Zones with limited coverage must be handled in document or biometric fallback, without sacrificing the overall level of guarantee. :::
Complementarity with biometrics and document verification
A frequent trap in eIDV projects is to pit transactional data against biometrics. The two do not oppose each other, they complement.
Biometrics answers the question "is the person in front of me really the one on the ID?". It is powerful as a first barrier, provided the ID is itself authentic and the liveness check resists face-swap (standard ISO 30107-3, PAD passive iBeta Level 2 minimum).
Transactional data answers the question "does the person on the ID really exist in real life, at this address, under this name?". It is powerful as a second barrier. It detects the synthetic identities that biometrics lets through (a real human face, but invented for the occasion, with no prior life trace).
The recommended architecture is layered:
1. Layer 1: eIDV by transactional data on 80-90% of standard-risk files. Decision in a few hundred milliseconds, no user interaction. 2. Layer 2: Biometrics + document verification on the 10-20% of files in doubt, or imposed by the high eIDAS assurance level. 3. Layer 3: Continuous post-onboarding monitoring through transactional signals (dynamic KYC).
This architecture reduces user friction on the majority of the flow while preserving a high level of security on the sensitive fraction. Measured ROI at our online-banking clients reaches 220:1, with abandonment cut from 25% to 5%.
Use cases by sector
Regulated financial services combine AML/CFT obligation (CDD/EDD), competitive pressure on onboarding time, and exposure to synthetic fraud. Transactional data serves both to validate initial identity and to feed risk scoring (PEPs, sanctions, behavior). On 60,000 modeled annual onboardings, moving to eIDV by transactional data pushed ROI to 220:1.
The MiCA regulation and the Travel Rule (TFR) impose full KYC on Crypto Asset Service Providers, with identity and beneficial owner checks above €1,000. Transactional data is critical here because synthetic identity fraud targets the sector massively (Sumsub +217% crypto deepfakes in 2024).
Real estate marketplaces and premium e-commerce merchants outside the regulated sector are not bound to full KYC, but face growing fraud (fake buyers, refused SEPA sales). An eIDV layer by transactional data reduces client abandonment and improves the order unit value.
Insurance uses transactional data to validate antecedents (wealth coherence, long-term-condition profile). iGaming, constrained by the ANJ (French gambling authority) on age verification and anti-money-laundering, combines eIDV by data + behavioral monitoring.
Key takeaways
::: callout-info Takeaways
- Transactional data does not replace biometrics: it complements them on the residual risk of synthetic identities.
- Four converging sources (purchases, government, telecom, fiscal) cover 95% of the population in banked countries.
- 4,000 worldwide sources, 197 countries covered, 1.5 billion individuals identified make it possible to serve international KYC setups.
- Measured ROI reaches 220:1 on online banking cases, with abandonment cut from 25% to 5%.
:::
Want to go further? To understand how we articulate this approach with a full KYC setup, read our KYC vs eIDV comparison and our eIDV / biometric / document comparison. On the deepfake challenges of 2026, see Deepfakes and identity: how to detect them in 2026. On the regulatory pillars, consult the KYC eIDV France regulation page and the eIDV: electronic identity verification pillar.
::: cta Want to frame an eIDV project by transactional sources with our experts? Let's discuss your use case :::