Identifying and combatting synthetic identity fraud in financial services
April 2020 | FEATURE | BANKING & FINANCE
Financier Worldwide Magazine
April 2020 Issue
Synthetic identity fraud is nascent but increasingly common. According to McKinsey, it is the fastest-growing form of financial crime in the US. Furthermore, according to LexisNexis Risk Solutions, 61 percent of fraud losses for large banks stem from identity fraud. In 2018, criminals were able to steal approximately $14.7bn via synthetic fraud, with 14.4 million consumers directly impacted, according to Javelin Security and Research.
The emergence of synthetic identity fraud has attracted the attention of major players in the payments industry. In July 2019, the Federal Reserve published a white paper detailing its causes. The report claims that one of the key reasons for the growth of synthetic fraud, and a reason it has previously flown under the radar of the financial services industry, is that certain types of victims – such as the elderly – are less likely to access their credit information to uncover the fraud.
According to the Federal Reserve report, synthetic identity fraud is a serious and growing problem for the US payments ecosystem that can only be addressed by a collaborative effort among all payments industry stakeholders: “Like cybercrime, the growing problem of synthetic identity payments fraud cannot be addressed by any government or private sector organization working in isolation. It requires the attention of all payments industry stakeholders to collaborate and work together to understand, detect, mitigate and address synthetic identity fraud in the US payments ecosystem.”
Differences from traditional fraud
There are significant differences between synthetic and more traditional forms of identity fraud. Older forms of identity fraud typically involve a bad actor committing fraud with a person’s actual identifying information, such as a social security number (SSN), credit card information, driver’s licence or date of birth – some of which is readily available on the ‘dark web’. Criminals use this data to either create new bank accounts or take over existing ones to facilitate their fraud.
Various forms of synthetic fraud can impact victims in different ways. Depending on the criminal’s modus operandi, most forms of synthetic fraud occur when a criminal uses aspects of multiple individuals’ personal information, or fake information altogether, to create an identity to use in theft. This form of fraud usually takes a little longer to gestate than traditional fraud, as criminals must establish a realistic, though false, credit history for the ‘individual’. Criminals will slowly create a lighter profile and make several smaller transactions before they suddenly make a number of larger purchases or obtain significant loans over a short period of time.
“Synthetic identity fraud differs from traditional identity fraud based in part on the time it takes to perpetrate the fraud,” explains Jeremy Mandell, a partner at Morrison & Foerster LLP. “Traditional identity fraud generally is perpetrated in real time and, as a result, the person who is defrauded may be in a better position to detect and dispute the fraud in real time. Synthetic identity fraud, on the other hand, is perpetrated over time, where the fraudster cultivates the synthetic identity before busting out sometime in the future. In the course of synthetic identity fraud, the person who is being defrauded generally is not well-positioned to detect or dispute the fraud in real time.”
Synthetic identity fraud is one of the more serious forms of identity crime because it is difficult to detect and relatively easy to commit using readily available information. “Synthetic identity fraud has been around for more than a decade but has become more pronounced over the past five years, fuelled in part by the theft of so-called ‘wallet data’,” says James Lee, chief operating officer at the Identity Theft Resource Center. “Unlike traditional identity theft, like taking over someone’s existing bank or credit card account or opening a new account using a real person’s personal information, synthetic identity fraud is when a new, fake identity is created using real data points stolen from multiple people – for example, using a real SSN with the name of a different person at yet a third person’s physical address.”
As Mr Mandell explains, “Financial institutions and others have invested significant resources in detecting and disrupting traditional identity fraud, which has forced fraudsters to become more sophisticated and patient in perpetrating their frauds.”
Criminals can also exploit gaps in credit application processes, allowing false identities to circumvent Know Your Customer (KYC) and customer identification programmes. As a result, once the accounts are opened, they can go undetected for years. Often, synthetic profiles have strong credit scores, which makes it easier for them to pass credit underwriting checks. More than half of synthetic accounts that were flagged by financial institutions were identified as having good, very good or excellent credit, based on FICO scores, according to the US Federal Reserve in July 2019.
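The mix-and-match pattern Mr Lee describes above, one SSN paired with another person's name and a third person's address, leaves a trace in an institution's own application records. The following Python code is an added example, not part of the original article: it flags SSNs tied to more than one name and date of birth and, as an assumed extra indicator, addresses shared by several SSNs. All records, field names and the threshold are constructed for illustration.

```python
"""Flag application records in which one SSN is tied to several identities.
All names, SSNs and addresses below are constructed sample data."""
import re
from collections import defaultdict

# Constructed records; the 900-xx-xxxx range is never issued as an SSN.
APPLICATIONS = [
    {"id": "A1", "ssn": "900-00-0001", "name": "Ann Lee", "dob": "1950-03-02", "address": "1 Elm St"},
    {"id": "A2", "ssn": "900000001", "name": "Bob Ray", "dob": "1991-07-19", "address": "9 Oak Ave"},
    {"id": "A3", "ssn": "900-00-0002", "name": "Cy Dunn", "dob": "1988-01-30", "address": "9 Oak Ave"},
    {"id": "A4", "ssn": "900-00-0003", "name": "Di Park", "dob": "1979-11-11", "address": "9 oak ave."},
    {"id": "A5", "ssn": "900-00-0004", "name": "Ed Moss", "dob": "1965-05-05", "address": "4 Pine Rd"},
    {"id": "A6", "ssn": "900-00-0004", "name": " ed  MOSS", "dob": "1965-05-05", "address": "4 Pine Rd"},
]

def norm_ssn(value):
    # Keep digits only so "900-00-0001" and "900000001" compare equal.
    return re.sub(r"\D", "", value)

def norm_text(value):
    # Lower-case, drop punctuation, collapse whitespace.
    return " ".join(re.sub(r"[^\w\s]", "", value.lower()).split())

def ssn_identity_conflicts(apps):
    """Return {ssn: [application ids]} where one SSN maps to >1 (name, DOB)."""
    identities, ids = defaultdict(set), defaultdict(list)
    for a in apps:
        ssn = norm_ssn(a["ssn"])
        identities[ssn].add((norm_text(a["name"]), a["dob"]))
        ids[ssn].append(a["id"])
    return {s: ids[s] for s, who in identities.items() if len(who) > 1}

def shared_addresses(apps, min_ssns=3):
    """Return {address: sorted SSNs} for addresses used by >= min_ssns SSNs.
    The threshold is an assumption; tune it to the institution's own data."""
    by_addr = defaultdict(set)
    for a in apps:
        by_addr[norm_text(a["address"])].add(norm_ssn(a["ssn"]))
    return {addr: sorted(s) for addr, s in by_addr.items() if len(s) >= min_ssns}

if __name__ == "__main__":
    print("SSN reused across identities:", ssn_identity_conflicts(APPLICATIONS))
    print("Addresses shared by many SSNs:", shared_addresses(APPLICATIONS))
```

Normalising before grouping matters here: without it, the reformatted SSN on A2 would not be matched to A1, and the repeat application A6 would be misread as a second identity.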
Main drivers
To commit synthetic identity fraud, financial criminals have adapted to new technologies. A key factor is the vast quantities of data companies hold. Whenever a large-scale data breach occurs, fraudsters can gain access to vast swathes of information, including customer identities. According to a 2018 Gartner report, since 2013, nearly 10 billion data records have been exposed. More than 471 million consumer records were compromised in 2018, according to a 2018 Identity Theft Resource Center report.
The competitive nature of the lending market has also made it conducive to greater financial crime. Ironically, one of the big drivers behind the rise of synthetic identity fraud has been improvements in the security of physical credit cards. The unbridled success of Europay, MasterCard and Visa (EMV) chip cards has forced criminals to shift their attention online. “Criminals who once churned out fraudulent cards and charges are looking to new methods as physical cards have become more secure,” says Nicole Friedlander, a partner at Sullivan & Cromwell. “Another driver has been the increase in financial transactions conducted online. Synthetic identity fraud is much harder to commit in person, but it is no longer necessary to appear in person for most transactions.”
Synthetic identity fraud has also grown due to a lack of effective identity validation and verification tools, alongside efforts to reduce friction in all transactions. Today, more than ever, there are problems around the use of ‘Knowledge-Based Authentication’ (KBA) to authenticate a person’s identity. “Wallet data or information was known only by you, and was obtained from data brokers, like your social security number, previous addresses, employers or which banks you use,” says Mr Lee. “That information was historically known only by you and not thought to be of much value to data thieves, except for SSNs. However, in the past five to seven years, both mass- and small-scale data breaches have flooded the underground data markets with this information, allowing identity thieves to create new identities using known data. And, with no easy way of validating if a SSN is connected with the person seeking to open an account, synthetic identity theft has become significantly easier and more prevalent.”
Fighting back and consent-based SSN
Technologies such as machine learning (ML) and artificial intelligence (AI) are emerging as important tools to combat synthetic identity theft. “Large and disparate data sets can be synthesised both to confirm identities and spot potentially false ones,” explains Ms Friedlander. “Other technologies, like biometric screening, can be leveraged as well. Of course, there are ‘old fashioned’ authentication tools that can also help combat this threat, such as document verification. While documents can be faked, it is an extra step that may not be easy for perpetrators, and there are well-developed tools to detect forgeries.”
Efforts are ongoing to make it even harder for criminals to stitch together fraudulent identities. Following action by the US Congress and advocacy by the banking industry, the United States Social Security Administration (SSA) has created the Electronic Consent Based Social Security Number Verification (eCBSV) service, which will allow certain service providers to verify if an applicant’s details match with the SSA’s records. This could be a game changer in the fight against synthetic identity fraud in the US. “Our new electronic SSN verification service will help to reduce synthetic identity fraud by comparing data provided electronically by approved participants with the agency’s records,” said Andrew Saul, commissioner of social security, in a statement announcing the service. “This will provide fast, secure, and more efficient SSN verifications for the financial services industry and customers using their services.”
“The hope is the new e-verify system will greatly reduce the number of SSNs used to create synthetic identities,” says Mr Lee. “For any transaction that requires a SSN, the ability to quickly verify if the applicant’s SSN, name and date of birth match the social security number’s records will all but end identity fraud with organisations that use the service. Identity theft criminals are just as likely to try to frustrate the system before and after the eCBSV launches by shifting to organisations with less stringent account set-up criteria. Organisations that want to avoid an uptick in fraud need to ensure their verification systems are tuned to look for indicators of fraud and that their live account set-up teams are trained to spot fraud, too.”
To realise its potential, the tool must fit into permitted entities’ existing customer flows. “Consumers demand, and financial institutions strive to provide, low-friction customer experiences,” says Mr Mandell. “Forcing permitted entities to take unnecessary steps to obtain consent not contemplated by the authorising statute or subjecting permitted entities to oversight not contemplated by the authorising statute, could lessen the impact of the tool,” he warns.
To prevent or minimise the impact of synthetic identity fraud, companies should revamp their internal processes to carry out effective verification. A multifaceted transaction verification process, for example, can detect suspicious email instructions.
Employees must also be given the right tools to frustrate criminal attempts to defraud companies. They should be able to recognise the latest fraud techniques, which will require appropriate awareness training.
Companies should also consider incorporating non-traditional data into their verification processes. Third-party information, such as phone records and social media data, for example, could be added to create a multi-layered approach. Dedicated tools to analyse synthetic identity fraud can add another level of defence.
As with any aspect of modern financial crime, the criminals perpetrating it are agile and sophisticated, constantly evolving and refining their techniques. However, they are able to flourish because they can exploit weaknesses in existing processes.
While we might not be aware of the full extent of the damage done by synthetic fraud for many years, organisations must be vigilant. They must understand what is driving this form of financial crime and deploy strong defences to protect their interests, and those of their customers.
© Financier Worldwide
By Richard Summerfield