Banks struggle over detection, definitions
Synthetic identity fraud, one of the fastest-growing financial crimes in the United States, has become an increasing concern for regulators, as banks struggle to find common ways of tackling the innovative theft technique that combines real and fictitious data about individuals.
Estimates over the scale of the fraud vary, but nearly all show the problem growing. One widely reported analysis by Auriemma Group, an information and advisory firm for the payments and lending industries, suggested that synthetic identity fraud cost U.S. lenders $6 billion. Meanwhile, the consultancy McKinsey estimates the financial theft accounts for 10–15% of charge offs in a typical unsecured lending portfolio.
“When we look at the market, roughly 20% of credit losses stem from synthetic identity fraud,” said Johnny Ayers, CEO of Socure, a firm specializing in digital identity verification technology.
“Synthetic identity fraud opens up the door to bad actors in areas such as money laundering and human trafficking,” Ayers said. “One of the biggest challenges for banks is that there is traditionally not a victim.”
The growing theft has recently turned up in the U.S. government’s Paycheck Protection Program (PPP). According to a report from SentiLink, a fraud-prevention tech firm, individuals have been creating synthetic identities to obtain loans from the program designed to help those struggling under the weight of the pandemic.
U.S. bank regulators, in particular the Federal Reserve, are increasingly focused on synthetic theft and have been working with banks and technology firms to help identify solutions and common definitions.
“Synthetic identity fraud is not a problem that any one organization or industry can tackle independently, given its far-reaching effects on the U.S. financial system,” said Jim Cunha, senior vice president at the Federal Reserve Bank of Boston, in a recent study.
Unlike other types of fraud
A synthetic identity is created by using a combination of real information, such as a legitimate Social Security number, and fictitious information, which can include a false name, address, or date of birth.
Synthetic identities can be used to establish accounts that behave like legitimate accounts and may not be flagged as suspicious using conventional fraud detection models. “This affords perpetrators the time to cultivate these identities, build positive credit histories, and increase their borrowing or spending power before ‘busting out’ – the process of maxing out a line of credit with no intention to repay,” according to the Boston Fed’s analysis.
There are two significant problems with synthetic fraud for the banking industry: one is detection, the other classification.
The fraudster can leverage legitimate processes, such as “piggybacking” – adding a synthetic identity as an authorized user on an account belonging to another individual with good credit. In many cases, the synthetic identity acquires the primary user’s established credit history, rapidly building a positive credit score. Fraudsters also can piggyback new identities onto accounts owned by established synthetic identities, or “sleepers,” within a portfolio.
According to experts, all of these methods are difficult for banks to detect given existing fraud prevention systems.
An ID Analytics study found that only half of synthetic fraudsters apply for credit using digital channels, indicating a significant number can pass Know Your Customer (KYC) tests even when appearing in person.
“Traditional fraud models are not designed to detect synthetic identities,” said the Boston Fed, citing research that showed such models were ineffective at catching 85% to 95% of likely synthetic identities.
Apart from the detection challenge, one of the biggest hurdles is how banks classify this type of fraud on their books, which varies and makes getting one’s hands around the problem more difficult.
“Part of the challenge is agreeing on a consistent definition of what synthetic identity fraud is,” said Ayers of Socure. Some banks categorize such fraud as credit losses, while others mark it as third-party fraud, he said.
“When there is not a consistent definition, you can’t figure out what the magnitude of the problem is,” Ayers added. “When there is not a consistent definition, then each of the individual banks are writing their own rules.”
Greater industry collaboration needed as no single solution
To tackle these problems, regulators say there needs to be greater collaboration between themselves, banks, and technology solution providers. Since the dimensions of the fraud are complex, with the criminals a step ahead of banks and their defenses, information sharing is critical.
“There is no single solution to completely mitigate synthetic identity payments fraud. Factors such as the regulatory environment, technological advancement, and shifts in fraudster tactics create a constantly evolving payments fraud landscape,” said the Boston Fed.
Experts argue that a holistic approach would be the most effective way to mitigate synthetic identity fraud. Ideally, this approach should include a consistent definition of the fraud, technological innovation, robust data solutions for identity verification, and an ongoing dialogue between private industry and government agencies.
Technology can complement manual fraud mitigation practices, say experts, as artificial intelligence and machine learning solutions help banks analyze the data and information they capture more effectively than their staff alone.
From its perspective, the Boston Fed acknowledges that while “the technological capabilities of these models are developing rapidly, the industry must collect more and better data in order for these AI and machine learning solutions to improve their sensitivity and more successfully mitigate fraud.”