In our last post, we introduced the topic of synthetic identity fraud, the meshing of authentic personal information with fabricated data for the purpose of defrauding financial, insurance, consumer and health care businesses.
The Federal Reserve Bank launched an initiative in 2018 to raise awareness about synthetic identity fraud and, in this post, we use information and data from the Fed’s work to examine how financial institutions detect synthetic identities.
Financial institutions employ processes to gain reasonable assurance of a customer’s identity. These checks help fulfill legal, regulatory and internal policy requirements to limit financial institution risks.
Fraudsters seek to pass these tests by making synthetic identities appear valid. This includes fabricating identification credentials, social media profiles and other documentation. Some apply for credit in person to make it appear that the synthetic applicant must be real. In fact, a study conducted by ID Analytics indicated that only half of synthetics apply for credit using digital channels.
This underscores the need to be vigilant, even when financial institutions have strong customer identification programs and can verify an applicant in person. Many U.S. regulatory controls applicable to detecting and identifying synthetics are rooted in the Bank Secrecy Act (BSA), the primary anti-money laundering law in the United States. BSA requires financial institutions to properly identify customers, maintain appropriate financial transaction records, and report suspicious activities to government agencies.
The USA PATRIOT Act amended the BSA to support information sharing and investigations into suspected money laundering and terrorism financing. The Customer Identification Program (CIP) Rule implements the requirements of Section 326 of the USA PATRIOT Act and requires financial institutions to know the identity of each customer. At a minimum, financial institutions must collect a customer’s name, date of birth, address, and SSN or taxpayer number before opening an account.
The SSA introduced the Consent Based Social Security Number Verification (CBSV) service in 2008 to enable paid subscribers to verify an SSN holder’s name and date of birth. CBSV can help financial institutions comply with CIP, though the SSA currently requires written confirmation from the SSN holder.
But verification usually takes several days, so legitimate customers can find it inconvenient – particularly as technology advances enable automated account decisions and allow near-instantaneous approval. The SSA is supposed to roll out an electronic CBSV pilot program in June to allow companies to electronically check an individual’s name, SSN and date of birth against the SSA database.
Industry stakeholders and subject matter experts express optimism that the electronic CBSV service will help financial institutions and other payments stakeholders balance compliance with customer expectations of fast credit approvals.
Technology can improve data analysis efficiency and effectiveness, enhance security and reduce operational costs. It also can help detect synthetics. Institutions can leverage artificial intelligence and machine learning to determine expected customer behavior patterns and detect anomalies that potentially indicate fraud.
As fraud tactics continue to evolve quickly, these tools need frequent recalibration to remain effective. Furthermore, automated lending processes may need adjustment and updates, since they can provide another avenue for fraudsters to receive credit. For example, a synthetic with a high credit score could be targeted by an institution’s marketing campaign and receive a pre-approval offer for a new account.
Often, a financial institution may not identify an account holder as synthetic until after a fraudster busts out and the collections team is unable to find a real person to pay the debt. In our final post on this topic, we look at the ramifications of synthetic fraud.