By Erik Provitt and Brian Killeen
Financial institution (FI) executives have a difficult job when it comes to fraud risk mitigation. The need to drive revenue and compete for wallet share while balancing the cost and effort of identifying and implementing solutions for a successful fraud strategy is something many financial institutions struggle with today. FIs often adopt a “set it and forget it” policy that fails to assess and address the complexities of known and unknown fraud risks. At least once a year, but often multiple times a year, FIs evaluate their growth strategy to ensure the right technology investments are in place. However, all too often, fraud risk technology is not an adequate part of that strategy, and the need for investment in anti-fraud technology is recognized only after significant monetary loss. A “set it and forget it” approach is rarely an effective fraud management strategy. The evolving anti-fraud landscape is too fluid, and the bad actors adapt too quickly. Furthermore, it is vital that FIs identify the right tools in the fight against financial crime. Our recent survey underscored this, with 35% of respondents indicating they have the incorrect level of investment or adequate tools to fight financial crime.
Frankenstein Fraud, a.k.a. Synthetic Identity Fraud (SIF), is an example of why a “set it and forget it” strategy doesn’t work. SIF is perhaps the most complex typology FIs face in the current fight against fraud, and a primary example of why fraud technology must be a fully functional part of an FI’s organizational infrastructure. The Federal Trade Commission says, “Synthetic identity theft is the fastest-growing type of identity fraud and its occurrences have surpassed ‘true name’ identity fraud,” and “accounts for 80-85% of all identity fraud.” According to a new report from software company FiVerity, SIF resulted in $20 billion in losses for US banks and financial institutions in 2020.
SIF occurs when someone uses a combination of real and fake Personal Identifiable Information (PII) to create an identity that causes a financial loss. Many FIs have tools in place that do an adequate job of traditional identity verification. Sometimes they may not know if a certain account is associated with a synthetic identity or a real identity. However, when a customer fails to pay back a loan or credit card, the FI needs to identify whether the loss is a fraud loss or a credit loss. Having the right tools to identify that risk is important. This happens because synthetic identities are likely to pass traditional identity verification tools because they look like a traditional customer in the digital space. Due to this, institutions will continue to suffer fraud losses that are misclassified as credit losses without using the adequate tools available. At onboarding or during regular account maintenance, institutions should use appropriate tools to identify the attributes associated with a synthetic identity, such as credit piggybacking, or shared PII data. If an FI finds attributes associated with a synthetic identity, they should leverage tools that can apply authentication, create additional friction, and/or decline or offboard those clients.
Addressing this problem cannot be accomplished with a “set it and forget it” strategy. A fully functional organizational infrastructure, with fraud risk prevention as one of its pillars, is needed to address this risk. With identity fraud evolving at such a rapid pace, tools implemented as recently as five years ago may be inadequate in identifying this fraud typology. Consequently, financial institutions that do not manage this risk effectively will often open themselves to additional losses, lack of customer trust, and missed business opportunities.Synthetic identities generally present two types of risks to FIs. First, there are bad actors that create synthetic identities with the specific purpose of committing fraud. Some of these actors choose to monetize the identity immediately, while others seek to maximize their efforts, and wait up to two years before monetizing. Second, there is an entirely different subset that creates synthetic identities—these might be a financial institution's best customer or “good synthetic—full intent of repaying loan,” but they may also fall under the category of bad actor—fully intending to cause monetary loss. For example, unbanked or undocumented immigrants may use “a combination of real and fake PII to create an identity.” However, the motive of the effort is assimilation, not solely focused on short-term monetary loss. So how would a financial institution distinguish between a synthetic identity that is going to cost them $81,000 versus one that will make them $4,000? The answer is having its fraud risk management program as a pillar of the growth strategy. A fully functional organizational structure with fraud risk as one of its pillars uses technology to identify and segment these risks, thereby maximizing the FI’s overall growth and profit.
Executives who don’t prioritize risk management in such a manner could be perceived as failing in their fiduciary duties to their board, shareholders, and customers. Will Sutton was a notorious bank robber early in the 20th century. During his 40-year robbery career, he stole an estimated $2 million ($34 million in 2022 dollars). When asked why he robbed banks, Sutton replied, “Because that’s where the money is.” Criminals will continue to target our financial institutions for the same reason. Today, from a total loss standpoint, the risk for FIs is more likely to be committed by individuals with a keyboard versus a weapon. Nonetheless, the risk remains.
So as fraudsters adapt to tools and processes implemented by financial institutions, FIs must continue to innovate and be forward-thinking about how they combat fraud. At the core of this effort is an engaged risk management program that has the freedom and focus to ensure the right tools are in place.