Synthetic Identity Fraud. The biggest buzzword right now in the world of financial crime. But what is it? Over the last few years I have delivered several presentations around synthetics and each time I ask two questions:
- Who in the room has ever heard of synthetic identity fraud?
- Of those, who can define it?
Luckily hands that go up in response to the first question have steadily increased over the last year, but the second is a trick question. The problem right now with synthetics is that they aren’t properly defined and are classified differently from financial institution to financial institution. This makes it difficult to properly quantify, and almost impossible to detect.
According to the Boston Federal Reserve it’s estimated that 20% of credit losses can be attributed to synthetic identities, which equates to roughly $6 billion in 2016 alone. Banks and credit unions are definitely starting to take this threat more seriously as they begin to understand it and as they try to limit the losses on their Income Statement. But I believe there is a much more sinister plot to synthetics and how they can be leveraged by organized crime and terrorist organizations.
In my post, Weaponizing Vulnerabilities: COVID-19 Fraud, I highlight some of the major concerns of synthetic identity fraud and what some of the next steps are to address the problem. However, in order to address the problem you must first understand it.
Phases of Synthetic Identity Fraud
1. Gestation Phase
This is the stage where an identity is created. The starting point.
You might be asking yourself how this can be done. There are two underlying problems and misconceptions that allow fraudsters to manipulate data and create identities.
- Credit bureaus are simply data aggregators. They aren’t necessarily verifying the information that is provided to them. They rely on the source of the data to verify that it is accurate. Credit bureaus are simply gathering all of the information provided, consolidating it, and then providing it to other organizations requesting the data.
- There currently isn’t an efficient way to validate information with the original book of record. The Social Security Administration (SSA). There is a common misconception from consumers that the credit bureaus are a pseudo-arm of the federal government. This is not the case.
Fraudsters understand these two elements and use them to their advantage. They will either take multiple pieces of legitimate information and create a brand new identity, or they may even create a completely fictitious profile with fake data. There are a couple of different common methods for fraudsters to create the identity at the bureau. One method is that they may just try to ‘brute force’ their way in by constantly applying until the bureaus see their data enough to assume they’re real. An even more common scheme is called ‘Credit Piggybacking’ and is the act of being added to legitimate credit accounts and benefiting off of their established good history.
Example: A fraudster approaches an innocent consumer online and solicits them for ‘help’ building credit. The fraudster offers to pay the consumer $100 to simply add the fraudster to their credit card accounts as an authorized user for three months. The consumer, wanting to help someone in need and being inherently trusting accepts the fraudsters offer. The consumer adds the fraudster to a credit card account that they’ve had for 20 years and have never made a late payment. The fraudster’s information is now being communicated the credit bureau as valid and they are also benefiting from the consumer’s great credit history.
2. Credit Accumulation Phase
Once the identity is created it’s time for them to start obtaining as much available credit as possible, as quickly as possible. This is especially easy for fraudsters that created their identities through ‘credit piggybacking’. This is because their credit score will typically mirror that of the consumer that they piggybacked off of. Underwriting methods have gotten better over the years, but too many financial institutions still rely heavily on a credit score to determine eligibility for lending.
Credit cards, personal loans, and auto loans are usually the hot items for fraudsters because the typical underwriting guidelines for these are more lax than those of something like a mortgage. Verification and required documentation are either not required or are easy to fake/manipulate. Based on my experience and research into synthetic fraud over the last six years, fraudsters will open on average 2-3x the amount of credit than that of a typical consumer.
3. Bust Out Phase
Now that they’ve gathered as much credit as they can, it’s time to put it to use. Credit cards, personal loans, home equity (HELOC), and vehicle loans. They will use as much available credit as possible, sometimes running up the lines to multiple times the limit and then disappearing. Busting out a credit card is always a favorite. Fraudsters will max out their lines, make fake payments, and then capitalize on the amount of time it takes for the payment to clear to max out the credit again. By the time the payment bounces the fraudster has already gotten away with twice as much as they were originally approved.
Synthetic losses are usually much higher than a normal credit loss. Through research I have been conducting, I’ve noticed that losses tend to be around 4.6x greater per identity than that of a typical write-off. This is why synthetic fraud has become such a hot topic in the financial industry over the last year. And rightfully so. But my worry is that fraud prevention professionals are losing sight of the bigger picture while trying to put out fires and limit their losses.
What happens next?
4. Synthetic Mule
This kind of scheme is rarely brought up in the conversation about synthetic identities, and probably for good cause. Banks and credit unions are focused right now on stopping the bleeding before thinking about what happens downstream. Synthetic mules are identities that aren’t used to cause a loss to the institution but are used solely for the movement of money. Hiding in plain sight with the intent to be a vehicle for washing illicit funds with no one to tie the activity to. To be honest I don’t have a good understanding of just how prevalent or widespread this issue is. But my guess is that in the near future we will start to see that it is much worse than I fear.
Organized crime needs to move their money somehow, and why risk getting caught by using a legitimate user? Money laundering becomes much easier if the people doing it ‘don’t exist’.
5. Shell Person
Synthetics identities are great for quickly accumulating loan proceeds and disappearing without a trace. Synthetic mules are perfect for taking those proceeds and moving them through the financial ecosystem. But what about organized crime rings, or individuals who are on sanction lists? Most people have heard the term shell corporation which is used to mask illegal profits as legitimate business. A shell person can be thought of in a similar manner, but are used to mask the identity of who is actually using the account. These are identities strictly used to avoid watchlists and sanctions. It creates a very easy mechanism to circumvent OFAC. Similar to a shell company being used to move money, a shell person can be used to conduct personal activity without the risk of being flagged by automated systems.
This focuses more on impact to banks and credit unions. Synthetic losses are almost 5x larger than normal credit losses. The profitability of a loan is derived from interest and fees. This means that in a normal situation a bank will have to open 5-10 good loans in order to cover the losses associated with a credit write-off. Synthetics have a multiplier effect of around 5x.
Banks and credit unions are also going to need to rethink how they assess identity theft investigations. Usually in order to take a claim of identity theft you must first verify that the claimant has the authority to make the claim. This is becoming increasingly difficult if the majority of information provided to create the account is fake. Now the financial institution has something on their books and can’t properly verify who it belongs to as well as who it reports to. This creates a whole new level of risk. It is no longer just an issue of limiting financial risk, but also legal risk. If banks and credit unions don’t begin rethinking their identity theft investigation practices now they could be looking at a wave of FCRA lawsuits in the very near future.
What happens after the loan proceeds are gone? How can they be moved through the financial system? What are these illicit gains used for? Banks and credit unions are so focused on their bottom line that these scenarios often get overlooked. And rightfully so. Their primary function is to make money and/or service their members. But the concept of synthetic mules and shell persons aren’t even being discussed. This kind of synthetic identity fraud has a much more sinister motive. Not necessarily personal financial game, but the advancement of an ideology or criminal syndicate.
Another problem that is often overlooked, is who do these SSNs belong to? Well…they are disproportionately owned by minors. Fraudsters are able to create identities with these SSNs because they haven’t been seen in the system yet. My fear is that we have a generation that in 5-10 years will begin to apply for credit, their first car, and student loans just to find out that they already have thousands of dollars in debt. An entire generation that will have to start their adult life cleaning up messes created by people they never knew.
Synthetic identity fraud is not a new problem. It just took longer than normal to identify. The financial industry might be behind the curve on fighting this trend, but I am very hopeful seeing the amount of collaboration and education happening throughout the world of fraud prevention. I haven’t seen so many professionals coming together to fight a common problem and it gives me hope for the future.
Never stop chasing checkmate.