Banks seeking to spot and weed out fake identities face complex challenges.
By Walt Williams
FirstBank, headquartered in Lakewood, Colorado, is “somewhat unique” in how it handles online credit offerings, but that hasn’t prevented it from being targeted by bad actors using synthetic identities, says Brandon Kelly, FirstBank’s vice president. If anything, the bank’s practices have forced fraudsters to get creative.
“You’re not going to ebankfirst.com and apply for a credit card like you might do at Capital One or something like that,” Kelly says. “We generally open those types of relationships for existing bank customers … You would think that would somewhat insulate us from this problem. But what’s interesting is that, in fact, has not stopped this particular kind of species of fraud.”
Fraudsters instead enroll through the bank’s website to create an account and then follow up with some type of person-to-person contact with a bank branch, such as a phone call. “What we’ve seen in terms of synthetic ID fraud, which I think is something of the norm, is these are highly coordinated, sophisticated, orchestrated (crime) rings,” Kelly says. “What is unusual is we tend to see it a little bit more through our branch channel.”
Synthetic identity fraud is a growing problem that could soon become much worse, according to one report. The digital identity management firm Alloy recently surveyed more than 250 financial institutions and found that 91 percent reported an increase in fraud in 2022, with first-party fraud—people misrepresenting their identities—the most widely reported form of scam.
“Synthetic fraud identities are usually built over the span of multiple years as fraudsters build their fake identities’ credit history,” says Carol Lu, fraud analytics manager at Alloy, speaking at the ABA/ABA Financial Crimes Enforcement Conference in November. “Fraudsters typically wait three- to five years to ‘warehouse’ the stolen information before they start using it to apply for accounts. We expect a lot of the PIIs (personally identifiable information) that were stolen in early 2020, when the pandemic started, to surface in 2023-24.”
An evolving threat
Banks seeking to strengthen their digital identification verification processes face a complex challenge as there are many moving parts to consider. But there are general guidelines that provide a path forward. For starters, never get complacent with the security measures in place as fraudsters are constantly finding new ways to undermine bank defenses. Jeremy Grant, managing director of business technology strategy at the Washington, D.C. law firm Venable, points to verification systems that ask users personal questions, noting they are no longer the deterrent they once were.
“That worked for a while, but the problem is—in part because we’ve had so many big data breaches over the last 10 years—a lot of that data that used to be secret is now out there, to the point that a lot of the banks that I work with say if somebody answers the quizzes too quickly, too accurately, it’s actually a good chance that there’s a sign of fraud going on,” Grant says.
“That sounds weird, but people usually miss a question rather than take time to go through it.”
The amount of PII online has made identity verification particularly challenging for banks,
notes an executive at one large bank who asked not to be named so as to speak candidly. This bank is exploring new technologies to weed out fake personas from real people.
“What we’re seeing now is that a lot of the synthetic identity and even just general identity theft accounts are being opened in large volumes, so they’re being automated through bots,” the executive said. “How do we decipher what is human activity versus scripting attacks? So things like behavioral biometrics are something that we’re working on.”
This large bank is currently using tools such as phone number validation to catch fraudulent accounts before they are created. Still, no matter the systems or processes in place, some will slip through, making monitoring vital, the executive added.
“Keep in mind that when a synthetic identity is used to open up a deposit account, that doesn’t mean that same synthetic identity—or an element of that identity—is not being used in another product that you offer, whether it’s an investor account, a credit card or even an auto loan,” the executive said. The bank, for example, looks for things such as the same Social Security number being used to open multiple accounts. Or multiple accounts being opened from the same IP address or device. “We’re constantly monitoring for that activity and then providing our investigators with link analysis tools that help them identify that connection across our enterprise.”
Three-step strategy
When bolstering a bank’s digital identity verification systems, it is important to consider the three core identity processes in the bank customer’s journey, says Austin Hong, partner in the anti-financial crime practice at consulting firm Oliver Wyman, speaking at the conference. The American Bankers Association and Oliver Wyman last year published a report on the significance of trusted digital identities.
The first thing to consider is the identity-proofing and KYC processes used during customer onboarding, Hong says. The second is authentication, which usually occurs when customers log into their accounts. And the third is transaction authorization and monitoring. All three are paramount, but not equally so, in his view.
“The most important part of this process is being able to stop bad actors—the fraudsters—before they get in the bank, so having and strengthening that onboarding verification process is incredibly important,” Hong says.
Banks seeking to bolster their verification processes can start by benchmarking their organizations against peers and industry best practices, the ABA/Oliver Wyman report points out. That base can then be used to create an analysis by mapping a bank’s customer-facing processes to understand where the institution’s controls may be failing and where vulnerabilities are being exploited, as well as identify weaknesses that need to be addressed.
The next step for banks is to empower a single executive to take point on digital identity leadership by giving that person the ability to break down silos in the organization and balance perspectives between key leadership roles. With the analysis and executive leadership in place, banks can then begin vetting vendors to provide security solutions. Just don’t forget to press vendors on what they offer in terms of maintenance and updates to the digital products they provide, Hong adds.
“As we all know, fraud trends are going to change,” he says. “If the technology doesn’t change along with it, it will be out of date.”
Walt Williams is associate editor of ABA Banking Journal.
