Brandi B. Reynolds, CAMS-Audit, CCI
The pandemic and the proliferation of FinTech’s have combined to solidify the consumer online-account-opening channel. Regardless of whether the account is a checking account, a prepaid card, a consumer loan, or a credit card, the most likely way that accounts were opened in 2020 was online. Online opening adds convenience for consumers, but also increases the risk that the financial institution opening the account is being defrauded in some way. What are those risks, and how can the financial institution’s staff recognize the warning signs that online account opening fraud is about to occur (via preventive controls), or has already occurred (via detective controls)? Recognizing fraud or potential fraud is a key concept because the more sophisticated the institution’s preventive controls are, the more easily that institution can serve bona-fide customers, while stopping the bad actors in their tracks.
What are the Risks?
First, there’s the risk that an account is being opened with a stolen ID. Shortly after the account opens the institution receives notice that the true owner of that ID never opened an account and the institution follows its ID Theft procedures. An institution never wants its primary control to be “the real Mrs. Jones notifies the institution that a fraud has been committed,” but it’s always good to know that the real Mrs. Jones will notify the institution, provided she’s able to do so.
Second, there’s a bigger risk that an account is being opened via synthetic ID fraud. Since a synthetic ID belongs to the fraudster him/herself, there is no true owner of that exact ID. Yes, there’s likely an owner of the social security number used as part of the ID, but the rest of the data points for ID (phone #, address, device) “belong” to the fraudster. Thus, a synthetic, fictitious, ID is created.
Although ID Theft is important, this article focuses on Synthetic ID fraud at account opening.
With the right tools, the attempts to open these synthetic ID accounts can be searched out.
What are the Controls?
There are two effective controls that can help flush out synthetic ID fraud:
- Staff education and training at the operational level.
- The right tools, typically from vendors.
Although on-going transaction monitoring is usually a control when it comes to fraud, it’s difficult to spot synthetic ID fraud using on-going transaction monitoring. This is because the transactions orchestrated under a synthetic ID account mimic normal activity that wouldn’t get picked up by any monitoring software. Example: many times the fraudster doesn’t really need a checking account, but just wants to open an account to help make the synthetic ID seem real. So many times, these accounts get opened online, funded with a small balance, and then never used, meaning there are no transactions. With respect to credit cards, there will be activity. Typically, there will be a lot of usage, and timely payments. The activity is pristine, and that’s how it flies under the radar. With respect to synthetic ID fraud, the only monitoring that could be remotely helpful is the continual monitoring of the customer base itself (as opposed to transactions). Monitor for the same email address being used, the same address, the same IP address, even the same out-of-wallet questions and answers. Monitor those deposit accounts opened online but never used. These are good ways to monitor for fraud in general.
Essentially, synthetic ID fraud needs to be caught at the account opening stage.
Staff Education & Training
Staff education and training on account-opening-fraud should occur at all levels in the institution, including sales and business development staff, and cannot be limited to basic online courses on ID Theft. Most courses on ID Theft focus on the regulation itself, meaning the FACTA (Fair and Accurate Credit Transactions Act) Red Flags rule. Seldom do training courses focus on how ID Theft occurs, and they practically never focus on synthetic ID fraud. Pure regulatory training may show an examiner that training occurred, but it is not effective. The education and training provided to staff should be operational training and address the ways that fraudsters perpetrate synthetic ID theft, why they perpetrate it, and use real examples and case studies so staff know how to spot it.
Before providing this specialized training, first provide basic training on Identity Management. Our identities used to consist of our name, address, social security number, phone number, and something like a driver’s license number. Today, our identities include a lot more information. Multiple data points today make up our digital identities, or at least help to validate our identities. These data points include our email address, our devices, our IP addresses, our geo-locations, the rate at which we type (to show we’re not a bot), how old our email address is, how old our phone number is, and even our social media profiles and activities. For staff to understand how to thwart synthetic ID fraud, they must understand what makes up a consumer’s identity in today’s world.
The Right Tools
Vendors have risen to the occasion and have come to the market with tools that analyze all the data points mentioned above, many times in real-time, and can immediately issue a “score,” that can alert staff of an attempted fraud taking place. This analysis is where financial institutions want to place their attention because the analysis is considered automated preventive control – the best kind of control. It is best to not let a fraudster open an account to begin with.
To find the right tools, just do an internet search on “Online Account Opening Fraud Detection and Risk-Rating Tools” to see the variety of solutions available. These solutions are typically add-on products. Fintechs need these solutions so much, they’re likely to use more than one to double-team the fraudsters.
Online account opening fraud, especially that orchestrated via synthetic ID fraud, is proliferating because online account opening is proliferating. Financial institutions and Fintechs, via proactive implementation of controls, can spot this fraud in progress and bring it to a halt. This fraud prevention is good for the institution, and for society as a whole.
For more information on how CorCom can assist with your compliance needs, please contact firstname.lastname@example.org.