Synthetic identity (SID) fraud is insidious. It has many characteristics that make it hard to tackle, including reporting challenges and misaligned incentives. Nevertheless, I anticipate a high level of regulatory attention as the criminal consequences of this phenomenon crystallize, and I further believe that financial institutions that do not take immediate action may find themselves on the wrong side of regulators.
Firstly, a recap on SID fraud. A SID is one where an applicant’s PII (typically, name, SSN, date of birth and address) does not correspond with any known person but nevertheless exists in a credit record at a credit bureau. Because access to the Social Security Administration’s records is limited, it’s hard for a financial institution to definitively validate a specific combination of PII. As a consequence, most financial institutions accept the credit bureau’s record of the identity as proof of that person’s existence and proceed to open an account in their name. This gives the identity further validity, resulting in the SID opening more accounts with greater financial autonomy. The traditional economic objective of a synthetic identity is to build a sufficient credit history that will allow fraudsters to borrow hundreds of millions of dollars (DOJ) and then default, but SIDs also exist to commit other organized financial crimes, such as money laundering.
According to this report by McKinsey, “synthetic ID fraud is the fastest-growing type of financial crime in the United States”, and it’s not surprising given it’s so scalable. A fraudster can create and incubate a stable of identities, constrained only by the amount of time that can be dedicated to creating the SIDs and using them to open accounts. The risk SID fraud poses to the financial system has drawn the attention of the Federal Reserve, which is publishing a series of whitepapers on the phenomenon. Because SIDs mature over time, it’s likely that we’ve only seen the tip of the iceberg.
One of the reasons SID fraud is insidious is because the SID will 1) perform like a perfect borrower for a period of time until 2) it needs to be “burned” (used to default on a large unsecured loan or launder a large sum of criminal proceeds). For organizations who only encounter SIDs during the “perform” phase, there is no economic incentive to detect and eliminate SIDs, and the SIDs have a low-risk environment to incubate.
While plenty has been written (and done) with respect to the economic impact of SID fraud, I feel there has not been enough focus on the use of synthetic identities for other criminal purposes. As described above, synthetic identities provide an almost perfect vehicle for money-laundering, because it eliminates the need to find legitimate individuals and bank accounts that can be suborned for criminal purposes. As more synthetic identities are used for this purpose, I anticipate an increased focus from regulators (principally FinCEN) on ensuring financial institutions are implementing CIP and KYC/KYB processes designed to detect and eliminate SIDs in compliance with the Section 326 of the USA PATRIOT Act. I expect this focus will be mostly directed at those organizations that don’t have a strong economic interest in preventing SIDs, such as depository institutions or small ticket lenders.
In my time working within the financial community, I have been gratified to see how our community works together to protect our financial system. Collaboration is particularly important when it comes to SIDs, because of the way that SIDs perform early in their existence. The Fed agrees in this whitepaper, saying: “Financial institutions and payments stakeholders should take a comprehensive and collaborative approach as they continue to improve their fraud detection capabilities.” [Emphasis mine.] I suspect that regulators will take a dim view of organizations that choose to ignore this escalating risk to our financial system, law enforcement, and national security interests due to a lack of an economic incentive to do so.
This is particularly true because there is a range of affordable solutions that organizations can implement in order to substantially reduce this threat without impacting their customer onboarding experience. There is a lot of anticipation for the Social Security Administration’s eCBSV initiative (which resulted from a congressional direction designed to reduce the threat of SID fraud). While SentiLink was delighted to be selected as a pilot service provider, I feel that the expectations of this solution are too high, given the consent requirements and the requirement for exact matching. Instead, I agree with the McKinsey analysis, that the optimal solution is a “synthetic ID risk model …built from external data sources” and powered by machine learning.
Over the longer term, I am confident that Congress will address this issue structurally, by defining an identity verification regime that no longer relies upon the SSN as the principal form of identification, such as this bill proposed by Congressman McHenry. In the meantime, financial institutions need to take action to prevent and eliminate the SID phenomenon, or they will only have themselves to blame.