Recently, fraud and risk operations professionals have become deeply familiar with the concept of synthetic identity fraud. As the fastest growing financial crime in 2019, it has been getting increasing attention from financial institutions, regulators, and service providers alike, with many organizations scrambling to manage their exposure.
One of the reasons that synthetic identities cause such concern in the financial community is that a synthetic identity allows a criminal to circumvent the identity controls implemented in response to the CIP Rules (1), in which identity is verified by reference to an applicant’s personal information, including their social security number.
If all financial institutions implemented a synthetic identity fraud solution, this problem would largely disappear overnight, but most don’t. Why? Because they believe that regulation does not require them to. This is likely untrue, and therefore a high-risk strategy, as I will outline below.
Under the CIP Rules, a financial institution does not need to establish the accuracy of every element of identifying information provided by the consumer. However, “it must verify enough information to form a reasonable belief that it knows the true identity of the customer.” (2) This statement is deliberately broad, in order to allow for changing threats and risks.
If you are not checking to see whether the customer is using a synthetic identity — a modus operandi that is both (i) the fastest growing form of financial crime today, and (ii) known to circumvent traditional identity controls — it will be challenging to make the argument that you have formed a ‘reasonable’ belief as to the true identity of the customer.
Under the CIP Rules, a financial institution must establish a customer identification program (“CIP”) as part of its anti-money laundering compliance program and the CIP “must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.” (3) The CIP Rules have been recently extended to cover beneficial owners of legal entity customers, precisely because legal entities have been used to circumvent identity controls in order to enable criminal activity.
Since the CIP Rules require a financial institution’s CIP to be risk-based, it follows that financial institutions that accept account applications or otherwise open accounts online should have a CIP which accounts for the heightened risk that applicants are using synthetic identities to evade identity controls.
Perceptive readers will have noticed the second limb of the CIP requirements — namely, that the procedures need only be “reasonable and practicable.” In this context, we have heard arguments against synthetic identity solutions based on the ‘user experience’ for the customer and the ‘regulatory burden’ placed on the financial institution. Both of these arguments are compelling but unfounded.
Effective synthetic identity solutions (like SentiLink’s) are based on machine learning models fed by data sources. They can be integrated via API for live analysis, or have applications analyzed as a batch (for example overnight, covering the applications received the preceding day). In both cases, integration is simple, secure, invisible, and frictionless to the applicant (unless they are using a synthetic identity).
Furthermore, the costs of scoring an application using SentiLink’s machine learning model are trivial when compared to the lifetime value of the customer.
KYC stands for Know Your Customer. Companies who onboard synthetic identities clearly aren't conducting appropriate due diligence to, in fact, know their customers. Financial institutions that are not checking whether an identity is synthetic are allowing criminals into our financial system and placing themselves and the broader financial ecosystem at risk. Regulators will use the benefit of hindsight when assessing compliance and will rely on the flexibility of the CIP Rules in determining whether a financial institution is compliant.
We encourage all financial institutions to review their portfolio for the existence of synthetic identities and take appropriate action where such synthetic identities exist, as it is only a matter of time before regulators take matters into their own hands.
(1) The Financial Crimes Enforcement Network (“FinCEN”), under the Department of the Treasury, promulgated its customer identification program requirements (the “CIP Rules”). See 31 CFR X. The CIP Rules generally require a financial institution to collect four data points about an individual customer when opening an account: (i) name, (ii) date of birth, (iii) address, and (iv) identification number (SSN or TIN).
(2) See FFIEC’s Bank Secrecy Act / Anti-Money Laundering Examination Manual (2006).
(3) See 31 CFR 1020.220.
James Cook is General Counsel of SentiLink, where he has been leading the legal function since 2019. James has served as General Counsel for hyper-growth B2B SaaS start-ups since 2008, including 5 years supporting identity verification and fraud technology providers.