"I remember the first time we met at Kabbage...you helped us stop something that had cost us $3M at that point."
- Rob Frohwein, Co-Founder Kabbage and Senior Executive of American Express_______________________________________________
Free Money: Fraudsters Took The Government For Billions: FI’s Are Next
Money 2020 Panel Oct 27, 2021
Moderator: Rob Frohwein, Co-Founder and CEO, Kabbage
Panelist: Naftali Harris, Co-Founder and CEO, SentiLink
Rob: The times since the last Money 2020 have been unprecedented. While government stimulus may have kept us at the lowest poverty rate in years, it also led to record levels of fraud. The victim was the U.S. government and all of us as taxpayers.
The Department of Labor Office of the Inspector General estimates that fraud with respect to unemployment benefits was $87B. I’m Rob Frohwein, co-founder of Kabbage, and I’m delighted to be here today with Naftali Harris, CEO and Co-Founder of SentiLink, an ID verification company that helps financial institutions stop applications with stolen and fake identities at onboarding. The company and Naftali and his Co-Founder are at the nexus of everything that’s happening in this space and literally spends his days immersed in fraud.
There was also a lot of fraud in the PPP program. Can you try to put the amount of fraud in perspective for people?
Naftali: $87B is a significant amount of U.S. spending. The outstandings on all credit card debt in the U.S. is around $1T.
Rob: Can you help us understand what does this fraud looks like?
Naftali: Typically a fraudster would steal someone’s identity, which is incredibly easy to do. Everyone’s identity is essentially public, unfortunately. They would open a bank account in that person’s name, and then they would apply for unemployment insurance at a state. A number of states had very weak defenses and would issue the money. The fraudster would then move the money into the bank account opened in the victim’s name. Once successful, they scaled it in a massive way.
Rob: I remember the first time we met at Kabbage years ago and you guys came to us and others in the small business lending space and said you could see fraud happening and to be aware of that. You helped us stop something that had cost us three million dollars at that point. I can’t imagine a better form of business development then going to people and saying, we’re going to save you millions of dollars over the next six months. You literally see it happen out in the wild.
Naftali: That’s right, based on the data we have, we can see which financial institutions are most impacted by different kinds of fraud whether it’s synthetic fraud, stolen identities or money laundering for unemployment insurance fraud. The way we prioritize from a business perspective is proactively reaching out to companies that are impacted that we know that we can help.
Rob: When you made contact (with Kabbage), you made contact with me, you made contact with Kathryn (Kabbage co-founder). A lot of people think that fraud is “oh we have a group that does that. That’s our front line team. They’re really good about fraud. We let them handle it.”
What’s your feeling in terms of what’s the right balance between front line handling it and when it becomes a real issue for the management team?
Naftali: In general, you want your front line team to do as much as they can. That’s the team closest to the actual data. Closest to the problem. For larger institutions that have a front line and a second line of defense or a front line maybe embedded in the business line, that team is pretty aligned with the rest of the organization. The challenge is when there’s something that really has an impact that could take down the entire institution that may not have an immediate impact on the business line. Here’s an example of this.
Historically checking and savings accounts have had much lower fraud defenses than lending products. If you look at lending products like yours at Kabbage for small business, or credit cards or auto loans, if you let fraud through the door there, you can lose a lot of money very quickly. In checking and savings, historically the perspective has been that it’s not possible to lose that much money. An FI could lose the maximum overdraft or some other money if aggressive about ACH clearances. But, they’re not going to lose their shirt as if they gave out a $100K small business loan. As a result, fraud defenses there have been lower. But with unemployment insurance fraud, there’s been a massive amount of identities stolen and they’re used to open checking and savings accounts. The financial institutions in general are not losing money to this.
But financial institutions are exposed to a massive compliance risk. For unemployment insurance fraud, the press has focused on the states but they haven’t focused on the financial institutions where that money was sent. $87B had to go somewhere and it ended up getting laundered through financial institutions.Those low defenses in checking and savings helped that to happen. That’s a case where the 2nd line of defense needs to step since this may not be an immediate risk to that P&L owner, but it’s a risk to the entire business.
Rob: It seems like the “it’s not my problem” approach is not the right way to lead in an industry. Ultimately, you have to think about your customer, your customer’s customers and all the different folks in the supply chain. You take care of them and they’ll take care of you.
How do fraudsters actually move the UI money once they get it?
Naftali: The money starts with the state, and the way they issue it varies by state. Some issue a prepaid card, others issue a check, or send an ACH transaction. At some point, the money is moved into a bank account. The money often moves a couple times. It may move from one bank to another bank. It might get aggregated, it might move through mules. It often moves to crypto, brokerage accounts which will allow you to buy crypto. Or international transfers or p to p transfers.
Rob: What can regulators do to mitigate this issue?
Naftali: There’s two main things they can do. One is that FI’s are mandated to have KYC processes. But, states, local governments and even the federal government don’t hold themselves to those relatively low standards. The first thing regulators need to do is to make sure there’s some parity. If the government is going to be handling a huge amount of money the way that it has, they should have some minimum requirements for identity verification.
The second thing is we do have the CIP rules which say that if you are an FI, you need to be able to form a reasonable belief that you know the true identity of your customer. In lending, people take that relatively seriously because they are exposed to financial losses. But, in checking and savings, in some cases at some financial institutions there’s more of a check the box attitude where they collect the name, date of birth, address and SSN and match them. Regulators should clarify that reasonable belief really means that at the end of an application process, you should have a reasonable belief that you know the true identity of the person you are doing business with.
Rob: Do you think with the extreme amount of fraud with government programs it will accelerate the speed of regulations?
Naftali: I think it will.
None of us likes regulations that are done in a fast way as a backlash, but when the story starts to shift from the states that have lost money to financial institutions through which some of that money has flowed, the folks at places like the House Financial Services Committee or the Senate Banking Committee or OCC or FinCEN will really start to pay attention. I would not be shocked if there was a push for strengthened regulation on the back of this UI fraud.
Rob: And, then, of course, everyone will rush to try to implement something. It would be very nice for them to say we’ve got a very robust solution in place, we’ve taken these 10 steps to do that.
What are the steps FIs should be taking right now,
Naftali: For UI fraud, be very proactive about the DDA product you have. Do a retrospective of your own before a regulator goes and mandates that. You can bring in people from your lending team, other vendors or a company like SentiLink and look for identity theft that might have gone through your system. Be proactive and close those accounts. So, when a regulator knocks on your door and says they saw a bunch of fraud that went through your organization, you can say yes it’s a known issue, we’ve already closed all the accounts, we filed our SARs. We’ve already taken steps to improve this going forward.
Rob: We’ve got lots of traditional banks out there. Tons of neo banks. How do you see that balance? When you talk to a neo bank, are they just drinking from a fire hose and don’t have time to think about it as much? Are the two adopting solutions at the same time or one moving slower than another?
Naftali: I’ve seen it all. For context, we work with over 100 financial institutions in the U.S. from the top 10 banks to small startups. In the middle, large credit unions, private equity backed lenders, non-bank lenders, regional banks. It’s more about the people at those places then it is about the places themselves. I’ve seen neo banks who take their regulatory obligations very seriously that are very proactive about fraud and very forward thinking. I’ve seen traditional banks that have a see no evil, hear no evil mentality.
Rob: The level of effort and investment required for someone to become a fraudster, the barriers just not that high right now.
Naftali: Everyone talks about the “dark web” but if you Google how to do carding, you’ll see tutorials on how to commit credit card fraud.
Rob: When you think about SentiLink 5 years from now, what’s the metric you would measure success. Total dollars of fraud stopped? A revenue number?
Naftali: If you think about it from a 5 year perspective, we’re trying to change how identity verification works in the U.S. If you look at ID verification over the last 50 years, we’ve done the same thing again and again. You look around this conference hall, there’s a bunch of anti-fraud, KYC. There’s a possibility to reinvent how identity verification works. There is a different way to do this in the U.S. and that’s what we’re excited to build here.