Synthetic fraud is a hot topic currently, in part due to the informative white papers written by the Federal Reserve. However, in my opinion, many commentators have mischaracterized the relationship between first-party synthetic fraud (often referred to as identity manipulation) and data breaches. Specifically, many commentators imply that the availability of stolen PII for sale on the internet is a material contributing factor to first-party synthetic identity creation and that the outcome of first-party synthetic fraud for consumers is commensurate to the results of identity theft. I disagree with both propositions, for the reasons outlined below.
What is “First Party Synthetic Fraud”?
Firstly, a recap on synthetic fraud.
Do large scale data breaches contribute to first-party synthetic identity creation?
There are numerous articles that imply that large scale data breaches have exacerbated the use of first-party synthetic identities by making stolen SSNs generally available on the internet. While this is theoretically possible, I doubt it is true for the following reasons:
For the reasons above, there is no incentive to use a stolen SSN, and smart fraudsters are much more likely to generate a legitimately-looking SSN within the schemas offered by the SSA, than voluntarily enter the higher levels of scrutiny associated with SSNs exposed by a data breach. While there might be some correlation between data breaches and first-party synthetic identities, it’s not yet proven that the two are causally related.
Is the impact of a first-party synthetic identity using someone else’s SSN the same as having their identity stolen?
Identity theft is extremely problematic for consumers because it allows a fraudster to appropriate valuable assets. Most obviously, an identity thief can use your identity to gain access to intangible assets such as cash, credit, investments, and information in order to steal, launder and liquidate those assets.
On the other hand, the outcome of a synthetic identity is a new tradeline furnished to a name, DOB, SSN combination, creating multiple credit files with a common SSN. Where there are multiple credit files with the same SSN, the credit bureau will typically post a flag to the file.
There are serious consequences of this, particularly where the appropriated SSN belongs to a child. For example:
There is no doubt these consequences can be severe. Nevertheless, these issues are not comparable to losing one’s life savings. (It’s also important to note that advanced identity verification systems such as SentiLink’s can easily see through these flags to verify the applicant’s correct SSN, thus preserving the benefit of the flag, while eliminating any additional friction.)
Consumers are subject to a variety of fraud vectors, principally identity theft at account opening or via an account take over, and there is no doubt such fraud vectors are exacerbated by large scale data breaches.
However, first-party synthetic fraud is not something that should keep consumers up at night. As noted above, fraudsters are actually disincentivized from using a stolen identity for the purposes of creating a synthetic identity. And the negative consequences, while material, are rare and capable of being resolved with time.
Don’t get me wrong: synthetic fraud is a serious threat to our financial system. It allows individuals to obtain well-priced credit to steal money. It allows criminals involved in organized crime to evade KYC processes to easily launder money. However by overstating the impact on consumers, we risk distracting financial institutions, regulators, law enforcement organizations, and consumers with ineffective solutions to this serious problem, when simple, cost-effective solutions are readily available.