New Fraud on the Block Causes Bank Losses to RiseBanks Discuss Identification Struggles as Account Opening Fraud Soars
A new type of identity fraud now plaguing financial institutions, including banks, has increased 109% year on year in 2021. This increase is a result of traditional banks offering more online lending and depository products, while digital banks, with untested fraud and compliance protocols, are under pressure to show rapid customer growth.
New account fraud, also called account opening fraud, entails fraudsters using stolen or synthetic identities, or just false information, to open new bank accounts. The fraudster's aim is to max out their credit limits before disappearing.
Experts in the sector discuss with Information Security Media Group the impact this fraud has on their organizations, the challenges of identifying and tracking fraud, and mitigation measures.
The impact of account opening fraud is widespread. As much as 50% of new U.S. accounts in 2021 were fraudulent, cybersecurity company FiVerity says, while the U.S. Department of Labor OIG puts the contribution of account opening fraud at $163 billion, with respect to losses from unemployment benefits and PPP loans.
In all likelihood, these numbers barely scratch the surface, primarily because losses from account opening fraud are not tracked centrally and depend on the maturity of the identity, authentication and fraud control stack of the financial institutions concerned.
The high attack rates also add to the challenges.
"The attack rates are so high operationally that sometimes these are losses that just hit the bottom line without giving us time or resources to conduct proper root cause analysis," says Mary Ann Miller, former fraud strategy leader at Varo Bank and vice president of client experience at Prove, an identity authentication firm.
Clearly, there is a need for banks to reimagine the way they integrate sophisticated origination tools and connect new account opening to their transaction monitoring and funding capabilities.
"Focus on vendor solutions that offer consortium-based decisions and intel. The problem with identifying and resolving first-party fraud is often not knowing what potential criminal activity is happening outside of your organization via the same device, IP or account holder," says John Buzzard, lead fraud and security analyst at Javelin Strategy and Research.
Tough to Track
Banks appear to be unaware of the exact losses that are caused by account opening fraud, primarily because they're not easy to track.
"To be honest, I don’t know current estimates on the percentage of fraud losses due to account opening fraud. I would venture a guess of about 30%," says Bushra Latif, vice president and bank fraud program manager at Johnson Financial Group.
Also, the way banks categorize losses is highly subjective.
"The way a bank categorizes a fraud loss depends on how the money is coming in or how the money is going out," says Karen Boyer, vice president, financial crimes and fraud intelligence, at People’s United Bank.
"For us, 60% of online account opening traffic is fraudulent. While some we are able to detect and decline, there are quite a few that pass through the authentication waterfall," says Boyer.
Following are examples of cases in which fraudulent accounts are tough to spot.
During fund inflow:
- Transfers from other banks;
- Wires from victims/other mules;
- Automated Clearing House, or ACH, credit from other banks;
- Counterfeit checks.
During fund outflow:
- P2P services, primarily Zelle, Venmo and Cash App;
- Crypto exchanges.
Greg Woolf, CEO of digital fraud analytics company FiVerity, says banks and regulators are still working out how to classify and report account opening fraud.
"Compared to traditional identity theft, account opening fraud is harder to detect because there is no immediate consumer victim. These synthetic identities are used to open multiple accounts across multiple institutions, causing significant losses over time when they eventually 'bust out,'" Woolf says.
Another problem facing banks is the constant pressure of customer service, which often forces them to reduce controls of stopping fraud in an effort to ensure that customers don't experience declined applications or transactions.
"If you can intelligently explain the 'how' and 'why' a legitimate transaction is declined, then you can turn a complaint into a compliment, as most customers will be impressed with the security they feel at their bank. Unfortunately, that is not the priority, especially with the rise of fintechs and the constant pressure for banks to match the ease of these applications," Boyer says.
First-Party Fraud: A Major Concern
While synthetic ID fraud continues to attract the attention of financial institutions and banks, first-party fraud has increased greatly in the past two years, and it contributes to account opening fraud.
In first-party fraud, a person knowingly misrepresents their identity or gives false information for financial or material gain. For example, by exaggerating their income, fabricating their employment or misrepresenting their financial circumstances, individuals can get services and credit they might not otherwise be eligible for.
"In general, I think there is an over-classification of synthetic fraud," a financial crimes manager at Fifth Third Bank who requested anonymity tells ISMG. "I believe a lot of 'synthetics' are just identity manipulation that leads to first-party fraud. When you check someone’s account for synthetic ID fraud, the challenges thrown at them would be 'identity-related.' First-party fraudsters are able to meet such challenges, giving banks a false sense of security," the manager says.
A March 2022 report by TransUnion, titled "2022 Global Digital Fraud Trends," shows that first-party fraud is among the top growing frauds in the world. Ranked at number five, it grew 91.1% in 2021.
Ian Mitchell, managing partner at U.S.-based fraud consulting firm Omega FinCrime and the founder of The Knoble, a nonprofit network that fights scams, says the challenge with first-party fraud and synthetics is that, by nature, they pass upfront verification and authentication processes.
"These types of fraud are manifesting as fraud losses in cases where they onboard with the intent to strip out fraudulent benefit via bad deposits and credit bust out-like activity," Mitchell says.
The Way Out
Account opening fraud has also caught the attention of regulators.
The Federal Deposit Insurance Corp. and FinCEN recently launched a Tech Sprint to explore how digital identity proofing can be modernized and improved for remote banking customers at the account opening stage. The goal of the effort is to spark the development of new solutions to fight fraud while increasing efficiency and overall account security.
The efforts by the industry so far, however, have not yielded the desired results. Many banks are currently leveraging integrated datasets, which is crucial - but the inevitable downside is data overload.
"The adoption of multiple anti-fraud solutions at global banks is well-intentioned but has led to an overwhelming volume of fraud scores and false positives," Woolf says.
He says banks need a single, holistic platform that can ingest all their fraud data, conduct analysis and translate it into a coherent view with meaningful recommendations. "Any use of AI and machine learning should be driven by humans that can incorporate their fraud-fighting strategies - making it smarter over time - while providing necessary transparency for model risk governance and compliance examinations."
The good news is that fraud intelligence sharing among institutions has gained momentum, thanks to confidential computing, which enables advanced pattern recognition while keeping private consumer data safe.
Boyer says: "I would focus on continuous authentication throughout the journey of a customers' span at the bank. I see a lot of first-party fraud at the onset of the customer's onboarding, where they want to get their quick buck and then move to another bank before the debt or fraud can be reported."
"There are other scenarios where the account 'sleeps' for a bit and then is busted out with a fraud deposit and drained too. But taking a baseline for the consumer's activity and then consistently checking the current activity with the history should be able to prevent this type of loss on a sleeper account," she says.
But legacy financial institutions and supporting processors will be challenged to look across the customer life cycle as much of traditional defenses have been constructed around individual transaction types. "Platforms now exist and reside in many of the traditional financial institutions to connect and risk-score all transactions. These FIs need to invest in connecting those channels, instruments and products," Mitchell says.
He says: "Connecting what we know about our customers, starting from application across all transaction types, is critical to success. Using advanced analytics and machine learning to contextualize the customer behavior and then applying it to appropriate treatment at the account and transaction level is key. We must get smarter about how we know and engage our customers, for their protection and the bank's."
Aside from technology, it is necessary to have a C-level commitment, Miller says. "Your fraud experts need to be at the table - they are your business enablers. Fraud teams spend much of their time fighting fraud from the bad actors breaking glass in organizations. When it comes to putting in the right controls to protect the business and customer, the financial institutions sometimes forget that fraud experts are your biggest supporters of the customer experience and technology know-how."