By: Janet L. LaFrence, Director, SHAZAM Payments Association
The payments system, one of the nation’s essential infrastructures, is continually challenged by fraud threats that evolve as technology advances. In 2018, the Federal Reserve launched an initiative to raise awareness about synthetic identity fraud, reportedly the fastest growing financial crime in the United States. The Center for Payments™, a joint program sponsored by ten payments associations for the purpose of helping members and staff better prepare for the continued evolution in U.S. payment systems, supports the Fed in educating financial institutions about synthetic identity fraud and encouraging proactive measures to mitigate this risk.
What is synthetic identity fraud?
Where money is in motion, there are those looking to steal it. While fraud isn’t new, the perpetrators’ techniques are constantly evolving to take advantage of the current environment. Synthetic identity fraud (SIF) uses a combination of personally identifiable information (PII) to fabricate a person or entity to commit a dishonest act for personal or financial gain.1
While traditional identity theft is well understood, it’s often mistaken or confused with synthetic identity fraud. Traditional identity theft occurs when a fraudster pretends to be another real person, usually supported by the person’s Social Security number, date of birth, driver’s license, bank account login credentials, or other sensitive information the fraudster has captured. The fraudster then uses the victim’s identity to access credit, accounts, and other items of value. This more traditional type of fraud is usually detected and reported quickly. Victims begin to receive unfamiliar notifications, phone calls from creditors, and other red flags that tip them off.
Synthetic identity fraud is different and results in creating a brand-new identity. Here’s one example of how it can work:
- Fraudsters buy PII or other personal information on the dark web. This data is usually exposed to the dark web by data breaches, social engineering, or oversharing on social media.
- In some cases, the fraudster uses the Social Security number of a child or an elderly or homeless person because they don’t actively use their credit and are less likely to notice the fraud for some time.
- The fraudster applies for credit using their newly minted identity. Even if the institution denies their application, the inquiry creates a credit file with the credit bureaus, which can help validate the identity in the future.
- Undaunted by the first few denials of credit, they will keep trying, and eventually, someone will approve the application, often a high-risk lender. The fraudster will use this initial line of credit to establish a timely repayment history to cultivate higher credit limits and even more accounts.
The process continues as the fraudster’s efforts gain momentum; they generate a solid credit history and build their identity with social media accounts and a home address (usually a P.O. box, vacant property, or vacation home). More sophisticated operations even create fake businesses and sign up with merchant processors to install credit card terminals to create charges on fraudulent cards.
This activity causes the fraudster’s credit score to increase. After all, they’re making payments on time, achieving increases in credit limits, and solidifying their identity. This is when they “bust out,” which is a term that refers to maxing out a credit line and vanishing without repaying. The fraudster might use a fake check to pay off the balances before maxing out a credit line again and defaulting. Adding insult to injury, some fraudsters even cry “identity theft” and have their charges erased, then make additional transactions and repeat the process.
Synthetic identity fraud has gained prominence in recent years for several reasons:
- In 2011, Social Security number randomization eliminated the geographical significance of the first three digits (the area number) and the chronological significance of the remaining digits, making the numbers less helpful in corroborating other forms of identification.
- The increase in PII available to fraudsters has increased significantly due to spikes in data breaches and the amount of PII that consumers voluntarily make available on social media.
- Synthetic identities often escape detection during the credit application process, which is becoming increasingly automated.
Who bears the cost?
Generally, the individual whose personal information was used to create the false identity won’t be responsible for losses, provided they can prove they weren’t behind the synthetic identities.
Instead, financial institutions bear most of the cost of this type of fraud. Industry experts estimate the load borne by U.S. financial institutions at over $14.7 billion in 2018.2 Further, roughly 20% of credit losses in the financial industry are believed to stem from synthetic identity fraud.2
What can financial institutions do?
The best time to detect synthetic identity theft and prevent the risk of loss is at the time of account opening. The problem is that synthetic identities often pass traditional Know Your Customer (KYC) compliance requirements, which rely heavily on established credit history and assume the first Social Security number in a credit file is valid.
To detect synthetic identity fraud, it’s essential to look beyond the basic identifying information to verify whether an identity is legitimate or artificial. For example, in their white paper, Detecting Identity Fraud in the U.S. Payment System,3 the Federal Reserve advises financial institutions to look for the following characteristics of a synthetic identity:
- Social Security numbers issued after 2011
- Credit file depth inconsistent with the customer’s age or other profile information (such as a 60-year-old applicant with a credit file less than a year old)
- Multiple identities with the same Social Security number and numerous credit applications from the same phone number, mailing address, or I.P. address
- Use of secured credit lines to build credit
- “Piggybacking” to build credit (applicant is an authorized user on multiple established credit accounts which may be associated with geographically dispersed addresses)
- Multiple authorized users on the same account
Also, the Social Security Administration has introduced an electronic Consent Based Social Security Number Verification Service (eCBSV) to help identify synthetic identity fraud. With the consent of the SSN holder, eCBSV can verify if the SSN, name, and date of birth combination provided by an account applicant matches Social Security records. eCBSV returns a match verification of “yes” or “no.” In addition, if SSA’s records show that the SSN holder is deceased, eCBSV returns a death indicator. The SSA introduced this service in 2008 as a paper-based process, but the initial roll-out of a more efficient electronic version has been in a pilot phase since June 2020.
What else can be done?
Verifying your customer can be even more difficult if you never see the account applicant in person. In addition, online account opening, already gaining popularity thanks to consumer demand, has quickly accelerated due to the pandemic. As a result, many financial institutions are challenged to safely meet the increased demand for more digitized services.
To build on the Fed’s work and help support financial institutions that want to offer online account opening, the Center for Payments recently conducted a study titled Digitizing Payments: The Online Account Opening Experience4. Over 500 c-suite executives from financial institutions of various sizes were surveyed to examine current practices and procedures to detect, evaluate, and mitigate fraud risks throughout the online account opening process. The key findings are:
- Online account opening is a growing trend in financial services.
- Risk avoidance is the key rationale for not offering online account opening.
- Financial institutions must understand the types of fraud risks associated with online account opening, such as synthetic identity fraud.
- Financial institutions that offer online account opening use various tools and techniques to mitigate fraud risks, including additional steps beyond their standard Customer Identification Program (CIP) requirements.
Visit the Center for Payments website for an executive summary of the study: Digitizing Payments: The Online Account Opening Experience4, and contact your payments association for access to the full report that provides more information on ways to support a safe and secure online account opening experience.
See the problem, solve the problem
The growing problem of synthetic identity payments fraud requires the attention of all payments industry stakeholders and collaborative efforts to understand, detect, and address synthetic identity fraud in the U.S. payments system. The Center for Payments will continue to work closely with the Fed, community financial institutions, and industry stakeholders to increase awareness and mitigate the risk of synthetic identity fraud.
12021, Payments Fraud Insights, Defining Synthetic Identity Fraud, The Federal Reserve
2 2020, PYMNTS.com, Deep Dive: How F.I.s Are Looking Beyond Traditional Know Your Customer Data to Spot Synthetic ID Fraud, PYMNTS.com
32019, Payments Fraud Insights, Detecting Synthetic Identity Fraud in the U.S. Payment System, The Federal Reserve
42020, Digitizing Payments: The Online Account Opening Experience, The Center for Payments™