Synthetic identity fraud has increasingly impacted lenders in the last three years as criminals and credit abusers used fabricated identities to secure lines of credit and then often cash out and disappear. Based on TransUnion’s analysis, there’s more than $1 billion in synthetic balances within card, auto and personal loan segments. Because synthetic identity fraud uses legitimate-looking data, made up of fake and real PII, it can be difficult to detect.
When constructing synthetic identities, fraudsters have relied on the Social Security number (SSN) because of its use as a near-universal personal identifier and because of a lack of source verification with the Social Security Administration (SSA). One way to help lenders combat synthetic identity fraud is stronger controls on the use of SSNs. Fortunately, Congress has acted to set up a new process, Electronic Consent Based Social Security Number Verification (eCBSV), to allow for real-time validation of personal information connected with an SSN.
What is Electronic Consent Based Social Security Number Verification (eCBSV)?
U.S. Senate bill S.2155, the “Economic Growth, Regulatory Relief, and Consumer Protection Act,” Section 215, requires the SSA to accept the electronic consent of an individual to allow a financial institution to verify his or her name, date of birth, and Social Security number using SSA’s Electronic Consent Based Social Security Number Verification service (eCBSV). The SSA is piloting the eCBSV service this year. It’s anticipated that a real-time eCBSV service will be enabled through service providers like TransUnion, as well as with the SSA directly.
With the implementation of eCBSV looming, we see at least five potential impacts on the multi-billion-dollar synthetic identity fraud problem:
- Rush to create an inventory of ‘aging’ synthetic identities
Just like the conversion to EMV (chip) cards in the US, technology, cost and operational complexities will make full eCBSV implementation difficult to achieve overnight. Before the eCBSV service gains full adoption in the market, fraudsters are likely to create sleeper identities that sit inside lenders’ books where they can age with no negative performance and increase their reputation over time. As new identities are less common, it could drive demand for ‘aged’ synthetic identities with established accounts, allowing fraudsters to use these identities without running into the eCBSV litmus test.
- Synthetic identities in financial services will drastically shrink
It’s likely lenders will have the ability to check a name, date of birth (DOB), and SSN directly against the SSA’s database in real time to flag fake data used by synthetic fraudsters. A positive or negative response from the eCBSV service will offer high confidence that the SSN presented is a valid combination with a given name and DOB. Consequently, blatant misuse of fake and stolen SSNs, alongside fabricated and real name and date-of-birth combinations, may come to a halt.
- Return to other first-party fraud and credit abuse
Many lenders struggle to detect credit manipulation with synthetic identities with certainty, making first-party fraud scalable. Significant growth in bust-out behavior over the last couple of years shows signs of increased credit manipulation.
As synthetic identity fraud becomes more difficult, we anticipate other types of credit abuse and first-party fraud will become more popular, such as:
- Individuals claiming to be victims of identity theft to submit fraudulent and frivolous credit repair claims
- People ‘selling tradelines’ by offering authorized users space on their credit cards for a fee, giving fraudsters the ability to build positive credit histories on the backs of legitimate credit lines
- Continued growth of identity theft
Cybercriminals continue to hack networks to access personal data records. Data breach activity was up 39% in 2019 with an eye-popping 5,183 events exposing 7.9 billion records. With the implementation of eCBSV, we expect this trend to continue.
In addition to data breaches, individual consumers are at risk because many don’t take steps to effectively protect their identity online: they buy from unverified websites, use weak or recycled passwords or fall prey to phishing. According to a recent TransUnion study, 1 in 4 people have been targeted by COVID-19-related digital fraud, and the FTC has already reported that, as of 05/28/20, consumers have lost more than $40MM in 2020 to COVID-19-related scams and complaints.
- Non-permitted entities will increasingly become targets
Fraudsters will look for new paths to create and legitimize synthetic identities. The eCBSV defines a “permitted entity” as a financial institution or service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution. (Public Law 115-174, Title II, 215(b)(4), codified at 42 U.S.C. 405b(b)(4).) Three categories of accounts may be at risk from not using eCBSV:
- Consumer services: Retailers, gaming and gambling sites, social networks, media sites, dating apps, gig economy and ecommerce platforms may not be regarded as permitted entities. Many of these sites and apps are less likely to require genuine identity verification, which may allow synthetic identities to persist in their ecosystems.
- Deposit accounts: There are fewer losses from synthetic identity fraud in deposit accounts because they’re more likely to be used for moving money. As a result, the ROI for a business to invest in synthetic fraud solutions for deposit accounts is often not valued as highly as it is in credit and lending. Consequently, some financial institutions may consider not running the eCBSV service for activities such as opening checking or savings accounts.
- Business lending: Business lending and banking are actively targeted by synthetic identity fraudsters, but there’s less standardization in business loan underwriting practices and security. With little to no participation in reporting performance activity for business lending to credit agencies, it’s unlikely business lenders will adopt eCBSV, even though they may be eligible.
It’s Time to Get On-Board with eCBSV
Synthetic identity fraud will continue to be an issue for the industry. Social Security number verification via eCBSV is a significant step in the right direction to protect businesses and consumers from fraud losses. However, to help truly mitigate synthetic identity fraud, eCBSV needs to be adopted as an integral part of identity proofing services, using not only consumer PII but also device identifiers and online behaviors to accurately verify and authenticate identities.