11/29/2023
The premier event for financial services, Money 20/20, wrapped in late October. Identity and fraud were front and center on the agenda as major challenges facing the industry. Synthetic identity fraud was a particularly hot topic. With their presentation — What’s Behind the Rise in Synthetic Identity Fraud — Jim VanDyke, TransUnion Senior Principal and Head of Innovation, and David Mattei, Strategic Advisor, Fraud and Anti-Money Laundering (AML) Practice, Datos Insights, shared insights to help attendees better understand synthetic identity risk and how to improve their abilities to combat it.
There’s no common definition for synthetics, even within the same organization. Synthetic identities are commonly understood as identity fabrication, compilation or manipulation. Complicating a clear understanding of synthetic identities is the fact that there’s no single way bad actors perpetrate this fraud. Once an account is created with a synthetic identity, fraudsters may choose to just take the money immediately, or they may maintain the account in good standing while building up credit history.
When synthetic accounts finally default, there’s no common way financial institutions categorize this loss. For instance:
With no agreed-upon definition and understanding of synthetic identity, the FedPayment Improvement initiative — part of the Federal Reserve Bank — undertook the task of coming up with a common definition the industry can use. Its definition is “the use of a combination of personal identity information (PII) data to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.”
Without consistent categorization of the problem synthetic identities pose, financial services organizations don't necessarily track it properly, often simply bucketing it under credit risk losses. This lack of visibility limits most organizations’ abilities to understand the scope and scale of the problem they face, impacting loss prevention strategies.
Synthetic identity fraud can be difficult to spot. A September 2020 US federal indictment of participants in a coordinated synthetic identity fraud attack illustrates the extent to which crime rings behind these attacks play the long game.
The ring included 13 individuals and three fraudulent businesses. Over the course of 18 months, they obtained more than $1 million in fraudulent loans from 19 US banks and credit unions:
A perfect storm around synthetics developed in the past decade:
The number of data breaches in the US increased 83% over the past two years, according to TransUnion’s 2023 State of Omnichannel Fraud Report, expediting the access and sale of personally identifiable information to create synthetic identities. Increasingly, cybercriminals have begun targeting third parties to acquire identity information; these are organizations that process data on behalf of the organization holding the consumer relationship.
Datos Insights estimates synthetic identity fraud for unsecured US credit products totaled US$1.8 billion in 2020 and will grow to US$2.94 billion in 2025. “Recently, a fraud executive took a new position at a financial institution. One of their first tasks was analyzing existing accounts to see how many of them were potentially opened using synthetic identities. They found upwards of 15% of the accounts were tied to a synthetic identity,” stated David Mattei, Strategic Advisor, Fraud and AML Practice, Datos Insights. If the number of credit charge-offs attributable to synthetics is indeed in the 10% to 12% range, then the losses could be as high as US$6 billion.
TransUnion’s internal analysis recently showed US lender exposure to synthetic identities was nearly $3 billion; auto loans reached $1.8 billion, representing more than 60% of total exposure to synthetic identities.
Not only are the losses painful, so is the fact that much of synthetic identity fraud is written off as a credit risk — meaning valuable collector time is spent trying to collect from someone who doesn’t exist. Many of the FinTechs interviewed by Datos Insights believed synthetics represent an AML issue, as well as a fraud issue: If you have a bunch of synthetics on your books, how well do you know your customer?
Mitigating synthetic identity fraud requires a company-wide effort by financial institutions. The federal government is trying to support industry solutions but with mixed results. The electronic Consent Based Social Security Number Verification (eCBSV) Service, for example, isn’t a silver bullet to protect organizations from synthetic identities. The system is limited by its requirement to match names exactly as they exist in SSA’s files. Submissions with small variances will not pass eCBSV checks, requiring financial institutions to verify identities some other way.
Many organizations simply charge off the loss of synthetic accounts as bad debt. However, synthetic accounts represent a significant compliance challenge for organizations, including Know Your Client (KYC) and AML. To mitigate synthetics, organizations need to take a layered approach: combining identity verification, device-based risk assessment and portfolio reviews using a synthetic fraud model. By taking this layered approach, organizations can improve their abilities to detect suspected synthetic identities at the front door and take steps to prevent future losses.