2017 was a monumental year for data breaches. Some 1,500 data breaches exposed the records of nearly 179 million Americans, affecting approximately 55 percent of the total US population.¹ The increase in consumer data available to fraudsters is driving bank fraud losses higher every year, propelling the shift from counterfeit cards to identity theft and synthetic identity fraud. To combat these trends, financial institutions must look to more advanced tools and technologies to keep up with—and get ahead of—increasingly sophisticated fraud attacks.
Until recently, fraudsters’ primary focus was on obtaining the card data needed to produce counterfeit cards. Since the US rollout of EMV chip technology, however, counterfeit fraud is falling fast. In fact, credit card issuers reported a 60 percent decline in counterfeit card losses between 2014 and 2016, according to the Nilson Report’s most recent data.² Now that the proverbial low-hanging fruit of counterfeit card fraud is effectively guarded, fraudsters are moving on to new areas. They have found a ripe opportunity in identity theft and new account fraud. They’re no longer looking just for card data to steal; they’re looking for personal information they can use to create new fake accounts.
“Synthetic identity theft” has emerged as a major driver of payments fraud in the US. These are cases where criminals weave together real and fictitious information to create new, digital-only identities, and then use them to open new accounts of all types. This form of new account “theft” is attractive to fraudsters because it allows them to obtain control of the account, cultivate high credit limits and bypass account alerts—all to facilitate high-dollar transactions with low risk of detection. A recent Accenture survey indicated that losses on fraudulent credit card applications can be up to 4.0 bps of card sales volume³—and that that loss rate is increasing. On top of the identified fraud losses, synthetic identity fraud may also be hiding in a financial institution’s credit loss line item, with up to 20 percent of credit losses attributable to synthetic identity fraud, according to 2017 Auriemma research.⁴
The government is taking some steps to help, enacting the Economic Growth, Regulatory Relief and Consumer Protection Act in spring 2018. The Act will allow financial institutions to validate social security numbers in near real-time with an electronic signature, rather than the current paper-based process, which can take weeks. The law also brings with it complex technical requirements, however, and has no official implementation start date or deadlines, leaving financial institutions to fend for themselves for the foreseeable future.
Addressing synthetic identity theft will require financial institutions to develop more rigorous tools and processes for compiling and validating customer data at the time of account opening. Financial institutions should validate each data point provided by a new applicant, using both internal and external sources. These data points should include not just the traditional name, address and phone number, but also less-obvious information, such as the use of the same address, phone, email or even IP address by others. Chances are, a criminal will attempt fraud at the same bank multiple times, so capturing data through all contact channels can be highly valuable for use in identifying fraudulent applications later.
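The cross-applicant reuse check described above can be sketched as follows. This is an added example, not code from the article; the field names, normalization rules and sample applications are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LINK_FIELDS = ("address", "phone", "email", "ip")

def normalize(field, value):
    """Canonicalize a value so trivial variations still match."""
    v = value.strip().lower()
    if field == "email":
        local, _, domain = v.partition("@")
        return local.split("+", 1)[0] + "@" + domain    # drop +tag aliases
    if field == "phone":
        return re.sub(r"\D", "", v)[-10:]               # last 10 digits (US numbers assumed)
    if field == "address":
        return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", v))
    return v                                            # ip and name: case-folded only

class ApplicationLinker:
    """Remembers every application seen, across channels, and reports attribute reuse."""
    def __init__(self):
        # (field, normalized value) -> {applicant name: first application id}
        self.seen = defaultdict(dict)

    def check(self, app):
        """Return sorted (field, prior_app_id) pairs where a different name
        already used the same value, then record this application."""
        name = normalize("name", app["name"])
        hits = []
        for field in LINK_FIELDS:
            if not app.get(field):                      # field not captured on this channel
                continue
            key = (field, normalize(field, app[field]))
            hits += [(field, aid) for other, aid in self.seen[key].items() if other != name]
            self.seen[key].setdefault(name, app["id"])
        return sorted(hits)

# Constructed sample applications (not real data), in arrival order.
SAMPLE = [
    {"id": "A1", "name": "Dana Ruiz", "address": "12 Elm St., Apt 4",
     "phone": "(555) 010-1234", "email": "druiz@example.com", "ip": "203.0.113.7"},
    {"id": "A2", "name": "Lee Park", "address": "88 Oak Ave",
     "phone": "555-010-9999", "email": "lee.park@example.com", "ip": "198.51.100.20"},
    {"id": "A3", "name": "Dana Ruiz", "address": "12 Elm St Apt 4",
     "phone": "555-010-1234", "email": "", "ip": ""},   # same person, branch channel
    {"id": "A4", "name": "Mark Olsen", "address": "12 elm st apt 4",
     "phone": "+1 555 010 1234", "email": "druiz+new@example.com", "ip": "203.0.113.7"},
]

def screen(apps):
    """Screen applications in order; map each id to its reuse hits."""
    linker = ApplicationLinker()
    return {a["id"]: linker.check(a) for a in apps}
```

Hits are review signals rather than verdicts: household members legitimately share an address or phone, so in practice the output would feed a scoring or manual-review step.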
Artificial intelligence engines and machine learning will likely play important roles in synthesizing the enormous pool of data, and the first step for financial institutions will be working to collect the data in a usable form. The task is daunting, but so is the future loss potential. Fraudsters continue to evolve their technologies and techniques, and if financial institutions want to keep up, then they must do the same.
¹ Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review
² Nilson Report, October 2017, Issue 1118
³ Accenture Card Fraud Study, July 2017
⁴ Auriemma Consulting Group, Synthetic Identity Fraud Cost Lenders $6 Billion in 2016
I invite you to join me at Money20/20, where I will be moderating a panel called Fraud Whack-a-Mole: Securing Payments in a Post-EMV World, Monday, October 22, 2018 from 1:00 pm – 1:40 pm.