Gena Boutin of data industry specialist Refinitiv, believes there is only one way to defeat synthetic identity fraud
It’s been described as the Frankenstein’s monster of ID theft because criminals don’t need all of your identity, just a piece of you, from which to construct a threat that is casting a sinister shadow over financial services.
Synthetic identity fraud (SIF), to give it its real name, is the act of piecing together real and fake credentials to create seemingly legitimate accounts that are then used to carry out costly credit scams. The worst of it is that the constant industry battle to make onboarding new customers as frictionless as possible, could be handing criminals the keys to the vault.
According to a recent report by industry analysts McKinsey, SIF is the fastest-growing branch of financial crime in the United States, with the Federal Reserve putting losses through SIF attacks to the credit card industry at $6billion in one year alone. The largest synthetic ID ring detected to date racked up losses for banks of $200million from 7,000 synthetic IDs and 25,000 fraudulently-obtained credit cards. Many of those were verified using routine credit score checks of what were, in fact, composite individuals, created by bolting together real and fake (or sometimes entirely fake) information, including for example email and social media account details.
McKinsey points out that, although an initial credit application will be rejected by a credit bureau because it cannot match the name in its records, the simple act of applying for credit automatically creates a file in the name of the synthetic ID. The fraudster can now set up accounts in this name and begin to build a credit history, in effect bringing their creations to digital life. The fact that the credit file looks identical to those of many real people with limited or no credit history makes the scam nearly impossible to detect… until, that is, their credit line is maxed out and the repayments cease, or, in the jargon, the synthetic IDs ‘bust out’.
Fraud rings sometimes establish thousands of these synthetic IDs, all waiting to default, creating what McKinsey describes as ‘hidden time bombs’.
Businesses that rely on static personal identifiable information (PII) as a fraud gatekeeper are particularly vulnerable because, at the heart of the problem, are the inconsistencies that sit within the huge volume of structured and unstructured data that has been built up to establish our digital selves and is increasingly used during the onboarding process by financial institutions. The cracks between these online identities are the Achilles’ heel that allows cyber criminals to infiltrate the system.
So, what’s the answer? According to Gena Boutin, executive talent acquisition services manager for data industry specialist Refinitiv, the financial services industry is now at a crucial crossroads. It has two paths to choose from: to lobby for a federated approach to identity by financial services institutions and governments, or allow individual consumers to be responsible for protecting the integrity of their data, otherwise known as self-sovereign identity, which utilises technologies such as blockchain. Refinitiv is firmly in the former camp.
“The scary thing is that synthetic identity is passing know your customer (KYC) checks, including sophisticated machine learning networks, 85 to 95 per cent of the time,” says Boutin. “That’s because the inconsistencies in data that we leave throughout the course of our lives are being exploited to get past the banks’ thresholds.
“It’s why the provenance of data, trusted data, is important. It has to come from independent, reliable sources, not social media, and has to be comprehensive and complete. It has to capture each individual data attribute about you, across all spheres – the sum total of everything about you, from the day you were born to today. We’re currently not getting all of that because we’re just looking at bits and pieces. That’s where criminals exploit the gaps, specifically those inconsistencies.”
Refinitiv recently teamed up with crossborder verification specialists Trulioo to launch Qual-ID, a digital identity verification and screening programme to plug the gaps.
Developed as a direct response to the increasing intensity of cybercrime facing both companies’ customers, it encompasses a three-stage ID verification process utilising Refinitiv’s respected World-Check risk intelligence platform, and is available through a single application programming interface (API).
“We felt that we had the ability to deliver a solution to our customers, with Trulioo, to turn the tide on financial crime,” says Boutin.
While all financial institutions have to adhere to KYC regulations, the relative ease with which sophisticated criminality is passing these checks points to deep-seated flaws within databases.
“We think that, between trusted data and recalibrating what we believe is the appropriate way to verify an identity, we can shift financial institutions onto a positive footing, where they can not just compliantly and confidently know their customer, but also enhance customer experience in the process,” she adds.
Boutin argues that the sheer scale of the data being held on systems at present means it’s virtually impossible to sort the good from the bad. Which is why Refinitiv is urging the world’s financial institutions to pursue the idea of a federated identity in which everyone cooperates in bringing together physical, digital and biological elements of each individual, so the slightest inconsistency can be spotted. Refinitiv’s head of digital ID and financial crime has previously said that the variety of ways in which governments are approaching citizens’ identity locally make it difficult for financial services firms operating in multiple markets, adding ‘we believe the best solution is an open, federated digital identity programme with consistent standards and a level of portability for consumers in their use of it’.
“We need to establish an infrastructure, an entire ecosystem around identity – no single entity or individual can do it themselves,” says Boutin. “We need to minimise the amount of data that’s out there, because it’s effectively blurring the boundary between good and evil. We don’t know where the data’s coming from – is it good data or bad data, has it been compromised? – making it that much harder to distinguish a legitimate consumer from a fraudster.
“As an industry, we’re at an inflection point right now. We need to decide whether we have a federated identity model, meaning we establish a few trusted providers or issuers of identity that other institutions then rely on. That would minimise the amount of data that’s out there and create efficiency, because we would no longer be recreating a verification over and over. The alternative concept is self-sovereign identity, where people would say ‘you know what? It’s my data, I should control it as an individual’. And there are some benefits to that. However, in the financial services sector, my personal opinion is that the value of self-sovereign ID is diminished.”
Boutin believes identity, and the data it is comprised of, is the fundamental mechanism through which financial institutions establish the trust essential to their survival and prosperity. By using trusted data and recalibrating the way it’s verified, they can address what she describes as the ‘precarious position they’re in’.
A survey on behalf of Refinitiv, among more than 3,000 managers with compliance-related responsibilities, last year, found that financial crime affects most organisations in one form or another. Conducted across 24 countries, it revealed that nearly three quarters (72 per cent) of those organisations were aware of financial crime in their global operations in the preceding 12 months, yet recovery of stolen funds is marginal.
Emile Van Der Does De Willebois, the World Bank’s lead financial sector specialist and global lead for financial market integrity, has spoken of the gaping discrepancy between the number of suspicious activity reports (SARs) submitted by financial institutions (FIs) and money recouped. He calls the gap ‘formidable’, citing a special report from the Future of Financial Sharing programme that of more than two million SARs submitted in the US in one year, fewer than one per cent of criminal funds were frozen or confiscated.
Clearly, identity fraud is not just a financial services industry problem. More than 446 million consumer records of all kinds were exposed in data breaches in 2018 alone in the US, an increase of 126 per cent on the previous year. But it’s FIs that are most severely impacted. Frankenstein’s monster chose to end its reign of terror by its own hand; those who seek to defraud others using synthetic identities can’t be expected to make such an honourable exit.
The industry has to act, says Boutin: “It’s really become a matter of urgency.”