Estimates over the scale of the fraud vary, but nearly all show the problem growing. One widely reported analysis by Auriemma Group, an information and advisory firm for the payments and lending industries, suggested that synthetic identity fraud cost U.S. lenders $6 billion. Meanwhile, the consultancy McKinsey estimates the financial theft accounts for 10–15% of charge offs in a typical unsecured lending portfolio.
“When we look at the market, roughly 20% of credit losses stem from synthetic identity fraud,” said Johnny Ayers, CEO of Socure, a firm specializing in digital identity verification technology.
“Synthetic identity fraud opens up the door to bad actors in areas such as money laundering and human trafficking,” Ayers said. “One of the biggest challenges for banks is that there is traditionally not a victim.”
The growing theft has recently turned up in the U.S. government’s Paycheck Protection Program (PPP). According to a report from the SentiLink, a fraud-prevention tech firm, individuals have been creating synthetic identities to obtain loans from the program designed to help those struggling under the weight of the pandemic.
U.S. bank regulators, in particular the Federal Reserve, are increasingly focused on synthetic theft and have been working with banks and technology firms to help identify solutions and common definitions.
“Synthetic identity fraud is not a problem that any one organization or industry can tackle independently, given its far-reaching effects on the U.S. financial system,” said Jim Cunha, senior vice president at the Federal Reserve Bank of Boston, in a recent study.
A synthetic identity is created by using a combination of real information, such as a legitimate Social Security number, and fictitious information, which can include a false name, address, or date of birth.
Synthetic identities can be used to establish accounts that behave like legitimate accounts and may not be flagged as suspicious using conventional fraud detection models. “This affords perpetrators the time to cultivate these identities, build positive credit histories, and increase their borrowing or spending power before ‘busting out’ – the process of maxing out a line of credit with no intention to repay,” according to the Boston Fed’s analysis.
There are two significant problems with synthetic fraud for the banking industry: one is detection, the other classification.
The fraudster can leverage legitimate processes, such as “piggybacking” – adding a synthetic identity as an authorized user on an account belonging to another individual with good credit. In many cases, the synthetic identity acquires the primary user’s established credit history, rapidly building a positive credit score. Fraudsters also can piggyback new identities onto accounts owned by established synthetic identities, or “sleepers,” within a portfolio.
According to experts, all of these methods are difficult for banks to detect given existing fraud prevention systems.
An ID Analytics study found that only half of synthetic fraudsters apply for credit using digital channels, indicating a significant number can pass Know Your Customer (KYC) tests even when appearing in person.
“Traditional fraud models are not designed to detect synthetic identities,” said the Boston Fed, citing research that showed such models were ineffective at catching 85% to 95% of likely synthetic identities.
Apart from the detection challenge, one of the biggest hurdles is how banks classify this type of fraud on their books, which varies and makes getting one’s hands around the problem more difficult.
“Part of the challenge is agreeing on a consistent definition of what synthetic identity fraud is,” said Ayers of Socure. Some banks categorize such fraud as credit losses, while others mark it as third-party fraud, he said.
“When there is not a consistent definition, you can’t figure out what the magnitude of the problem is,” Ayers added. “When there is not a consistent definition, then each of the individual banks are writing their own rules.”
To tackle these problems, regulators say there needs to be greater collaboration between themselves, banks, and technology solution providers. Since the dimensions of the fraud are complex, with the criminals a step ahead of banks and their defenses, information sharing is critical.