In the US, synthetic identity fraud (SIF) criminals are combining information taken from social media and compromised identities available on the dark web to create entirely new, fraudulent IDs which are then used to infiltrate consumer lending institutions and steal billions of dollars. In 2020 alone, SIF cost US financial institutions $20billion. To date, banks have failed to effectively fight back due to uncertainties about what information they can share without violating privacy regulations or security rules. This has become such a big problem due to fraudster collaboration, however, if cyber security companies begin to work together, there will be a higher chance of eradicating SIF.
Greg Woolf is the founder and CEO of FiVerity. A serial entrepreneur, Woolf has more than 20 years of experience founding and running fintech companies. He moderates AI industry groups with more than ten thousand members and a think tank that has advised Congress on using AI to modernise financial crime detection. Woolf was awarded “IT-CEO of the Year” by AI Global and “FinTech Innovation Winner” by the Financial ManagementAssociation. With this wealth of experience Woolf explains the importance of collaboration to make sure innocent consumer information is not compromised as the fight against fraudsters continues:
Although banks have long expressed interest in collaborating with each other and law enforcement to combat fraud, a variety of legal, competitive and logistical concerns have held these efforts back. Despite legislation such as the Patriot Act encouraging information sharing, financial institutions have several concerns about collaboration, including:
- Violation of consumer data privacy and security requirements.
- Loss of a competitive advantage or violation of antitrust requirements.
- Uncertainty around the types of shared information that qualifies for safe harbor.
- The lack of a trustworthy and scalable framework for distributing information.
Current Approaches to Information Sharing
These challenges haven’t completely eliminated information sharing among financial institutions (FIs), however, they’ve certainly limited the scope of it. The most common form of fraud alerts may be posts to makeshift online forums, or emails to peer groups of fraud analysts and investigators.
These approaches lack scalability and have the potential to expose personal identifiable information (PII) of perfectly innocent customers. It’s hard to blame the fraud analysts for trying however – they’re torn between competing requirements to protect consumer privacy and share information on suspected bad actors.
Cyber Fraud Raises the Stakes
The rise of cyber fraud – the convergence of fraudulent theft with cybercrime tactics – significantly increases the financial services industry’s need for widespread information sharing. Unlike traditional forms of identity theft, this convergence is especially costly for a few reasons:
- Volume – The sheer amount of cyber fraud attacks requires a shared defense. Unlike traditional identity theft, crimes like synthetic identity fraud (SIF) leverage automation to create tens of thousands of fake consumer profiles to apply for a range of loans, economic stimulus programs and health care reimbursements.
- Evasion – Various forms of cyber fraud are nearly impossible to detect using the traditional identity verification systems in use today. AI-powered fraud detection systems can combat these attempts, but sharing alerts on suspected fraudsters provides a simple and effective layer of defense.
- Infection – FiVerity’s research into SIF activity across consumer lending institutions shows that synthetic profiles have an average of 4.9 accounts at different banks. FIs would have an exponential benefit from widespread alerting of fraudulent profiles across the community, dealing a serious blow to cyber fraud’s effectiveness.
- Impact – Synthetic identities represent a relatively small number of consumer accounts, but are responsible for a massive amount of theft and cyber crime. Our estimates show that SIF accounts for up to 25% of consumer loan write-offs, which translates to $20billion per year. Even for large companies, this is too much to chalk up to “the cost of doing business online.”
New Technology Offers New Solutions
Technology offers the potential to facilitate widespread intelligence sharing while meeting a long list of requirements:
- Protect consumer privacy.
- Meet the needs of multiple business verticals, regulators and law enforcement.
- Integrate with existing identity verification and fraud detection systems.
- Eliminate duplicative efforts among anti-fraud, underwriting and cyber security departments.
- Support financial crime reporting requirements.
Among the tech solutions available, data encryption is key to the future of secure information sharing. It offers the potential to protect consumer privacy and each financial institution’s competitive advantage.
Splitting an encryption key across a broad network ensures that no single institution holds the complete key to decrypt consumer data. In this case, each company within the network can only access a fraudulent profile if they’re already in possession of the corresponding PII. This allows companies to receive alerts on fraudsters that have accounts within their portfolio, but prevents them from seeing additional information on their competitors’ customers.
Information sharing practices have plenty of room for improvement within organisations as well. Anti-fraud and cybersecurity departments historically focused on different threats from disparate actors, so collaboration wasn’t a priority. By merging identity theft with elements of cyber attacks however, criminal organisations are essentially taking advantage of the gap between these siloed departments.
Developing an effective partnership between these departments goes well beyond sharing information, however. It requires both teams to get educated on the complex criminal organisations, rogue countries and individual hackers working against them, understand a range of threats and combine defensive playbooks, jointly evaluate new technologies, and coordinate reporting with regulators and law enforcement.
A recent and positive development within financial institutions has been the creation of “cyber fusion” centres, which bring anti-fraud and cyber security analysts together for a holistic view of shared threats.
Fight Fire with Fire
Unlike traditional perpetrators of identity theft, cyber fraudsters share information and techniques with one another to increase their effectiveness. Fighting back requires financial institutions to adopt a similar approach for effective defence against cyber fraud. The biggest lesson to take from bad actors may be the outsized effectiveness of working together.