The Federal Reserve and the Financial Crimes Enforcement Network, or FinCEN, both recently issued reports addressing worrisome trends in technology-assisted financial fraud. The reports seek to engage the financial services industry in partnering more closely to reduce associated losses.
Specifically, the Federal Reserve issued a report entitled Synthetic Identity Fraud in the U.S. Payment System. FinCEN issued a report entitled Manufacturing and Construction Top Targets for Business Email Compromise. Collectively, the reports reflect how technology-driven fraud and identity theft schemes can target financial institutions, businesses and consumers alike, thereby impacting the Anti-Money Laundering and related anti-fraud programs of the financial institutions implicated by such schemes.
The Fed Report: Synthetic Identity Fraud
The July 2019 report issued by the Federal Reserve compiles insights from subject matter experts, both within the Fed and in industry, stemming from an initiative on synthetic identity fraud that the Fed launched last year.
The generally accepted definition of “synthetic identity fraud” is the combination by a fraudster of various fictitious pieces of information—sometimes with some real-world information mixed in—to create a new identity. This is distinct from “traditional” identity fraud (in which the fraudster simply steals the identity of another real person), which is relatively easier to catch because it directly affects another person. Synthetic identity fraud has been estimated by McKinsey to be the fastest-growing type of financial crime in the United States, and is more prevalent in the U.S. than in many other countries because of the American financial system’s heavy reliance on static “PII” (personally identifiable information – e.g. Social Security number, driver’s license number, etc.).
The trend toward synthetic identity fraud actually has been exacerbated, in the Fed report’s assessment, by a 2011 decision by the Social Security Administration to randomize the assignment of Social Security numbers. The SSA’s stated rationale for this decision was to “protect the integrity of SSNs and to extend the pool . . . available nationwide”, by dispensing with the previous system of assigning the first three digits based on geography. A significant side effect, however, is that financial institutions can no longer rely on the number to identify an applicant’s state of origin. This is not merely a hypothetical problem: current estimates posit that about 40% of synthetic identities utilize a post-2011 randomized SSN. Such numbers have an added bonus for fraudsters: they are unlikely to trigger an alert for their victims, who are for the most part children not engaged with the credit system. This troubling pattern may foreshadow a crisis a decade from now, when a generation of children born with post-2011 SSNs apply for student or auto loans and discover a doppelganger-lifetime of negative credit history.
The increasing frequency of large-scale data breaches has compounded the problem by providing fraudsters with a large volume of raw material PII from which to construct synthetic identities. The weakest link in the system with regard to synthetic identity fraud is the credit application process, which allows a fraudster to legitimize and monetize his synthetic identity. An initial application for credit by a synthetic identity triggers the automatic generation of a new credit profile at a credit bureau, whether the financial institution accepts or rejects the application. That profile then becomes circumstantial evidence of the identity’s legitimacy in subsequent credit application processes. Perhaps worse, it shifts the burden of proof to subsequent applicants using the same SSN to prove that they are not fraudsters – even if they are the victim of identity theft.
Although discovery of the use of one’s SSN by one or more synthetic identities may come with emotional costs for the individual, the major financial costs of this fraud are borne by financial institutions. The Fed’s report cites the Auriemma Group for an estimate that, in 2016, U.S. lenders alone incurred six billion dollars in synthetic identity fraud costs–20% of all credit losses that year. Synthetic identities are often crafted specifically to pass a financial institution’s baseline KYC requirements. The industry has not yet arrived at a consensus regarding best practices in discerning synthetic identities. Although not explicitly stated, a clear goal of the Fed’s report is to underline the urgency of arriving at such a consensus.
The FinCEN Advisory on Business Email Compromise
Also in July, FinCEN released an advisory on business email compromise (“BEC”) fraud. This advisory functioned as an update to FinCEN’s September 2016 “Advisory to Financial Institutions on E-mail Compromise Fraud Schemes” (the “2016 BEC Advisory”). This advisory relied in part on analysis of Bank Secrecy Act data (e.g. information contained in Suspicious Activity Reports, or SARs) and is thus an invaluable view from the front lines in the battle between financial institutions and fraudsters.
The advisory notes that, since the 2016 BEC Advisory, FinCEN has received “over 32,000 reports involving almost $9 billion in attempted theft from BEC fraud schemes”. BEC involves targeting accounts of either financial institutions, or of commercial/nonprofit/governmental entity customers of those institutions, and sending emails to induce transfer of either funds, or of data which can be used to access funds. An email account may be compromised either through a direct intrusion (a “hack”) or an impersonation (“spoof”) of an account. The compromised account is then used to instruct other individuals within the company or at a financial institution to initiate a transfer of funds or data. FinCEN notes that such fraud schemes are popping up with increasing frequency not only in the commercial sector, but within governmental and educational institutions. The education sector, for example, has shown the largest concentration of high-dollar-value BEC attempts—a function of the nature of the sector, which is comprised of institutions engaging in regular transactions of large amounts of money in the form of tuition payments, grants, etc. Financial institutions themselves also often serve as a direct target of such fraud; such attempts often take the form of fraudulent interbank transfer requests purportedly from employees in the department dealing with such transfers.
The risk to U.S. financial institutions goes beyond direct losses; banks are not only a prime target for BEC fraud, but also the primary route for the flow of its ill-gotten gains. The majority of BEC incidents involve initial domestic transfers of funds, often utilizing networks of witting or unwitting “money mules”. Such transfers can put those banks at risk for KYC compliance failures.
Along with guidelines about how financial institutions should file detailed SARs regarding possible BEC fraud, FinCEN’s advisory closes with several recommendations. Foremost among them is that institutions and their customers engage in a thorough assessment of the vulnerabilities of their business processes, and analyze the possibility of taking steps to “harden” those processes against BEC schemes. Hardening could include enhanced practices for authenticating communications, authorizing and internally “publicizing” transactions, and training employees at all levels to recognize and avoid social engineering intrusion attempts.