Professional Documents
Culture Documents
Frs Synthetic Identity Payments Fraud White Paper July 2020
Frs Synthetic Identity Payments Fraud White Paper July 2020
Frs Synthetic Identity Payments Fraud White Paper July 2020
JULY 2020
Mitigating Synthetic
Identity Fraud in the
U.S. Payment System
FOREWORD
In 2019, the Federal Reserve published two white papers as part of
our Payments Fraud Insights series. Our goal was to raise awareness
and encourage industry action against synthetic identity fraud,
reportedly the fastest-growing type of financial crime facing the
United States. The first paper focused on causes and contributing
factors of synthetic identity fraud and its impact on the U.S. payment
Table of Contents
system, while the second focused on detecting synthetics and
examples of sharing information across the industry.
1 Foreword
This white paper picks up where our last one left off. It highlights
2 Key Findings:
Federal Reserve 2019
different ways that organizations – both individually and collectively
White Papers – can work to mitigate synthetic identity fraud. Additionally,
we summarize a number of external factors that impact mitigation,
6 Introduction
such as the regulatory environment.
8 How Organizations
can Mitigate Synthetic Synthetic identity fraud is not a problem that any one organization
Identity Fraud or industry can tackle independently, given its far-reaching effects
11 The Importance of
on the U.S. financial system, private industries – such as healthcare,
Working Together automotive and insurance – government entities and consumers.
The Federal Reserve recognizes the need for collaboration as
13 Regulatory and
Environmental
we work with a wide array of payments industry stakeholders to
Influences on advance U.S. payments security, which is consistent with the
Mitigation approaches described in our paper, Strategies for Improving the
20 Conclusion
U.S. Payment System: Federal Reserve Next Steps in the Payments
Improvement Journey. Our Payments Fraud Insights white papers
were made possible by the contributions of many industry and
government subject matter experts and Federal Reserve colleagues.
We appreciate your shared insights and look forward to continued
dialogue and collaboration in reducing synthetic identity
payments fraud.
Jim Cunha
Payments Security Strategy Leader and Fintech Division Head
Senior Vice President, Federal Reserve Bank of Boston
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 1
KEY
FINDINGS:
FEDERAL
RESERVE
2019
WHITE
PAPERS
Our first white paper, Synthetic Identity Fraud in the U.S. Payment
System, described key characteristics of this type of fraud. Fraudsters
leverage the personally identifiable information (PII) of individuals –
frequently children, the elderly or homeless – who are less likely
to access their credit information and thus, discover the fraud.
Synthetic identities can behave like legitimate accounts and
may not be flagged as suspicious using conventional fraud
detection models. This affords perpetrators the time to cultivate
these identities, build positive credit histories, and increase their
borrowing or spending power before “busting out” – the process
of maxing out a line of credit with no intention to repay.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 2
DIFFERENTIATING TRADITIONAL IDENTITY
FRAUD FROM SYNTHETIC IDENTITY FRAUD
Other fake
Person A’s name Person A’s name identifying
Fake name
information
PERSON A PERSON A
SYNTHETIC ID
This is a fraudster who pretends This is a real person who uses This is a fraudster who combines fake
to be another real person in order valid information to set up and sometimes, real information to
to use his or her credit. accounts and obtain credit. establish a credit record under the
new synthetic identity.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 3
• Increase in PII available to fraudsters. According to the Identity
Theft Resource Center, the volume of PII exposed in data breaches
increased by 126% between 2017 and 2018 to more than
446 million records exposed. Dark web marketplaces sell these
breached records, including bank account login credentials,
driver’s licenses, credit card numbers and SSNs.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 4
In our second white paper, Detecting Synthetic Identity Fraud in the
U.S. Payment System, we stressed the importance of looking beyond
the basic required identifying information in order to verify whether
an identity is legitimate or synthetic. Some characteristics of synthetic
identities include:
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 5
INTRODUCTION
Over the past year, we have spoken with more than 50 industry
experts about synthetic identity payments fraud and its impact
on the financial services industry. These experts represent a
broad spectrum, spanning financial institutions, consulting firms,
government agencies, industry organizations and consortia,
service providers and technology companies. In our most recent
discussions, we asked for their insights on current trends,
detection and mitigation strategies, and where they expect
fraud tactics to move in the future.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 6
In this paper, we discuss:
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 7
HOW
ORGANIZATIONS
CAN MITIGATE
SYNTHETIC
IDENTITY FRAUD
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 8
LINK ANALYSIS CAN IDENTIFY OTHER
SYNTHETIC IDENTITIES AND ACCOUNTS
Vehicle
Loan
Mortgage
Loan
Bank
Account LOOKING FOR
ACCOUNT HOLDER COMMON
INFORMATION:
CHARACTERISTICS
JOHN DOE
123 MAIN STREET
ANYTOWN, USA
DOB: 2/1/1978
Business
Loan SS#: 123-45-6789
Multiple
authorized
users Identities with
same SSN
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 9
We recently spoke with a credit union about its machine learning
tool developed for fraud detection. In beta tests, the tool flagged
approximately 85% of credit applications originating from synthetic
identities. While this demonstrates that detection models can
successfully be adapted to synthetics, fraud industry experts
advise that these detection models could be improved if they
utilize a standard definition of synthetic identity fraud. This would
allow for broader comparison and analysis of the data and results.
APPLICANTS
KYC Checks
Link Analysis
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 10
THE
IMPORTANCE
OF WORKING
TOGETHER
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 11
It is vitally important for law enforcement and financial institutions
to share information about threats and trends, which in turn,
supports effective investigations. Information sharing must comply
with applicable laws and regulations. For example, Section 314(a) of
the USA PATRIOT Act allows law enforcement agencies to request
information from participating financial institutions for terrorism or
money laundering investigations, while Section 314(b) of the act
allows participating financial institutions to share customer
information with one another in support of their own due diligence,
compliance and reporting requirements. Section 314(b) also allows
for sharing information that relates to specified unlawful activities –
which could be inclusive of fraud. Industry experts note that some
financial institutions are uncertain which information would qualify
for 314(b) safe harbor. In turn, this affects the amount and type of
information shared by financial institutions.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 12
REGULATORY AND
ENVIRONMENTAL
INFLUENCES ON
MITIGATION
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 13
Experts have expressed optimism that electronic verification
will reduce the prevalence and impact of synthetics in the financial
system by blocking new synthetic accounts. However, they noted
this will not be a complete solution. The service will be available only
to financial institutions or service providers, subsidiaries, affiliates,
agents, subcontractors or assignees of financial institutions. This may
shift fraudster tactics, including attempts to create synthetics at other
types of organizations without access to the eCBSV service.
• Service hours. While the SSA has not yet set eCBSV service hours,
it expects to provide at least the same availability as for CBSV.
If so, the eCBSV system will be unavailable for periods overnight
on weekdays and longer periods of time overnight on weekends.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 14
• Approved eCBSV uses. Currently, the eCBSV service only allows
for customer information validation for new accounts. Experts have
suggested that if the eCBSV service were expanded to include
validation of information on existing accounts, financial institutions
could more easily identify synthetics in their existing portfolios.
However, according to the SSA, this is not possible, as the Privacy
Act prohibits federal agencies from disclosing information without
prior consumer consent.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 15
Impacts of Regulatory Changes
The Fair Credit Reporting Act, Section 605B, mandates that once
a consumer disputes information directly with a credit reporting
agency (CRA), the financial institution has four days to address the
dispute. This process is intended to decrease the amount of time
it takes consumers to resolve inaccuracies on their credit reports.
While this process benefits consumers, fraudsters have taken
advantage of the change by flooding CRAs with invalid disputes.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 16
In all the above cases, the changes made were well intentioned
and reflected various important public policy objectives, such as
consumer protection. However, fraudsters will take advantage of all
opportunities. It is important for all participants to try to understand
how the fraudsters will exploit new processes and develop strategies
to mitigate them.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 17
sources and helps organizations create a more complete picture
of their customers. Integrating dynamic data sources, such as
past transaction behavior, can further help organizations validate
an identity, while limiting the risk of a static dataset being
compromised.
• The right for a consumer to opt out of the sale of his or her personal
data to third parties, such as for targeted advertising.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 18
Data protection and consumer privacy is increasingly in the public
eye given the high number of data breaches over the past several
years and increased availability of consumer data for sale on the
dark web. Some experts have called for federal legislation for data
protection and consumer privacy or other actions aimed at more
consistency in these protections. One potential outcome of this
would be to help prevent fraudsters from leveraging perceived gaps
in legislation. The policy implications of such changes should be
examined carefully to understand potential far-reaching effects.
WA
NH ME
MT VT
ND
OR MN MA
ID WI NY RI
SD
WY MI CT
IA PA NJ
NV NE
IL IN OH DE
CA UT WV
CO MD
MO VA
KS DC
KY
NC
TN
AZ NM OK
AR SC
AL GA
MS
AK TX LA
FL
HI
Laws passed
Legislation proposed
No consumer data privacy law Source: International Association of Privacy Professionals; information as of April 2020
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 19
CONCLUSION
There is no single solution to completely mitigate synthetic
identity payments fraud. Factors such as the regulatory environment,
technological advancement and shifts in fraudster tactics create
a constantly evolving payments fraud landscape. Experts have
suggested that a holistic approach would be the most effective way
to mitigate synthetic identity fraud. This approach should include
a consistent definition of synthetic identity fraud, technological
innovation, robust data solutions for identity verification and an
ongoing fraud mitigation dialogue between private industry and
government agencies.
Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System | © 2020 Federal Reserve Banks. Materials are not to be used without consent. Page 20