Application fraud is a billion dollar problem for financial institutions (FI). It occurs when a fraudster applies for credit, like a credit card or personal loan, with no intention of paying it back. While some fraudsters might use their own information and then drop off the radar, first-party application fraud is a less common technique today.
In order to commit application fraud without implicating themselves, fraud operators assume a new identity that they know will clear the identification process necessary for credit approval. They either steal or purchase personal information to apply for credit using someone else's identity. Forbes estimates that 61% of the fraud losses incurred by large banks are a result of identity theft.
Today, fraudsters have become increasingly sophisticated, going beyond identity theft to create a brand new synthetic identity with which to apply for credit. Synthetic identities are fabricated by combining real personal information, like the SSN of one person and the address of another, to create a profile that appears legitimate. According to Datavisor, 20% of all credit losses in 2016, which equalled 6 billion dollars, was due to synthetic identity fraud. Since then, tens of millions of identity records have been exposed and fraudsters have refined their techniques, making it easier than ever to commit application fraud but harder to detect it.
Synthetic identities are multifaceted and difficult to recognize. Fraudsters using this technique don’t follow a playbook and use varying strategies to construct an identity and build its credibility. According to the Federal Reserve, existing fraud models overlook 85% - 95% of synthetic identity attacks. While identity theft is a game of velocity - the quicker the fraudsters are, the better their chances of cashing out undetected - with synthetic identities however, fraudsters play the long game. They often spend years building credit and are meticulous about how it is used. In many ways, synthetics exhibit behavior that is closer to a legitimate borrower than a traditional fraud operator. In fact, LexisNexis reports that 50% of synthetics have a credit score of over 650, allowing them to sail through credit checks and bypass traditional fraud defenses. This approach makes application fraud particularly costly for financial institutions, with average losses of $10,000 - $15,000 per fraudulent incident.
The use of synthetic identities is designed to exploit existing fraud prevention systems in several distinct ways:
With billions of identity records exposed through data breaches and available for purchase on the dark web, static PII is no longer reliable on its own as verification of identity. In addition, fraudsters use the existing credit reporting system to their advantage by leveraging automatic credit pulls and credit limit increases.
They then submit a second application with a different lender and the previous record check typically satisfies the history criteria. Similarly, these fraudsters will take their time, paying off their debts each month, until their credit limits increase and they can cash out with a bigger amount.
As awareness of these techniques grows, financial institutions are looking for additional techniques that can supplement credit information to help discern whether an identity is legitimate. Techniques like micro-deposits and knowledge-based authentication questions are effective in certain circumstances but can be circumvented and are not practical for online lenders who churn out thousands of decisions per day and need to offer a frictionless experience.
To catch subtle inconsistencies it is critical that financial institutions analyze as much online and offline behavior as possible. Behavioral cues can be used to determine whether an additional check is necessary without impacting the user experience. By leveraging precise location data, Incognia’s behavioral biometric solution can link real-time location behavior of mobile users to the personal information provided by the user. In the case of synthetic identities, it's likely that the address provided at onboarding would not match the offline behavioral history of the applicant. This would give the institution cause to investigate further.
By layering various data sources, financial institutions can detect and block synthetic identities without causing friction for legitimate customers. Learn more about the use of location-based behavioral biometrics for application fraud prevention here.