Synthetic identity attacks usually create financial losses, but the average loss and total impact vary significantly by industry. On the higher end of the financial loss spectrum, the auto finance and credit card industries share the greatest average loss at roughly $17,000 and $14,000 per incident, respectively.
By comparison, financial services’ demand deposit accounts (DDAs), savings and investment accounts average much lower losses of around $400 per occurrence, with digital banks having a higher synthetic fraud incidence rate than traditional brick-and-mortar financial institutions.
Because the dollar loss of synthetic fraud is perceived as minimal in deposit accounts, financial institutions have yet to broadly adopt sophisticated synthetic fraud prevention at account origination. And there has only been a modest effort to proactively eliminate synthetic identities hiding in existing portfolios. The reason financial services companies can’t better identify synthetic fraud operating inside their portfolios is that synthetic identities are fake and don’t connect back to a true consumer identity, so there is no victim to step forward and report identity theft, as there is with third-party fraud. Coupled with minimal financial loss that generally comes from an overdrawn account charged off as a credit loss, synthetic fraud often goes undetected—which leads banking and fintech organizations offering deposit accounts to believe they don’t have a synthetic fraud problem.
Simply put, a good majority of US banks and fintechs offering deposit accounts are falling victim to fake identities because they are not looking hard enough.
Synthetic Identities: 1-3% of Open, Active DDA Accounts in the US
The synthetic fraud vector emerged 20+ years ago in the unsecured credit card sector, but synthetic identities are showing up today in greater numbers, attempting to open DDA, investment, and savings accounts—at attack rates ranging from 5-25% depending on the organization. These accounts are attractive for depositing the proceeds from impersonator and P2P scams and for laundering funds. The Financial Crimes Enforcement Network (FinCEN) expresses significant concern that these accounts are also used to fund even more nefarious activities, including drug and human trafficking, and terrorism. Socure proprietary synthetic analysis of deposit institutes shows that approximately 1-3 of every 100 active accounts are synthetic identities. For banks and fintechs who don’t have adequate synthetic protections up front, the rate of synthetic identities hiding in deposit portfolios can easily exceed 3%.
The Economics of Synthetic Identity Fraud
Why don’t banks and fintechs offering deposit accounts stop synthetic fraud at the point of origination? The answer is simple. The math behind the economics of stopping synthetic fraud before the account can be opened doesn’t make economic sense to the account originator.
However, that might change soon.
Currently, the Consumer Financial Protection Bureau (CFPB) is considering a proposal to shift liability from consumers to banks for scams involving peer-to-peer (P2P) payments. While not every P2P scam is funded through a deposit account held by a synthetic identity, because of the recent increase of synthetic attacks against these types of accounts, we can safely assume that a good percentage of these fraudulent scams are funded through these types of accounts.
To date, the math has simply not worked for banks and fintechs to keep synthetics out of their portfolios because the false positive rate and the fraud capture rates don’t add up in a way that makes the investment seem worth the value.
A false positive rate is the ratio of the number of “good” accounts that a model has incorrectly flagged as fraudulent over the number of “bad” accounts that are legitimately bad or, in this case, synthetic identity fraud. As an example, if a model captures fraud at a false positive rate of 8:1, it means the model is scoring nine accounts as risky, but only one of those high-scoring records is bad, and eight good accounts are incorrectly scored (eight “goods” for every one “bad”). Any application submitted under the Gramm-Leach-Bliley Act (GLBA) cannot be declined for credit without some form of additional verification. This additional verification creates friction and origination costs that might negatively impact “good” applicants (those that score “risky” but are not).
To better understand the economics of false positive rates, let’s assume the customer lifetime value (CLV), or the total worth realized during the lifetime of a legitimate customer, is $500. And let’s assume the financial loss taken from a fraudster is $2,500. Therefore, a rough break-even return on investment (ROI) would put the required false positive rate at 5:1. Here’s the breakdown:
- 5 good applicants multiplied by their individual value to the financial services company of $500 = a potential loss of $2,500 if you don’t approve and convert the good applicant to a new customer
- One bad applicant multiplied by the expected financial loss of $2,500 = a potential loss of $2,500 if that applicant gets beyond your new account fraud defenses and becomes a customer.
So, in the example above, you would lose $2,500 of revenue if you were not able to bring on these good applicants to avoid a $2,500 loss from a potential bad actor. Not compelling math if you are trying to decide to buy an outside solution.
When adding in additional processing, manual review, and other solution costs, the break-even false positive rate is closer to between 5:1 and 4:1. So, even worse, this situation would create a loss for the financial institution.
Another number that is important in the ROI equation is the fraud capture rate. The fraud capture rate is the amount of fraud that you could stop using a given strategy. The fraud capture rate has an inverse relationship to the false positive rate: as the false positive rate decreases—5:1 down to 1:1, for instance—the number of applicants that fall in the lower FPR also decreases. As the number of applicants that fall into a given false positive range declines, so does the opportunity to capture fraud, so it lowers the fraud capture rate.
Even at a 1:1 false positive rate, most banks and fintechs that offer deposit accounts perceive the fraud capture rate as too low and the friction to good consumers too high to economically justify implementing a synthetic fraud solution.
Correcting the Math to Stop Synthetic Identity Fraud
What can correct the math to make it economically feasible for financial services companies to stop synthetic fraud before it can get through the front door?
The financial loss of a synthetic identity in deposit accounts has to be counted in the calculation by the banks and fintechs who offer these types of accounts. This would increase the financial loss by roughly $1,000, from $400 to somewhere around $1,400. That’s the simple answer to fixing the math that supports the growth of synthetic fraud in deposit accounts.
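The break-even breakdown above and the $400 to $1,400 adjustment can be run as one calculation. The following is an added example, not Socure's model or code: the score bands are constructed, `cost_per_flag` is a hypothetical per-account review cost, and every flagged good applicant is assumed lost, as in the article's breakdown.

```python
# Added example: constructed score bands, not real portfolio data.
# Each band: (minimum model score, good applicants, synthetic applicants).
BANDS = [(0.95, 3, 3), (0.90, 9, 3), (0.80, 28, 4), (0.70, 80, 5)]
TOTAL_SYNTHETIC = 20  # constructed: 5 synthetics score below 0.70, never flagged


def break_even_fpr(fraud_loss, clv, cost_per_flag=0.0):
    """Goods-per-bad ratio r at which flagging breaks even.

    Assumes every flagged good applicant is lost (forfeiting clv) and each
    flagged account costs cost_per_flag (hypothetical) to review:
        fraud_loss = r*clv + (r + 1)*cost_per_flag
    """
    return (fraud_loss - cost_per_flag) / (clv + cost_per_flag)


def sweep(fraud_loss, clv, cost_per_flag=0.0):
    """Flag everything at or above each threshold; one result row per threshold."""
    rows, goods, bads = [], 0, 0
    for threshold, band_goods, band_bads in BANDS:  # highest score first
        goods += band_goods
        bads += band_bads
        net = bads * fraud_loss - goods * clv - (goods + bads) * cost_per_flag
        rows.append({
            "threshold": threshold,
            "fpr": goods / bads,                # goods per bad; 4.0 means 4:1
            "capture": bads / TOTAL_SYNTHETIC,  # share of all synthetics stopped
            "net": net,                         # dollars versus flagging nothing
        })
    return rows


def best_threshold(fraud_loss, clv, cost_per_flag=0.0):
    """Most profitable threshold, or None when none beats doing nothing."""
    best = max(sweep(fraud_loss, clv, cost_per_flag), key=lambda r: r["net"])
    return best if best["net"] > 0 else None


if __name__ == "__main__":
    # The article's example loss, the deposit loss, the adjusted deposit loss.
    for loss in (2500, 400, 1400):
        print(f"loss ${loss}: break-even {break_even_fpr(loss, 500):.1f}:1,",
              "best:", best_threshold(loss, 500))
```

On this constructed data, a $400 loss leaves no threshold that pays, even the 1:1 band, while $1,400 makes the top band worth flagging.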
However, this is more difficult than you might think in practice because synthetic identities do not always cause a financial loss to the financial institution. Oftentimes, those losses are absorbed by consumers victimized by P2P scams, or fly under the radar in the form of money laundering or other nefarious activities. And there is a real brouhaha forming around who will take these losses in the future.
As mentioned earlier, the CFPB is looking to push these losses back to the financial services companies, and in response the CFPB received a letter from the American Bankers Association (ABA) suggesting that pushing these losses to the banks would be bad for P2P. The ABA’s response tried to reassure the CFPB by stating that “the banking industry shares the CFPB’s goal to protect consumers from P2P payments scams, and we understand the agency’s interest in wanting to respond to instances when consumers have suffered losses. However, any CFPB effort to shift liability for authorized P2P transactions should acknowledge the substantial benefits of P2P payments to consumers, the relatively small incidences of fraud, and how consumers are warned about and can avoid scams.”
So, today we are at an impasse. The problem of synthetic fraud is unfortunately alive and well in deposit accounts, and Socure research shows that the rate of synthetic attacks is growing.
What’s in the balance?
If consumers continue to absorb the costs of P2P and other scams, the math will continue to support the lack of need to stop synthetic fraud in deposit accounts, and scams will continue to have a place to call home.
If financial institutions are regulated by the CFPB or another regulatory body to absorb the costs of P2P scams (or if the financial service industry self-regulates), financial institutions will work hard to identify and keep synthetic fraud out of their portfolios.
It’s that simple. I wish all math was that simple.
How Socure Can Help
Socure’s Sigma Synthetic Fraud provides a purpose-built synthetic identity fraud detection solution that delivers holistic protection through multi-layered controls to block harmful synthetic identities from entering an ecosystem at account creation. The model employs advanced ML techniques cyclically trained with expert human-in-the-loop analysis to mitigate rapidly evolving and complex synthetic patterns. It results in the ability to deploy the right tools at the right time to hone your decisioning strategy, whether the goal is to capture more synthetic fraud or create a lower-friction user experience.
Companies are testing Sigma Synthetic Fraud to determine the number of synthetic identities hiding in their existing portfolios.
Mike Cook
Mike Cook is VP of Fraud Solutions Commercialization at Socure and works alongside Data Science, Product, Sales and the Fraud Investigation team to help ensure solution optimization across all the markets Socure serves. Mike has been an innovator in fraud, identity, and credit risk for almost 35 years and has created several patents for identity risk technologies.