After the recent collapse of Silicon Valley Bank (SVB), many in our banking and fintech ecosystem are experiencing substantial increases in new application volumes as consumers and businesses race to open and fund new accounts. Socure data has shown changing patterns in new applications since March 9, when SVB’s leadership team revealed that they had made $21 billion in asset sales that sparked a $1.8 billion loss and that they would be looking to raise $2.25 billion in capital.
That news set off a wave of fear across Silicon Valley, where the bank serves as a key lender to tech startups. Many of SVB’s customers panicked, pulling out $42 billion on March 9 alone when SVB’s stock crashed by 60 percent. By close of business that day, SVB had a negative cash balance of about $958 million.
Since then, Moody’s has warned that several regional banks could get a credit rating downgrade after SVB’s collapse revealed perceived cracks in the system. The concern is that consumers and businesses might panic and flee smaller regional banks, moving money to what they believe could be a more stable bank.
With consumers and businesses switching banks and opening up new accounts elsewhere, there will be a lot of unplanned account origination and money movement, which we believe will act as a dog whistle to bad actors looking to defraud the U.S. financial system.
Explosion of new account origination amid the turmoil
Unfortunately, the rapid increase in onboarding volume, specifically of high-net-worth individuals and organizations, creates a unique intersection of risks and, frankly, a blatant opening for fraudsters to attack. Yet the demand for frictionless, rapid onboarding couldn’t be more important as individuals and businesses attempt to keep their lives and operations moving even as their trusted institutions change beneath them.
There is no doubt that the confusion caused by these market events will be something that fraudsters and transnational criminal organizations use as an opportunity. These criminal organizations thrive on the uncertainty that these kinds of disruptions bring. They use the opportunity to assume the role of victims or try to “blend in” with the true victims of this market event.
While our hope is that banking customers will not panic and that the current turmoil will subside soon, hope is not a plan. At Socure, we are talking with our customers about how all of this commotion may change the fraud landscape in account originations and money movement. We believe the industry should take precautions in advance of the fraud attacks that could come.
Proactive monitoring and a partnership with our data science teams
In an effort to get ahead of these fraud attacks for our customers, our data science team is using a unique technology launched in late 2022 that monitors every customer across our portfolio to identify spikes in transactions, measures anomalous pattern changes in signal firing rates, and unearths score distribution changes, among several other fraud attack behaviors. This allows us to proactively identify attacks taking shape amid the market movement. We have already reported on two separate fraud attacks to two of our DDA customers.
After we identify a fraud attack, we assign data scientists to those accounts with identified pattern changes which may reflect additional risk, operational burden or customer experience challenges. Where necessary, we partner with these institutions to adjust logic to allow for seamless onboarding with limited risk. This will help both those receiving institutions as well as those looking to rapidly transition to maintain their own business-as-usual operations.
As other organizations look to step up to help support those businesses and consumers impacted by these closures, how will you manage the risk that can occur from such a market disruption? Our team of seasoned identity fraud and CIP KYC compliance experts got together to talk about the types of efforts traditional banks and fintechs should consider in this short-term market disruption. Here’s the advice they had to share.
The concept of “organic growth” may fundamentally change for your organization if you are on the receiving end of an onslaught of new customers. You may decide that differing risk profiles and anomalous patterns previously considered unacceptable may be acceptable in the current environment. The key will be to distinguish new applicants who represent legitimate growth from those with malicious intent.
Consider the following guidance for new account onboarding, funding accounts and ensuring compliance:
- Device signals are more important than ever. We’ll see less experienced fraudsters attempting to open new accounts by impersonating business owners, sole proprietors and high-net-worth individuals. Running velocity checks against identified devices connected with identities will surface this quickly. Additionally, we anticipate that bad actors will apply credential stuffing to take advantage of potentially relaxed controls. Device signals allow you to determine differences from previous logins by your existing customers. If you are not currently using a device solution, Socure’s Sigma Device can be easily integrated into your system and velocity signals can be used almost immediately, and it’s free to Socure customers.
- Avoid static rules in your onboarding decisioning. The use of blind rules with static velocity thresholds will result in excessive friction and the loss of good applicants to poor processes. Now more than ever, it’s important to have a process in place for identity fraud detection in banking and fintech organizations to intelligently process identity checks using up-to-date advanced analytics built into onboarding scores that dynamically detect anomalous behavioral patterns, suspicious linkages, inconsistencies in identity elements, and of course velocity. Socure is about to make our newest Sigma Identity v3.1 model available in production in the coming weeks. The model has been refreshed to include new fraud patterns discovered in 2022 and early 2023 fraud attacks. If you are a Socure customer or process your new applications through one of our partners, you can migrate to this new model almost immediately to lessen the impact of potential fraud attacks resulting from the current environment.
- Risk score non-monetary account changes. The recent fallout will drive consumers to reconsider how they manage their accounts, and they may add additional authorized users to help protect their deposits if there is a sudden run. Fraudsters will look to mimic this to execute account takeovers (ATOs). It’s crucial to monitor all non-monetary changes of your deposit customers to identify which changes to phone, email or address are likely ATO attacks. We are asking our banking customers to score their non-monetary changes with Socure’s Sigma RiskScore and Correlation suite. These scores can quickly and frictionlessly help separate out non-suspicious account changes from those that may cause financial harm.
- Watch out for synthetic identity fraud attacks. We have seen a dramatic increase in synthetic identity fraud during and following COVID, with increasing attacks on deposit and investment accounts at both fintechs and traditional FIs. We expect bad actors to take advantage of all of the new account openings as a result of the recent bank failures, and in fact, we are already seeing an uptick in the percentage of apps that are likely synthetic across the banking sector. As a result, we believe it is crucial to apply synthetic fraud monitoring at onboarding. Please be aware, if you are relying on your CIP KYC program to stop synthetic identity fraud, you are leaving the door open to synthetic fraud attacks.
- Automate as much of the onboarding process as possible to better manage spikes in new account applications. Should you be experiencing higher volume, high-value transactions, you may consider increasing the use of electronic document verification technology as a faster and more accurate alternative to some manual processing. Document verification with selfie ID verification can be used at the point of high-value account funding or outbound wire transfer initiation to drive additional verification without additional manual intervention.
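The device velocity and static-rule points above can be seen side by side in a short added example (not Socure's code or model). The event tuples, device and identity names, and the median-plus-MAD threshold with a floor are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=24)
NOW = datetime(2023, 3, 13, 12, 0)  # constructed reference time

def build_sample_events():
    """Constructed sample events: (timestamp, device_id, identity_id)."""
    plan = {
        "dev-A": ["id-1"] * 3,                      # one owner: personal, business, payroll
        "dev-B": ["id-2"],
        "dev-C": ["id-3", "id-3", "id-4", "id-4"],  # two partners sharing a laptop
        "dev-D": ["id-5"],
        "dev-E": ["id-6"] * 3,
        "dev-X": [f"id-9{i}" for i in range(8)],    # one device, eight identities
    }
    events = []
    for device, identities in plan.items():
        for i, identity in enumerate(identities):
            events.append((NOW - timedelta(minutes=20 * (i + 1)), device, identity))
    return events

def in_window(ts, now):
    return now - WINDOW <= ts <= now

def static_rule(events, now, max_apps=2):
    """Fixed threshold on raw application count per device."""
    apps = defaultdict(int)
    for ts, device, _ in events:
        if in_window(ts, now):
            apps[device] += 1
    return {d for d, n in apps.items() if n > max_apps}

def adaptive_rule(events, now, k=5.0, floor=3):
    """Distinct identities per device, flagged relative to the current population."""
    seen = defaultdict(set)
    for ts, device, identity in events:
        if in_window(ts, now):
            seen[device].add(identity)
    counts = {d: len(ids) for d, ids in seen.items()}
    med = median(counts.values())
    mad = median([abs(n - med) for n in counts.values()])
    threshold = max(floor, med + k * mad)  # floor keeps a quiet population from flagging everyone
    return {d for d, n in counts.items() if n > threshold}

if __name__ == "__main__":
    events = build_sample_events()
    print("static rule flags:  ", sorted(static_rule(events, NOW)))
    print("adaptive rule flags:", sorted(adaptive_rule(events, NOW)))
```

On this constructed data the fixed application-count rule sends three legitimate multi-account applicants to review along with the suspicious device, while the identity-per-device check isolates only the device cycling through many identities.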
Funding new accounts
As you establish new accounts, you will need to apply risk controls to post-day zero events ranging from account funding to the release of initial, potentially high-risk wires and disbursements. This is an important time to apply comprehensive identity verification software, such as Socure’s Account Intelligence (SAI) account validation.
- Validate new funding sources. There will be a high concentration of new funding events alongside an onslaught of onboarding. Establish account validation before all deposits, disbursements and on credit payments that increase “available-to-buy” limits.
- Validate recipients before approving any high-value wires. Many institutions see more risk in high-value transactions that occur within the first day or two of establishing an account, but in this scenario that pattern will be typical. It is crucial to leverage intelligent account validation against recipients before high-value wires are placed.
Some financial institutions have announced plans to expedite know-your-customer (KYC) processes to streamline account onboarding for businesses affected by the current crisis. While identifying truly impacted businesses versus opportunistic ones may seem straightforward, institutions cannot afford to wait weeks or months to provision new bank accounts. For organizations struggling to pay employees and bills, time is of the essence to minimize disruption and further economic fallout.
If your organization is looking to help support this effort and gain new clients in the process, how do you ensure mitigation AND speed? One critical component is to document changes in controls and identify HOW and WHY your organization is changing course.
Suspending normal risk mitigation practices can cause further market disruption and allow opportunistic organizations to come through the door. Ensure that after a certain period of time you will reassess or end the suspension of these practices once the issue has been resolved. This will help ensure that changes in practice are not cause for regulatory scrutiny.
Some options to consider building into your processes for long-term success could include:
- Accurate identity verification. It’s essential to have total confidence that you know who your customer is, and that you can do business with them. Replacing outdated legacy tools with modern identity verification software that uses robust data sources and leverages technology to deliver the highest level of assurance of the customer’s identity can help you avoid pitfalls associated with legacy providers. Legacy tools regularly approve customers with incorrect DOB and SSN, deceased individuals, commercial and correctional facility addresses, and even sanctioned individuals.
- Ongoing monitoring of customer portfolio risk. Once a customer is onboarded, their risk level can change. It’s essential to be continuously monitoring your portfolio for customer status changes. In the current dynamic sanctions environment, you need a watchlist solution with monitoring that will ensure you are notified in real time of anything requiring attention. This means you can quickly take appropriate mitigation measures, and demonstrate to regulators that you are doing your part. It’s also prudent to perform regular scrubs of your portfolio to identify other risks that may emerge.
- Tools to examine beneficial owners. Business accounts require even more scrutiny than regular customer accounts to ensure you understand source of funds, business norms, as well as ultimate beneficial ownership (UBO) to avoid running afoul of any sanctions that may be in place.
- Streamlined exception processes. Manual review can be tedious for your organization, unless you have tools designed to expedite the task. A tool that offers complete transparency to the best-matched identity with side-by-side comparison with customer input PII data, along with identified risks can expedite your reviews without sacrificing the accuracy you demand. Socure offers this capability as standard within Socure Verify.
- Confident audit response. Ensuring you have an accurate and accessible audit trail of customers that were approved, along with any context that was considered in conjunction with the approval can make a difference if any questions arise later. Socure offers the full output of consumer PII data with KYC Plus to review during a regulatory exam, or for other critical use cases including automating exception processes, SEC 17AD-17 requirements and more.
As regulators in partnership with the banking and fintech industry work to bring stability to a turbulent climate, we will continue to monitor the activity across our 1,900+ customers so that we can proactively identify threats and help our customers remain prepared. We will also update the industry as a whole on the fraud attack patterns we are seeing and continue to offer advice to help you stay ahead of a difficult and changing environment.
Mike Cook is VP of Fraud Solutions Commercialization at Socure and works alongside Data Science, Product, Sales and the Fraud Investigation team to help ensure solution optimization across all the markets Socure serves. Mike has been an innovator in fraud, identity, and credit risk for almost 35 years and has created several patents for identity risk technologies.