Why Synthetic Identities Are a Risk to Your Firm
By Guest Author | Posted 2016-05-10
Since it is possible for cyber-criminals to create a synthetic person, businesses must be able to differentiate between synthetic and true-party identities.
By Christopher Danese
Children often make up imaginary friends and have a way of making them come to life. They may come over to play, go on vacation with you and have sleepover parties. As a parent, you know they don’t really exist, but you play along anyway. Think of synthetic identities like imaginary friends.
Unfortunately, some criminals create imaginary identities for nefarious reasons, so the innocence associated with imaginary friends is quickly lost.
Fraudsters combine and manipulate real consumer data with fictitious demographic information to create a “new” or “synthetic” individual. Once the synthetic person is “born,” fraudsters create a financial life and social history that mirrors true-party behaviors. The similarities in financial activities make it difficult to tell good from bad and real from synthetic.
In the world of automated transaction processing, there really is no difference between you and a synthetic identity. Often the synthetic “person” is viewed as a thin or shallow file consumer, perhaps a millennial.
I have a hard time remembering all of my own passwords, so how do organized “synthetic schemes” keep all the information usable and together across hundreds of accounts? Our data scientists have found that information is often shared from identity to identity and account to account.
For instance, perhaps synthetic criminals are using the same or similar passwords or email addresses across products and accounts in your portfolio. Or, perhaps physical address and phone records have cross-functional similarities. The algorithms and sciences are much more complex, but this simplifies how we are able to link data, analytics, strategies and scores.
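The linking idea described above can be sketched as an added example (not the author's or Experian's method): accounts that share a normalized email, phone or address are grouped transitively with a union-find structure. The records and field names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data); field names are assumptions.
ACCOUNTS = [
    {"id": "A1", "email": "J.Smith+card@example.com", "phone": "(555) 010-1234", "address": "12 Oak St., Apt 4"},
    {"id": "A2", "email": "maria@example.org", "phone": "555-010-1234", "address": "98 Pine Ave"},
    {"id": "A3", "email": "j.smith@example.com", "phone": "555 010 9999", "address": "7 Elm Rd"},
    {"id": "A4", "email": "lee@example.net", "phone": "555-010-7777", "address": "40 Birch Ln"},
    {"id": "A5", "email": "kim@example.net", "phone": "555-010-8888", "address": "98 pine ave."},
]

def normalize(field, value):
    """Reduce cosmetic variation so near-identical values compare equal."""
    value = value.strip().lower()
    if field == "email":
        local, _, domain = value.partition("@")
        return local.split("+", 1)[0] + "@" + domain   # drop "+tag" suffix
    if field == "phone":
        return re.sub(r"\D", "", value)                 # digits only
    return re.sub(r"[^a-z0-9]+", " ", value).strip()    # address: drop punctuation

def link_accounts(accounts, fields=("email", "phone", "address")):
    """Group accounts that share any normalized attribute (transitively)."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    seen = {}  # (field, normalized value) -> first account id seen with it
    for acct in accounts:
        for field in fields:
            key = (field, normalize(field, acct[field]))
            if not key[1]:
                continue                    # a blank value must not link accounts
            if key in seen:
                parent[find(acct["id"])] = find(seen[key])
            else:
                seen[key] = acct["id"]

    clusters = defaultdict(list)
    for acct in accounts:
        clusters[find(acct["id"])].append(acct["id"])
    # Only groups of two or more accounts are worth an analyst's review.
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)
```

A cluster is a lead for review, not proof of fraud: family members and roommates legitimately share phones and addresses.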
Identifying the Business Impact of Synthetic-Identity Fraud
Most industry professionals look at synthetic-identity fraud as a relatively new fraud threat. The real risk runs much deeper in an organization than just operational expense and fraud loss dollars.
Does your fraud strategy include looking at all types of risk, compliance reporting, and how processes affect the customer experience? To identify the overall impact synthetic identities can have on your institution, you should start asking:
· Are you truly complying with "Know Your Customer" (KYC) regulations when a synthetic account exists in your active portfolio?
· Does your written "Customer Identification Program" (CIP) include or exclude synthetic identities?
· Should you be reporting this suspicious activity to the compliance officer (or department) and submitting a suspicious activity report (SAR)?
· Should you charge off synthetic accounts as credit or fraud losses?
· Which department should be the owner of suspected synthetic accounts: Credit Risk, Collections or Fraud?
· Do you run any anti-money laundering (AML) risk when participating in money movements and transfers?
Depending on your answers to the above questions, you may be incurring potential risks in the policies and procedures of synthetic identity treatment, operational readiness and training practices.
Since it is possible to create a synthetic person, businesses must be able to differentiate between synthetic and true-party identities, just as parents need to differentiate between their child's real and imaginary friends.
Christopher Danese is a decision analytics global consultant at Experian. He has operational expertise in online and digital banking enrollment and fraud detection for consumer and small business credit cards, among other areas.