Defining Synthetic ID Fraud: How It Helps With Mitigation
Fed Releases a Definition That Could Make It Easier to Identify Red Flags
Now that the Federal Reserve has issued a definition for synthetic ID fraud, fraud-fighting efforts likely will improve because it will be easier to identify red flags, some security experts say.
The Fed has defined synthetic ID fraud as "the use of a combination of personally identifiable information to fabricate a person or entity in order to commit a dishonest act for personal or financial gain."
"You can't manage what you can't measure. Without a common definition, it was hard to determine the significance of synthetic ID fraud and the best way to remedy it," says Greg Woolf, the founder and CEO at FiVerity, who was one of 12 fraud experts participating in a focus group that helped the Fed craft the definition. "And more importantly, without a clear definition and greater consensus, the industry can't successfully manage the rising problem."
The Fed developed the definition to foster improved awareness, detection, measurement and mitigation, says Mike Timoney, the Fed's vice president, secure payments. "The group reviewed definitions currently in use by the industry, looking for common elements that could be incorporated into its recommended definition," he says.
A Common Approach
The Fed wanted to create a clearer definition of synthetic ID fraud "that could be leveraged by not just U.S. domestic financial service providers but … be applicable in other global financial markets, as well as something that was applicable to other industries as well," says Amy Walraven, president at Turnkey Risk Solutions, who was part of the focus group that worked on the definition. "It was important for us to provide a clear and concise definition of synthetic identity fraud that can be used to create a universal way to define the issue in order to ultimately get all of the institutions to a commonly accepted definition."
Woolf from FiVerity adds: “We felt it was important to define the purpose for which fraudsters use synthetic ID. It is mainly used for credit repair, payment default schemes and other criminal activities where the data is used for facilitating illegal acts by individuals or crime syndicates.”
If security experts fail to properly identify cases of synthetic ID fraud and simply classify such cases as bad underwriting decisions, the use of fake identities as a front for money laundering and other nefarious activity could skyrocket, Woolf adds.
Over the years, the lack of a common definition of synthetic ID fraud has led to inconsistent categorization and reporting, making it difficult for the industry to identify and mitigate this type of fraud.
Although it's been difficult to measure the financial impact of synthetic identity fraud because of the lack of a clear definition, the Aite Group estimates that such fraud will grow to $2.42 billion in 2023, up from $1.8 billion in 2020. This fraud is growing, in particular, in U.S. COVID-19 relief programs.
"Synthetic identity fraud isn't actually identity theft," says Walraven of Turnkey Risk Solutions. "Identity theft fundamentally in its most basic terms is impersonation. When a person is a victim of identity theft, someone other than themselves is using the victim's name, date of birth, Social Security number and other identifiers to open new accounts in the name of the victim or to take over existing accounts that belong to the victim."
Synthetic identities, on the other hand, don't involve impersonation, she points out. "They may involve the use of one element of a person’s identity, like the Social Security number of a child, for example. But when a synthetic identity is created leveraging a child’s SSN, the fraudsters are not using the child’s name, date of birth, address or any other identity element of that child. An SSN is not a complete identity in itself."
Fraudsters have successfully used synthetic identities to establish bank and credit accounts that are not flagged as suspicious by conventional fraud detection models, some security experts say. In many cases, they can use synthetic identities to keep accounts open for months to improve their credit standing, max out the credit line and then disappear without a trace.
"Banks treat synthetic identity fraud losses differently and need to be consistent - is it bad underwriting or is it fraud?" Woolf says. "That was one of the key issues the industry has faced without a common definition of synthetic identity fraud. Too often, banks and credit unions wrote off [bad credit] losses, when it was, in fact, intentional fraud caused by fake and synthetic identity."
In addition to banks, fintech firms, government agencies, telecom companies, real estate brokers and others can be victimized by synthetic ID fraud, according to a report by the Aite Group in collaboration with TransUnion.
Technologies to Leverage
Now that there is a clear definition of synthetic ID in place, fraud-fighting experts are hopeful that enterprises, especially financial institutions, will be able to better mitigate the risks.
“I am hopeful that there will be a better community collaboration. We can use artificial intelligence and digital identity management to better collaborate across financial services and with the government,” Woolf says.
Walraven suggests financial institutions and others should add layers of authentication to help battle against synthetic ID fraud.
"We need to stop depending solely on self-provided identity credentials," Walraven says. "Traditional controls work, but they do not work by themselves. It is a matter of keeping the foundation and adding security layers on top of it."