Identity fraud is on the rise, with losses estimated to reach $635 billion by 2023. One form of identity fraud that is a growing concern, especially to the financial services industry, is account opening fraud.
According to FiVerity, as many as 50% of new US accounts in 2021 were fraudulent.
Unfortunately, numbers may be even higher, since the warning signs of fraudulent new accounts frequently go undetected.
With so much at stake when it comes to fraud, it’s critical that teams understand the latest criminal tactics to protect their customers and themselves. To get a better understanding of account opening fraud, let’s dig into what it is and how you can proactively combat it.
What Is Account Opening Fraud?
Account opening fraud, also referred to as “account enrollment fraud” or “new account fraud,” occurs when fraudsters open accounts using stolen or fabricated identities. It happens in one of two ways:
Fraudulent account opening using real, stolen identities is called “true name application fraud.” To open an account with a stolen identity, a fraudster acquires or purchases an identity kit, also known as “fullz,” with the victim’s personal information, including social security number, date of birth, payment information, and address, which they then use to apply for credit cards or loans, or open bank accounts in that person’s name. These accounts are opened to establish credit history and/or launder funds.
The other way account opening fraud is perpetrated is with synthetic identities, which aren’t linked to a specific person because they are constructed from stolen PII and/or other forms of fabricated information. Fraudsters use them to open new accounts, launder money, make fraudulent purchases and build credit profiles. Synthetic identities are notorious for using data from children or a deceased person and can fly under the radar for years, since there isn’t a clear victim to alert, as opposed to true name identity fraud in which the victim is evident.
The Importance of Know Your Customer (KYC)
The financial services industry faces the greatest risk from account opening fraud. Every financial organization is responsible by law for making sure that its customers are who they say they are. The Know Your Customer (KYC) regulations were established by the US Financial Crimes Enforcement Network (FinCEN). The rule “prescribes minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution.” Failure to comply with these regulations can lead to strict penalties. For example, from January 2021 to March 2022, FinCEN imposed more than $600 million in fines for anti-money laundering violations in which banks failed to properly assess the risk of customers and follow up on suspicious transactions.
Per FinCEN, financial companies need to have an anti-money laundering program with strict rules related to Customer Due Diligence (CDD) to verify the identity of all customers and clients who own, control, or profit when an account is opened. For high-risk customers, the requirements for KYC go beyond CDD to Enhanced Due Diligence (EDD), which requires further verifications and ongoing checks. In these cases, it’s even more important to remain in compliance.
For CDD, companies have to classify customers according to risk profiles and be ready to report on suspicion of fraud. According to PYMNTS, the lack of adequate CDD processes contributed to every case where FinCEN levied a fine during the January 2021 to March 2022 time period.
This includes a $140 million fine for a bank that failed to report thousands of suspicious transactions. FinCEN determined that this bank’s CDD process at account opening was insufficient to collect the necessary information to be able to effectively evaluate a customer’s risk and provide active risk monitoring.
Another bank was fined $390 million when it failed to comply with minimum requirements. In this case, the bank took a risk-based approach to identifying high-risk customers, but the system established by the bank didn’t allow the bank to get the complete understanding it needed of its customers’ activity and patterns in order to identify illegitimate behavior.
It’s clear that being able to fulfill the requirements of KYC and CDD is essential to maintain a trusted environment for customers, not to mention avoiding steep fines from FinCEN. In order to move forward, you need to know that you have KYC and CDD covered to prevent account opening fraud. And you need to be ready to act before the damage is done.
How to Stop Account Opening Fraud
Being able to distinguish between fraudsters and legitimate customers early is imperative in preventing account opening fraud. And SpyCloud Identity Risk Engine is designed to do just that – making it an essential addition to your KYC and CDD processes. What separates SpyCloud Identity Risk Engine from other anti-fraud solutions is that it can assess risk based on data that is normally only available to fraudsters in the criminal underground.
By querying as little as an email or phone number, SpyCloud links and analyzes billions of recaptured data points from breaches and malware logs to correlate the risk associated with a user’s identity. We can identify anomalies within a user’s information, like multiple unique counts of SSN, DOB, government IDs, names, addresses, etc., to highlight illegitimate accounts created by criminals using stolen data. Identity Risk Engine also has the ability to detect emails that have not appeared in any breaches (or only in a limited number), which is another strong indicator that the email was created just for the purpose of opening an account using a synthetic identity.
Paired with existing anti-fraud and identity verification solutions, this gives you the ability to intervene and prevent fraud before it can happen.
Furthermore, once you know who your high-risk customers are, you can focus your resources on them for a more efficient and cost-effective KYC process.
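The two signals described above (several distinct SSNs, DOBs or names tied to one email, and an email with no exposure history at all) can be sketched as follows. This is an added example, not SpyCloud's code or API; the record layout, the thresholds and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed thresholds: how many distinct values per field one real person
# plausibly has. Illustrative values only, not taken from any vendor.
MAX_DISTINCT = {"ssn": 1, "dob": 1, "name": 2, "address": 3}

# Constructed exposure records keyed by email (invalid 000-prefixed SSNs).
RECORDS = [
    {"email": "alice@example.com", "ssn": "000-00-0001", "dob": "1990-01-01", "name": "Alice Smith"},
    {"email": "alice@example.com", "ssn": "000000001", "dob": "1990-01-01", "name": "alice  smith"},
    {"email": "mule@example.com", "ssn": "000-00-0002", "dob": "1971-05-02", "name": "J Doe"},
    {"email": "mule@example.com", "ssn": "000-00-0003", "dob": "2012-11-30", "name": "R Roe"},
    {"email": "mule@example.com", "ssn": "000-00-0004", "dob": "1948-08-15", "name": "P Poe"},
]

def normalize(field, value):
    """Canonicalize so formatting differences do not count as distinct values."""
    value = value.strip().lower()
    if field == "ssn":
        return re.sub(r"\D", "", value)   # digits only
    return re.sub(r"\s+", " ", value)     # collapse whitespace

def assess(email, records):
    """Return (risk, reasons) for an applicant email given exposure records."""
    linked = [r for r in records if r["email"].lower() == email.lower()]
    if not linked:
        # No breach footprint: possibly created just for this application.
        return "review", ["email has no exposure history"]
    distinct = defaultdict(set)
    for rec in linked:
        for field in MAX_DISTINCT:
            if rec.get(field):
                distinct[field].add(normalize(field, rec[field]))
    reasons = [f"{len(vals)} distinct {field} values"
               for field, vals in sorted(distinct.items())
               if len(vals) > MAX_DISTINCT[field]]
    return ("high" if reasons else "low"), reasons

if __name__ == "__main__":
    for addr in ("alice@example.com", "mule@example.com", "fresh@example.com"):
        print(addr, assess(addr, RECORDS))
```

A "review" result is a prompt for additional identity verification rather than a rejection, since a legitimate customer can also have a new or never-breached address.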
Aside from alerting to synthetic identities, Identity Risk Engine can provide actionable insights into a user’s security posture, like recency of breach and password hygiene, and even detect malware-infected users. For financial institutions, these underground insights placed at vulnerable points of fraud like new account creation, application submission, account modifications, or money transfers can provide them with real-time, comprehensive data to prevent fraud.
Alternatively, FIs can easily identify users at low risk of synthetic identity or account takeover, preventing negative user experiences and friction, along with decreasing unnecessary time and resources allocated to manual review. With this increased ability to identify legitimate users versus threats, companies can feel confident that they’re doing all they can to know their customers – and not risking millions in fines.