The term “fraud” has become a catch-all for some financial institutions, which sometimes downplay these occurrences as mere nuisances rather than genuine threats. However, the stark reality is that fraud has given rise to a multitude of attack methods, each carrying its own nuances and varying degrees of impact on customers and financial institutions.
In an age of escalating cyberattacks, the proverb “knowledge is power” holds truer than ever. A financial institution’s familiarity with various fraudulent tactics becomes central to its ability to prepare for and safeguard against potential threats. By delving into the intricacies of these attacks, institutions can strategically invest in the right fraud prevention solutions that address particular types of fraud.
According to a Javelin Strategy & Research webinar, Cybersecurity: 2024 Trends and Predictions, more serious fraud attacks are set to wreak havoc for FIs in 2024 in the form of deepfakes and other artificial-intelligence-related scams. FIs that don’t take these types of attacks seriously could face reputational and monetary damage.
Sunil Madhu, CEO and Founder of Instnt, and Tracy Kitten, Director of Fraud & Security at Javelin Strategy & Research, further delved into this topic during a recent PaymentsJournal podcast. They discussed the current types of fraud that face financial institutions, why first-party fraud is complex to resolve, and what steps FIs can take to resolve first-party fraud.
Understanding the Various Types of Fraud
The pandemic brought on an acceleration toward digitalization, and this opened the door for cybercriminals to leverage the latest in tech innovation to detect vulnerabilities in their targets and launch attacks. These attacks have been especially felt within the banking sector.
Madhu outlined the types of fraud having the biggest impacts on financial institutions today:
Synthetic ID fraud: This is also referred to as synthetic identity theft. Fraudsters create a fake identity by using real and fictitious personal information. Criminals begin by stealing a real Social Security number through the dark web or other data breach, then create a fictitious name, date of birth, and address. This new “synthetic” identity is then used to open credit cards and bank accounts and to take out loans.
Third-party fraud: Also known as identity theft, this occurs when a fraudster uses a person’s stolen identifiable information to open new accounts without the consent of that individual. This type of fraud has a shorter lifespan; the victim quickly learns of the compromise and can take immediate action to bar further malicious activity.
First-party fraud: This occurs when a consumer takes out a loan or opens up a credit card without intending to pay it back.
Madhu explained that first-party fraud is the most difficult to detect because there is no way of knowing beforehand whether a consumer will default on a loan. Although there are genuine consumers who will default on loans because of economic reasons, such as a loss of a job, some premeditatively take out loans with the clear intention of not paying them back.
“You can’t put [genuine consumers] in the bucket of fraudsters,” Madhu said. “That would have legal dire consequences for people already in dire circumstances. So the industry as a whole cannot preemptively solve this problem.
“You can examine and cross-reference people’s personal information and figure out if the ID is fake or stolen. At the time when the loan is issued, you can’t really say, ‘I’m going to call you, I’m going to mark you as a fraudster because I think you’re going to default on the loan.’ So what the industry does is they make the loan payment after looking at all of the historical and financial data of the individual.”
After a loan is issued, the mode of operation for banks is to simply wait and see if the first payment is made by the consumer. If not, the next course of action is to use collection as a means of identifying whether the account is fraudulent.
This may not be the best tactic for banks, as it can expose them to more financial losses—the fraudster could spend more money before being detected, for example. And if this is a genuine customer who unfortunately can’t make that first payment, being labeled a fraudster would be a wrongful accusation.
“This emergence of what we define as scams—where you have a consumer who is conned or convinced in some way to open up a loan to transfer funds to use an account in a way that they have not historically used it—it just adds to the complexity, because it’s going back to the fact that this is a consumer, a trusted consumer for whatever reason, something has changed,” Kitten said. “The habits or the use of that account have changed.
“What makes it very challenging for financial institutions is to know when this consumer is under duress and at what point does an institution step in to take some kind of action.”
Kitten also pointed out that financial institutions continue to struggle to detect synthetic identity fraud. She recommends stronger verification and authentication at the early stages.
Why First-Party Fraud Is Difficult to Resolve
First-party fraud is one of the most challenging types of fraud for financial institutions to resolve. The main reason is first-party fraud involves the legitimate accountholder. It’s difficult for FIs to accurately gauge the intent of the accountholder, and it’s even more complex to differentiate between a legitimate activity and a fraudulent activity.
“The challenge for FIs with first-party fraud is the very intrinsic nature of it and that it’s a psychographic behavioral change of the individual or some financial change, or economic circumstance change that may be outside of the view of the financial institution,” Madhu said.
“Traditionally, the leading indicator for first-party fraud is that the very first installment payment from the loan or the charge is missed.”
Adding more to the complexity is how most financial institutions operate, by taking a less proactive approach and simply waiting for missed payments before proceeding to the collections process.
Another indicator for FIs that a missed payment is the result of first-party fraud is an inability to contact the borrower. After 120 days of missed payments, the bank simply takes the loss. Over time, this will not be a sustainable approach.
What FIs Can Do to Resolve First-Party Fraud
Consumers from younger generations often lack credit histories and therefore are not accepted by traditional credit models, leaving them vulnerable to predatory loans. This can place them in a more difficult financial situation if they default on their loan because of something like the loss of a job.
A preemptive measure, according to some in the industry, is to take the data of these individuals and compile it into a consortium block list database, categorizing them as fraudsters and thus avoiding any potential risk. The problem, Madhu points out, is that this could block these individuals, who are already in dire financial circumstances, completely out of the financial industry.
Another solution is to use a universal identity. It will be a form of digital identification through which consumers pass know-your-customer requirements and build a good reputation. This will reward them with a reusable pass and identification to demonstrate digital proof of ownership. Those in the financial services industry will be able to see beforehand what level of risk that individual is approved for, without having to worry about taking on a fraud loss.
Madhu also proposes the use of Instnt’s solution, which can assess the risk of first-party fraud, assign a financial value to the risk, and transfer the risk off the balance sheet.
“We came up with an underwriting mechanism looking at the first-party loss rate of a particular business to price the losses using technology that we’ve built end-to-end so we can control all the aspects of false positives through the system instead of layering different technologies together,” Madhu said.
“We can therefore say yes to more people than businesses could traditionally do themselves. We can offer to transfer the risk that they’re holding on their balance sheets up to the tune of $100 million a year off through our SaaS platform and on to the insurance industry, which has studied that risk and studied the underwriting algorithms and has agreed to partner with us to create an insurance product in the marketplace to transfer that risk.”