Gaming the system: Loan applicants are reverse engineering the online lending algorithms

Online lenders are assailed by fraudsters on all fronts. There were 1579 data breaches in the U.S. in 2017, 302 of which resulted in the exposure of full credit and debit card numbers. Because online finance frees up applicants from having to show up physically to a bank, it also opens up opportunities for identity fraud. This really is the other side of phishing and identity hacks. Once data ends up in the hands of criminals, the next step is to monetize it by taking out fraudulent loans. Those people are generally easy to spot, though, given how AI and compliance have matured in the online lending industry. There's an entire industry of cybersecurity companies working on fraud detection in online lending. Fintech companies typically cobble together a combination of software, third party data sources, and good old sleuthing to help sniff out the bad guys. And for the most part, outright scammers are getting caught. "We once had a teenager apply with his parents’ info," said Russell Weiss, chief risk officer of Brazilian business lender, WEEL. "We were able to catch him because his email was linked to his presence on social media. And when we checked Facebook, he clearly wasn’t in his 50s." Online lenders have also grown wary of borrowers stacking loans, or applying for a number of loans from multiple lenders at the same time. Online lenders employ a variety of tactics to prevent this -- from creating their own proprietary algorithms to reporting loan applications more quickly to the credit bureaus. Experian's Clarity Services division creates what is called a Temporary Account Record, a notation that signifies a pending loan transaction on a borrower's credit report. iovation, owned by TransUnion, employs a cross-lender database that can provide real-time intelligence on applicants. Others, like ThreatMetrix, analyze dynamic information, such as device, location, behavior and threats, on the lookout for fraud. But there’s another type of behavior that’s perhaps more pervasive, and that’s individuals and businesses trying to game the lending algorithms. Here, the scamming is significantly more subtle. These types of applicants try to reverse engineer the systems put in place by developers to automate their lending decisions. Many times, this means lying on the application form or leaving out pertinent information an applicant believes will hurt his chance at being approved for a loan or result in a worse rate. "We'll frequently see a bunch of roommates apply for a rental guarantee and of course, they'll use the roommate with the strongest credit to apply," said Jeremy Esekow, founder of HelloRented, a consumer rental finance company. "But when you look into it, he or she may not actually be a roommate at all." For some online lenders, applicants submit pay stubs or employment contracts as part of the application process. But when risk teams analyze the documents, it's clear that these documents are dated and that the applicant hasn't been paid by her company for at least a few months. To verify that the information applicants submit is valid, lenders are making digital verification de rigueur in the industry. Finicity, a provider of APIs for financial data, helps lenders prevent fraud. "Lenders using digital verification methods reduce various types of fraud while improving the overall experience," said Steve Smith, Finicity's CEO. "One example is the doctoring or omission of paper statements. Digital verification methods receive data directly from a borrower's financial institution making it near impossible to alter information." The more digitally-native the lending process is, the harder it is for people to fool the algorithms. Some online lenders provide a digital front-end, but rely on more manual processes for the risk and underwriting process. Others, like small business lender, Kabbage, have expanded the number of digital checks they make with the financial applications its applicants use. Kabbage claims that 95 percent of its customers have a fully-automated underwriting experience.  "By getting customers to connect their Amazon, Square, eBay, and business bank accounts, Kabbage gets a direct view into the finances of a small business borrower," said Yaakov Erlichman, vice president of fraud and underwriting strategy at Kabbage. "We have more than two million live data connections. It's really hard to fake live business data." It’s not always customers pushing on the lending algorithm string. Many upstart online lenders are driven by sales. Account executives want their bonuses. Sales staff can cut corners and lobby their risk teams to approve loan decisions for people and businesses that otherwise might not pass muster. Employees may submit loan applications and leave out damning information entirely. For online lenders, there can be major tension between sales and risk teams. "Sales guys have a way of presenting their applicants in a way that focuses on the future revenues they will theoretically produce, rather than what's happened historically," Esekow said. Oftentimes, salespeople may communicate to applicants and loan brokers that they've been approved before risk has even reviewed their files. That puts added pressure on the risk team to make sure the loans get originated. Online lenders tune their risk systems and algorithms to account for this subtle form of fraud. Modern risk models approach the credit decision from multiple vantage points to ensure that no one entity can game the system. "There's always a risk that aggressive salespeople can skip over important information," said WEEL's Weiss. "But ideally, the risk models shouldn't allow this to happen."