With consumers continuing to take a digital-first approach to everything from shopping to dating and investing, fraudsters are finding new and innovative ways to commit fraud. While this issue is not new in financial services, it’s only starting to be uncovered more adequately.
Traditionally, when a person would walk into a bank branch to open an account, they would need multiple forms of identification. But online, customer onboarding has turned into a riskier process for banks and consumer fintechs, with fraudsters trying to take advantage of their systems.
Every major bank and consumer fintech in the US has been impacted by fraud, according to Naftali Harris, CEO of SentiLink, an identity verification technology company.
Harris used to work as a data scientist at Affirm when he first noticed this issue. He and his team were detecting multiple applications for credit having the same name, date of birth, but different social security numbers.
When double checking with credit bureaus to ensure the accounts were fake, they were stunned to find that all of those identities had real credit reports with good credit scores, and that every major bank lender in the US was giving them money.
The assumption was that credit bureaus had records on everyone in the United States, and somehow they knew who was who. But this isn’t exactly true – the bureaus don't have any sort of authoritative records – it’s just a data consortium, he said.
Moreover, if a bank or a lender makes an inquiry about an individual and the bureau doesn't have a record for that person, it will create a provisional record. And with enough inquiries, the bureau will also create a credit report for the individual.
In this way, an account with made-up information can bypass the system.
“I think it was a situation where everyone thought everyone else was doing the job. And actually, no one was doing it. So we realized that there was a real issue impacting financial services – for us it was a crazy moment, how we were the only ones seeing this,” Harris told Tearsheet.
This led to his departure from Affirm to set up SentiLink and build a synthetic fraud detection API, raising a total of $85 million in capital. His company now works with over 100 financial institutions, including several of the top US banks.
There’s many different types of fraud, with ID theft and synthetic fraud being the most common. Synthetic fraud is a name, date of birth and social security number that doesn’t belong to the same single real person. While ID theft is easier to do, synthetic fraud is more prevalent and harder to catch.
Reducing the stress of fraud allows for a more streamlined application process, making it easier for consumers to get approved for a loan or bank account. This aspect also has implications for groups of consumers that previously had a hard time accessing credit or other types of financial products and services, as banks can verify the applicant in a way they weren’t able to before, Harris said.
Banks all across the spectrum are having issues with fraud, not just legacy players - in fact, neobanks in particular are facing increased scrutiny over their fraud and risk compliance systems.
Neobanks and consumer fintechs have benefited from the rise of banking-as-a-service allowing them to lean on legacy banks’ licenses, as well as the existence of payment networks and other standards and regulations. All these factors allowed new players to launch products and services on an “equal” footing to legacy solutions.
Thanks to this ecosystem, a new bank wouldn’t have to convince every merchant to accept their cards or every consumer that their deposits are safe. But this premise could be in danger, says Laura Spiekerman, chief risk officer at Alloy, an identity decisioning platform for banks and fintechs.
“The rapid rise of fintech companies over the last two years from startups into major players is converging with fraud and financial crime to create some cracks in the level playing field. This issue has significant impacts on financial access and equity, as well as the competitive landscape for financial services broadly,” she told Tearsheet.
Neobanks in the US have experienced skyrocketing market penetration in a short amount of time.
For example, PayPal added 120 million new customers over the past two years, to bring its total user base to 426 million. Last year, it used incentivizing customer acquisition tactics, such as cash rewards upon signing up, to a much greater extent than ever before, according to its CFO John Rainey. But the executive also revealed that the company identified 4.5 million accounts that were “illegitimately created”, leading to reports over the issue of fraud in fintech.
Chime, the largest neobank in the US, is getting hundreds of thousands of new accounts each month, according to WSJ. The company nearly doubled its customer base from 7 million at the start of 2020 to more than 13 million by the end of last year.
While there are no available fraud figures for Chime specifically, other industries such as rental car agencies are beginning to worry about this and have started to ban the use of the neobank’s cards.
Rental car agency Avis tweeted last year that it won’t accept Chime cards due to many fraud reports, while Enterprise and Hertz have also banned the fintech’s cards, with Cash App, Paypal or Venmo also rejected by some storefronts, according to reports. Chime denies that its app has become a fraud haven.
"Digital-focused banks have a target on their backs because fraudsters know that the banks want to make the user signup flow and banking experience as seamless as possible,’’ Kevin Lee, VP at fraud prevention firm Sift, told Forbes.
The types of fraud fintechs experience depend on the type of financial service they offer, added SentiLink’s Naftali Harris. For the consumer-facing fintechs that offer lending services, synthetic fraud has been a huge issue, while for those doing checking and savings accounts, ID theft has been more prevalent, he said.
European neobanks and fintechs have also been vulnerable to fraud, experiencing mounting concerns over their services potentially being used for sketchy activities ranging from criminal transactions to fraudulent users.
For example, German neobank N26 got fined by regulators for weak anti-money laundering controls, and Monzo is under investigation for the same issue.
Revolut was also in the headlines in 2019 as a whistleblower told the FCA that they believed compliance systems were “utterly inadequate”, and that there were tensions between the compliance team and CEO Nikolay Storonsky.
This also led to staff departures, with two compliance department leaders leaving the company in quick succession in 2020. However, since then, Revolut ramped up its systems and hired around 600 people last year.
New areas prone to fraud: BNPL and crypto
As the pandemic led to a surge in synthetic identity and account takeover fraud, this has threatened the security of accounts and their associated payment data. According to Juniper Research, merchant losses to online payment fraud will exceed $206 billion cumulatively for the period between 2021 and 2025.
While traditional payments products have legacy fraud detection systems in place, newer services such as buy now, pay later don’t enjoy the same risk verification mechanisms. This will lead to fraudsters taking advantage of some BNPL companies and consumers, according to Experian’s 2022 Future of Fraud Forecast, resulting in significant losses for BNPL lenders.
And just like in the case of fintechs, fraudulent activity is directly proportional to the rapid adoption of BNPL among consumers and lenders. The number of BNPL users in the US has grown by more than 300 percent per year since 2018, reaching 45 million active users in 2021 who are spending more than $20.8 billion, according to Afterpay research.
The BNPL space can solve this problem by applying technologies used in other parts of the payment ecosystem, such as identity verification beyond credit risk worthiness like device recognition, according to David Britton, VP of strategy, global identity and fraud at Experian.
As most transactions are digital now, companies can use device intelligence, behavioral analytics and network observations to ensure a customer is a trusted individual. This allows for quick customer onboarding while also detecting the maximum amount of fraud as well.
“We believe that identity in the digital world has to be defined as more than just the name, address, National ID, Social Security and phone number. All the information about the devices customers are using, such as their computer or phone, can be proxies to help build a much more robust picture of the true digital identity of a person,” Britton told Tearsheet.
Crypto is another area prone to scams. According to the FTC, investment cryptocurrency scam reports have skyrocketed, with nearly 7,000 people reporting losses totaling more than $80 million from October 2020 to March 2021. Experian predicts that this year fraudsters will set up cryptocurrency accounts to extract, store and funnel stolen funds.