In 2022, BNPL is poised to grow by 66.5% to reach $82 billion in transaction volume annually. In addition, as more people use BNPL, adoption is growing steadily with a CAGR of 32.5% between 2022 and 2028.
In the shadows, however, adoption by fraudsters is also surging.
The BNPL fraud rate grew by 66% YoY between 2020 and 2021. Bad actors are defrauding BNPL payment systems to steal items ranging from fast food to video game consoles, according to experts. The ecosystem’s fast-approval loans, coupled with speed-oriented identity verification mechanisms and loose credit checks, have set the stage for such activity.
Some experts say that the popularity of BNPL perhaps leaves the system even more vulnerable. With the sheer volume of credit applications processed digitally, it has become easier for fraudsters to slip through the cracks.
“The more this market grows, and the more common BNPL becomes, the more fraudsters will seek to exploit it. That’s their nature,” said Uri Arad, a PayPal risk department veteran and the co-founder of Identiq, an information security company.
Most BNPL providers offer users a default line of credit upon registering an account. Over time, as the provider collects more of the user’s account data — transaction, payment, and debt pay-back history — lending limits generally increase. Fraudsters misuse this model, either making purchases through a hacked account or setting up fake accounts and exploiting the default limits.
Hence, the most prevalent methods of fraud in the industry are account takeovers (ATOs) and synthetic identity fraud.
What’s allowing fraudsters to get in behind the defense?
BNPL as yet remains unregulated, which means there is no unified industry-wide protocol to deal with fraud. Each provider uses its own set of fraud detection and prevention procedures and settles cases as per self-appointed policies.
The industry-wide onboarding protocols, however, are pretty much the same: each credit application must be created in-flow with the transaction. This grants BNPL the transaction speed merchants and consumers love it for, but to make that possible, providers generally conduct credit checks less thoroughly than with traditional credit products. That’s where the risk is born.
“The effect of fast approval processes is that companies only make light, cursory identity and credit checks, opening the door to use of stolen and synthetic identities,” Arad said.
Fake accounts are easier to set up in today’s world of digital signups. Most providers just require customers to upload copies of documents for proof of identity and/or a current address, and a credit/debit card to register. Fraudsters use data obtained from stolen mail or data breaches to register fake accounts, which are then used to make purchases. Paying only as much as the first installment, often through stolen cards, bad actors obtain a product that they can then resell in the market for profit.
In some cases, fraudsters complete a few small transactions through a particular service to build a reputation and increase their accounts’ credit limit. Once they have achieved their desired level, they may complete a transaction using a stolen card and steal a higher-valued good. The smaller purchases made initially may or may not be paid for in the end, depending on how long the fraudster is dragging out the reputation-building phase. In other cases, they try to get access to aged accounts with extended credit limits — through age-old tactics like phishing, credential stuffing, and SIM card cloning — to commit bigger thefts. The delay factor in BNPL adds complication to the paradigm for providers while making fraudsters more effective at their tasks.
“Delay in payment, which is what you get with BNPL, adds some confusion into the story,” Arad said. “The victim won’t see the payment coming out of their card, account, or ID for a while, giving the fraudster more time to misuse it.”
What this means is that a transaction is not billed immediately after something is purchased from an account — creating a delay between the purchase and the actual transaction. This delay allows fraudsters to make multiple purchases from a stolen card before their activity is noticed. In the case of synthetic IDs, this allows fraudsters to make a series of purchases that look good to the computer but end up never actually paying for them.
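A defender's view of the reputation-building pattern described above, as an added example that is not from the article or from any BNPL provider: a rule that scores a new purchase against the account's own history. The field names, thresholds and sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Purchase:
    account: str
    day: int       # days since the account was opened
    amount: float
    card: str      # payment-card fingerprint (constructed label)
    paid: bool     # installments due so far have been paid

# Thresholds are illustrative assumptions, not industry values.
JUMP_RATIO = 5.0   # purchase at least this many times the account's median
MIN_HISTORY = 3    # history needed before a jump is meaningful

def bust_out_signals(history, new):
    """List the signals a new purchase raises against the account's past."""
    prior = [p for p in history if p.account == new.account and p.day < new.day]
    signals = []
    if len(prior) >= MIN_HISTORY and \
            new.amount >= JUMP_RATIO * median(p.amount for p in prior):
        signals.append("amount_jump")
    if prior and new.card not in {p.card for p in prior}:
        signals.append("new_card")
    # Deferred billing: earlier purchases may still be unpaid at this point.
    if any(not p.paid for p in prior):
        signals.append("unpaid_installments")
    return signals

def decide(history, new):
    """Hold for manual review when two or more signals coincide."""
    signals = bust_out_signals(history, new)
    return ("review" if len(signals) >= 2 else "approve"), signals

# Constructed sample history: acct-A makes small purchases, acct-B is ordinary.
HISTORY = [
    Purchase("acct-A", 1, 20.0, "card-1", True),
    Purchase("acct-A", 8, 25.0, "card-1", True),
    Purchase("acct-A", 15, 30.0, "card-1", False),
    Purchase("acct-B", 2, 40.0, "card-7", True),
    Purchase("acct-B", 20, 55.0, "card-7", True),
    Purchase("acct-B", 41, 60.0, "card-7", True),
]

if __name__ == "__main__":
    for new in (Purchase("acct-A", 22, 499.0, "card-9", False),
                Purchase("acct-B", 50, 300.0, "card-7", False)):
        print(new.account, new.amount, decide(HISTORY, new))
```

A single large purchase on a card the account has always used is approved; the hold is triggered only when the jump coincides with a new card or unpaid earlier installments.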
Where does the solution start?
“The main gap in BNPL is being able to verify identities without adding high-friction,” Arad said. “The information available to BNPL providers through the credit bureaus is not sufficient to establish a strong identity, therefore leading to major exposure. I think that’s something that’s going to have to change.”
Information exchange with credit bureaus goes both ways: firms share user data with bureaus, which run the data against their records and provide individual consumer information — identity markers and credit histories — back to the firms. However, not all BNPL companies are comfortable sharing personal user information, and since there’s no obligation to report, they may well choose not to. For example, Affirm, Afterpay, and Klarna report some loans to a credit reporting agency; other players do not.
Firms in the space can find a way to use what’s called Privacy Enhancing Technology, such that everyone can leverage the knowledge of the crowd without sharing any of the sensitive information. Using these technologies would allow the BNPL providers, and their partner-merchants, not only to confirm that a person is real, but also that the person is who they claim to be – all while protecting users’ personal information.
Regulators can play a big role in helping BNPL providers and credit bureaus share data and make the ecosystem safer against fraud. While reporting for other kinds of credit already exists, it is understood that BNPL won’t be an exception for long.
There is a catch, though: traditional models of reporting may be a threat to the BNPL model.
While BNPL providers reporting to bureaus might curb some of the fraud and offer some protection from credit bust-out cases, it may actually work against the core value of BNPL: an alternative to credit cards.
“If the current model worked perfectly, providing all the people who need it with the financial flexibility they require, we would not have seen the growth of BNPL as a solution. It is critical that the industry comes together with regulators and tech companies to define a solution fitting the 21st century and supporting greater financial inclusion than the current bureau model,” Arad elaborated.
BNPL for the future
There is risk involved in every type of payment method, and it is only through iteration that emerging models find their fit for the market. There’s a learning curve as retailers and providers learn how to protect against risk, and consumers learn how to use the new method wisely — and that curve can bring some teething pains as we all get used to it. Ultimately though, having more options is often positive for consumers, businesses, and the payments world.
Arad believes that as BNPL technology matures, it will become a staple of consumer behavior.
“It provides a much better alternative to the current options available to struggling consumers, such as payday loans, gray market loans, and financial exclusion.”