Cybercrime has evolved to exploit gaps in enterprise data security and disrupted identity theft in the process. It has spawned a parallel black market on the Dark Web, where criminals transact in bitcoin to anonymously trade stolen data, minting hundreds of billions in annual and often untraceable proceeds for sellers.
Javelin Strategy & Research’s 2017 Identity Fraud Study said ID theft hit a record high in 2016, victimizing 15.4 million people, or roughly two-million more victims than the previous year. ID theft is generally a precursor to credit card fraud, which attributed to worldwide losses of $21.84 billion in 2016.
Card issuers incurred 72%, of those losses last year, with card fraud expected to syphon a grand total of $88.87 billion out of the global financial system over the next four years.
Beyond standard ID theft, synthetic identity fraud (SIF) schemes, where criminals cyberuse stolen data to create fictitious, but bankable, identities, are also hitting lenders hard. ID theft and SIF schemes are increasingly enabling new account fraud (NAF), which can derail money laundering inquiries, and is integral to the furtherance of application fraud.
In addition to application fraud, the emergence of NAF-enabled crime complicates anti-money-laundering (AML) investigations by adding more hidden layers to transaction structuring for scammers and criminal organizations. This threat landscape constitutes a digital identity crisis for financial institutions (FIs) and demands industry-wide action to improve outdated know-your-customer (KYC) processes following three principles: understanding the Dark Web; recognizing the growing threat of SIF schemes; and exploring new regulatory technology solutions (regtech).
Dark Webnomics 101
Understanding the vast supply-and-demand mechanism of the Dark Web economy is integral to KYC strategy for banks. The Center for Strategic and International Studies pegs the worldwide cost of cybercrime at $445 billion a year. According to the 2016 Cost of Cybercrime Study, data breaches, cyber-fraud and related disruptions impact U.S. organizations the hardest, with the average cyberattack generating $17.36 million in costs. Of the 4149 data breaches and 4.2 billion records exposed in 2016, as reported by cybersecurity firm RiskBased Security, the U.S. comprised 47.5% and 68.2% of those numbers, respectively.
Based on the monetization model of the Dark Web, it is safe to assume that most of those 3 billion stolen American data records are being trafficked on anonymous “eBay-like marketplaces,” where the median price of a stolen identity fetches for $21.35. Although, stolen identity data is a depreciating asset that become less valuable with each passing second on the market, new SIF schemes prove that high-volume data theft can still yield enduring dividends for financial criminals.
KYS: Know Your Synthetics
The Wall Street Journal ranked synthetic identities as one of the top-three risks facing the banking industry in 2016. In SIF schemes, scammers construct partially or entirely falsified consumer or legal entity data to open new accounts, obtain credit cards or apply for loans. Beyond the unfathomable deposits of stolen financial and ID data available on the Dark Web, criminals can create fake pay stubs, businesses and references to further confound bank customer due diligence (CDD) and KYC filters.
SIF schemes can also obstruct money laundering inquiries by inventing a web of fictitious account beneficiaries, thus layering multiple firewalls between the scammer or the criminal organization.
FIs should be aware that scammers typically create synthetic IDs in one of the following three ways:
- Pair a real social security number (SSN) with a fake name
- Use an “inactive” SSN with a real name (typically belonging to a child or someone who has died) to pass KYC filters
- Fabricate both the SSN and the name completely
Banks Need Next-Generation KYC
Never in history has data been more valuable, monetizable or accessible to criminals. Banks, fintech companies and other financial service platforms need a data-driven, KYC solution to enhance their customer authentication processes and properly safeguard their organizations.
FIs across the board should partner with a regtech vendor that screens risk by using best-in-class data, with real-time and continuously updating information streams. Further, they must embrace more progressive local suspicious-activity data sharing between institutions, because the most prolific identity and bank frauds cast a wide net and target many lenders.
How efficient is your customer identification process?