It’s a crime that cost U.S. lenders an estimated $6 billion in 2016. It slips through the cracks 85-95% of the time. And it’s currently the fastest-growing type of illegal financial activity in the U.S.

Synthetic identity payments fraud is an alarming problem for financial institutions today. And, unfortunately for lenders who bear the brunt of the cost, it’s not getting better anytime soon.

In recent years, the theft of personal data has been fuelled by increased data breaches and the availability of personal identifiable information (PII) on the dark web (which sells for as little as $1 in some cases). This reality, combined with existing gaps in the credit process, makes it possible for individuals and organized crime rings to use fabricated identities to manipulate their way into big cash payouts.

The feds and private sector are just beginning to develop strategies for detecting, mitigating and addressing synthetic identity fraud in the payments ecosystem. Until then, developing a detailed understanding of this complex crime is an important step.

Traditional versus synthetic identity fraud

Whereas traditional fraud is usually caught as soon as a person’s finances are affected, most synthetic identity fraud slips through the cracks, persisting for months or years before being detected. Typically fraudsters who steal existing PII target children, older adults or homeless

people who either don’t have credit or don’t monitor it regularly. Some victims may be unaware they’ve been targeted until they apply for their first credit card or student loan at 18.

How the credit application process makes it possible

The biggest, most complex credit card scheme in U.S. history used synthetic identity payments fraud to steal an estimated $1 billion over 10 years. This same process is used and repeated by individual fraudsters and international crime rings alike.

Here’s how it works, according to the Federal Reserve’s white paper on the topic:

1. The fraudster creates an identity using stolen or fabricated PII, often sourced through the dark web, social engineering or social media.
2. They apply for credit using a synthetic identity. The application is typically rejected, but the credit bureau still creates a new credit profile for the synthetic identity, assuming that the first applicant using an SSN is authentic. The new profile becomes artificial proof of the identity.
3. The fraudster casts a wide net, applying for credit at various institutions (and often with high- risk lenders) in order to get approved.
4. Once a credit account is set up, the fraudster spends months or years nurturing a high credit score by making small purchases and on-time payments to increase credit availability. They can expedite this process by being added as an authorized user on an account with good credit, whether a legitimate or synthetic identity account.
5. The fraudster “busts out,” maxing out the credit line and disappearing. Sometimes they double the payout by reporting identity theft to remove the charges or paying the balance off fraudulently, then maxing out again.

Impact on consumers and institutions

Individual customers whose SSNs are stolen to create synthetic identities are not held financially responsible. But there are other implications for the victim, including out-of-pocket legal fees and the painstaking process of righting their credit score.

Financially, institutions are hardest hit by synthetic identity payments fraud, with costs at every stage of the payments lifecycle. During enrolment, institutions pay for setup and maintenance of synthetic identity accounts, as well as potential fines when synthetic identities pass Know Your Customer (KYC) requirements. At the transaction phase, they take on monetary responsibility for all unpaid balances. Finally, institutions have to pay for collection costs and additional staff to reconcile losses.

Fighting fraud in the future

While the process that makes this type of fraud possible is generally understood, the Federal Reserve says more data is needed to properly quantify, identify and mitigate the issue. This grey area is compounded by a lack of consistency in identifying synthetic identities, lack of investigation, lack of awareness and lack of reporting around synthetic identity payments fraud.

"This grey area is compounded by a lack of consistency in identifying synthetic identities, lack of investigation, lack of awareness and lack of reporting around synthetic identity payments fraud."

As one way to stem this problem, financial institutions may be able to mine third-party data sources and develop more detailed customer profiles to heighten fraud detection. This approach is based on the idea that real identities have years-long data trails with consistent, predictable data points that are difficult to fabricate. Institutions can assess the depth of applicants’ third- party information as a way to flag suspicious, potentially synthetic identities. By leveraging the power of data, banks could minimize losses and avoid transferring the burden of rigorous ID checks onto customers as they combat the growing risk of payments fraud.