How your bank can fight first-party fraud

It’s a crime that can take months or even years to pull off. But when it’s done successfully, it means a criminal can grab cash and dash away in an instant. This crime—first-party card fraud—occurs “when an external party, including a bank customer, commits fraud against the bank,” according to the Office of the Comptroller of the Currency (OCC). It involves a fraudster who intends to establish a credit line, max it out and never pay off the balance.

First-party card fraud includes the mounting problem of synthetic identity fraud, where an individual or group develops a forged identity that mixes authentic personally identifiable information, such as a Social Security number, with a false persona. Fraudsters build this forged identity over time—estimates range from six months to five years—with the ultimate goal of “busting out,” or disappearing with as much as they can get.

McKinsey and Company in New York City reports synthetic identity fraud is the fastest-growing type of fraud in the U.S. “New account fraud,” in which fraudsters open accounts under false pretenses using personally identifiable information, rose an estimated 70% between 2017 and 2018. In addition, synthetic ID fraud alone accounts for 80% of all credit card fraud losses, with charge-offs in this area expected to grow to 40% by 2021.

So, what can a community bank do to stop its rise and impact?

3 ways to fight first-party fraud

1. Collect and review key data. McKinsey studied first-party card fraud and identified 150 data markers that real people have online, from social media accounts and email addresses to physical addresses. These markers helped researchers to categorize various account applicants as having a higher or lower risk of being a synthetic ID and to better guide financial institutions on who warranted additional scrutiny. The research found that knowing applicants better makes a difference.

“The approach we proposed was not using this to decline new applicants, but using this to prioritize your view,” says Bryan Richardson, a senior knowledge expert at McKinsey and Company. “There’s a perception that [banks] have to build these really big, fancy AI [artificial intelligence] systems with tons of data to affect the problem, and that’s not the case. They can start small, build incrementally and still do a lot to mitigate potential crime.”

2. Leverage new technology. New solutions support the fight against first-party fraud. For example, electronic consent-based Social Security number verification, or eCBSV, allows banks to check applicants’ Social Security information against a national database. Advancements in card technology—such as 3D Secure 2.0, which establishes a stronger authentication approach; and secure remote commerce, a standardized e-commerce method—help banks to streamline their risks. Cross-channel solutions help banks monitor activity across the organization.

“We’ve been implementing an enterprise-wide fraud solution where we can take all occurrences of fraud and bring them together in one place,” says Frank Bentz, senior vice president and chief information security officer at $11.4 billion-asset Sandy Spring Bank in Olney, Md. “It also uses components of artificial intelligence and machine learning to identify patterns in the data. We’re trying to bring in things like first-party fraud and see if it ties to fraud in other channels.”

3. Share information. First-party fraud often moves from bank to bank, so a sound defensive strategy relies on sharing information. New risk management systems and data aggregators allow banks to request and share this type of information with one another digitally, and organizations like the Financial Services Information Sharing and Analysis Center (FS-ISAC) provide forums for discussion. Simply talking about mitigation strategies goes a long way.

“When it comes to security, we’re generally very open with one another about ‘What systems are you using? Are you seeing these kinds of fraud attempts? And how are you mitigating it?’” says John Sadowski, executive vice president and chief information officer at Sandy Spring Bank. “When it comes to the safety of clients in general, we don’t hold that stuff close to the vest, because we want to try and protect folks around the industry.”

For community banks to address the complexity of first-party fraud, they will need to try a combination of approaches. “There is no silver bullet,” Richardson says. “The goal of this is to mitigate losses before they happen by making it harder for synthetic identities to be onboarded at an institution.”