Best Practices for Preventing Online Account Opening Fraud

Mark Dawes

Apr 2, 2021

The COVID-19 pandemic arrived without warning and accelerated the need for organizations across the globe to deliver digital goods and services to their customers. This seemingly overnight shift to digital allows criminals to remain faceless and creates problems for financial institutions, as traditional (in-person) identity verification measures no longer apply. This is particularly vexing in account opening processes.

As a result, it is necessary to find a balance between offering a seamless digital experience for legitimate customers and protecting against fraud and other criminal activity.

But First — How Did We Get Here?

Let’s look more closely at the problem. Data breaches and social engineering attacks, like phishing and smishing, continue to arm perpetrators with social security numbers, email addresses, usernames and passwords, and other PII needed to construct a fictitious persona to commit account opening fraud. The fraudsters then use the stolen or synthetic identities to open a bank account, apply for credit, or secure a loan.  They then nurture these accounts for many months, even years, making payments and performing activities to build up a good credit history and then suddenly ‘bust out’ and vanish.

Synthetic identity fraud continues to gain favor with criminals and now accounts for as much as 15% of all charge-offs in unsecured lending portfolios. One reason synthetic account opening fraud is growing is that there is no consumer victim to raise the alarm.

Fraudsters simply create new identities using a mix of real and fake names, birth dates, and social security numbers. Since they are in possession of other key data points at account opening, like email addresses and phone numbers, they receive second factor confirmations and security tokens. This level of sophistication leaves traditional third-party fraud controls, such as knowledge-based authentication (KBA) and multi-factor authentication, less effective at detecting bank account fraud. While there is no silver bullet, the following four tenets of a multi-layered approach can be effective at detecting and preventing bank account opening fraud.

1. Machine Learning

Despite machine learning’s ubiquity, some organizations are still using legacy rules-based applications to assess risk. Rules have their place and produce deterministic outcomes (ex: If ‘X’, then do ‘Y’, else do ‘Z’), but they often become challenging to maintain and update when they get into the hundreds, and their performance declines over time. Typically no one in any organization knows all the rules, so adding new ones can be an onerous task. Enter machine learning. While machine learning, a subset of artificial intelligence, is not a new concept (some algorithms were discovered in the 18th century), the exponential rise in computing power has enabled it to be applied to many business problems to quickly and cost-effectively reveal patterns and trends across millions of data points. Machine learning models come in many shapes and sizes (topic for another post), but some key factors that make it suitable for account opening are:

  1. Customer experience – Rather than subject each applicant to a rigid set of constraints and processes that may lead to abandonment, machine learning is better equipped to analyze hundreds of data points, identify patterns across them, and guide each applicant to an optimal experience.
  2. Ability to adapt – All computer programs are written to produce an outcome. Traditionally, people were required to explicitly code the rules to meet that goal. With machine learning, computer programs can discern how to best achieve the goals and independently improve as they intake more data and receive feedback from prior decisions.  
  3. Flexibility to co-exist – We noted some shortcomings of rules earlier.  Machine learning is not a panacea either.  However, combining rules-based applications with machine learning enables each approach to succeed and balance out any weaknesses of the other. Rules-based applications can make deterministic decisions, allow business policies to be enforced and can deliver accurate decisions before any data is gathered. Machine learning can augment these systems by improving accuracy over time and adeptly responding to any changes in the process.

2. Community Data

Community data can be called by an array of different names – consortium, network, exchange, or data share – but they all generally reference the same thing. The central premise is that a single organization only has access and insight to a finite set of data points to make a risk decision.

Let’s take the case of a new customer arriving on your digital doorstep to create a bank account. If you’ve never seen them before, how do you discern their intent while still delivering a differentiated customer experience? One answer may lie in the community. Chances are what may be new to one organization may have already been vetted by another. How do I find a “viable” community? Here are three factors to consider:

  1. Breadth. A community that has two participants is not a community. Seek breadth across industries and geographies. A good rule of thumb is to find a community that is part of people’s everyday lives – where they shop, eat, travel, entertain, and bank.
  2. Reputation. While breadth is vital, knowing the outcome or reputation of an event is essential. A community needs an active feedback loop to continually evaluate risk. An event that was positive six months ago may not be today.
  3. Framework. By its definition, a community is an aggregation of data, and that asset should be backed by defensible security practices that meet your organization’s standards. One asset to seek is an operating guide (or set of defined principles) to which all subscribers in the community must adhere to gain admittance and remain in compliance.

3. Document Verification and eCBSV

While it admittedly may introduce friction into the customer experience, requiring applicants to upload documents for verification can help prevent account opening fraud. This process enables financial institutions to authenticate the document and compare information with other user-entered data.

Unlike slow, manual legacy processes that may have required applicants to mail in documents or upload them to a secure location, artificial intelligence, underpinned by machine learning, and the omnipresence of mobile phones have transformed this process so that it can run in near real-time. Today, banks can ask customers to photograph and send drivers’ licenses, passports, and other picture forms of identification for verification. In the background, sophisticated software examines security features such as holograms, threads, and watermarks that are difficult to fake. These systems can ensure legitimacy by inspecting digital measurements of spaces between letters, scrutinizing lengths of strokes and serifs, inspecting ink colors and font consistency, and comparing document sizes and shapes. If the documents are legitimate, they can be cross-referenced against other user-entered data and serve as an additional layer to prevent fraud.

In mid-2020, the Social Security Administration (SSA) rolled out the electronic Consent Based Social Security Number Verification (eCBSV) Service to a limited set of entities. This service, which needs the applicant’s written consent with a wet or electronic signature in order to disclose their social security number (SSN) for verification, allows permitted entities to verify if an individual’s SSN, name, and date of birth combination matches SSA’s records. The service returns a ‘yes’ or ‘no’ for a match. While a positive development on the synthetic identity fraud front, the service is fee-based, lacks defined SLAs, only supports exact matches, and does not verify an individual’s identity.

4. Behavioral Biometrics

The final layer in preventing bank account opening fraud leverages behavioral biometrics.

Behavioral biometrics track, measure, and compare the way people interact with their devices when opening accounts. Real-time evaluation of cursor moves, mouse clicks, keystroke dynamics, page navigation, and phone swipes and taps can determine if the applicant is a legitimate customer or a fake. Fraudsters exhibit specific usage patterns that banking customers do not. Behavioral biometrics examine actions such as the number of characters typed without pause and the pixels clicked within buttons to identify probable bank account opening fraud.
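To make the two signals named above concrete, here is an added example (not Accertify's code) that turns a session's raw key and click events into features a risk model could consume. The 500 ms pause threshold, the event layout, and both sample sessions are assumptions constructed for illustration; the output is a set of raw features, not a fraud verdict.

```python
from statistics import pstdev

PAUSE_MS = 500  # assumed gap that counts as a "pause"; tune on real traffic


def longest_burst(key_times_ms, pause_ms=PAUSE_MS):
    """Largest number of characters typed with no gap of pause_ms or more."""
    best = run = 0
    prev = None
    for t in key_times_ms:
        run = run + 1 if prev is not None and t - prev < pause_ms else 1
        best = max(best, run)
        prev = t
    return best


def click_offsets(clicks):
    """Offset of each click from its button's centre, as a fraction of button size.

    Each click is (x, y, (left, top, width, height)) in page pixels.
    """
    return [((x - left) / w - 0.5, (y - top) / h - 0.5)
            for x, y, (left, top, w, h) in clicks]


def session_features(key_times_ms, clicks):
    """Summarise one account-opening session as model-ready features."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    offsets = click_offsets(clicks)
    return {
        "chars": len(key_times_ms),
        "longest_burst": longest_burst(key_times_ms),
        # Near-zero spread in inter-key gaps means machine-regular typing.
        "gap_stdev_ms": round(pstdev(gaps), 1) if len(gaps) > 1 else 0.0,
        # Few distinct in-button positions means clicks land on the same spot.
        "distinct_click_offsets": len(
            {(round(dx, 2), round(dy, 2)) for dx, dy in offsets}),
    }


# Constructed sessions: keydown timestamps (ms) and clicks on two 80x20 buttons.
HUMAN_KEYS = [0, 180, 310, 520, 1400, 1530, 1700, 2900, 3010]
HUMAN_CLICKS = [(112, 47, (100, 40, 80, 20)), (331, 212, (300, 200, 80, 20))]
SCRIPT_KEYS = [0, 10, 20, 30, 40, 50, 60, 70, 80]
SCRIPT_CLICKS = [(140, 50, (100, 40, 80, 20)), (340, 210, (300, 200, 80, 20))]

if __name__ == "__main__":
    print("human :", session_features(HUMAN_KEYS, HUMAN_CLICKS))
    print("script:", session_features(SCRIPT_KEYS, SCRIPT_CLICKS))
```

In the constructed data the scripted session types all nine characters in one burst with zero timing variance and clicks the exact centre of both buttons, while the human-like session pauses twice and clicks at different points within each button.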

Accertify Digital Identity: The multi-layered solution

It is critical to fight the complex problem of account opening fraud with a multi-layered approach. Accertify helps clients build comprehensive, scalable, tailored processes for detecting bank account opening fraud. Our platform can integrate these prevention methods and more into a holistic process that incorporates unparalleled industry insight and best practices coupled with advanced machine learning technology.

Request a Consultation to learn how Accertify Digital Identity can protect your institution against bank account opening fraud.