The past two years created a perfect storm for account opening fraud. Many banks and organizations were unprepared to handle a greater volume of online transactions and to transition to the widespread use of digital services. Without the right fraud controls in place, criminals worked the system to falsely apply online for economic relief packages and then to open fraudulent accounts to deposit their stolen money into. In 2021, $6.7 billion in total losses was attributed to new account fraud.
The latest storm may have passed, but there are rumblings in the distance. Criminals are opportunistic and constantly evolving their tactics. In a recent webinar, Denny Prvu, Director of Identity & Access Management: Enterprise Security at the Royal Bank of Canada, and Raj Dasgupta, Director of Fraud Strategy at BioCatch, spoke about the latest tactics for account opening fraud and how banks can strike a balance between reducing risk and exposure while creating a positive user experience.
Account Opening Fraud Tactics: Combining Human and Non-Human Activity Is the New Norm
Financial institutions are a major target for account opening fraud because criminals need to create new accounts to use in money laundering operations. As we saw with economic relief packages, criminals are targeting where the money is — claiming unemployment or stimulus benefits, for example — and opening accounts to deposit stolen funds. They then move the money out to other accounts or buy cryptocurrency to conceal their actions.
Financial institutions that rely on PII or device-based authentication to detect account opening fraud are finding that their controls are falling short. Criminals have clean sets of PII data to work with to make their way through the account opening process, and the problem is so commonplace there are even how-to videos on YouTube to walk would-be criminals through the process. Because of the flurry of activity, Denny Prvu of RBC noted, banks had to act and began investing in new technology, like AI and machine learning, to shut the door on criminals. However, they have continued to adapt.
Raj Dasgupta explained that criminals have a new MO and are using bots to open accounts at scale. Criminals leverage automated scripts and large caches of stolen PII to which are capable of opening thousands of applications in minutes. Because most banks have bot detection technology in place to detect this activity, criminals have modified their attacks to blend real human interaction or introduced time delays on purpose with the intention of mimicking a human.
“It’s a pretty sophisticated operation where it’s a mix of human activity and non-human programs attacking financial institutions,” Dasgupta said.
Implications for AML and Fraud Teams
Because account opening fraud is a key link in the money laundering supply chain, there is room for AML and fraud detection teams to work together on the problem. In particular, mule account detection is a significant issue for financial institutions, both at account opening and within existing accounts.
In the world of mule accounts, there are criminals that open accounts with false paperwork or with a stolen or synthetic identity. There are also individuals who will sell their genuine account or multiple accounts to a criminal to make fast money. AML teams step in to investigate these accounts when there is a trigger, like a large transaction, that is indicative of money laundering. AML investigations can take weeks, months, or years once suspicious activity is uncovered. However, there are opportunities to prevent money from moving out of these accounts at all, and fraud teams can collaborate with AML teams to achieve this goal.
To reduce risk, “we need to blur the lines between fraud and AML teams,” Dasgupta said. One way to do this is by using technology that analyzes user behavior to uncover activity that is out of the norm for a genuine user, either at account opening or later in the customer life cycle.
Someone using an account for money laundering may behave like this:
- A customer opens an account and uses it like a regular account for awhile
- A criminal takes over or purchases the account from a genuine user and lays low, leaving the account dormant for a period of time
- Then, suddenly, there is a host of incoming payments followed by outgoing payments
Technology like behavioral biometrics monitors user behavior over time and at account opening to detect these patterns, and can flag the transactions or account for fraud, preventing them from going through if a case of money laundering is suspected.
Reduce Risk and Exposure and Create an Uninterrupted Account Opening Experience
Despite our best efforts, fraud will never completely go away. It will morph, as criminals are adaptable. “You have to find a way to balance what is an acceptable level of risk versus a delightful level of experience for the user,” Dasgupta noted.
One way is to layer machine learning and other technologies to “provide that balance between a beautiful user experience with the necessary amount of friction, but not an excessive amount of user friction, while at the same time reducing your fraud exposure,” Dasgupta said.
Behavioral biometrics looks at user behavior during account opening to look for indicators of criminal activity. For example, the use of copy and paste or excessive deleting when filling out an online application is common for criminals. Genuine users know their personal information from long-term memory thus their typing patterns will appear much different than a criminal using stolen PII. Because behavioral biometrics also works silently in the background, it does not add friction to the user experience. Instead, the technology identifies “tell-tale signs that can build a bigger picture of who’s behind it, how they are behaving, and what is really happening when someone is applying for an account,” Dasgupta said.
Prvu shared additional strategies for finding the right balance. First up is choosing controls that match your users and the devices they use. Mobile users are conditioned to provide a second factor, like a thumbprint, but your online banking audience might be less open to extra steps. Second is deciding what transactions are low risk for your organization and setting priorities for higher value transactions or clients. Financial institutions also shouldn’t cut corners on the measures they have in place to meet compliance requirements.
“In my personal opinion, we have to address reputational risk,” Prvu said. “If you don’t like what an FI does, you can switch apps and go to someone else. So you want to build that consumer trust.”
Shutting the Door on Criminals at Account Opening
Banks are susceptible to account opening fraud, but by layering smart fraud controls, they can reduce fraud risk while improving the account opening experience and increasing customer acquisition.
Watch the full discussion between Prvu and Dasgupta for more insight on account opening fraud and how top banks are approaching the problem.