In Episode 8 of Digital Tells we speak with Suzanne Sando, Senior Fraud and Cybersecurity Analyst at Javelin Strategy and Research. BioCatch recently published a report written on our behalf by analysts at Javelin Strategy and Research titled New Account Fraud A Threat Down Every Avenue.
In this discussion, Suzanne discusses many aspects of new account fraud, including identity theft and synthetic identities, stimulus fraud, the rise of Buy-Now-Pay-Later (BNPL), money laundering and anti-money laundering compliance, and opportunities for financial institutions to address these increasingly hot challenges.
Peter Beardmore [00:00:00]
BioCatch recently published a report written on our behalf by analysts at Javelin Strategy and Research. It's titled New Account Fraud A Threat Down Every Avenue. There's a link to the report in the show notes. And in the run up to the report's publication, I had an opportunity to talk with its principal author, Javelins Suzanne Sando. We talked about a range of topics from scams to mule accounts to buy now, pay later, and identity theft, all relating to the challenges institutions face when it comes to new account fraud and strategies for dealing with these challenges. If you're a regular listener to the podcast, you know that normally I script a narrative infused with clips from conversations I've had in preparation for each episode. But for this episode, we've decided to switch it up a little, mostly because I don't think there's really anything to improve upon Suzanne's commentary on all the topics we discussed. So here it is, my complete discussion with javelins. Suzanne Sandow, thanks for taking the time to talk with us today.
Suzanne Sando [00:01:10]
Peter Beardmore [00:01:11]
So, Suzanne, let's get started with just some introductions. Can you tell us what you do and what your origin story is, how you got to where you are?
Suzanne Sando [00:01:20]
Sure. I wish it was interesting in some of these Marvel movies I've been watching, but. So my name is Suzanne Sando. I am a senior fraud and cyber security analyst at Javelin Strategy and Research. And I've been there about two years prior to getting into the analyst role. I was actually doing a lot of behind the scenes coding work. So I worked for a major financial institution in the U.S. and I did a lot of payment systems, back end coding, worked a lot of personal information, a lot of private data. So I kind of have that technology background that I bring to this new analyst role.
Peter Beardmore [00:01:58]
So you've been working on a number of reports. Javelin just released, a fairly large identity related study, and you're also soon to release. Probably by the time this podcast comes out, we will have released a paper that you've done that's been sponsored specifically by BioCatch can you tell us a little bit about both pieces of research?
Suzanne Sando [00:02:19]
Sure. So the main identity fraud report, the larger report that you referenced, that's something that's in its 19th year and that we've been putting out. And, you know, we kind of take a look at all aspects of identity fraud, both traditional identity fraud and identity fraud scams. And we kind of look at the losses to financial institutions, the consumer impact. Where are the pitfalls? What are the things that some of these industry verticals can be doing better? What can consumers do better to try and mitigate some of this loss that's happening in tandem with what's going on in the world? You know, because obviously we've had a lot going on with the pandemic. I mean, that has just changed every single facet of life. And the report that you mentioned, that's kind of an offshoot of that larger report that I wrote for you guys for BioCatch that's more specifically targeted to new account fraud and how that has sort of taken off between 2020 and 2021.
Peter Beardmore [00:03:22]
Okay. So let's jump right into new account fraud, which is going to be the focus of our conversation today. What are the overall trends related to new account fraud? What are the highlights?
Suzanne Sando [00:03:32]
So 2021 was unfortunately just another year of record losses across the board. Overall, consumers lost 52 billion between identity fraud scams and traditional identity fraud, like, you know, account takeover, existing card fraud, and then, of course, new account fraud that we're going to talk about. And of that, 52 billion, 7 billion is attributed to new account fraud. So if you compare that with last year's losses of 3.2 billion, that's like a 109% increase in new account fraud losses for consumers. You know, I think new account fraud is so attractive to criminals because just the nature of our world and e-commerce and, you know, digital banking activities, it's not going to go away. We continue to get more and more digital centric as that technology advances. So that means that that, you know, attack surface for new account fraud just keeps growing, especially as our daily activities evolve from both, you know, like a necessity and a convenience standpoint. So once you give consumers that convenience, like opening accounts online, applying for loans online, it's so hard to take that convenience away without impairing the customer experience.
Peter Beardmore [00:04:49]
Or impairing your revenue.
Suzanne Sando [00:04:50]
Peter Beardmore [00:04:52]
As a as a lender or as a credit card issuer or what have you, for sure.
Suzanne Sando [00:04:56]
You know, we've also noticed that, like, it's not just checking and savings accounts and, you know, credit accounts that are driving this growth. Criminals are going to be motivated by any single thing that puts more money in their pocket. So payday loans, mortgages, even car loans are appealing to criminals. They don't need to know every single piece of a legitimate account holders information. It's just enough to get that application approved and get that fast cash. And of course, like, you know, I mentioned the pandemic, and that's a part of, you know, what we do for these reports. We look at what's going on in the world. The government is not immune to these problems. You have government assistance programs like the Unemployment Assistance Paycheck Protection Program. They're all facing huge issues with fraud. I read recently, I think that it. The Department of Labor reported 163 billion had been, quote, improperly dispersed, which could mean many things. But one thing it for sure means is fraud. It means that a lot of these funds went to fraudulent sources and there's a high chance that this money isn't going to be recovered. So I think the thing to take away from this is that criminals are so crafty in their exploitation and the techniques and the lengths that they're going to go to commit fraud.
Peter Beardmore [00:06:09]
Out of curiosity, you mentioned the Paycheck Protection Program and the unemployment assistance. I just saw a headline recently that talked about the DOJ was had been appropriated some X hundreds of millions of dollars for an investigation related to, I believe, unemployment fraud. Is that good money chasing, bad? I mean, is there anything that's going to come of that, given that those programs are effectively over at this point? What's to be gained by even chasing that do you know?
Suzanne Sando [00:06:37]
You know, part of me thinks that it's sort of a goodwill type of situation where we're trying to make good on these funds that were supposed to go to consumers who were really in need, small businesses who really needed that aid. But the fact of the matter is, if you you know, there's that 163 billion I mentioned, there's a full report from the testimony from the Department of Labor about that, you know, those missing funds. And I believe they mentioned that 4 billion at this point had been recovered, but 4 billion out of 163 not great. So, you know, like I said, I think it's it's a goodwill we're trying, but it's probably going to come to a very not great ending.
Peter Beardmore [00:07:22]
Just for clarity, you didn't mention those numbers, 52 billion and 7 billion in new account fraud? Are those global numbers or those?
Suzanne Sando [00:07:29]
Those are good. Thanks for for asking that. Those are United States. Those are U.S. numbers.
Peter Beardmore [00:07:34]
Okay, good. I just want to be sure.
Suzanne Sando [00:07:37]
Peter Beardmore [00:07:37]
And so with the new account fraud, the identity specific new account fraud, do you have any sense for are these legitimate ID legit, these stolen IDs? Are these synthetic IDs? You know, what what are the what are the sources?
Suzanne Sando [00:07:53]
Criminals are using all types of identities between actual stolen identities and synthetic identities to carry out this new account fraud. Some are legitimate consumers. They, you know, have had their information exposed in the data breach. And then it's sold on the dark web for extremely high prices. And then other identities are pieced together using some real consumer PII. And then fake information is kind of thrown in the mix to create that synthetic identity, which then ideally, ideally for the criminal (chuckles) ideally is untraceable back to a real person. So, you know, when it comes to. What… What it is that they're using? I think it always goes back to what's available. You know.
Peter Beardmore [00:08:39]
Let's shift focus here a little bit. One of the big trends we hear a lot about in the news lately and there were mentions in in your reports was related to buy now pay later and also I guess there's some other related fintech type offerings that are out there with respect to making credit more available to consumers in different forms. Can you talk a little bit about what buy now, pay later is and why it it is so attractive to fraudsters?
Suzanne Sando [00:09:11]
That's a great question because I think that there's a lot of gray area around bnpl for consumers. So the main difference between Bnpl and, you know, a traditional credit card like a store credit card is that, you know, your site, you're getting these products by signing up for installments, but there's typically no interest on the purchase. And there's also not like this huge approval process standing in the way of you actually making that purchase. You don't have to have this amazing credit to get approved for a bnpl plan. So, you know, it's it's good for the consumer because they can get the thing they want and it's good for the retailer because they can draw in more people to buy their product and make more money. And they're not just having to target, you know, higher incomes. So, you know, if you want to buy, I don't know, a guitar, for example, but you can't afford the full purchase price upfront. The idea behind Bnpl is you make one payment upfront, which includes usually a fee for the Bnpl platform because you know they're going to make money too, with the promise then of making the other payments on an agreed upon schedule. The consumer, you know, is able to take advantage of bnpl with as many merchants that offer that option as within the checkout process. Whereas, you know, a traditional store credit card is obviously going to be tethered to a specific retailer. And then even interestingly enough, there's now been this explosion of financial institutions and credit issuers who are getting in on the competition. They're offering their own version of, you know, installment plans to kind of keep up with what consumers want and the competition in the market. And as far as fraud goes, you know, it's certain it's just like everything else. It's not without its faults, you know, besides the effects that it can have on a consumer in terms of if they miss or make late payments, they rack up debt. I think bnpl providers face a really difficult road with fraud in terms of detecting and preventing it by stealing a consumer's identity, a real consumer's identity, and opening up a bnpl account, a criminal can then purchase a significant amount of goods and stuff the consumer with the bill, and it's one that, you know, they might not find out about until those payments start rolling in. So since the plans, it kind of depends on the platform you're using and the customer's needs. That repayment can start within days or it could be months after the fact, which leaves that fraud undetected for a significant period that that can cause real problems, not just in terms of late payments. It could ding your credit. If you've got these missed payments, it can have real consequences. And then I think even trickier to kind of go back to the synthetic identity that you had mentioned after successfully setting up that account using real PII mixed with fake information to fill in those gaps, criminals will start making those big ticket purchases and then when it comes time to pay again, this time there's nobody left to make those remaining payments. So that creates substantial loss for retailers who now have no way to make good on these installment payments. And so I think Bnpl fraud is really lucrative for criminals because they can make these highly priced purchases for a fraction of the cost. They're just making that first installment payment and then they can turn around and sell it for full price. I feel like I'm giving away secrets of the trade, but yeah, you know, so I think the the good thing here is we're kind of getting to a point now where there might be some regulation for Bnpl. You know, people are talking about it. The government wants to get in on regulation for this in order to protect consumers. And we kind of have to hope that maybe there's going to be some fraud guidance and protection baked in as well.
Peter Beardmore [00:13:07]
Who's ultimately left with the liability? So is it the is it the Bnpl company or is it the retailer itself when the payment is not made?
Suzanne Sando [00:13:16]
That's a good question. And again, I think that's kind of another gray area that we're working with, because you have to imagine that there is an agreement that's that's built into when a retailer gets set up with a bnpl platform. But it also, I think, kind of depends on the circumstances of the individual fraud event. It may vary between fraud types. It may vary if the consumer can prove that it was scam or whatnot. It kind of depends on what really happened. And that's another thing that I think it would be good for both bnpl platforms and financial institutions and retailers and the like to have that regulation in place that also addresses fraud.
Peter Beardmore [00:14:03]
Yeah, because also somebody has to go and investigate this.
Suzanne Sando [00:14:06]
Peter Beardmore [00:14:06]
There's a cost associated with that as well.
Suzanne Sando [00:14:08]
Yep. Those operational costs can really add up.
Peter Beardmore [00:14:11]
I want to shift focus again here and talk a little bit about money laundering. You know, we've seen over the course of the past six months a couple of major fines, one in Europe with HSBC, I believe one recently here in North America with USAA, both sort of relating to not ignoring AML requirements, but sort of neglecting the full force and effect of AML requirements. Is there an identity component here as well? And if so, how does that work?
Suzanne Sando [00:14:46]
You know, one of the trickiest things about anti-money laundering practices is the balance between observance of AML policies adhering to these to these policies. But then the competition to gain account holders and revenue. So while you're following regulatory guidelines, financial institutions want to entice new customers and members. They want to have incentives for opening up accounts like, for example, policies for immediately available funds. So as soon as you open up the account and you make a deposit, those funds are ready and available for you to withdraw and use. And I think that this attracts a certain group. That is constantly monitoring what these policies are and they're looking for vulnerabilities that they can exploit for their own financial gain, and that that fits in perfectly, I think, with that identity component.
Peter Beardmore [00:15:45]
And where in particular are the and you may not have an answer to this question, I'm not sure. But what are the weak points? Right. If you look at this in terms of a kill chain, if you will, of protection. Right. What are the weak points in the chain that institutions are failing at?
Suzanne Sando [00:16:02]
I think right from the get go, when you have someone opening up a new account and you cannot, you think you know who's on the other end of that interaction, but you don't necessarily know. And that's kind of where money mules come into the picture here. It fits in perfectly with that because, you know, once those organized groups, as organized crime groups find that vulnerability that they want to take advantage of, that's sort of when they recruit their consumers, their money mules, to start laundering that money with the promise, you know, of some financial reward for very little effort. And so how that starts is they start opening these accounts, they start pounding these financial institutions to get these accounts open and immediately start using their account to get those funds. And I think the difficult part here is the layering and the concealing of funds. When we talk about AML, it's really difficult for law enforcement to trace when there are so many different hands in the pot and so many different ways that that money is being moved. You know, once you get that account open, you might be depositing a counterfeit check and you might be using a prepaid debit card, opening up traditional bank accounts. And then on top of it, you kind of add this complexity to the mix of consumers who they know what they're doing, they know what they signed up for, they're willingly doing the muling. And then there's those who are scammed into it through like employment scams, romance scams. And if you look at the guidelines and the guidance that the FBI has put out about money, muling they mention very specifically that like even if you don't know what you're doing, it's still a crime. So I think the two main points here to take away for, you know, financial institutions is, number one, it's that new account opening where you don't know who it is that you're working with. So if you're not verifying that identity, you're not using good ID proofing, you are going to be overwhelmed with new account fraud. And then on top of it, it's that element of you need to make sure that your consumers, your customers and members know what to look for when they are getting scammed into doing the dirty work for the criminal.
Peter Beardmore [00:18:14]
And it's really difficult to be able to detect when this is happening when you're the bank, because in most cases it's legitimate people with legitimate Social Security numbers and addresses and.
Suzanne Sando [00:18:26]
Peter Beardmore [00:18:27]
Credit histories and other accounts. Right. So the traditional KYC approach to validation of a user or an account holder, they don't necessarily apply in the circumstance.
Suzanne Sando [00:18:40]
And it's interesting that you bring that up because in Javelin’s research, we noticed that 55% of consumers said that new accounts were opened in their name at their existing primary financial institution. So if I have this history, like you said, they've got this this history of we know who this person is. We know Suzanne Sando. She has an account at ABC Institution, so she's got to be legit. Of course, she wants to open up another checking account. Of course she wants to open up a savings account. And so, like you said, that aspect I think is what is really tricky. It's knowing at that point then what are the important pieces of information to look at? How do we assess this person who's opening this account and make sure I know who this is for sure?
Peter Beardmore [00:19:30]
So obviously this will be a self serving question. You can answer it however you like, but I would imagine that you get into conversations with financial institutions frequently about how do you go about doing this? Obviously BioCatch is in the game of behavioral biometrics, but what are the conversations like when you get into this? You know, okay, there might need to be another technology in the stack here to figure this out or to identify an indicator of risk in the circumstance where you've got a legitimate applicant applying for a seemingly legitimate account, but for nefarious purposes. How does behavioral biometrics fall into that discussion?
Suzanne Sando [00:20:08]
So this is another one where I have a lot of thoughts. You know, something that (chuckles) something that we talk about a lot with our clients specifically, you know, financial institutions is that balance of the customer experience. And making sure it's frictionless, but still maintaining that level of security. And I think for a lot of institutions, they don't want to introduce additional friction, what they perceive to be additional friction into the process to kind of drive consumers away. And in my eyes, the account opening process is kind of make it or break it for a lot of organizations. If the application is too confusing, if it takes too long, you're risking application abandonment. So you have to make sure that what you're doing works for both the consumer and it works for your organization. So to kind of bring that back to behavioral biometrics, that is one of the things that we really impress upon FI’s as being incredibly important for this I.D. proofing. Consumers want to know that their PII is protected and they should be able to trust that the organizations have solutions in place to ensure that, you know, accounts aren't being fraudulently opened in their name. But equally as important when balancing that user experience and that friction. Consumers want to know that they're not going to have to jump through all these extra hoops to prove who they are and that they are who they say they are. So for me, the best solution takes full advantage of behavioral and device use biometrics. One of the hardest things for a criminal to fake or recreate is the inherent behaviors of a consumer. You know that thing that is distinguishing you from me? People are very hesitant to give up their passwords because it's very easy for consumers to use, but it's equally as easy for a criminal to crack. But as soon as you introduce behaviors and habits, that really adds a layer of complexity to the entire process. An important to note here is that very little friction is going to be introduced for legitimate consumers. Because when you use behavioral biometrics, it's all it's a combination of PII that they should already know and behaviors that they already have. So when you pair some of those behavioral biometrics, so for example, keystroke your mouse movements, the way you move around on your phone, the way you hold your device, that really gives a financial institution key data into the identity of the person on the other end of that interaction. And there are even, you know, more nuanced things that can be used during that account opening process. So the way a consumer moves throughout the application, the way they scroll, how they type, not just the speed but the cadence and all of that, it's very telling. The way you type in the PII that you should be familiar with your birthday, your Social Security number. Consumers who are really familiar with that info, they enter it differently and they move around a session differently than a criminal is going to do it. A criminal is attempting new account fraud. They're trying to overwhelm the system and open as many accounts as they can in a short period of time. And so all they're going to do is the bare minimum they're going to bring to that application. They're going to do everything as fast as they can. They're not paying attention to optional fields. They're not reading disclosures and agreements. Whereas genuine consumers who are opening these accounts, they're going to take the time to review more than just the bare minimum.
Peter Beardmore [00:23:50]
Have you had conversations? We talked a little bit about scams at the beginning, but also mules, right where you've got these situations where you've got a legitimate user that may be in a position where they're doing something that is not in their best interest because they're being coached by a scammer or they've been recruited in the mule activity, which again is not in their best interest because they'd be violating AML laws or what have you. Have you had discussions with financial institutions who are using any of that technology and got any insights to how they're actually communicating with those victims in those circumstances?
Suzanne Sando [00:24:25]
You know, I think that well, a lot of our research relies on self-reporting. So if the consumer doesn't know that they're being scammed, we won't know either. And there's also sort of this stigma around scam victims, and I would imagine also unwitting mules who don't know that their, you know, what they're doing because they're also scammed into it. There's this negative connotation around scam victims that, you know, sometimes might feel ashamed of what they did because they can't believe they got scammed into doing something. And so that data is not readily available to us. But I do think that having some of those contextual clues with a consumer who is legitimate, like let's say I'm opening another account, I'm being scammed in opening another account where I'm already an existing cardholder. My financial institutions should be able to use some of those contextual clues to say this is not how she normally acts when she's opening up an account. Maybe it's taking me a little longer to do something than it should, or maybe it's taking me even faster than it should. So I think that some of those aspects should play into that identity proofing solution.
Peter Beardmore [00:25:38]
Let me just ask you a little bit about the decision making process and the factors that go in to financial organizations or even fintechs decisions around their anti-fraud stack. Could you shed any light on what are conversations like in 2022 when when organizations are looking at what should be in that stack or maybe what should we trim, or is there a high degree of risk of new tack or anything along those lines?
Suzanne Sando [00:26:07]
Sure. I think that one of the main things that we hear a lot is what is our investment? And I don't just mean monetary, you know, am I able to take the solution and almost immediately plug it into what I'm already doing? Am I able to mold it to be what I need it to be? So that's kind of where having a solution that is rules based is very helpful because you can take these aspects of the account opening process and say, okay, Suzanne's application has a score that's kind of low because this is a rule that we have set up on our end. We can say, let's send this for a manual review. So I think that one of the important things here is, is it configurable and is it something I can easily get going and start using almost immediately with very little integration or deployment on our end? And I think that's another important aspect of this too, is to go back to manual review. I think that going into using a solution like this, you know that (chuckles) it's not going to take away every manual review. It shouldn't if you're never having to manually review an application that might come through this solution. Something might be wrong here. (chuckles) But the point is, is that if you can help cut down on the time that it takes for an employee to do that manual review, you're cutting back on operational costs because now that employee can do what they are really supposed to do, which isn't just necessarily manual reviewing every new account application that comes through. So I think those are some of the really important things to to consider when you're looking to add to your your broad technology stack.
Peter Beardmore [00:28:01]
So there's a let me just surmise and make sure I get you correct is that there's a technical integration piece here, which obviously we want to minimize the the impact or the the disruption that goes along with that. There's the workflow that occurs in relation to that. In other words, is it substantially affecting the workflow that we currently have in place to the point that it would be too disrupting? And then there's the what's the overall impact on operations? Ideally, if it can lower the total operational time it takes per application or what have you, all the better.
Suzanne Sando [00:28:38]
Exactly. That's exactly it. And really, at the end of the day, are we weeding out these new accountants that are fraudulent? That's another obviously important piece of it. But yeah, I think that about sums it up.
Peter Beardmore [00:28:52]
And that was my conversation with Javelin’s, Suzanne Sando. As I mentioned at the top of this episode, you can find that report, Suzanne, authored for BioCatch, New Account Fraud, a Threat Down Every Avenue. It's on the BioCatch website. There's a link to it in the show notes. Digital Tells is written and narrated by me, Peter Beardmore, in partnership with my producer, Doug Stevens of Creative Audio and Music and with support and sponsorship from Bio Catch. Special thanks to Suzanne Sando from Javelin Strategy and Research. For more information about this episode, behavioral biometrics, or to share a comment or idea, visit biocatch.com/podcast. Until next time, take care.