Why Identity Fraud Persists Despite Regulation

If you read Part I of our blog series on identity fraud you almost surely remember the sum totals of the losses attributed to it - some $37 billion, larger than than the GDP of three states.  Fraudsters are indiscriminate about which type of transaction to target, and will go for everything from run-of-the-mill credit applications, to money orders and transfers, to even safety deposit boxes -- as long as they know they stand a good chance of getting away with it.
 
They get away with these crimes, it should be noted, despite a robust body of rules governing the handling and tracking of financial transactions. A small sampling of the major ones:
 
* FACTA (Fair and Accurate Credit Transactions Act of 2003) and its associated Red Flag Rule - requires financial institutions and any merchant with a “covered” account to set up a system of proactively identifying identity fraud and notifying customers of any suspicious activity; in addition to verifying customer changes of address as legitimate. (We covered the FACTA issue extensively, explaining what it is and what it does, in a series of blog posts during the summer of last year).
 
* CIP (Customer Identity Program) - requires financial institutions to preform ID verification on customers both new and existing, whenever they perform any type of transaction. The CIP itself is part of a larger series of rules established under the Bank Secrecy Act (BSA), which established financial institution and merchant reporting requirements as a way to combat money laundering.
 
* OFAC (Office of Foreign Assets Control) -  restricts financial transactions involving countries officially sanctioned by the United States government.
 
There are also CPI regulations (not to be confused with CIP above), Title 31 regulations for casinos, and many more. The upshot of this whole alphabet soup of rules and requirements is that the true cost of fraud, taking into account the law-mandated investigations, reporting and possible fines -- which can easily reach into the millions for large violations -- is much larger than just the initial loss. About three times larger, in fact, according to a Lexis-Nexis study published late last year: for every $100 in fraud committed, the total loss including time and manpower spent on investigation, interest, and making the victims whole again, comes out to be about $310. Now imagine that $37 billion loss to identity fraud tripled in size, and you start seeing the full scope of the problem.
 
So why has identity persisted, waxing and waning, in spite of all these regulations and huge losses? Part of the reason can be traced back to the standard identity verification process. Each time an individual has to prove they are who the say they are, the steps are largely the same. The customer’s personally identifiable information - address, social security number, date of birth, driver’s license number - is gathered and cross-checked against the information from one of the usual assortment of agencies -- LexisNexis, say, or ID Analytics. That works great -- as long as identity thieves do not obtain their info from those very agencies. Which can happen via a large-scale hack; or just creative social engineering such a fraudster posing a bank employee.   
 
In other words, this type of process verifies fine the existence of identity, but does not authenticate that identity. This is an important distinction, and one we have talked about before: just because the identity is confirmed as legitimate does not necessarily mean it belongs to the person presenting it. That kind of authentication, conducted by ensuring the identity documents are genuine, is only done as the last, almost perfunctory step in the identity verification process. Which is exactly backwards, and why fraudsters have been able to game the system for so long.
 
What is needed is a re-design of the process, focusing on identity document authentication. While fraudsters can gain enough personal information about their victims to fool any database check, they will be discovered the minute they have to show their ID. That emphasis on genuineness of the ID, rather than identity. should be the basis of every transaction, and one that Fraud Fighter is best equipped to handle. To see how our techniques and technologies enable this new authentication process, read on to our last part of the blog series.