The Economic Growth, Regulatory Relief, and Consumer Protection Act, which became law this spring, contains an important legislative development to fight identity theft and synthetic identity fraud.
Synthetic fraud is one of the fastest-growing and hardest-to-detect forms of identity fraud that enterprises face today, which makes the law relevant and timely.
But as the law stands, it doesn’t go far enough to protect consumers or lenders.
Section 215 of the law focuses on reducing identity fraud by directing the Social Security Administration to facilitate the verification of consumer information upon request by a certified financial institution. The proposed service will validate a consumer’s name, social security number and date of birth in real time or via batch. It requires gathering consent from a consumer, but no longer requires the collection and submission of hard-copy wet signature on an SSA consent form, which is a major obstacle to using current SSA services. Electronic consent will allow financial institutions to verify identities more quickly and at scale in connection with a credit transaction.
This will help prevent certain forms of credit card fraud by allowing the bank to verify that the Social Security number asserted on an application truly belongs to the applicant, a capability not readily available before this change. Synthetic fraudsters have used the lack of verification ability to create fictitious identities to defraud lenders, and in some cases inadvertently ruin the credit of the legitimate owners of those identities.
Yet while this regulation has the long-term potential to significantly reduce synthetic identity fraud, the final rules are subject to an SSA implementation process, and current reading of the law presents three potential concerns.
First, there are concerns that some divisions within a bank could be blocked from using the service. Use of the system is restricted to cases described under Section 604 of the Fair Credit Reporting Act, which establishes permissible purposes to provide a consumer report. When it comes to detecting financial fraud, the most relevant intended use relates to the proposed extension of credit. But absent an approved use case, certain noncredit arms of financial institutions could arguably be blocked from using the service. For example, the opening of a demand deposit account or an investment account could be excluded, despite know-your-customer regulations.
Second, the requirement that a consumer provide an explicit consent to run the check would preclude a financial institution from performing portfolio validation of already-opened accounts. Short of going back to current customers with a request to obtain consent, no action can be taken to identify existing fraudulent accounts. Setting aside the logistical implications of obtaining the authority to proceed with evaluating current accounts, one could reasonably expect that fraudsters would be most unlikely to give their consent. In other words, fraudsters could remain undetected.
Finally, many key parties in the financial reporting system are excluded, including telecommunications companies, fintech providers and nonbank lenders. This creates a loophole for synthetic fraudsters to build credit histories through institutions unable to verify identities through the SSA. Consider one example: A fraudster uses a synthetic identity to open a cell phone account and take out several online loans. He maintains a positive payment history for a few years and builds up a solid credit report. The presence of a credit history and the cost of the verification might drive financial institutions to elect not to run the SSA check for what appears to be a legitimate, low-risk consumer. Even if they do run the check and decline the application as fraudulent, other lenders without access to this service will remain unaware of the fraud, with continuing impact to enterprises, consumers and other participants who rely on accurate credit reporting.
Section 215 is the best version of the measure that could be passed at the time and is a significant move in the right direction. The only way to stop fraud is to apply broad, universal protections to detect latent synthetic fraud and prevent new synthetic account openings.
To reiterate, the SSA’s exclusion of industries like telecommunications and nonbank lenders allows the continued creation of synthetics with potentially devastating results to the U.S. economy. Industry leaders now need to step up, collectively, to improve the law and to ensure the SSA provides a usable service. As synthetic identity fraud evolves and proliferates, it is imperative that the financial services industry works to stop the spread of this synthetic epidemic.
This article represents the author's own opinions and does not necessarily reflect the views of his employer.