Technological advances mean that financial institutions are automating the handling of documents to remove manual work, improve accuracy and make better decisions. In the rush to gain such efficiencies, however, many institutions could be leaving themselves wide open to fraud – and not even realise it.
By Jan Syrinek
Product Manager at Resistant AI
Documentation is necessary, but no financial institution wants to be bogged down with manual work that is costly, time-consuming and error prone. So, when technology vendors come a-knocking offering to automate their document-handling processes, it is a no-brainer. Automation cuts costs, improves accuracy and creates efficiencies for financial institutions, but… it also does the same for fraudsters.
The business of automating documents is booming, and various early-stage technology providers have successfully raised funds in the last couple of years. In fact, according to Deep Analysis, the level of investment by venture capital firms in intelligent document processing companies is unprecedented (https://www.deep-analysis.net/intelligent-document-processing-market-analysis-2022-2026/ ). There are over 400 companies in this space, and according to Deep Analysis’ research, the market size is set to double from US$2 billion in 2022 to US$4 billion in 2026.
For financial institutions, the technology is attractive and there are numerous use cases. In the banking business, for example, it could be used to streamline the assessment of documentation in loan applications, verifying identification during know-your-customer checks, or handling trade finance documentation. And there are other applications in the support functions of organisations, such as marketing, IT and finance.
Consultancy Roland Berger analysed[1] more than 50 use cases of the technology for banks and identified seven examples that have the most potential, with up to 80% efficiency gains. These are billed as ‘no regrets’ moves for banks to automate and include applications for automated data extraction and document processing as well as for fraud prevention and anti-money laundering (AML) compliance.
These two use cases, however, should be linked. By pressing ahead with document automation and not considering the risks of fraud and financial crime, banks could be sowing the seeds of their downfall. Compared to other organisations, the risks for financial institutions are much greater – because that’s where the money is. Get this wrong, and banks are at risk of being defrauded of vast sums of money. They could also be facilitating heinous crimes by organised gangs – such as human trafficking and slavery – which in turn could also result in a business-ending fine from the authorities.
These issues have arisen because of the rapid developments in technology. Optical character recognition (OCR) has made it possible to scan paper documents – with unstructured data – and convert them into text. Meanwhile, robotic process automation (RPA) has automated repetitive tasks by setting up rules for the robot to follow. And intelligent document processing (IDP) – as the name suggests – is more intelligent and can automate the whole document-handling process, using machine learning to train itself on the best course of action. Added to this is the buzz surrounding generative artificial intelligence (AI) and its ability to create natural language and produce multi-media content.
These technologies are a boon for financial institutions – and also to criminals who are exploiting them to launch automated attacks at scale. Preventing fraud and financial crime has to go hand-in-hand with any document automation; one without the other could be leaving the door wide open for increasingly-sophisticated fraudsters.
One line of attack is during customer onboarding where fraudulent identity documents are used to open bank accounts for the purposes of money laundering. Given the advances in automation, this can be done repeatedly – and at scale.
At Resistant AI, we have seen cases where a single bank statement was edited and resubmitted nearly 1000 times to a single institution over 90 days— with slight modifications made to names, addresses, and numbers — for attempted account openings. This practice makes it easier to substantiate stolen identities that can be bought on the web for as little as US$10. It is also easy to buy document templates online – for bank statements and pay stubs for proof of income, utility bills and leases for proof of address, and business licences and permits for proof of business operation – without even needing to go on the dark web. The financial system is being flooded with such false documents, which institutions are automatically processing.
This kind of mass serial document fraud is a real risk to financial institutions, particularly if they have automated their document processes: intelligent document processing can read, transcribe and analyse documents but can’t determine whether they are authentic. Greater automation allows criminals to ‘fuzz’ the system: constantly submit various document alterations to test the system for vulnerabilities. Instead of ‘hacking in’, now criminals are ‘hacking through’ automation systems by overwhelming the controls that are in place with false documentation.
While fraudsters are using the same templates over and over, some financial institutions may not even realise the scale of the problem. Banks may be bombarded with fraudulent documents and not even know it because on the face of it, the documents look genuine—and even if one instance is caught, it is hard for humans to share exactly what they saw. AI, however, can reveal how the creases on an energy bill are exactly the same for dozens of versions. Or maybe a photo submitted for identification was taken on an iPhone 6 but submitted by another kind of device. Perhaps the shadows in the selfie background are the same for other onboarding applications. These are just some of the hundreds of red flags that the right kind of AI can detect – signs that would otherwise be invisible or ignored.
In the face of this automated onslaught, financial institutions need to do better. As they automate their document-handling, they need to do this in tandem with their risk controls and ensure they are not leaving themselves wide open to attack.
[1] https://www.linkedin.com/search/results/content/?keywords=roland%20berger%20banking%20use%20cases&sid=cx5&update=urn%3Ali%3Afs_updateV2%3A(urn%3Ali%3Aactivity%3A7096073383712313344%2CBLENDED_SEARCH_FEED%2CEMPTY%2CDEFAULT%2Cfalse
