By Raj Dasgupta, Director, Global Advisory, BioCatch
The last two years have created a perfect storm for account opening fraud. Many banks and organisations were unprepared to handle an increase in online transactions and the widespread usage of digital services spurred by the pandemic. Criminals exploited the system by falsely applying online for economic relief packages and then opening bogus accounts to deposit their stolen money into. It has been revealed that account opening fraud in the UK, was at its highest level in more than three years in 2021.
The latest wave may have passed, but there are ripples in the distance. Criminals are opportunistic, and their strategies are continuously evolving. As highlighted in our recent webinar with the Royal Bank of Canada, it is critical that financial institutions are aware of the latest account opening fraud strategies, finding a balance between decreasing risk and exposure, while providing a great customer experience.
New Strategies for Account Opening Fraud: Combining Human and Non-Human Activity
Account opening fraud enables criminals to carry out money laundering. As we saw with economic relief packages, criminals are targeting where the money is — claiming unemployment or stimulus benefits, for example — and opening accounts to deposit stolen funds. They then move the money out to other accounts, often many times over, or buy cryptocurrency to conceal to make it hard to trace the origin of the funds.
Financial institutions that rely on PII or device-based risk assessment to detect account opening fraud are finding that their controls are falling short. Criminals have clean sets of PII data to work with to make their way through the account opening process, and the problem is so commonplace there are even how-to videos on YouTube to walk would-be criminals through the process. Because of the flurry of activity, banks had to act and began investing in new technology, like machine learning-based models, to shut the door on criminals. However, they have continued to adapt.
Criminals have a new MO and are using bots to open accounts at scale. Criminals leverage automated scripts and large caches of stolen PII to submit new account applications in minutes. Because most banks have bot detection technology in place to detect this activity, criminals have modified their attacks to blend real human interaction or introduced time delays on purpose with the intention of mimicking a human.
It’s now an incredibly sophisticated operation, mixing human activity and non-human programs to attack and confuse financial institutions.
Risks for Anti-Money Laundering and Fraud Teams
Although account opening fraud is a critical component in the money laundering supply chain, there is room for AML and fraud detection teams to work together on the problem. Mule account detection is a serious challenge for financial institutions, both at account opening and within existing accounts.
In the world of mule accounts, there are criminals that open accounts with false paperwork or with a stolen or synthetic identity. There are also individuals who will sell their genuine account or multiple accounts to a criminal to make fast money. AML teams’ step in to investigate these accounts when there is a trigger, like a large transaction, that is indicative of money laundering. AML investigations can take weeks, months, or years once suspicious activity is uncovered. However, there are opportunities to prevent money from moving out of these accounts at all, and fraud teams can collaborate with AML teams to achieve this goal.
To reduce risk, we need to blur the lines between fraud and AML teams. One way to do this is by using technology that analyses user behaviour to uncover activity that is out of the norm for a genuine user, either at account opening or later in the customer life cycle.
Someone using an account for money laundering may behave like this:
- A customer opens an account and uses it like a regular account for awhile
- A criminal takes over or purchases the account from a genuine user and lays low, leaving the account dormant for a period of time
- Then, suddenly, there is a host of incoming payments followed by outgoing payments
Technology like behavioral biometrics monitors user behaviour over time to detect these patterns, and can flag the accounts for money laundering activity, preventing money transfers from going through.
How to Create an Uninterrupted Account Opening Experience
Despite our best efforts, fraud will never be eradicated. It will change because criminals are flexible. “You have to find a way to balance what is an acceptable level of risk versus a delightful level of experience for the user,” Dasgupta noted.
One way is to layer machine learning and other technologies to “provide that balance between a beautiful user experience with the appropriate level of friction, while at the same time reducing your fraud exposure,” Dasgupta said.
Behavioural biometrics examines user behaviour during account opening to detect signs of illegal conduct. Criminals, for example, frequently employ copy and paste or excessive deletions while filling out a web form. Genuine users know their personal information from long-term memory and thus their typing patterns appear much different than those of a criminal using stolen PII. Because behavioural biometrics also works silently in the background, it does not add friction to the user experience. Instead, the technology identifies tell-tale signs that can build a bigger picture of who’s behind it, how they are behaving, and what is really happening when someone is applying for an account.
There are additional strategies for finding the right balance. First up is choosing controls that pair well with your users and the devices they use. Mobile users are conditioned to provide a second factor, like a thumbprint, but your web banking audience may be less open to extra steps. Second is deciding what transactions are low risk for your organisation and setting priorities for higher value transactions or clients. Financial institutions also shouldn’t cut corners on the measures they have in place to meet compliance requirements.
Banks have to address reputational risk, too. If today’s discerning consumer doesn’t like what an FI does, they can switch apps and go to a competitor.
Banks are vulnerable to account opening fraud, but by stacking smart fraud controls, they may reduce fraud risk while improving customer acquisition and improving the account opening experience.
