Latest Products

The Need to Close-in on Identity Fraud

Thursday 17 May 2018

* This article was originally published in the
GRC Professonal: Financial Crime 2018 Edition.

by Eveline Estephan 

Modern society has been marked by the significant evolution of financial crime—arguably to the point where, these days, the risks are no longer predictable and barely even manageable. Consequently, we are now surrounded by and exposed to numerous financial risks from various avenues, the most probable being identity theft with intent to commit financial crime.

The threat of identity theft is almost all-pervasive, from perpetrators targeting our letter boxes, to governance failing to protect our identity, and various data breaches, to name a few. What is particularly concerning, however, is that our identities are being traded on the black market, with current laws, regulations and controls failing to capture the perpetrators.
In today’s global world, we live in a
Risk Society in which financial crime risks are unknown, unpredictable, universal and irreversible. In such an environment, and with the unprecedented ascent of financial crime, facilitated by an exponential growth in technology, customers’ identification laws and regulations are fast becoming outdated, causing governments, regulators, and the financial sector to scramble to keep abreast of the pace.

Nowadays, criminals have built galleries filled with collections of financial crimes in which additional criminal opportunities are available for fraudsters. Strategies that worked in the past to reduce financial crime are no longer effective. Cohen and Felson (1979) stated that “crime results from three interrelated events that occur at the same time, in the same place: a motivated offender, a suitable target, and the lack of a capable guardian”. Well, it is noticeable that, currently, the intersection of these three events at the same time and in the same place is easier than ever, with the eradication of geographic boundaries, the increased supply of motivated offenders and the absence of controls (Benson & Simpson, 2015).

It is incorrect to assume identity fraud is new. However, it is an increasing risk facing everyone. Technological advancement in the financial landscape, coupled with lawful electronic identification and verification of customers, are major contributors to the rise of identity fraud activities within the financial industry, enabling money laundering, terrorism financing, sanctions’ breaches, and other criminal activities.

Governments, regulators and financial institutions need to look closely at existing loopholes within customer identification rules to stop perpetrators from using our stolen personal data to execute their criminal activities.

Financial institutions represent a lucrative market for fraudsters to use stolen identification in order to gain access to financial products and services to perform various criminal activities. Nowadays, you do not need to visit a branch to do your day-to-day banking, nor to open a bank account or even to apply for a loan. Similarly, criminals do not need to break into your house to steal your money or your banking details. Online Identity Fraud in the financial industry is a primary concern that financial institutions are struggling to control.

According to the Attorney-General’s Identity Crime and Misuse in Australia 2016 report (PDF) (report), identity fraud was the most frequent type of crime by which individuals were affected, and the finance industry was the most prominent industry via which personal information was stolen. The report identifies a combined total of 27.7% of instances in which personal information was stolen via online banking transactions, ATM transactions, or Eftpos transactions. Additionally, the report indicates that, during 2014 and 2015, 1,959 Suspicious Matter Reports (SMRs) were submitted to Australian Transaction Reports and Analysis Centre (AUSTRAC) with the suspicion being ‘false name and identity or false documents’.

The report also indicates that financial institutions are using Document Verification Services (DVS) as a prevention tool against identity crime. This is a superficial control, as it is able to be circumvented easily. If perpetrators are able to open an online account or apply for a credit facility using the victims’ identities, they would likely already be in possession of the victims’ identifications, and thus be able to cite complete and accurate data, thereby passing the DVS automated verification. The automated verification technology’s primary limitation is the absence of physical verification, providing fraudsters with a comfortable opportunity to undertake online activity without presenting themselves and their identification documents to a financial institution, physically. The non-face-to-face environment is removing one layer of fraud detection where fraudsters have more confidence in performing their criminal activities without being caught. It is also evident in the report that existing controls within the financial institutions are failing to detect identity fraud. One highlighted case in the report was that of an employee of a South Australian car dealership who was able to apply for numerous loans using the details of customers whose cars had been serviced at the dealership, and to fraudulently obtain large amounts of money from various financial institutions. Moreover, the report indicates that stolen identity information is in high demand on the internet ‘dark web’ and therefore is highly lucrative in itself. Accordingly, government, regulators, and financial institutions should consider these risks in their policy-making, and update legislation, regulations, and controls to mitigate this risk, which has proven capable of affecting anyone.

Taking identity fraud risk within the financial industry one step further into the future, it is crucial to touch on recommendation 3.4 (identity verification assessments) of the Treasury Review into Open Banking December 2017 (PDF). This recommendation provides that ‘If directed by the customer to do so, data holders should be obliged to share the outcome of an identity verification assessment performed on the customer, provided the anti-money laundering laws are amended to allow data recipients to rely on that outcome’. This recommendation further exacerbates the risk inherent in the growing realm of identity fraud. In instances where fraudulent identifications have bypassed the controls of the first financial institution via DVS automated verification, perpetrators are able to progress further and make their way to other financial institutions through the reliance on the verification approved by the initial financial institution.

Generally, it is accepted that certain risks are hard to control and prevent, due to insufficient foresight into future events in an ever-changing technological landscape. For example, the emerging Blockchain technologies and their suggested use for customers identification. However, DVS automated verification risks are apparent and high; therefore, controls should be in place to prevent criminals exploiting them. They say those who cannot recall the past are condemned to repeat it. The Government should act on its own findings of identity fraud and legislate to strengthen the system on which we depend.

About the author
Eveline Estephan is a Sanctions Support Officer at Westpac and a student at the Australian Graduate School of Policing and Security, CSU.