Regulations, compliance and overall risk management place a significant operational burden on financial services.
Online lenders are no different. You have to comply with multiple regulatory requirements, and you are- like any other financial service- very susceptible to fraud.
If you want to prevent and reduce loan application fraud, your strategy and fraud detection system should include a combination of identity verification, account onboarding protection, and account monitoring.
In this post, we’ll explain how identity verification and Know Your Customer processes are related, and how you can expand them for better fraud coverage.
We’ve also provided specific recommendations for identity verification security tests, and account origination protection strategies that can help you prevent fraud during the loan application process.
…We’ll leave account monitoring for a following post.
Disclaimer: What you won’t learn here
For the purposes of this article, we’ll focus on the aspects of fraud that have to do with identity theft, and account origination fraud.
We will not be discussing the aspects of identifying fraud that involve defaulting on a loan due to the inability of an individual or business to pay back an acquired loan.
The analysis and the recommendations in this article are intended to help you validate an identity and ensure an individual or business is who they say they are, rather than someone else applying under their name, with no intention of paying off the loan afterward.
KYC Is Your First Line of Defense- But Not Sufficient
Anti Money Laundering (AML) regulatory compliance requires financial services to perform a set of tasks to verify the identity of the customer (individual or business).
These tasks are usually part of the Customer Identification Program (CIP), loosely referred to in the industry as Know Your Customer (KYC).
Unfortunately, KYC also has a meaning outside compliance – it means that you know enough about a customer to perform financial behavior analysis.
In this post we’ll refer to the parts of KYC that deal with identity verification and its uses when trying to prevent lending fraud, and more specifically loan application fraud.
From an AML perspective, the focus of the KYC process is to ensure you know enough about your customers to flag suspicious activity, and if need be, have enough information to support an investigation.
However, when performed correctly, activities during the KYC process can also help you flag serious issues like identity theft, and help you protect your business from fraud.
The Main Challenges for Online Lenders when Performing KYC
Online lenders deal exclusively with online onboarding. Validating an online borrower’s information has different challenges than in-person:
- An online loan application is accessible to a wider set of potential customers. Unfortunately, this means loan applications are also available to a wider set of fraudsters. You will have to interact with them electronically and, like customers, they can access your website anytime from anywhere in the world.
- The methodology for assessing an identity online is less secure than most in-person interactions, and documents can be easily forged online.
- The level of scrutiny required to assess an identity online (friction) dramatically affects the likelihood of acquiring a new customer, which can then negatively impact the performance of your business model.
Because of the impact caused by additional friction, online financial services tend to reduce the information required from clients during onboarding. They simplify the process to what is necessary for complying with regulations, and thus open the door to abuses and fraud.
The large majority of financial services- especially in online lending, leverage credit bureau databases for identity verification. However, these services offer limited attributes for validating an identity.
The fundamental problem lies in that the data attributes used most frequently are also the most commonly stolen and available for purchase online. Checks against identity databases may be sufficient to comply with AML regulations, but they are not sufficient for preventing lending fraud.
The key is to strike a balance between mitigating risk, and adding friction that causes customer abandonment.
It’s important to determine the risk level associated with each potential customer, and only introduce more friction to the onboarding process when necessary. However, the more security checks, the less likely borrowers will be to complete their application.
8 Identity Verification Tests to Prevent Loan Application Fraud
The following Know Your Customer (KYC) security checks are the most commonly applied tests used on the IdentityMind platform to better verify a potential borrower’s identity during the onboarding process:
- Identity Document Verification (e.g. passports, drivers license, national IDs)
This is accomplished by analyzing a picture of the image of the document, and verifying its authenticity. Taking the picture can be included as part of the onboarding process with the device camera, on either a PC or Mobile device. While it can also be accomplished by the consumer uploading a picture previously taken, this is less reliable because a fraudster may have stolen the picture of the victim.
See how identity document verification works here:
2. Identity Data Validation
This is the verification of a match between the submitted information such as name, address, phone, Social Security Number (SSN), tax ID and date of birth against public and private databases. It is possible to extract this data from an authorized document, and compare that extracted data against the provided information, as well as public and private databases.
3. Bank Account Ownership
The goal of this test is to verify a client actually has access to the bank account presented during the onboarding process. This validation can be done by having the client provide the bank’s credential details, or via micro-deposits to the account.
4. “Out of Wallet” Questions
In “Out of Wallet” Questions- which can also be referred to as, “Knowledge Based Authentication”- the system matches an identity based on submitted information, and provides questions that should only be answered correctly by that person. These questions are presented in a multiple choice format, and the user must choose the right answer. Common examples of these questions include previous address, names of relatives, place of birth, etc.
You can find a good infographic about this subject by our partner, Idology, here.
5. Identity Risk Scoring
This test compares submitted information with databases of stolen attributes and heuristics, providing you with a risk score based on the likelihood of the given identity being forged using compromised information.
6. Out of band Phone Verification
Out of Band verification allows you to assess in real-time whether the presented phone number is indeed in the possession of the identity being evaluated. In some geographies, you can even verify whether the phone number and subscriber data match.
7. Social media analysis (feature in-roadmap)
Social Media analysis examines social network information to identify risk conditions that may indicate the identity in question is fake, or presents enough risk indicators to require further vetting. This is especially useful if the onboarding process is tied to social network accounts.
8. Video Conversation (feature in-roadmap)
In some countries, you are required to have a personal conversation with the potential client. This can be accomplished by embedding a video chat plugin to perform a video conference with the potential client.
Account Origination Fraud Prevention — Beyond Identity Verification
Regardless of how lax or strict you are during the identity verification portion of the onboarding process, some identity theft will always slip through- the question is how much. You are obviously trying to minimize it, but fraudsters can be surprisingly diligent in stealing an identity.
The really good ones are hard to catch, and those who have acquired multiple stolen identities will attempt to use them rapidly when they find a way in. If they find an institution vulnerable to one identity, they’ll typically attempt to exploit that institution multiple times with other stolen identities. This is common in the online world.
Online lenders must analyze the risk of the account origination and loan application fraud by looking at the online session information, and incorporating it within the context of the identity data.
These are well known practices by risk managers in ecommerce. However, many of the emergent financial business models (e.g. crowdfunding, internet lending, money transmitters) are not used to this type of fraud prevention. Especially when risk and compliance officers are transitioning from the physical to online world.
Incorporating advanced fraud prevention into the KYC process is a necessary protection you should implement right at the moment when borrowers are creating their accounts or applying for a loan.
4 Strategies to Prevent Lending Fraud with Account Origination Protection
The following strategies- gathered from real use cases with our clients- describe some of the ways you can prevent loan application fraud during the onboarding process using our platform:
- Leverage industry data
Fraudsters tend to reuse stolen identity data across businesses in the same industry. If a fraudster is able to acquire a loan from an , they will attempt to acquire a loan using the same information at a different online lender.
The IdentityMind platform shares fraudulent data in real-time, alerting you when fraudsters recognized by other online lenders are applying for a loan at your institution. The relevance of industry data has been demonstrated repeatedly as fraudsters focus on a particular industry.
2. Leverage your own data
We enable clients to seed the IDM system with historical data, including your watch lists, black lists and rejected users.
Our system automatically adds the attributes of rejected applications to a watch list, and alerts you when they appear as part of a new application. This allows you to easily identify recurrent users trying to hide their previous attempts.
The system highlights these “watched” attributes even when hidden under several layers of transactions (what we call “degrees of separation”). Similarly, and perhaps more important, is when this reveals new applications connected to entities on your black list.
3. Common attributes outside identity data
Fraudsters often utilize attributes that are common across their stolen identities, such as phone numbers, bank accounts, and email addresses.
One of our clients configured a rule that flagged new loan applications attached to bank accounts already associated with another identity.
This rule detected fraudsters who had passed all identity verification security tests, and had even verified “ownership” of the bank account.
These fraudsters had used different devices, but the same bank account. The loan applications were then rejected, and the fraudsters attempted another application using a different bank account. However those attributes were already tainted from the previous process, and they were repeatedly denied for new loans.
4. Geolocation Risk Analysis
Our clients benefit from our expertise in eCommerce fraud prevention, specifically with risk analysis based on geography, distance between the location of the potential customer and their billing information, and more.
Location is assessed for all users regardless whether they are accessing your website from a computer or mobile phone. Our platform can connect to Mobile Network Operators and assess the location of the subscriber, take latitude and longitude from the device itself, or rely on the true IP address of the computer, removing proxies in between.
The combination of KYC and fraud prevention techniques during account origination are a much better solution than just one or the other. The more diverse your protection is, the better the overall results.
A combined solution also offers alternatives to heavy friction during the identity verification process. Distributing the effort between Identity Verification and Account Origination will help you achieve a better balance during the onboarding process.
While we have talked and described scenarios during account origination, account fraud can go far beyond origination. In a future article we’ll discuss of the relevance of continuous monitoring throughout the lifetime of an account.