In a growing form of creepy and eerily patient criminality, fraudsters are obtaining the Social Security numbers of children (who have pure credit records because they've never had any credit) and using their identities to slowly build up good credit histories over the course of as much as five years, so that they can then write bad checks and disappear.
These criminals are taking advantage, somewhat ironically, of a provision of the Equal Credit Opportunity Act, Regulation B, according to Mike Urban, senior director of fraud management at FICO, who spoke to me by phone yesterday about this strange type of fraud and what banks can do to combat it. "Regulation B requires that when someone applies for credit, they can use their spouse's credit as an authorized user," Urban says. This allows, for instance, a spouse who doesn't work to get a credit card based on their spouse's credit history. "Some of the not-so-nice credit repair companies will find people who will get paid to grant people with bad credit authorized use of their credit. You go in as an authorized user, and the credit grantor is looking at the good credit in their decision."
Now, criminals are using this general principle and finding Social Security numbers of people who don't have credit reports, such as children or people who have been in jail for a long time (they obtain this information over the Internet and by hacking into government agency and school databases), compromising that information and getting paid to add users to that Social Security number. The users are advised not to provide their address on a credit application, so the creditor won't see the address linked to their actual bad credit history. To the creditor, it looks like a new identity coming in as an authorized user.
"Before you offer a loan product, whether or not you're offering it to an authorized user on the account, if there's no credit history, that should be a red flag," Urban says.
Banks process so many credit applications, Urban says, that they typically don't go through a formal routine to check authorized users. And because these people are tagging on to someone else's Social Security number and not sharing their address, they won't be found in a credit bureau database. The owner of the account will find out that there's a new credit facility attached to their name if they check their credit report. But children typically don't pull their credit reports.
These stolen identities represent a person just starting out on a credit journey, and therefore it takes time for criminals to gain access to a sizable amount of credit. "They may be offered a $500 credit card or a secured credit card at first," Urban says. "They're not going after the first opportunity they get to obtain credit. They're trying to build up the identity over time. They'll get whatever type of facility they can initially and start to transact on that, pay it back, and start to build a good credit rating and score with this identity. Then they'll look to go from secured to unsecured credit, look for other installment loans they can add to that, and maybe open a checking account. Once they've built that identity and credit to a certain point, they'll start to send in bad checks, then pull everything out and disappear." It takes anywhere from five months to five years, Urban says, before the fraud will take place.
"In our current economic conditions, there are people who will do things they wouldn't normally do," Urban notes. "Maybe they have intentions of paying back, maybe they don't."
The losses to banks from this style of fraud are in the billions and greater than payment card fraud losses. In the U.S., 5 to 15 percent of bad debt is related to identity fraud, Urban says.
What can banks do to detect and avert this type of fraud? They need to build a consolidated view of risk for each customer, Urban says. "Once one of those products goes bad, the bank should know what other products they have with that customer," he says.
When the bank is onboarding a new customer, the bank should check the application for completeness, make sure underwriting requirements are validated, and look carefully at their credit score.
"The problem is that criminals already understand banks' rules and policies, and they adjust as financial institutions adjust their rules," Urban says. "In order to understand the risk of the application coming in, you have to look at what you don't see on the surface, the variables that interrelate to each other." For instance, a rule based strictly on income will block good applications as well as bad. Only a small percentage of credit applications are fraudulent, he notes.
Urban notes that about 15 years ago, there was a rash of incidents in which criminals used the Social Security numbers of deceased people. The Social Security Administration then came up with an index against which banks can check for living/dead status. To solve the current epidemic, the Social Security Administration could come up with an index for minors, Urban suggests. The government does offer a Social Security number verification service, but it costs $5 per lookup and requires the written consent of the Social Security number holder.
A simpler way for banks to detect such fraud is to use fraud-finding analytics throughout the customer relationship, Urban says. By monitoring customer behavior against the numbers of law-abiding borrowers and criminals, banks can start to detect fraud risk based on financial and nonmonetary transactions, address changes, account changes, and transaction changes. The timing of certain behaviors can be profiled.
For instance, if a customer who's never had an overdraft, who always transacts at low dollar amounts and pays on time, suddenly has an overdraft and starts hitting the maximum on his credit card, that should raise a red flag. There might be a perfectly innocent explanation, and there might not.
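The red flags described above (no credit history, an authorized user with no address, a sudden break from a clean baseline, and the consolidated per-customer view) can be sketched in code. This is an added example, not code from FICO or from the original article; the field names, thresholds and flag labels are assumptions, and the sample months are constructed.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Month:
    largest_txn: float   # largest single transaction in the month, in dollars
    utilization: float   # card balance divided by credit limit, 0.0 to 1.0
    overdrafts: int      # overdraft events in the month
    paid_on_time: bool

def application_flags(app: dict) -> list[str]:
    """Onboarding checks: no credit file, and authorized user with no address."""
    flags = []
    if app["credit_history_months"] == 0:
        flags.append("no_credit_history")
    if app["authorized_user"] and not app.get("address"):
        flags.append("authorized_user_without_address")
    return flags

def behavior_flags(history: list[Month], recent: Month,
                   txn_jump: float = 5.0, maxed: float = 0.95) -> list[str]:
    """Compare the latest month with the account's own baseline (assumed thresholds)."""
    flags = []
    if not history:
        return flags  # no baseline yet; rely on application_flags
    clean = all(m.overdrafts == 0 and m.paid_on_time for m in history)
    if clean and recent.overdrafts > 0:
        flags.append("first_overdraft_after_clean_history")
    if recent.utilization >= maxed and all(m.utilization < maxed for m in history):
        flags.append("card_maxed_for_first_time")
    if recent.largest_txn > txn_jump * mean(m.largest_txn for m in history):
        flags.append("transaction_size_jump")
    return flags

def consolidated_view(products: dict[str, tuple[list[Month], Month]]) -> dict:
    """Customer-level view: if any product flags, list every product held."""
    hits = {name: behavior_flags(h, r) for name, (h, r) in products.items()}
    hits = {name: f for name, f in hits.items() if f}
    return {"review": bool(hits), "flagged": hits,
            "all_products": sorted(products) if hits else []}

# Constructed sample data: six quiet months, then one month that breaks the pattern.
QUIET = [Month(t, 0.2, 0, True) for t in (40, 55, 35, 60, 45, 50)]
BUST_OUT = Month(900, 1.0, 1, True)
NORMAL = Month(52, 0.25, 0, True)
```

A flag here is a prompt for review rather than a verdict, which matches the article's point that there may be an innocent explanation.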