Daniel Flowe
Last week, the Financial Crimes Enforcement Network (FinCEN) published their highly anticipated Financial Trend Analysis on identity-related suspicious activity. FinCEN’s report, part of what was previously called the Identity Project, classified and analysed all suspicious activity reports (SARs) in 2021. The result: a clear, quantified view of just how many SARs were connected to the exploitation of identity-related processes – nearly half of all the SARs reviewed, in fact.
- In 2021, Suspicious Activity Reports (SARs) connected to identity exploitation totalled $212b, according to a report just published by the US Treasury Financial Crimes Enforcement Network (FinCEN)
- The report underscores the importance of getting identity verification “right” – in the words of Jimmy Kirby, FinCEN’s Deputy Director, this means “implementing identity solutions that preserve privacy and security, promote financial inclusion and protect the integrity of the financial system”
- Successful identity verification processes should consider implementing a multitude of checks and partnerships with trusted providers, to reduce fraud risk while maintaining a positive customer experience
In 2021, SARs connected to identity issues totaled a jaw-dropping $212B USD in value. What’s more incredible is that identity-related SARs continued to increase by 15% above this already staggering number in 2022, showing that these attacks are trending in the wrong direction. Andrea Gacki, the Director of FinCEN, said the report highlights the “existence of significant identity-related exploitations through a large variety of schemes” and connected the importance of robust identity verification processes to the broader security of the US and global financial systems.
FinCEN’s report defines 14 typologies of identity-related fraud, which it groups into 3 buckets:
- Impersonation
- Circumvention
- Compromise
Impersonation is the most common exploitation. This is where attackers present false, misleading, or synthetic data to obscure their true identity and transact under another identity. This exploit accounted for a total transactional value of $200B, or 1.7M SARs.
Circumvention is also very common, particularly for money services businesses. This happens when an attacker identifies an entity with inadequate or incomplete KYC processes or uses informal value transfer systems or unregistered means to obfuscate the movement of funds. This exploit accounted for a total transactional value of $39B, or 323k SARs.
Finally, Compromise is an exploit that occurs when an attacker improperly uses their access to systems, or illicitly gains access to systems, to defeat an identity verification process. These exploits tend to represent very high transactional values, with only 18% of the SARs accounting for 32% of the total monetary value.
Jimmy Kirby, the Deputy Director of FinCEN, said “To get financial services right, we need to get identity right. Getting identity ‘right’ means implementing identity solutions that preserve privacy and security, promote financial inclusion and protect the integrity of the financial system.” The report underscores that identity protection is a critical issue that affects us all, irrespective of where we live. Successful identity verification (IDV) processes must include:
- Multiple modalities
- A trusted provider
- Great customer experience
Multiple modalities: One of the key insights from the FinCEN analysis is that there is no silver bullet – no single perfect solution that can solve identity attacks in every use case. Document, biometric and data-based IDV are all strong in their own right – but collectively, they’re much stronger. No matter how confident a model or a human reviewer is that a document is authentic, combining that check with data verification against the issuing authority creates a confidence greater than the sum of its parts. Similarly, data checks offer high authoritativeness and low user friction, but combining them with other forms of IDV create a huge challenge for attackers. By harnessing the power of multiple data points and creating more data-centric IDV strategies, more comprehensive and dynamic profiles can be built for individuals and businesses to ultimately strengthen defences against identify fraud.
A trusted provider: You have probably heard the phrase: business moves at the speed of trust. Nowhere is that truer than when selecting identity verification providers. Selecting providers who rigorously test their models for bias, conduct strict due diligence on their data sources and who have a reputation for stability and accountability is of paramount importance. Excellent processes backed by untrustworthy partners are a recipe for failure.
Great customer experience: To those focused on strengthening their identity verification process: never lose sight of your customer and their experience. A knee-jerk reaction that locks down customer onboarding to the point that all your customers flee isn’t the right solution either. It’s possible to create a KYC process that increases security and simultaneously delights your customers.
Fraud is, at its core, a failure to resolve identity. FinCEN’s thoughtful analysis emphasizes this, and illuminates where and how fraudsters and criminals are attacking the global financial system. Let’s work together to strengthen protections for consumers and businesses – people – globally and prevent bad actors from leveraging our financial systems to further crime and abuse.
Legal Disclaimer
Republication or redistribution of LSE Group content is prohibited without our prior written consent.
The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.
Copyright © 2024 London Stock Exchange Group. All rights reserved.
The content of this publication is provided by London Stock Exchange Group plc, its applicable group undertakings and/or its affiliates or licensors (the “LSE Group” or “We”) exclusively.
Neither We nor our affiliates guarantee the accuracy of or endorse the views or opinions given by any third party content provider, advertiser, sponsor or other user. We may link to, reference, or promote websites, applications and/or services from third parties. You agree that We are not responsible for, and do not control such non-LSE Group websites, applications or services.
The content of this publication is for informational purposes only. All information and data contained in this publication is obtained by LSE Group from sources believed by it to be accurate and reliable. Because of the possibility of human and mechanical error as well as other factors, however, such information and data are provided "as is" without warranty of any kind. You understand and agree that this publication does not, and does not seek to, constitute advice of any nature. You may not rely upon the content of this document under any circumstances and should seek your own independent legal, tax or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the publication and its content is at your sole risk.
To the fullest extent permitted by applicable law, LSE Group, expressly disclaims any representation or warranties, express or implied, including, without limitation, any representations or warranties of performance, merchantability, fitness for a particular purpose, accuracy, completeness, reliability and non-infringement. LSE Group, its subsidiaries, its affiliates and their respective shareholders, directors, officers employees, agents, advertisers, content providers and licensors (collectively referred to as the “LSE Group Parties”) disclaim all responsibility for any loss, liability or damage of any kind resulting from or related to access, use or the unavailability of the publication (or any part of it); and none of the LSE Group Parties will be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, howsoever arising, even if any member of the LSE Group Parties are advised in advance of the possibility of such damages or could have foreseen any such damages arising or resulting from the use of, or inability to use, the information contained in the publication. For the avoidance of doubt, the LSE Group Parties shall have no liability for any losses, claims, demands, actions, proceedings, damages, costs or expenses arising out of, or in any way connected with, the information contained in this document.
LSE Group is the owner of various intellectual property rights ("IPR”), including but not limited to, numerous trademarks that are used to identify, advertise, and promote LSE Group products, services and activities. Nothing contained herein should be construed as granting any licence or right to use any of the trademarks or any other LSE Group IPR for any purpose whatsoever without the written permission or applicable licence terms.