Report: Synthetic identity fraud is growing

A new U.S. Government Accountability Office (GAO) report on its recent audit of the US Social Security Administration’s (SSA) Electronic Consent-Based Social Security Number Verification (eCBSV) service direly warns that synthetic identify fraud “is a growing concern among financial institutions.”

Indeed. It’s been estimated that more than 80 percent of all new account fraud can be attributed to synthetic identity fraud.

In its report to congressional requesters, GAO cited the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) as having reported that financial institutions experienced $182 million in suspicious activity associated with synthetic identity fraud in 2021.

Synthetic identity fraud is a special form of fraud that involves the creation of a fictitious identity through the combination of real and fake personally identifiable information. This usually involves a person’s stolen Social Security number (SSN) to which a name, date of birth, mailing address, email account, and phone number are made up and applied to the legitimate SSN to create a new identity which is then used to defraud financial institutions, government agencies, individuals, or other entities.

“Unlike traditional identity fraud, which uses a real person’s identity, synthetic identity fraud creates a new, fictional identity to commit fraud, such as applying for a credit account or other benefit,” GAO said.

In 2019, the Federal Reserve Bank of Boston reported that losses from synthetic identity fraud amounted to $6 billion in 2016. In 2022, the bank cited a study indicating that losses from synthetic identity fraud were estimated to be $20 billion in 2020.

GAO said that “as the financial system has shifted to digital platforms, it has created new opportunities for synthetic identity fraud. In response, financial institutions have increasingly relied on electronic solutions to mitigate the growing incidence of synthetic identity fraud and comply with [federal] regulations.”

“The frequency and impact of synthetic identity fraud has increased in recent years, according to the Federal Reserve Bank of Boston,” GAO said, also noting that “the growing number of data breaches compromising personally identifiable information has further enabled the creation of synthetic identities.”

Indeed. According to FinCEN, in January 2024, financial institutions submitted roughly 3,000 suspicious activity reports for synthetic identities that amounted to $182 million of potential fraud in 2021. “However,” GAO pointed out, “this figure likely underestimates the true cost of synthetic identity fraud.”

More disturbingly, GAO told lawmakers in the report that “synthetic identities may be difficult for financial institutions to detect and can go unnoticed for years. For example, fraudsters may create a synthetic identity to open a credit card, make on-time payments to build a positive credit history, and gradually increase their credit limit. They may then accumulate large amounts of debt they never intend to repay. When the fraudster stops making payments, it is difficult for the financial institution to track them down, as they used a fictitious identity.”

According to Experian, one of the big three credit reporting agencies, “synthetic identities can be notoriously difficult to detect. Fraudsters sometimes incubate synthetic identities for months or even years before using them to borrow large amounts of money or take other actions. Once that’s done, they’ll often abandon the identity and create another one using the same methods … synthetic identity fraud is a rapidly accelerating threat.”

In 2018 Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act which directed SSA to combat such fraud by developing a database to electronically verify identifying information. However, questions have been raised about the service’s financial viability and use by industry participants.

In May 2018, Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act. To combat synthetic identity fraud, the act directed SSA to modify or create a database allowing financial institutions and other permitted entities to electronically verify an individual’s Social Security number, date of birth, and name from SSA in real time.

In June 2020, SSA launched eCBSV to meet these requirements. As required by the act, SSA charges users an annual fee to recover its development and operating costs. In July 2023, SSA increased user fees because of unrecovered costs and lower-than-expected participation.

eCBSV allows computer systems operated by permitted entities to send verification requests to SSA’s computer systems and receive real-time matching results. Authorized users must obtain an individual’s written consent, which may be obtained electronically, and use the service for the authorized purposes to verify whether the combination of SSN, date of birth, and name matches SSA records. The results provide a single ‘Yes’ or ‘No’ indicating whether all the data elements match. The results also indicate if the individual is deceased for each requested SSN.

Financial institutions can access eCBSV directly by paying a fee to SSA or through a third-party service provider that directly pays SSA for access to the service.

“However,” GAO said, “some members of Congress and other stakeholders have raised questions about the level of industry participation in eCBSV, its financial viability, and its effectiveness in reducing synthetic identity fraud.”

GAO said that in March 2024, SSA reported it had not recovered $37 million of the $62 million cost associated with developing and operating eCBSV through fiscal year 2023,” and that “industry participants have … raised questions about the costs to develop eCBSV and the growing price to access the service.”

GAO told lawmakers it determined that the SSA has not done as good of a job as it should to ensure that the eCBSV service “achieves its intended purpose of reducing synthetic identity fraud by developing strategies and assessing tradeoffs for expanding its use and establishing related performance measures and goals.”

As part of its audit of the eCBSV service, GAO looked at the legislation’s intent for the SSA to “reduce the prevalence of synthetic identity fraud, as well as best practices for managing and assessing the results of federal efforts.” GAO said it believes the evidence it “obtained provides a reasonable basis for [its] findings and conclusions based on our audit objectives.”

GAO’s audit found that eCBSV’s matching results have limitations that hinder its use, such as binary matching results that limit the usefulness of ‘No’ responses, and a nontransparent matching process that further limits the service’s usefulness.

But GAO said, “SSA officials expressed concerns” that by “providing more granularity in eCBSV’s matching results and more detailed information on the matching process could have unintended consequences, including facilitation of synthetic identity fraud.”

“SSA officials said that revealing additional information on how SSA performs matches could allow fraudsters to exploit the ‘fuzzy logic’ used for some data elements to adjust for common typographical errors across data sources. This could allow the fraudster to manipulate the system and obtain a positive SSN verification match, even if the information provided is inaccurate or incomplete.”

Social Security Administration officials further informed GAO’s auditors that the disclosure of “more granular match responses could increase the risk of improperly disclosing identifying information because the agency does not collect the SSN holder’s consent or independently confirm their identity before completing a verification request.”

For its part, users of eCBSV have suggested that the problems could be addressed by incorporating government issued ID authentication, biometric verification, and public records analysis. However, there doesn’t seem to be any momentum towards an acceptance of these suggestions.

Meanwhile, GAO concluded that “by not developing strategies and assessing tradeoffs to expanding the use of the [eCBSV] service, SSA is missing an opportunity to maximize eCBSV’s benefit in addressing synthetic identity fraud.”

Congress’s investigative arm said it determined that there are “areas where SSA could improve the financial viability of the service and its potential effectiveness as a tool for reducing synthetic identity fraud,” and made seven recommendations for executive action to address the issues it identified.

The Social Security Administration concurred with all seven recommendations and assured GAO that it will evaluate its policies and processes to determine how to address them.

Article Topics

financial services  |  fraud prevention  |  GAO (Government Accountability Office)  |  identity verification  |  synthetic identity fraud  |  U.S. Government