Identity Theft: Moving Beyond Rules-Based Russian Roulette

The Mueller indictments exposed the weak links that plague IDV in the U.S. — even highlighting that a rules-based system is flawed at best. To beat the bad guys at their game, the best defense is a robust offense that examines identities from both an online and offline perspective, as Socure CEO Sunil Madhu tells Karen Webster.

After the Mueller indictments, do banks’ “day zero” identity verifications need a makeover?

We’re referring, of course, to the act of opening a bank account from scratch, from the beginning – providing everything from name, address, Social Security number, identity documents and the like…

The data that belongs to you, except when it doesn’t.

If the startling indictments from Special Counsel Robert Mueller’s probe into Russian meddling in the 2016 elections show one thing in the payments world, it is this:

It can be easy to open a bank account.

At least it seemed so for the Russian operatives named in the indictment, who traipsed somehow or other into the realm of U.S. banking, created accounts and then used them to open PayPal accounts to pay for various activities, from buying social media to campaign paraphernalia, all with an eye toward influencing the election.

Oh, and they used pilfered data to do so.

In an interview with PYMNTS’ Karen Webster, Sunil Madhu, CEO of Socure, said that the indictment, taken as a whole, “really doesn’t mean that much when all the people involved are in Russia.” He noted that those indicted may not cooperate and there is no extradition treaty in place – so the legal impact may be somewhat slight.

But there’s food for thought in just what these bad actors allegedly got away with, exposing some yawning chasms between the way banks vet their applicants and the way they, perhaps, should do so.

Madhu said that there are notable differences in the verification and compliance processes in banking here and abroad.

The biggest difference between the European market and ours is that in the case of the former, the government usually dictates compliance and regulation and then the market adopts it. In the U.S., he explained, market adoption is “a matter of waiting and watching to see what 40 percent of the market does” and the rest follows.

When it comes to verification, Eastern Europe lacks the infrastructure needed to keep tabs and to ensure that people opening accounts are who they say they are – at least down the road, that is, after that first account is opened.

Here, then, is the Achilles’ heel of banking there, and how the verification system proves porous. There are no credit bureaus and accounts are established on what he termed a “transitive trust basis.”

With that very first account in those geographies, said Madhu, “someone comes to your house, sits with you, examines the documents, takes pictures or video.”

And that’s it: The KYC process is complete, he said.

But subsequent accounts a consumer wants to set up – innocently or not so much – would be done using the KYC work done for that initial, first account.

“The challenge is with a state sponsor of this type of activity,” he said of the Mueller indictments, which showed how 13 Russians were able to use PII from real people to create fake IDs and eventually pay for goods and services, “it is very difficult for anybody to do anything about it.”

Though the alleged bad baker’s dozen opened accounts at U.S. banks, Madhu said that “once you’ve got a digital footprint and you actually have got a valid identity somewhere, it’s easy to propagate that throughout the financial system.”

Particularly, he said, it’s not possible to look at that person’s complete online social profile … and examine the disparities between the person’s identity in the real world versus their identity online.

That stands in stark contrast to the way the troll factory operated in Russia, grabbing onto PII, and where one can spend about $4 per ID to open up accounts online. “There isn’t any challenge from a PII verification perspective for these guys to be able to pull this off,” Madhu told Webster.

Think the events depicted in the Mueller indictment are an isolated incident? Think again. Wells Fargo employees, said Madhu, used the very same tactics to open fraudulent accounts that the Russians did. They took people’s legitimate information, created synthetic IDs from them and then opened up accounts without innocent individuals’ knowledge.

A wakeup call?

One would hope the Mueller indictment would serve as one. But then again, most banks, Madhu said, “still use antiquated rules-based systems. The fundamental problem with this is, in decision-making the system is completely reactionary.”

Thus, a good knowledge of the rules can enable the bad guy to skirt those rules and evade detection. A rule that flags someone opening 10 accounts in one day is great – until the bad guys catch on and then open one account a day over 10 days. Then, that rule gets changed to one account a week over 10 weeks. You get the picture – rules that plug the rules that plug the rules only chase the bad guys, ineffectively.

Madhu said that the future lies in the fact that “more regulations are going to force the banks to disclose these types of things,” noting legislation in Congress that will set in place punishments for FIs that breach an individual’s PII.

One way to make the banks sit up and take notice is to levy fines on each act of PII and compliance breach on an individual basis, said Madhu, enough so that it becomes material to their P&L.

Perhaps the best way, he said, is to make it impossible for a fraudster to fake a real person’s identity – because there’s irrefutable proof that they really can’t be that person. That all comes down to melding the two worlds of data – the online and the offline – to flush out the fraudsters before they cause too much harm.