Synethic identity fraud, which is projected to cost banks $23 billion by 2030 (and more in operational and reputational costs), is on the rise, and it's getting more complex with the use of general artificial intelligence and deepfakes by bad actors to carry out attacks. Fraudsters rely on automated tools to create and scale AI-generated fake identities and documents across multiple platforms, exploits gaps in identity verification systems, notably with digital accounts. To prevent the orchestration of ID fraud, banks must work to shore up points of vulnerability and secure digital platforms to guard against data breaches that expose sensitive data that makes it easier for ID theft to occur. Industry practitioners and experts detail why proactive usage of AI/machine learning, strong identity verification, Know-Your-Customer technology-enabled document verification, and tokenization of customer data are required to combat ID fraud.
Transcription:
Carter Pape (00:11):
All right, we're going to go ahead and get started. Welcome. This session is Darkness Visible, Proactive Steps For Banks To Detect And Prevent Synthetic Identity Fraud. I'm Carter. I'm a Reporter for American Banker. I cover cybersecurity and financial crimes, and I have with me Joel Castaneda and Brian Anderson with Plaid. So I'm going to let Joel introduce himself. Joel is the Executive Vice President and Chief Risk Officer at Vantage overseeing enterprise risk, the and compliance programs. Joel, you've been in risk management for over 10 years. What's the biggest way in which synthetic identity fraud has changed in the last decade?
Joel Castaneda (00:51):
Yeah, thank you, Carter. Can y'all hear me okay? Okay, good. So I will say one thing hasn't changed, which is over the past X number of years, banks hold money and criminals are trying to get that money. So they're trying to exfiltrate funds out of the bank. So the premise of synthetic identity hasn't changed specifically, it's creating a fake name, date of birth, whatever it is. But what has changed is our ability to recognize it, I think, as banks and combat it versus about 10 years ago. So we'll get into AI and there's a lot there that we'll unpack there, so I won't go there, but yeah.
Carter Pape (01:29):
Awesome. And Brian is the Industry Association's Lead at Plaid. So Brian, you've worked in politics for much of your career before joining Plaid, and now you lay liaise between plaid and trade organizations. So what are the primary regulatory and legal changes banks could use to combat synthetic identity fraud? What would it be nice to see?
Brian Anderson (01:51):
Sure, nice to see. I think as a general table setting statement, legal clarity around what data can be shared and can't be shared or how it can be shared is kind of table stakes for making this happen more specifically. I know we've talked a little bit about things that in the past that were helpful versus what we'd like to see. Certainly there is some legal authority to share information between financial institutions. It's in the Patriot Act under three 14 B, but that only does a little bit. It doesn't contemplate, I guess the current world we're in. And so I think modernizing that provision of the Patriot Act would be a very helpful enabling tool to help. We talk about a network level visibility and fighting fraud, being able to bring those entities into the statute, into the regulatory structure framework so that everybody can appropriately share data.
Carter Pape (02:48):
So Plaid is kind of well positioned as a consortium of data that it gets from banks and that it can share with banks to some extent subject to regulatory things. But what do you do today for banks to help prevent synthetic identity fraud?
Brian Anderson (03:08):
Two things I think that I can point out. The first is that we have, I think it's called a product called Beacon that is more of an exchange for banks and other financial institutions. Fintechs can supply information and they can also get information back in the form of, I dunno if anonymized is the right word, but tokenized information that's devoid of I I that helps those financial institutions see signals, patterns, behaviors that they can use for early detection within their own fraud prevention efforts. And then we also do our own searching through those patterns. We use models to sift through, find, recognize flag behaviors, whether it's through information through somebody's device or somebody's behavior online that maybe there's a phone that opened up three checking accounts in 24 hours. And most people wouldn't do that. Somebody might do that. That's something you want to flag. And then they can go elevate their protection and see what's going on there.
Carter Pape (04:17):
Joel, so we were talking earlier about what Vantage Bank does with synthetic identity fraud. So you don't actually sign up customers online at all. You have to go into a branch to do that. But you said you're working on a synthetic identity fraud framework. So tell me a little bit about that. Are people coming in with synthetic identities?
Joel Castaneda (04:37):
So we open accounts in branch, obviously, and everything I'm saying is from a community bank perspective. So we're sub 5 billion, we're 4.5, but we don't have end to end online account opening process where we don't know the customer. So it's usually referral based. We do have a process for digital onboarding. We're streamlining that most banks are right now, and if you're a customer, we got to know you or going to have a phone call, something it is. So it's straight through. We are preparing for the day when we do have onboarding straight through. So we're looking at the different factors, including synthetic identity. How can fraudsters get money out of the bank? How can they open an account with a name that isn't tied to the social, which isn't tied to the date of birth? So we're going through the various typologies of synthetic id. Is it somebody with a real social that matches the name and matches the date of birth with a fake address and a fake employment history? Or is it somebody with a real social, with a fake name, with a fake date of birth? So the various processes, we've got to think through that risk assess and then make a determination. What are the signals that we need to see in the onboarding to identify a synthetic identity being proactive?
Carter Pape (05:59):
Yeah, so the one thing that I always think about when I'm talking about synthetic identity fraud is the Social Security administration's E-C-B-S-V program. It's basically a thing that banks can use specifically to send social security number, date of birth and name, and the social security administration comes back and says, yes, that matches our records, or no, it doesn't. And a very naive way of thinking about synthetic identity fraud is like that solves it. You just go to the source of truth about whether an identity is real and get back an answer. You just trust that answer. Why is that system not sufficient to address this problem? I think Brian like to hear from you.
Brian Anderson (06:43):
Yes, I can answer that. So that as a tool is part of the solution, but it's a database based tool. So you're essentially just matching, like you just said, three data points against what is in the ledger. You can build around that and still have synthetic identity fraud. If a social security number is reused, repurposed, stolen, however you get it, you can use that information and just build a whole identity around that information. And it's no different to a bank without the right protections to figure that out. It's a little bit, the way I think about it is you can have a key that goes into a lock and that lock unlocks the door or the key unlocks the door, but you don't know who's holding the key. So it kind of works like that.
Joel Castaneda (07:27):
Yeah, I would also say with the prevalence of data breaches, there's already fraudsters in the banks. They've already built credit files. So I mean, at initiation, that makes sense, but there's already a lot of synthetic IDs just dormant in the system right now, so that's a problem.
Carter Pape (07:43):
Yeah, yeah. So part of the conversation that we need to get to, of course, is generative ai. So I want to talk about offensive and defensive side. So what's the primary threat that generative AI poses in this front of synthetic fraud specifically? Is it really useful to be able to generate a live face when you're holding your phone to try to sign up for an account somewhere? Or is there other generative AI technology that's like people need to think about with respect to syn identity? Yeah,
Brian Anderson (08:24):
So I think along those lines, the, sorry, I lost my train of thought. You want to go ahead and go and I'll jump in?
Joel Castaneda (08:35):
Yeah, I mean, it's the ability to create convincing identities at scale. That's the main premise. Going back to what I said initially, the fraud is still the same, but how you can scale the fraud and how convincing it is with synthetic identities, that's really what is scary with Gen ai. On the offensive side, from the fraudster standpoint,
Carter Pape (08:55):
What are the defensive technologies? Is an LLM useful at all or is it really these other visual things that you need to be using that are even useful? I mean, is generative AI useful to fight synthetic identity fraud?
Brian Anderson (09:11):
It's definitely useful because at this point it's robots fighting robots. It's going to be robots fighting, robots going forwards. Humans are falling by the wayside. I think very rapidly. The timeline is maybe we can argue about that in three years. We could all be under the authority of a robot, God, or we could be kind of just slowly UR away there. So we don't know. It's up for discussion. But the point is, these things are happening. The things that an LLM can do, humans can do some things that LLMs cannot do and vice versa. And one of the things that they do very, very well, better than humans, I think, is recognizing patterns that just we cannot see. And so that's where the folks on the offensive side, I suppose you would call it, they're already networked. They're already working together. They're already using these technologies to synthesize identities, to scale them, to coordinate attacks. It's important for us to be matching that in an arms race kind of scenario.
Joel Castaneda (10:11):
One thing that I read that happened last year, it was IBM published an article on a proof of concept that they did called audio jacking. So it's essentially a man in the middle attack where it's playing off keywords, fraudsters, in this case they're simulating a fraud, but the fraudsters playing off those keywords like bank account. And then when one person on the end of the phone is saying something, it intercepts that and changes the statement essentially live. And they've said, pretty easy to do this, infect the phone with malware. There's some other stuff that has to happen, but that's the kind of thing that's scary from the fraud standpoint, not just synthetic identity at the front end or account just sitting waiting to bust out, but someone simulating a real person where the banker on one end is thinking that they're talking to a real person, which is usually the confirmation that you want. Somebody says email, you pick up the phone and call 'em, but that's a little scary what's happening on that front.
Carter Pape (11:17):
So I want to talk about collaboration. I think that this is an important point. Earlier when I talked about social security administration, one of the shortcomings of that is just that even though it is a source of truth, it's not like you're not getting information from other banks about this synthetic identity was used to defraud us for this reason. So there's a use to being able to get information from other banks specifically. So Joel, I'm interested, what does Vantage do in terms of working either directly with other banks or with consortia that might have data that's useful?
Joel Castaneda (11:53):
Yeah, so there's two. Brian mentioned one, right, three 14 B on the a ML side, so quite a bit there and we'll get to synthetic identity and then F Isaac on the cyber side where we're getting intelligence and feeding that into our models on the cyber side. So going back to your question, I think those two things, there's infrastructure and communication that exists, how we incorporate synthetic identity into that. It sounds like there's some solutions brewing right on the communication front there, but we're thinking about it. I don't have a solution.
Carter Pape (12:27):
And Brian, this kind of gets back to what you were talking about initially with there needs to be changes to what the regulations are around what data banks can and cannot share. Give us an example, something tangible we can talk about. What's a piece of data or way of sharing data that banks can't do today that would make a really big difference?
Brian Anderson (12:53):
Cannot, that's a good question. I'm not sure I'm specifically positioned to answer that specifically, but I will just say that even if you can't share direct information, like this person is creating a fraudulent account or sharing, we don't want to do any of that. We do want to be able to transmit and communicate and have the clarity, the legal clarity and confidence across institutions and across networks that you can send signals, behaviors, things like that. It's important, again, to really lean into the network aspect of it, because institutions, I think sometimes end up looking inward more than across and up and down. And that is where we run into a lot of trouble with this because it's so easy, especially we're talking about generative AI is like a force multiplier. It's so easy for these attackers to scale up attacks across institutions, and before you know it, the same attack or a similar kind of attack is happening at 20 different institutions in a non sharing world without anybody really realizing it, it's coordinated that it could be stopped before it spreads. So yeah.
Carter Pape (14:03):
Joel, what would you say are the biggest barriers to being able to work either directly with other banks or with consortia to especially get data from them that would be useful for fighting identity fraud?
Joel Castaneda (14:18):
From a community bank standpoint, it's having the data infrastructure. Brian talked about signals at checking account opening. A lot of community banks are building that infrastructure. I mean, I'm sure a lot of community banks here talking about that, refining the onboarding process and collecting all those data points and those signals to be able to share and get back. So when you have limited budgets and tough integrations,
Carter Pape (14:39):
And is the regulatory framework there for being able to share that data?
Joel Castaneda (14:44):
I mean, I think about 314 B and it feels like that safe harbor role provides some protection, but I think there needs to be clarity as far as how far it goes. Like Brian said,
Brian Anderson (14:54):
Just to piggyback on that, I mean, again, the 314 B thing is it works for Joel, it doesn't work for the rest of the sector, which is halfway there or a quarter way there. So really if we were able to modernize it, we would then have bringing the fintechs, bringing the critical infrastructure providers into that fold so that you have a much more comprehensive picture.
Carter Pape (15:12):
So tell me more about that. You mean it covers banks, but it doesn't cover fintechs?
Brian Anderson (15:16):
Well, correct. It was drafted, whatever the Patriot Act was enacted, 2002, I think. I don't even remember actually. But at that point in time, fintechs weren't really a thing in the modern sense. And so it was built to contemplate banks, credit unions, wealth management, older kind of wealth management model firms, not fintechs, not data exchanges, not all these different things that have proliferated and blossomed over the last 20 years. And so that is a weakness of it.
Carter Pape (15:46):
Gotcha. So part of fighting fraud is complying with KYC and CIP regulations. So how much do these regulations, how much of the way do they go just complying with them? Does it go to addressing the risks of synthetic identity fraud?
Joel Castaneda (16:05):
Yeah, so you think about CIP, it's data collection, and even on a synthetic identity, you're getting a name, an address, a social date of birth. So it's complying, but Brian said it earlier, but it's not contemplating the actual fraud. And that's why I get back to looking at the typologies of fraud, doing that deep risk assessment and understanding not just from a compliance standpoint, but from a risk standpoint.
Carter Pape (16:33):
And those regulations are kind of addressing AML and other things. So it's almost like they don't really contemplate synthetic identity fraud as a problem. So what are the extra, well, I'll skip that one. So looking ahead, what are the most significant challenges and opportunities to combating synthetic identity fraud? Just in terms of either technology? Well, let's do technology. Second. I want to focus first on changing regulatory environment. Of course, we saw a 10 33 rolled back last week that doesn't directly address this, but obviously there are a lot of changes to regulatory environment. What are some low hanging fruit that banks might be able to address to make this easier for them,
Joel Castaneda (17:23):
Make it easier for them to
Carter Pape (17:25):
Identify, share data?
Joel Castaneda (17:28):
You talked about regs and one we didn't talk about was facta, right? Red flag role. And we're supposed to be as banks identifying attributes of stolen identities. That's great for somebody walking in the branch and presenting their ID and they're in front of you. It's hard to enforce that at scale, and that's a huge problem why we're seeing the proliferation of synthetic identity.
Brian Anderson (17:51):
Yeah, I mean, I would just piggyback on just say generally modernization. We just were going over that with a lot of this stuff was created without knowledge of what the world would look like now, and it doesn't necessarily align. So definitely we need to rethink how to apply these regs, how to make sure they work for the entire sector. So that, again, I'm just going to keep saying it over and over again. Network is the answer here. You've got to have a collaborative approach across everybody sharing different signals. You're not sharing information, it's just, Hey, we saw this over here. We're putting it into place where everybody can see it so they can look for it as well. That's kind of the basics of it.
Carter Pape (18:28):
Gotcha. Now let's talk about the technology. What changes do you see that are promising in terms of being able to, how much can advances in generative AI even help? Is that going to meaningfully impact the area of synthetic identity fraud, specifically protecting against it? Or is that kind of orthogonal to the issue of gathering the data that you need to be able to catch these synthetic identities?
Joel Castaneda (19:03):
Yeah, I think it's both. Number one, and gathering the data and the models, being able to make sense of all that data and give you signals and anomalies, right? That's an important factor. So I agree with that on the use of ai. The other one is we experimented with POC and some banks are using this, but for a community bank, a liveness test. So making sure that the person that we're talking to or sending a payment in this case is actually who they say they are from the liveness test and not just a photo. So that's enabled by ai, obviously not a technology we develop, we're leveraging a vendor's technology, but that's another use case for AI on combat.
Brian Anderson (19:49):
And I think to kind of not counter but prove the point, the thesis we have right now with this question, which is you need it on both sides of the ball because at the same time that you're using AI for selfie liveness checks and things like that, to your point earlier, the DeepFakes are getting so good that you've got to constantly level up with the different models and tools you're using. When I onboarded at Plaid recently, one of the aspects of my onboarding included a purposeful deepfake from our CEO kind of instructed me to wire money somewhere is just kind a, this is what it could look like and whatever. It was very real. So it's even something like that kind of tool can very quickly be co-opted for ulterior motive. So yeah.
Carter Pape (20:38):
So people will talk about sometimes the intersection between cybersecurity and fraud. And I am just interested in your thoughts if you have any, about the value of having an interface between your fraud team and your cybersecurity team, and what value does that bring?
Joel Castaneda (21:00):
Yeah, so we talk about that all the time. So we have a very, again, community bank, small organization, less than 500 employees, very collaborative approach between fraud and cyber. Maybe at a larger bank there's different sectors, but we collaborate all the time and it does add value. So if we're seeing something on the fraud and we go trace where did the customer initiate the payment? What was their IP address? And then we can block it on the cyber side. So that talking between and having that dialogue is absolutely critical to the fight.
Brian Anderson (21:36):
I'll just throw this in there. In a previous life I did a lot of work around cybersecurity and operation resilience with large banks, and some of the problems, or many of the problems that I see or hear about in the fraud space, especially on the regulatory side or just kind of how public and private sector work together mirror so much of the issues that like the cybersecurity community deals with as well within banks, just kind of fragmented regulation regulators that are behind the ball, but trying really hard. So it's important I think for both those teams to get together because one kind of is downstream of the other, for sure.
Carter Pape (22:10):
So earlier during one of the keynotes, Brian, I think mimic was fifth. Third was talking about how specifically in the cyberspace, the most valuable information comes through back channels. Basically, that gives you a lot of indicators that if you handle them carefully, you can use over the long term to be able to identify sources of cybersecurity attackers. To what extent does that same principle apply in fraud? Are you getting useful data through back channels or is it the stuff that you really need is coming through the consortia? And,
Joel Castaneda (22:53):
Yeah, I'll adjust that a little bit and say that identifying when you have a fraud loss, did that come from a synthetic identity, right? I think that's really important. And if it's a credit loss, your credit guy, a small dollar, don't worry about it. But I think it's really important to go deep and figure out where did that stem from? Was it a synthetic identity? Do we have any other patterns that may be indicative of a synthetic identity fraud? So I'm not sure I answered your question, but I think it's really important to dig deep into at the point of a loss, what else is in your portfolio and collaboration between cyber fraud and the credit team as well.
Carter Pape (23:37):
We're going to have time for maybe one or two audience questions, so I'm going to ask one more question of them and then we will open it up. So the last thing I want to ask you is basically what do you want people to take away from this? What are the things that they need to think about as they are thinking specifically about synthetic identity fraud?
Brian Anderson (24:00):
So in tech, there's a saying that startups try to achieve scale before incumbents try to get distribution. And I think you can massage that into this here in that fraud actors, their motivation is to try to get scale before the incumbents, the banks, whoever gets to kind of collaboration and network response. So the importance here is to recognize that whatever you're seeing inside of your own bank, I think you can almost just assume it's happening elsewhere, and that the quicker you can find your way into or find a way to put more data into these different fraud information sharing consortiums, the better off the entire sector is. Everybody's fraud losses will start to go down, hopefully we really want to lead into the idea and plaid is self-serving. Lee, we are very interested in helping facilitate that. So overall just network, network, network data share. Thank you.
Joel Castaneda (25:00):
Yeah, I would say risk assess, I talked about it earlier. Think about the different typologies, how the fraudsters will enter your bank, especially if you're improving your digital onboarding process. Think about synthetic identity fraud and how you're going to combat it upfront and leverage the modern tool set to do so.
Carter Pape (25:18):
Awesome. If we have any audience questions, you'll probably have to just yell it at me and then I will repeat it. But are there any questions? Yeah, go ahead. Good idea. Good idea. Thank you.
Audience Member 1 (25:38):
Is this going to change with DLT technology or not? Because DLT technology may be you have identity fraud when you have your customer for the first time, but after that you don't.
Joel Castaneda (25:57):
Yeah, so I mean, I think the concept is the same, right? You're talking about distributed ledger. Okay, that's a good question. I mean, I'd probably have to spend a little bit more time thinking about that, but the fraudsters are going to find a way. I know there's publicly available wallet. You're saying the wallet address defrauded somebody, therefore that wallet is blacklisted. Is that what you're referring to? Yeah. Okay. Well,
Audience Member 1 (26:34):
Once you have a wallet, a token, that token can do automatic transactions without needing to be identified, the token is an identification by itself.
Joel Castaneda (26:47):
Yeah, I would say just like with everything else, you stamp out the fraud and they go find somewhere else and find a way to mask it, right? So I'm not sure it really changes much.
Carter Pape (27:06):
Oh, there's one.
Audience Member 2 (27:13):
Might be hard to hear. I guess the question is for both of you, how are you from verifying business entities? That question would go to both. And then could you walk me through the platform of technology that you're using to do that?
Brian Anderson (27:31):
I'll answer very quickly. We are a consumer focused network, so I don't believe we verify business entities. So I'd have to pass that off to Joel.
Joel Castaneda (27:38):
Yeah, so we're a commercial bank, so that's definitely something that we do in the manual process. Legal documents, obviously verifying ownership and existence, state registration. And then things like mid desk we use as well to expedite that. But we're a very relationship based bank and most of our inbound are referrals from another customer. So that's not a major issue that we have in the fraud space at least.
Carter Pape (28:08):
Okay. I think we'll give you some of your time back. Thanks so much for coming out and please give a round of applause for Joel and Brian. Thank you.
Darkness Visible: Proactive Steps for Banks to Detect and Prevent Synthetic Identity Fraud
Published June 2, 2025 1:44 PM
|
Updated October 1, 2025 11:33 AM
28:20