Addressing Fraud Risk from COVID-19 Relief Efforts

On May 3, 2020, small businesses were extended the second round of the Paycheck Protection Program (PPP) Loans – totaling $175 billion. In addition, Larry Kudlow, Director of the U.S. National Economic Council, was quoted stating he believes a third allotment of money might be necessary. Similar additional stimulus packages are being extended in the UK, with the ‘Bounce Back’ loan scheme announced on 27 April, building on the existing CBIL packages already in place.

With another large amount of PPP loan disbursement, Financial Services Organizations (FSOs) need to examine the risks associated with these COVID-19 relief efforts, even where there are full or significant government guarantees.

  • ID Theft: Fraudsters are adept at obtaining enough information to impersonate a genuine firm or individual, so FSOs are at risk of onboarding and lending to fraudsters rather than the genuine customer. The data may be obtained through multiple methods such as data compromise, social engineering or a combination of both. Victims could be targeted by campaigns encouraging them to apply via the fraudster. In this situation, the risk is likely to sit with the FSO for failing to adequately undertake KYC and anti-impersonation checks.
  • Synthetic Identity: In this case, the fraudster applies for a loan with a synthetic identity, or a mixture of real and false data. Similar to identity theft, the responsibility for the debt will largely fall on the FSO for failings in the KYC and application fraud checking procedure.
  • Account Takeover: Here, the fraudsters gain access to an FSO’s existing customer’s account. Then, they either fraudulently apply for the stimulus loan and then remove the funds, or wait for the customer to apply and then send the PPP loan funds to their accounts. In this case, credentials may have been compromised via social engineering scams like Phishing or Vishing, or some of the SMS campaigns that center around government messages. As the FSO has allowed someone other than the customer to access their account, this will be seen as failing to prevent the account takeover fraud.
  • Fraudulent Misrepresentation: This last type is a form of first-party fraud, where the actual firm misrepresents themselves in the lending application in some way. This may take the form of lying about their ability to repay, such as levels of sales or amounts due to them. It may also include falsification of employee numbers and salaries to obtain higher payments than are due. These may all be an attempt to keep their businesses going, rather than for profit. A final method is where the firm applies to multiple FSOs for loans, and then removes the funds, called a Bust Out. It is less clear if these losses would sit directly with the FSO or the government. Regardless, any process failures in the risk assessment process can bring additional liability to the FSO.

How can FSOs combat these risks?

The key to addressing these risks is getting the right data and analytics in place. Looking at ID theft, synthetic identity and account takeover, there are a number of areas of overlap.

FSOs can use device profiling and intelligence to:

  • Limit velocity of apps from the same device
  • Use the IP address or dongle to block known fraudulent devices
  • Request step-up authentication when a new device is used
  • Alert customers when a new device is used
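
The device rules listed above can be expressed as a small decision function. This is an added example, not code from the original post; the thresholds, field names, device identifiers and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the article); tune to your own risk appetite.
MAX_APPS_PER_DEVICE = 2           # applications allowed per device per window
WINDOW = timedelta(hours=24)
BLOCKED_DEVICES = {"dev-bad-01"}  # constructed blocklist entry

def evaluate(applications, known_devices):
    """Return one (app_id, decision, reason) tuple per application.

    applications: time-ordered dicts with app_id, customer_id, device_id, ts.
    known_devices: customer_id -> set of device ids already seen for them.
    """
    recent = defaultdict(deque)   # device_id -> timestamps inside the window
    results = []
    for app in applications:
        dev, cust, ts = app["device_id"], app["customer_id"], app["ts"]
        window = recent[dev]
        while window and ts - window[0] > WINDOW:
            window.popleft()      # forget applications older than the window
        window.append(ts)
        if dev in BLOCKED_DEVICES:
            decision = ("block", "known fraudulent device")
        elif len(window) > MAX_APPS_PER_DEVICE:
            decision = ("review", "device velocity exceeded")
        elif dev not in known_devices.get(cust, set()):
            decision = ("step_up", "new device for customer")
        else:
            decision = ("allow", "known device")
        results.append((app["app_id"], *decision))
    return results

def _t(hour):
    return datetime(2020, 5, 4, hour, 0)

SAMPLE_KNOWN = {"cust-1": {"dev-a"}, "cust-2": {"dev-b"}}
SAMPLE_APPS = [  # constructed events: one device submitting for three customers
    {"app_id": "A1", "customer_id": "cust-1", "device_id": "dev-a", "ts": _t(9)},
    {"app_id": "A2", "customer_id": "cust-2", "device_id": "dev-x", "ts": _t(10)},
    {"app_id": "A3", "customer_id": "cust-3", "device_id": "dev-x", "ts": _t(11)},
    {"app_id": "A4", "customer_id": "cust-4", "device_id": "dev-x", "ts": _t(12)},
    {"app_id": "A5", "customer_id": "cust-2", "device_id": "dev-bad-01", "ts": _t(13)},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_APPS, SAMPLE_KNOWN):
        print(row)
```

A "step_up" decision is also the natural point to send the customer a new-device alert.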

Adding behavioral biometric information can also assist in looking for unusual behaviour in how the data is entered for new accounts. This can also be used to highlight someone who is not the normal user logging in, or detecting a Remote Access Trojan to prevent account takeover.

Bringing in data on the customer in terms of Know Your Customer (KYC) and account ownership checks can help mitigate risks for onboarding customers and also with understanding first-party risks. This can also be expanded with additional credit bureau data such as velocity of recent credit searches, as well as income and expenditure data.

Here are specific approaches for these types of fraud:

ID Theft & Synthetic Identity

  • Only provide loans to existing customers
    • How long ago did they become a customer? Treat recent customers the same as new when they apply for lending.
  • Only deposit loan funds into an account you hold that matches the name.
    • Undertake ownership checks on where the bank account funds are going.

Account Takeover

  • Only deposit loan funds into an account you hold that matches the name.
  • Extra review where unusual payments out are seen, such as:
    • Large payments to new beneficiary
    • New staff in payroll run
    • Larger amounts in payroll run
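
The three outbound-payment checks above can be run against each payee's payment history before a batch is released. This is an added example, not code from the original post; the thresholds, field names and sample data are constructed assumptions.

```python
from statistics import median

# Assumed thresholds (not from the article).
LARGE_PAYMENT = 10_000   # non-payroll payments at or above this to a new payee
PAYROLL_UPLIFT = 1.25    # payroll payment above 125% of the payee's median

def review_outbound(history, batch):
    """Return (payee, reason) flags for an outbound payment batch.

    history: payee -> list of past amounts (missing or empty = new beneficiary).
    batch: list of dicts with payee, amount, is_payroll.
    """
    flags = []
    for p in batch:
        past = history.get(p["payee"], [])
        if not past:
            # No prior payments: either a new payroll entry or a new beneficiary.
            if p["is_payroll"]:
                flags.append((p["payee"], "new staff in payroll run"))
            elif p["amount"] >= LARGE_PAYMENT:
                flags.append((p["payee"], "large payment to new beneficiary"))
        elif p["is_payroll"] and p["amount"] > PAYROLL_UPLIFT * median(past):
            flags.append((p["payee"], "larger amount in payroll run"))
    return flags

SAMPLE_HISTORY = {  # constructed baseline of previous payments
    "alice": [3000, 3000, 3100],
    "bob": [2500, 2500, 2600],
    "supplier-ltd": [800, 950],
}
SAMPLE_BATCH = [  # constructed batch submitted after a loan is credited
    {"payee": "alice", "amount": 3050, "is_payroll": True},
    {"payee": "bob", "amount": 4200, "is_payroll": True},
    {"payee": "carol", "amount": 3000, "is_payroll": True},
    {"payee": "newco", "amount": 25000, "is_payroll": False},
    {"payee": "supplier-ltd", "amount": 900, "is_payroll": False},
    {"payee": "stationer", "amount": 120, "is_payroll": False},
]

if __name__ == "__main__":
    for payee, reason in review_outbound(SAMPLE_HISTORY, SAMPLE_BATCH):
        print(f"hold for review: {payee}: {reason}")
```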

Fraudulent Misrepresentation

  • Use open banking information
    • Inbound payments – has their income dried up?
    • Check for income and expenditure
    • Risk assess or block if not willing to share data
  • Use internal data
    • Inbound payments – has their income dried up?
    • Normal payroll values
    • KYC/CDD data on number of staff, turnover
    • Check against external sources
  • Cross reference all of the above

As we continue to see PPP loans disburse, it’s critical for FSOs to understand the risks they face and how to combat them. As I stated in a previous blog, this is clearly not an exhaustive set of strategy updates, but gives an idea of the level of investments required. The good news is, much of this technology is here already but not universally used. With COVID-19 changing the world, the time to plan to tackle this is now.
