New FinCEN report highlights why getting identity verification right is more important than ever 

Last week, the Financial Crimes Enforcement Network (FinCEN) published their highly anticipated Financial Trend Analysis on identity-related suspicious activity. FinCEN’s report, part of what was previously called the Identity Project, classified and analysed all suspicious activity reports (SARs) in 2021. The result: a clear, quantified view of just how many SARs were connected to the exploitation of identity-related processes – nearly half of all the SARs reviewed, in fact. 

1. In 2021, Suspicious Activity Reports (SARs) connected to identity exploitation totalled $212b, according to a report just published by the US Treasury Financial Crimes Enforcement Network (FinCEN)
2. The report underscores the importance of getting identity verification “right” – in the words of Jimmy Kirby, FinCEN’s Deputy Director, this means “implementing identity solutions that preserve privacy and security, promote financial inclusion and protect the integrity of the financial system” 
3. Successful identity verification processes should consider implementing a multitude of checks and partnerships with trusted providers, to reduce fraud risk while maintaining a positive customer experience

In 2021, SARs connected to identity issues totaled a jaw-dropping $212B USD in value. What’s more incredible is that identity-related SARs continued to increase by 15% above this already staggering number in 2022, showing that these attacks are trending in the wrong direction. Andrea Gacki, the Director of FinCEN, said the report highlights the “existence of significant identity-related exploitations through a large variety of schemes” and connected the importance of robust identity verification processes to the broader security of the US and global financial systems.

FinCEN’s report defines 14 typologies of identity-related fraud, which it groups into 3 buckets:

1. Impersonation
2. Circumvention 
3. Compromise 

Impersonation is the most common exploitation. This is where attackers present false, misleading, or synthetic data to obscure their true identity and transact under another identity. This exploit accounted for a total transactional value of $200B, or 1.7M SARs. 

Circumvention is also very common, particularly for money services businesses. This happens when an attacker identifies an entity with inadequate or incomplete KYC processes or uses informal value transfer systems or unregistered means to obfuscate the movement of funds. This exploit accounted for a total transactional value of $39B, or 323k SARs.

Finally, Compromise is an exploit that occurs when an attacker improperly uses their access to systems, or illicitly gains access to systems, to defeat an identity verification process. These exploits tend to represent very high transactional values, with only 18% of the SARs accounting for 32% of the total monetary value. 

Jimmy Kirby, the Deputy Director of FinCEN, said “To get financial services right, we need to get identity right. Getting identity ‘right’ means implementing identity solutions that preserve privacy and security, promote financial inclusion and protect the integrity of the financial system.” The report underscores that identity protection is a critical issue that affects us all, irrespective of where we live. Successful identity verification (IDV) processes must include:

1. Multiple modalities
2. A trusted provider
3. Great customer experience

Multiple modalities: One of the key insights from the FinCEN analysis is that there is no silver bullet – no single perfect solution that can solve identity attacks in every use case. Document, biometric and data-based IDV are all strong in their own right – but collectively, they’re much stronger. No matter how confident a model or a human reviewer is that a document is authentic, combining that check with  data verification against the issuing authority creates a confidence greater than the sum of its parts. Similarly, data checks offer high authoritativeness and low user friction, but combining them with other forms of IDV create a huge challenge for attackers. By harnessing the power of multiple data points and creating more data-centric IDV strategies, more comprehensive and dynamic profiles can be built for individuals and businesses to ultimately strengthen defences against identify fraud.

A trusted provider: You have probably heard the phrase: business moves at the speed of trust. Nowhere is that truer than when selecting identity verification providers. Selecting providers who rigorously test their models for bias, conduct strict due diligence on their data sources and who have a reputation for stability and accountability is of paramount importance. Excellent processes backed by untrustworthy partners are a recipe for failure.

Great customer experience: To those focused on strengthening their identity verification process: never lose sight of your customer and their experience. A knee-jerk reaction that locks down customer onboarding to the point that all your customers flee isn’t the right solution either. It’s possible to create a KYC process that increases security and simultaneously delights your customers.

Fraud is, at its core, a failure to resolve identity. FinCEN’s thoughtful analysis emphasizes this, and illuminates where and how fraudsters and criminals are attacking the global financial system. Let’s work together to strengthen protections for consumers and businesses – people – globally and prevent bad actors from leveraging our financial systems to further crime and abuse.