In order to provide over $600 billion of timely capital to businesses affected by COVID-19, the Small Business Administration (SBA) needed to supercharge its processing of loan applications. As it increased throughput by nearly three orders of magnitude, the SBA lightened its diligence processes, creating an unprecedented vector for fraudsters. Cautions about COVID-related fraud have been issued by top US government agencies, including the SBA, alongside more general warnings from the FBI, FCC, IRS and SSA. The issue is not limited to the United States, and we are seeing specific instances of fraud crystallize worldwide in the market for credit relief. One example in Germany’s North Rhine-Westphalia (NRW) region poses an interesting case study on lending infrastructure in times of crisis.
Fraudsters stole at least $30M from a major government aid program for COVID-19, as reported by Handelsblatt (in German) and later covered by Forbes. The crime ring targeted an analogue of the Paycheck Protection Program (PPP), which was distributing relief funds to German businesses and self-employed individuals. The German government had eased its underwriting procedures, with the local Economic Minister Andreas Pinkwart saying that the application process would be “as simple, lean and unbureaucratic as possible.” With its guard down, NRW left an opening for fraudsters: it neither collected and analyzed identity documents nor used modern APIs to verify bank information.
The techniques used by fraudsters were not novel, but were opportunistic and clever in extracting true information from actual people and businesses, creating an effective emulation of their identities. The first phase was a classic phishing attack: fraudsters created a mirror-image of the NRW’s official government website for COVID-19 relief. Then, the fraudsters served online advertisements to unsuspecting German business owners, luring them to apply for funding on the fake website.
Armed with sensitive application data from businesses, the fraudsters applied for real funding on the official government website, under the guise of the businesses they phished. Essentially, all the data in these fraudulent applications was a mirror image of the real thing. There was one glaring difference, though: the fraudsters provided their own bank account information in place of the victim’s, so that when the relief funds were disbursed, they were funneled directly to the fraudsters.
Loan application fraud has varying levels of complexity, ranging from a sole practitioner with Photoshop to an international crime ring. In a normal credit environment, credit risk is the main determinant of funding, so many attacks aim to manipulate the lender’s risk scoring. For example, a common fraudster could be a small business owner who digitally edits his bank statements to increase apparent cash flow. More sophisticated fraudsters assume the identities of others when applying for loans. The most cunning attacks build fabricated identities in what’s known as synthetic fraud. But in the application for PPP loans and many other COVID-19 aid programs, credit risk is not taken into account, and risk scoring is a function of identity resolution alone. Fortunately, there are tools like bank APIs and document analysis technology that private lenders have been using for years to resolve identity with a high degree of accuracy.
Document and verify as the primary line of defense
The premise behind bank APIs for identity verification is that if a person has online credentials to a bank account, that person is almost certainly the legitimate account holder. US business lenders employ bank APIs at the bottom of the funnel, requiring merchants to link their bank account before disbursement of funds. The linkage serves multiple purposes. One, it validates header-level information about the bank account, such as the account holder’s name and address; in essence, identity verification. Two, it enables the lender to corroborate transactional data obtained via API against bank statements furnished earlier by the applicant, verifying the business’s cash flows. This latter point of cash flow validation provides additional resolution in credit scoring and identity prediction.
While bank APIs are an efficient solution for identity verification, they are only a partial solution, with fundamental points of friction. Technical reliability of the APIs is one issue, even in Europe where they are mandated by PSD2. More importantly, sentiment about privacy has proven to be the main roadblock to adoption. Many business owners (and consumers) simply do not feel comfortable sharing their bank account credentials with third-party service providers. With all the new warnings being issued by government agencies in the last three months, one would hope that consumer skepticism is higher than ever. The premise of bank APIs, furnishing sensitive credentials, goes against the grain of caution in today’s tense environment.
The proof is in the funnel metrics. When it comes to the requisite step of entering their bank passwords, lenders see too many applicants dropping out of the application funnel. For practical and arguably political reasons, we have yet to see bank APIs implemented at scale by governments for loan underwriting purposes. Nonetheless, bank APIs can be considered the best source of truth for bank data and have the potential to transform eligibility determinations for government-sponsored credit programs and private lenders alike. Indeed, private lenders like PayPal and OnDeck have demonstrated that bank APIs are best implemented as a two-pronged approach that combines data aggregation with flexible technology for loan document analysis, the latter being a more benign and attractive option for most borrowers. In tandem, these two technologies widen the origination funnel by catering to both digital natives, who are more comfortable with the likes of Plaid, and more typical applicants, who prefer to upload PDFs.
Compared to bank APIs, document collection and analysis is a more common and manageable approach to validating identity. Furnishing identity documents is simple; your main ID is literally in your pocket all day, and can even be uploaded via cell phone picture. While signing up for Coinbase, Chime, Airbnb or a host of other services, you may have gone through an onboarding process where you take a selfie while holding your driver’s license. The underlying technology from companies like Jumio and IDology offers smooth user experiences with multifaceted identity resolution that combines data captured from identity documents with database lookups, facial recognition and liveness detection. Using these fintech services, simple identity determinations can be made with confidence in just minutes. For lending decisions that require a greater level of KYC diligence, more tailored lending technology like Ocrolus provides flexible processing for any format of loan document.
While government-issued photo IDs are ubiquitous, other less common documents serve as de facto identity verification. Articles of incorporation and tax forms, for example, contain privileged information that would be difficult for malicious third parties to obtain. Whereas the German relief program did not leverage identity documentation for underwriting, the PPP required extensive documentation, such as incorporation and tax documents. By delegating the underwriting process to SBA lenders, and making them liable for their diligence process, the PPP piggybacked on lenders’ existing infrastructure for identity verification. Of course, not all identity verification technology is created equal, and there are material differences in speed, accuracy and applicant experience.
Since before the PPP program, the compound approach of validating data extracted from documents against permissioned data aggregation has been embraced by fintech lenders, who have achieved the best of both worlds in their private sector originations: flexibility of document collection and processing, and direct linkage with bank accounts. At the beginning of a loan application, document upload gives borrowers a familiar and nonthreatening way to provide financial data. Once approved for credit at the bottom of the funnel, borrowers find the prospect of account aggregation via Plaid more amenable. Whereas the primary step of document analysis used to take hours or days with manual processing, newer fintech solutions have reduced the turnaround time to a matter of minutes while providing increased accuracy with human-in-the-loop validation. The result is a frictionless borrower experience with reconciled credit model inputs.
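The compound approach described here, together with the three uses of a bank link described under "Document and verify" above (header-level identity, payout account against linked account, and cash-flow corroboration of an uploaded statement), as an added example in Python. This is not code from the article or from any lender or vendor it names; the application records, account holders, IBANs, transactions, field names and thresholds are all constructed for illustration. The third scenario mirrors the NRW pattern, where the application data is a phished copy of a real business but the linked account belongs to someone else.

```python
"""Added example: reconcile a loan application against permissioned bank data.
Not code from the article or any lender/vendor it names; every input below is
constructed, and field names, IBANs, names and thresholds are assumptions."""
from __future__ import annotations
import re
import unicodedata
from dataclasses import dataclass
from datetime import date, timedelta

LEGAL_FORMS = {"gmbh", "ug", "ag", "kg", "ohg", "llc", "inc", "ltd"}
UMLAUTS = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"})

@dataclass
class Txn:
    posted: date
    amount: float
    description: str

@dataclass
class Application:          # what document analysis extracts from the upload
    applicant_name: str     # legal name from the application / tax form
    payout_iban: str        # account the applicant asked to be paid into
    statement_txns: list[Txn]  # rows read from the uploaded bank statement

@dataclass
class LinkedAccount:        # what the bank API returns after the link step
    holder_name: str        # header-level data: account holder
    iban: str
    txns: list[Txn]

def normalize_name(name: str) -> set[str]:
    """Lower-case, transliterate umlauts, drop accents, punctuation and legal
    forms so 'Müller Bäckerei GmbH' and 'MUELLER BAECKEREI GMBH' compare equal."""
    s = name.lower().translate(UMLAUTS)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return {t for t in re.sub(r"[^a-z0-9 ]", " ", s).split() if t not in LEGAL_FORMS}

def name_match(applicant: str, holder: str, threshold: float = 0.6) -> bool:
    """Token Jaccard similarity; the threshold is an assumed tuning knob."""
    a, b = normalize_name(applicant), normalize_name(holder)
    return bool(a and b) and len(a & b) / len(a | b) >= threshold

def canon_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()

def reconcile_transactions(statement: list[Txn], api: list[Txn], day_tolerance: int = 2):
    """Match each statement row to an unused API transaction of the same amount
    posted within day_tolerance days (booking vs. value dates often differ).
    Returns (fraction of statement rows corroborated, rows left unmatched)."""
    unused, unmatched = list(api), []
    for row in statement:
        hit = next((u for u in unused if abs(u.amount - row.amount) < 0.005
                    and abs((u.posted - row.posted).days) <= day_tolerance), None)
        if hit is None:
            unmatched.append(row)
        else:
            unused.remove(hit)
    ratio = (len(statement) - len(unmatched)) / len(statement) if statement else 0.0
    return ratio, unmatched

def assess(app: Application, linked: LinkedAccount, min_ratio: float = 0.9) -> dict:
    """Header-level identity, payout account vs. linked account, and cash-flow
    corroboration, combined into one decision with reasons."""
    flags = []
    if not name_match(app.applicant_name, linked.holder_name):
        flags.append("holder_name_mismatch")
    if canon_iban(app.payout_iban) != canon_iban(linked.iban):
        flags.append("payout_account_not_linked")
    ratio, unmatched = reconcile_transactions(app.statement_txns, linked.txns)
    if ratio < min_ratio:
        flags.append("statement_not_corroborated")
    return {"approve": not flags, "flags": flags, "matched_ratio": round(ratio, 2),
            "unmatched": [t.description for t in unmatched]}

# --- constructed sample data (not real accounts or transactions) -------------
D = date(2020, 4, 1)
API_TXNS = [Txn(D, 1200.00, "Kunde A Rechnung 17"),
            Txn(D + timedelta(days=3), -480.50, "Miete April"),
            Txn(D + timedelta(days=7), 2300.00, "Kunde B Rechnung 18"),
            Txn(D + timedelta(days=9), -99.90, "Telefon")]
# The uploaded statement shows the same items, booked one day later.
STATEMENT = [Txn(t.posted + timedelta(days=1), t.amount, t.description) for t in API_TXNS]
VICTIM_ACCOUNT = LinkedAccount("MUELLER BAECKEREI GMBH", "DE89 3704 0044 0532 0130 00", API_TXNS)
HONEST = Application("Müller Bäckerei GmbH", "DE89370400440532013000", STATEMENT)
# NRW pattern: the victim's application data, but the account that gets linked
# and paid belongs to someone else.
OTHER_ACCOUNT = LinkedAccount("Klaus Schmidt", "DE02 1203 0000 0000 2020 51",
                              [Txn(D, 50.00, "Bar"), Txn(D + timedelta(days=5), -19.99, "Abo")])
DIVERTED = Application("Müller Bäckerei GmbH", "DE02120300000000202051", STATEMENT)
# Edited statement: one extra deposit the bank never saw.
INFLATED = Application("Müller Bäckerei GmbH", "DE89370400440532013000",
                       STATEMENT + [Txn(D + timedelta(days=12), 5000.00, "Kunde C Rechnung 19")])

if __name__ == "__main__":
    for label, app, acct in [("honest", HONEST, VICTIM_ACCOUNT),
                             ("diverted", DIVERTED, OTHER_ACCOUNT),
                             ("inflated", INFLATED, VICTIM_ACCOUNT)]:
        print(label, assess(app, acct))
```

The honest application passes all three checks; the diverted one is stopped by the holder-name check before the payout-account check even matters, and its statement finds no corroboration in the linked account's history; the inflated statement reconciles at 80%, below the assumed 90% floor, and the unmatched row names the suspect deposit for a human reviewer. In production the name and amount tolerances would be tuned per market, and the IBAN comparison would be paired with a checksum and bank-identifier lookup rather than string equality alone.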
Cases like the NRW fraud serve as a warning signal that fraudsters will take every opportunity to exploit weaknesses in underwriting. On one hand, the attack came during unprecedented circumstances, as the German government had relaxed underwriting standards and not collected identity documents. On the other hand, the actual vector of fraud, phishing identity information to use in fraudulent loan applications, is all too common. These attacks are difficult to prevent and will continue to occur as long as lenders are providing fast online access to capital.
When it comes to volatile spikes in origination opportunities, it can be tempting for lenders to lighten their diligence to fund more deals. But as identity verification technology has grown increasingly accessible and accurate for companies in financial services, originators should focus on streamlining their diligence processes rather than cutting corners. Lenders need to validate and reconcile multiple sources of bank data to counter bad debt and fund confidently. Whether they are originating money through the PPP, or funding under more normal circumstances, lenders can minimize fraud by implementing fintech solutions for bank aggregation and document analysis.