Fear can be a powerful motivator, especially where payments fraud is concerned.
While financial institutions have a healthy fear of high-profile fraud vectors like business email compromise and authorized push payments fraud, they may not have developed it around a new source of concern: instant account funding fraud. And with the Consumer Financial Protection Bureau (CFPB) essentially mandating consumer financial data portability in its final Rule 1033 issued Tuesday (Oct. 22) account opening is very much in the news, and for good reason.
Technology has raised expectations for speed, and consumers and businesses expect to open an account — especially a FinTech account — within five minutes, whether it’s through ACH, check or cards. The problem is that fraudsters can get the money out of the account as fast as it goes in. The five-minute rule goes both ways. If consumers are going to be more comfortable moving between accounts and more incentivized to open new ones, account opening fraud has moved from the periphery to front and center.
“I would say a vast majority of fraud occurs instantly,” Soups Ranjan, CEO of fraud detection and defense platform Sardine, told Karen Webster in an interview. “The money settles instantly, and a fraudster can withdraw it instantly as well. The same value prop that faster payment methods have for a consumer to fund their account instantly is actually a great value prop for fraudsters as well.”
Ingo Payments has formed a new partnership with Sardine to combine data sources and technology to detect and fight against account opening funding fraud. But before you understand the partnership and its methodology, it’s important to understand how account opening funding fraud works and why it should inspire a healthy fear factor.
Instant account funding fraud exploits the speed and convenience expectations created by instant access to deposits, Ranjan said. Fraudsters use stolen identities or synthetic IDs to open new accounts, especially at neobanks. Within seconds, these criminals can transfer money from compromised accounts at one bank to newly created accounts at another, often cycling through multiple institutions to obfuscate the money trail.
The irrevocability of these transactions, combined with the near-instantaneous settlement, leaves banks with about a 10-second window to detect and prevent fraudulent activity. Within as little as five minutes, the account can be opened and emptied, and the issuer is left holding the bag.
This narrow timeframe poses a formidable challenge for traditional fraud detection systems and is motivating companies like Ingo and Sardine to form partnerships leveraging artificial intelligence and machine learning to analyze data and identify suspicious patterns in milliseconds.
It’s also important to understand the math. According to the New York Federal Reserve, 200 million new accounts were opened in the United States over the past 12 months. At the same time, up to 2.9 billion consumer records were pinched as part of the National Public Data breach, and 145 million found their way to the dark web as part of the Change Healthcare breach. Once on the dark web, fraudsters can buy credit card credentials with a $3,500 balance for about $140.
Ingo CEO Drew Edwards likened the account funding transaction issue to a “bloodbath.”
“This is such a critical problem because if you’re a new account issuer and you’re trying to fund a new account, there’s really good, honest people trying to do business with you, and they need to fund that account, or they move on to other places,” he said. “Then the bad guys in that same five minutes force them to restrict [fund] availability [even with] a fast digital opening experience. You need to be able to open the account and fund it safely immediately. And that’s what we’re solving for here. Now they have a safety net.”
Combining Ingo and Sardine’s datasets and behavioral science approaches to flagging fraud creates a formidable hedge against instant account opening fraud, Edwards said, enabling Ingo to expand instant account opening guarantees beyond checks to cards and ACH payments.
Sardine’s platform works like a vigilant digital detective, constantly monitoring user behavior and device information to catch potential fraudsters in the act, Ranjan said. When someone interacts with a company’s website or app, Sardine’s technology observes thousands of subtle clues, such as how fast they type, how they move their mouse, and even the specific device they’re using.
Sardine can spot red flags that might indicate fraud, such as unusual typing patterns, mismatched location information, or the use of tools designed to hide a user’s true identity. This comprehensive approach helps companies prevent various types of fraud, from fake account creation to unauthorized transactions, all without disrupting the experience for legitimate customers, he said.
Sardine works with more than 300 financial institutions and eCommerce marketplace platforms globally. It has a consortium of about 2 billion devices and about 160 million customer profiles tied to those devices, he said.
“We like to say that there’s never a single silver bullet,” Ranjan said. “So, you have to have a variety of signals. However, what we at Sardine have found is that some of the best signals, which are indicators of fraud as well as authorized push payment scams, are actually device and behavior signals, which is what Sardine specializes in. We capture a lot of intrinsic features, which fraudsters may not be aware of, that are being collected, like how you type, swipe, scroll, move the mouse, hold the phone, and all these signals are highly indicative of fraud.”
Edwards said he believes “honest fraud” has a place in the conversation.
“It’s not always an artificial person or an artificial thing,” he told Webster. “And that’s where Sardine has innovative methods to help detect the difference. But oftentimes people can behave badly, especially when the economy’s bad or when they’re desperate. And when you give them an instrument [like a check] that opens the door for them to game the system, that gets lumped into fraud because it’s still a loss. That’s where we have the advantage, especially for platforms that think that because they have KYC’d [know your customer] a customer, they’ll never be defrauded by them.”
Ranjan and Edwards said the partnership creates the efficiency of an all-in-one guaranteed account funding transfer for every type of inbound deposit, as well as economies of scale, improved economics and certainty for banks and nonbanks that want to offer customers a better account opening experience without the “gone in five minutes” fear factor.
They also offered advice on how to think differently about fraud and fraudster behavior when it comes to account opening.
“It’s important to realize there’s always a fraud risk on every transaction as you’re funding them,” Edwards said. “Either way, the fraud doesn’t go away on the third transaction or the fourth transaction. [But] some of the biggest losses we’ve ever taken at Ingo have come from people we thought we knew who set us up over a series of good transactions. So, you need to be very careful thinking [fraud prevention] is just about a first transaction scenario.”