In June 2020, the US Social Security Administration (SSA) launched their electronic consent-based verification service (eCBSV). The eCBSV is an electronic service that offers registered members, such as banks, the ability to confirm the social security number of their customers, with the customer's consent.
Why is the eCBSV needed?
The USA has been suffering from a pandemic of synthetic identity fraud. Synthetic identity fraud happens when fraudsters use a combination of real and fabricated information to create identities of people that don’t exist. They then go on to use those identities to open accounts fraudulently. According to a report by analyst firm Gartner, synthetic identity fraud could account for as much as 40% of write-offs for financial institutions in 2021.
Although the issue of synthetic identity fraud is global, the USA has proven to be particularly susceptible. Much of this hinges on the fact that our social security numbers are the foundational element of our identities and the verification checks that can be carried out on them are limited. In other countries where there are national identity schemes or where establishing an identity is based on more provable elements such as documented and verifiable date of birth and name, it is more difficult to build these networks of fraudulent identities.
Social security numbers have experienced severe scope creep since they were introduced to manage citizens' use of the social security program back in 1936. Today, they have morphed into the de facto national identification number even though that is not how they were intended to be used, and certainly not in a digital world.
2011 saw possibly one of the most important factors in the use of SSNs to create synthetic identities: the randomization of social security numbers. This was done to expand the total number of available SSNs that can be issued; about 5.5 million SSNs are issued per year and they are never re-used. To do this, the SSA removed the rules that determined how an SSN is created, effectively removing the connection of certain digits to a geographical location and stopping the issuing of new numbers consecutively. The unintended consequence is that it is no longer possible to validate those data elements. It also means that financial institutions can’t tell if an SSN belongs to a minor.
The SSA realized that enabling financial services providers to confirm the ownership of social security numbers would help tackle synthetic identity fraud and in 2020 they launched the eCBSV to allow them to do this.
How does the eCBSV work?
Permitted entities such as the major banks are invited to become registered members. The members pay a subscription fee. Then, with the consent of their customer, they can use the eCBSV to check the name and date of birth associated with a social security number. It is a welcome step towards managing the issue of synthetic identities, but it cannot provide the entire answer.
Those that use it must weigh up the potential benefits against the downsides. Asking customers for their consent and then carrying out the check adds friction to the application process, particularly as this is currently not a 24/7 service: it’s unavailable for periods overnight or on some weekends.
Banks know that adding friction consistently leads to increased rates of application abandonment. What do you do if a customer doesn’t give consent? You could immediately decline the account, but that might lead to unacceptable loss of business so you might need to make more complex decisions. For example, rather than decline, be more conservative in the credit you offer or flag the account for further scrutiny on an ongoing basis.
The check is, by necessity, somewhat limited. For example, it checks on name and DOB, but for data security reasons it only returns a pass or fail. Legitimate names have a lot of variation, so an automatic decline based on a failed name check can create false positives.
The creation of a fake identity often begins at another organization, for instance at a telco. These organizations are not currently able to use the eCBSV, so sometimes, by the time a bank sees a synthetic identity, it is already well established, and enforcing an eCBSV check may seem like the wrong thing to do given that the customer appears to be legitimate.
Lastly, even for banks and financial services organizations, this service is only available for new customers, and many of these synthetic identities are already established and in account portfolios.
The current eCBSV is a new service and the SSA have ambitious plans to further develop it. While it gives financial institutions a major boost in their ability to fight synthetic identity fraud, they cannot and should not look to the SSA to completely solve the issue of synthetic identity fraud. As I discuss in my recent podcast ‘Synthetic Identities – Latest Insights on a Real Fraud Problem,’ there is much that financial institutions and other organizations such as telcos can do to protect themselves and play their part in ending the scourge of synthetic identity fraud.