Synthetic Identity Fraud Risk Assessment is a key component of your Enterprise Risk Management risk assessment. Identity theft is not new. In fact, is as old as checks being stolen from a mailbox to apply for credit using the victim’s name or to make purchases using the checks. When conducting an Enterprise Risk Management Risk Assessment, ensure to include this new risk category that I call “Customer and Synthetic Identity Fraud.”

The Federal Reserve formally defines Synthetic Identity Fraud as the use of a combination of personally identifiable information (PII) (Off-site) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain. There are two primary ways your institution could be dealing with Customer Risk:

• Identity Theft: Someone stole another person’s identity.
• Fraudulent Entities: A company is completely fraudulent and conducts business as if they were legitimate.

In the most common way of identity theft, your institution provides banking services such as depository accounts or loans to persons who stole someone else’s identity. They use the Personal Identifiable Information (PII) to open accounts and apply for loans.

Dealing with fraudulent entities is a different matter and they are harder to identify as such. They establish the entire scheme from beginning to end. They organize a company, hire real employees, create fictitious sales and produce Accounts Receivable records—including legitimate invoices. They even pay bills just like any other legitimate company—except it’s all fake. Some employees have no idea they are working for a fictitious organization until the Feds show up at their doors after years of investigation.

Protecting Your Institution from Synthetic Identity Fraud/Customer Risk

So, how does your institution protect itself from these two types of Customer Risk? Below are some questions you should include in your Risk Assessment when assessing “Customer Risk:”

• What other risks are impacted when Customer Risk occurs in your institution? Typically, you may have reputational risk as well as earnings, regulatory, and legal risk.
• What mitigating factors do you have in place? Mitigating factors can be your software solutions to automate the CIP processes.
• Is your BSA Program strong and include robust CIP, KYC, OFAC checks, CDD, and EDD (see key below)? Your BSA Program must include all these elements.
• Do you have an ongoing training program for your employees and how often do you train them? Without the appropriate and timely ongoing training your employees will miss important cues to identify and prevent fraud.
• Do you offer training for your customers? Regulators are increasingly asking institutions to provide some type of identity theft training for your customers.
• Are dual controls and segregation of duties in place for new deposit and loan accounts? For example, one employee opens the account, a second employee makes the deposit, and a third person reviews the core system’s Daily Activity Log?
• Have you implemented a BSA Fraud Software to automate the process? Automation is the trend to avoid the intensive manual monitoring and reporting processes.
• Are procedures in place to monitor kiting suspect activities and filing SARs and CTRs on potential AML activities?
• Do you monitor daily overdrafts regardless of the amount, high risk customers, and mobile banking deposit activity?
• Are monitoring systems in place to alert your employees of potential fraudulent transactions in your customers’ accounts?

As mentioned above, the Synthetic Identity Fraud Risk Assessment is a key component of your Enterprise Risk Management risk assessment. I hope these questions will help you complete a Customer/Synthetic Identity Fraud Risk Assessment. If you need help conducting this type of risk assessment, feel free to reach out to us.

Below is a key to all the acronyms used above for your reference:

• BSA = Bank Secrecy Act
• CIP = Customer Identification Program
• OFAC = Office of Foreign Assets Control
• AML = Anti-Money Laundering
• KYC = Know Your Customer
• CDD = Customer Due Diligence
• EDD = Enhanced Due Diligence
• SAR = Suspicious Activity Report
• CTR = Currency Transaction Report

Enterprise Risk Management (ERM) is a cycle that your financial institution must continue to work on regularly. Below are the three ongoing phases of Enterprise Risk Management:

1. Identifying and Assessing Risk
2. Mitigating and Eliminating Risk
3. Monitoring and Reporting Risk

Let’s go through the cycle by describing what each phase entails.

Identifying and Assessing Risk

The first phase of the three ongoing phases of Enterprise Risk Management is to identify and assess risk. There are 8-14 risk categories that you must identify first and then assess to see if they impact your institution. The OCC refers to eight risk categories: Credit, Interest Rate, Liquidity, Price, Operations/Technology, Compliance, Strategic, and Reputation. I like to assess seven additional risk categories: Technology (separate from Operational risk), HR, Legal, Earnings, Capital, and Model risk.

Risk Assessments: Use risk assessments as the tool to identify and assess how these types of risks affect your financial institution. We developed the ERM Risk Assessment Template to assess these risk categories. If you would like a free copy of the template, please contact us and let us know you would like the ERM Risk Assessment Template.

Unique Risks: During Phase I you identify individual risks that are unique to your institution. For example:

• Relationship Concentration. You need to assess how critical certain loan and deposit account holder relationships are if you were to lose them. How would losing them impact your balance sheet and thus your income?
• Portfolio Concentration. You need to assess if you have a concentration by type of loans such as Commercial Real Estate, Construction, or Commercial and Industrial (C&I) loans in your portfolio. Some rural institutions may have their biggest concentration on agricultural (or “Ag”) loans because there are less opportunities for other types of loans in their market. These institutions must assess their risk if major Ag loans default and perform a stress testing on this portfolio.
• Succession Planning. Your institution may be at a higher risk if the current CEO is an owner who is also Chairman of the institution. This presents a significant risk to your institution and you need to have an emergency succession plan as well as a longer-term plan. How about the rest of your senior leadership team? Do you have succession plans in place for those positions and other key individuals in your organization?
• Geographic area. Your institution may be located in a rural area where population is declining, and you are losing business consistently due to residents and businesses moving away.

Categorize Risks: As you conduct the ERM risk assessment, you also categorize the risks identified from four perspectives using a number scale of Low to High:

• Criticality: How critical is this particular asset or process to the everyday operation of your organization?
• Confidentiality: Refers to what type of data that particular asset (or vendor) has access to sensitive information.
• Impact and Probability/Likelihood: What is the impact that this particular risk category you’re assessing would have in your institution if it were to occur? What is the likelihood of this type of risk happening at your institution at the time you’re conducting the risk assessment?
• Vulnerability and Speed of Onset: How vulnerable is your institution as of the date you’re assessing the risk category? Lastly, how fast could this risk spread once it’s triggered?

Mitigating and Eliminating Risk

The second phase of the three ongoing phases of Enterprise Risk Management is to mitigate and possibly eliminate the risks identified in phase I. During Phase II, you:

• Determine the steps your institution will take or tools used to mitigate the risks identified in Phase I.
• Determine how your institution can eliminate certain risks, if possible.
• Ensure your institution is comfortable with the residual risk which is the risk remaining after you have implemented all the mitigating factors to the inherent risk.
• Establish policies, processes, and procedures (also systems and outsourced expertise) to mitigate and eliminate risks.

Monitoring and Reporting Risk

Lastly, the third phase of the three ongoing phases of Enterprise Risk Management is to monitor and report on the activities you established to mitigate the risks identified. During Phase III, you:

• Conduct ongoing monitoring of risks identified that are being mitigated.
• Establish accountability across the board so no one person is responsible for implementing all the mitigating tools. This is a team effort.
• Ensure policies, procedures, and systems in place are being followed AND are working (measuring) as you purposed.
• Establish ongoing reporting of risks and status to the Board of Directors at least quarterly.
• Provide results from monitoring efforts to leadership and Board of Directors. These reports are what auditors and examiners will look at during audits and safety and soundness exams.
• Directors learn about risks, get updates, understand their liability.
• Use tools such as “heat maps” to help you report on results.

The goal is to transition from a “reactive” stage where there is no ERM Program in place nor support from the top, to a “aware” stage where you are implementing your ERM Program, to finally a “strategic” stage where you have a formal ERM Program in place. These three phases should take place on an ongoing basis so your institution remains on the strategic stage of the ERM Program.