When it comes to mortgages, fraudsters have shown incredible creativity over the years. Consider the advent of ‘air loans,’ in which a fraud artist uses purely fictional borrowers and loan transactions to receive loan proceeds. In these wholly fabricated schemes, fraudsters may even create phony offices representing escrow or title companies to continue benefiting from false customer accounts.
Regarded as the ultimate mortgage con, air loans are an extreme form of misrepresentation. Many of the common frauds identified by the Federal Bureau of Investigation (FBI) game the system by making use of false or doctored identity information. In fact, according to the FBI, every mortgage fraud contains some type of ‘material misstatement, misrepresentation, or omission relating to the property or potential mortgage.’
In a straw buyer scheme, for example, a borrower's true identity is concealed by using the name and credit history of a nominee. In a stolen identity scheme, identifying information is used without the true person's knowledge.Â
Such schemes have helped contribute to a near quadrupling of dollar losses reported due to mortgage fraud, from $225 million in 2003 to $946 million in 2006, according to the FBI). And these are not small-time ruses. More than half of the cases represent estimated losses of more than $1 million.
Given the rampant use of false identity information in mortgage theft, it is not surprising that one of the best anti-fraud practices is to know the customers with whom you are doing business. This not only makes good business sense, but also dovetails well with official Know Your Customer (KYC) requirements.
Putting KYC to work
With passage of the USA Patriot Act in 2001, regulators have pressed financial institutions to strengthen their KYC policies. As regulators have interpreted the law over the years, a baseline guide of the elements considered essential to a well-designed KYC program has emerged:
- Establish baseline customer requirements: First, before any interactions with customers ever occur, financial institutions should develop policies dictating which customers they will accept and which they won't, based on predefined risk levels.
- Develop a comprehensive identity verification program: In addition, a program to verify customer identities is needed. This step includes checking names against a watch list of known terrorists and making reasonable efforts to ensure customers are in fact who they say they are.
- Assign red flags to identify suspicious behavior: A good KYC program also sets definitions of how a customer is expected to interact with the financial institution, assigns a risk level to that activity and periodically checks against those expectations. Some method should be instituted to flag irregular or suspicious activity.
- Conduct internal training and perform audits regularly: Finally, ongoing training and regular audits are essential to an adequate KYC program to ensure understanding of and adherence to your organization's standards, as well as uncover any inconsistencies or red flags.
A surprising lesson learned from the subprime meltdown only now being realized is that in the rush to originate mortgages, home equity loans and issue credit cards to subprime borrowers, many lenders made themselves highly vulnerable to fraud by forsaking best practices during underwriting.
These loose lending practices included failure to properly document an applicant's income level; verify an applicant's identity and credentials; or uncover the risk associations of mortgage professionals such as originators, real estate brokers, appraisers and real estate attorneys involved in the loan transaction. Most documented fraud involved collusion or collaboration amongst loan transaction parties, which also included employees responsible for qualifying the information provided by applicants to support the funding decision process.
Part of the failure to fully verify income grew out of the popularity of a loan product called the stated income loan, which does not require the applicant to produce W-2s or 1099s, pay stubs or tax returns. Instead, the applicant only needs to state his or her income, and in some instances show cash reserves equivalent to one monthly mortgage payment. The requirements vary for different lenders, however the lack of typical documentation is a common denominator throughout.
Stated income loans were created to help less traditional borrowers qualify for a loan. This included borrowers such as: the self-employed; consumers with income earned from investments or rental properties; service industry employees who earn a large portion of their income from tips; and retirees. There is difficulty verifying an annual average income for each of these borrowers.
The lack of required documentation creates an opening for fraudsters to falsify their stated income, earning such loans the nickname ‘liar loans.’
In other instances, loan officers relied heavily on an applicant's credit score, which can be manipulated through a process referred to as ‘piggybacking.’ Piggybacking is a process in which a consumer with very good credit is compensated for being added to an applicant's credit card account. This process can raise credit scores by as much as 100 points in a few months, resulting in an artificial portrait of the applicant's credit history.
A recent study by credit rating agency Fitch Ratings found that of the loans it examined with average FICO credit scores of 680, 16 percent involved the piggybacking ruse. Documenting an applicant's income and increased scrutiny of an applicant's credit report for the recent addition of authorized users who are not also family members can help thwart artificial credit manipulation attempts.
It is also good practice for loan officers and underwriters to act with more vigilance when verifying the identity of the applicant. The two methods of falsifying identities, as cited in the Financial Crimes Enforcement Network's (FinCEN's) update to its November 2006 mortgage loan fraud assessment, are identity theft and identity fraud.
There are multiple resources lenders can access to verify the personal information provided by an applicant to help deter fraudulent misuse of an identity. In addition, institutions can put processes in place to check for patterns that may be indicative of potential collusion between customers and employees or third-party vendors.
Collusion, which is defined as an agreement between two or more parties to secretly work together to deceive, mislead or defraud others, is costly. In its most recent edition of ‘Financial Crimes Report to the Public,’ the FBI described cases in which mortgage professionals colluded to expose financial institutions to losses of tens of millions and even hundreds of millions of dollars. When industry professionals collude to defraud others, the potential damage they can wreak is far greater than what one individual could accomplish alone.
Fraud perpetrated by insiders has become very prevalent in the mortgage industry and is where law enforcement agencies such as the FBI are now focusing their efforts to help deter further fraud. Not only is this type of fraud more difficult to detect, but it also accounts for 80 percent of all reported mortgage fraud losses, which reached $946 million in 2006, up almost four times from $225 million in 2003.
At its core, a cost-effective, automated identity verification system uses publicly available databases to ensure that verifiable personal information provided by customers on their applications can be validated. The system would check, for example, if the name and address provided match public records. It also would check that a name matches the appropriate Social Security number, or detect if a name is associated with multiple numbers. A robust identity verification system should also provide access to other relevant databases, such as a national criminal file or bankruptcy filings.
Based on the results of the checks, an identity verification system should be able to produce easily understood reports that clearly indicate whether an individual or company should be considered a high, moderate or low risk of involvement in fraudulent activity. Further, the system should be flexible enough to let institutions determine their own risk parameters. Such configurability is important to enable institutions to adhere to their predefined KYC policies.Â
Identity verification systems should include effective management tools, or institutions may find themselves inundated with more work than they expected. A system running on all cylinders may produce an excessive number of red flags, draining resources as employees go to work investigating each one. The best identity verification systems incorporate sophisticated algorithms, as well as management tools, aimed at reducing the number of false positives.
While identity verification systems help to weed out fraudsters during mortgage originations, identity verification is typically done much further into the process. Once a customer relationship is established, there must be systems in place for continued evaluation of a customer's information. Throughout the loan process, circumstances may change and could materially affect the decisioning process. Authentication systems are valuable tools for maintaining a pulse on risk exposure during the loan process and over the life of the loan.
With the Internet and telephone becoming more mainstream channels for banking transactions, regulators have been pressing institutions to comply with new multi-factor authentication guidelines. These guidelines dictate the use of two or more identifiers to ensure customers are who they say they are. Under the new guidelines, simply asking customers to supply a user name and password is no longer considered effective.
As a result of widespread implementation of multi-factor authentication, certain types of fraud have been reduced by an estimated 30% to 40% in the online banking channel, lending validation to the benefits of this multi-pronged approach.
Authentication systems must strike the right balance between ease of use and effectiveness.
Overly cumbersome or expensive methods of authentication may either create customer dissatisfaction or be too cost-prohibitive to offer. Widely accepted methods of customer authentication include knowledge-based questions such as confirmation of a previous address or telephone number. These questions, culled from publicly available databases, are designed to thwart identity thieves who may have access to information typically stored in a wallet or purse.
In addition to KYC, other governmental regulations (OFAC, Identity Theft Red Flag Rules, etc.) are putting a greater onus on financial institutions to do a better job at knowing more about the consumers with whom they do business. As regulations are unlikely to become less stringent or decrease in number, it is critical for financial institutions to implement the proper identity risk management policies and procedures to both remain compliant and prevent undue risk or loss.
With thorough due diligence, information vetting and adherence to best practices, lenders can stay one step ahead of con artists who continue to pursue ever-evolving opportunities for fraud.
Denise James is the director of product marketing for ChoicePoint Financial and Mortgage Services and the Mortgage Asset Research Institute. She can be reached at Denise.James@choicepoint.com.