By Lukayn Hunsicker, BAE Systems Global Head of Banking Fraud Solutions
Covid-19 is unlike anything the world has ever experienced: a global healthcare and financial crisis rolled into one. Unlike the last financial crisis, the banking sector is not to blame for the impending worldwide recession. But it will play a vital role in helping to mitigate its worst effects. Financial institutions will be under intense scrutiny, as the gatekeepers of much-needed government business loans designed to prop up national economies.
This money is vital to minimise the economic fallout of the pandemic, including large-scale job losses. But banks also have a responsibility, to their shareholders and the taxpayers who will ultimately foot the bill for mistakes, to ensure only those deserving have their loan applications approved. This is why it’s important to understand the major fraud types likely to emerge over the coming months, and what can be done to minimise risk.
Around the world, governments are spending big to take the economic sting out of the current crisis. In the US, the CARES Act released around $2 trillion: the biggest rescue package the country has ever seen. This includes hundreds of billions dedicated so far to the Paycheck Protection Program (PPP), which provides loans of up to $10 million for eligible recipients, and the Economic Injury Disaster Loan, which offers up to $10,000 per business. Both schemes are meant to be limited to companies of under 500 employees.
In the UK, there are several initiatives, including the Coronavirus Business Interruption Loan Scheme (CBILS) which helps SMEs access loans of up to £5 million, and the Bounce Back Loan Scheme (BBLS) which offers sums of £2000 to £50,000. Across Europe and elsewhere similar schemes are in place.
Ones to watch
It’s essential that money finds its way from governments to businesses, especially SMEs that comprise the majority of private sector companies, employees and turnover in many countries. But banks also need to ensure these funds don’t find their way into the wrong hands. There have already been warnings of mass fraud attempts, with the US Justice Department launching a preliminary enquiry. Two New England businessmen were recently charged after allegedly applying for over $500,000 in loans for businesses that weren’t operating prior to the start of the pandemic and had no salaried employees.
The latter case sounds like classic shell company fraud, where firms are created with the sole purpose of obtaining SMB loans. However, there are several other typical fraud types. Another involves business owners inflating the number of employees and the value of their salaries in order to extract more money. They could also lie about criminal records, fail to disclose liabilities or debts, alter tax returns and engage in other fraudulent activity to secure the all-important loans.
Another class of fraud banks should be watching out for in these times is carried out by professional fraudsters rather than business owners. They could use phishing emails to harvest credentials and hijack business bank accounts in order to siphon funds away from the intended recipient. Or they may impersonate a legitimate business in loan applications, using forged documents with changed bank account details. There are also risks associated with shady loan agents enlisted by SME owners to apply for handouts on their behalf. They may be complicit in fraud attempted by the business owner, charge excessive fees, or else try to siphon some of the funds to their own business.
Unfortunately, traditional fraud filters may not be set-up to deal with the potential surge in scam applications. But there are things financial institutions can do if they take a more collaborative approach. Perhaps the best place to start is by reaching out to any government-level contacts for additional intelligence. This is arguable easier done in Europe than the US, where state and federal government siloes may cause extra delays. Things like employee count lists are not normally shared with banks, but datasets like this can go a long way to improving visibility into potential loan applicants. Now may be the time to reset some of those essential baseline profiles on which fraud models are built.
Reach out also to fintech or fraud prevention players which specialize in delivering intelligence feeds that profile what “normal” looks like, so you can better spot suspicious activity. Link analysis capabilities, meanwhile, are useful in helping to join the dots between malicious activity, to uncover and predict future fraud.
Collaboration is also important inside the organisation. Risk and compliance should be working closely with IT security so that any early warning signs of malicious behaviour are spotted and shared. The key here is to automate without losing accuracy or auditability. That means any workflow capability must be able to handle the huge volume of applications pouring in, and risk-based decisioning tools should be transparent in explaining why individual applications are rejected. A final factor to consider is what your regulatory SLAs are. Is your board taking a calculated risk in approving some loans, and is this acceptable to the organisation?
There’s plenty here to keep banking executives awake at night. But by reaching out to tap industry expertise and third-party data stores, there’s much that can be done to manage fraud risk down to acceptable levels.