Stopping Tax Refund Fraud in Its Tracks (June 2013)
Strong customer authentication and account monitoring are keys to preventing tax refund/benefits fraud on prepaid cards.
By Loraine DeBonis, Editor-in-Chief
As identity theft increases in the digital age, fraud perpetrated with stolen identities has risen dramatically. And, tax refunds have become a target for fraudsters. Tax-related identity theft jumped more than 650 percent between 2008 and 2012, according to the IRS Taxpayer Advocate, and proceeds from the crime often are transferred to bank accounts or prepaid cards. Last year, there were 1.8 million incidents of identity theft and fraudulent refunds, and in fiscal year 2012, the IRS initiated approximately 900 identity theft-related criminal investigations, tripling the number of investigations initiated in FY 2011.
To combat this growing threat—as well as government benefits load fraud—many providers in the prepaid industry are using enhanced authentication methods and account monitoring to reduce the likelihood that their cards will be used in this type of fraud.
“The fraudsters have become quite knowledgeable of the Customer Identification Program (CIP),” says John Dancu, CEO of identity-verification company IDology. “This is a huge problem because it impacts costs and revenue through the entire process—banks, program managers and processors.” Providers should focus on CIP as well as other tools to stop the fraud upfront, he says. “Adding deterrents in the beginning tends to discourage the fraudsters and they end up giving up and going elsewhere.”
Much of the GPR fraud begins with a stolen identity being used to open a prepaid card; therefore, a robust CIP program should be your first line of defense to mitigate fraud, according to John Morton, chief risk officer for Green Dot and chair of the Network Branded Prepaid Card Association’s Prepaid Anti-Fraud Forum. In a conference presentation earlier this year, Morton recommended enhanced verification processes, such as out-of-wallet questions for higher risk activations/transactions or even all activations. Out-of-wallet questions are things a consumer would know but a fraudster—even one who’s stolen your identity—would not. For example, questions include what kind of car did you buy five years ago or what county did you live in.
“We’ve put much tighter CIP standards and fraud metrics in place,” explains Debra Geister, senior vice president, financial intelligence unit at Meta Payment Systems. The bank, one of the largest prepaid issuers, has examined patterns associated with tax fraud and identified some key signs that something is amiss during the application process or when a refund is on its way to an account.
“One of the [fraud] patterns we found is refunds for consumers born before 1934, especially if the refund amounts are significantly higher than in the past,” Geister explains. “Or, if someone has always lived in the state of Vermont and all of the sudden we see a Texas address, a red flag goes up and we’ll look into it before enabling the funds transfer.”
Other red flags include younger refund recipients, such as kids or teenagers, or a refund or benefit payment for a Social Security number that doesn’t match the one collected during the CIP process.
Mercedes Tunstall, a partner in the Washington, D.C., office of Ballard Spahr LLP, suggests setting up system controls to flag such mismatches. “This approach should work for most federal government benefits programs and tax refunds since those reference a taxpayer’s Social Security number,” she explains. “However, this approach may not work for benefits at the state level that do not connect a Social Security number to the transfer.”
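The red flags Geister and Tunstall describe can be written as load-time screening rules. The following is an added example, not Meta's or any issuer's system; the record fields, the flag names, the 2x multiplier standing in for "significantly higher," and the under-18 cutoff are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed thresholds (not from the article).
HIGHER_THAN_PAST_FACTOR = 2.0
MINOR_AGE = 18


@dataclass
class CipRecord:
    """Identity data collected at activation (hypothetical schema)."""
    ssn: str
    date_of_birth: date
    state_history: List[str]  # states of residence on file


@dataclass
class IncomingLoad:
    """A refund or benefit payment headed for the card (hypothetical schema)."""
    ssn: Optional[str]  # None when the transfer carries no SSN
    amount: float
    address_state: str
    received: date


def screen_load(cip, load, prior_refunds):
    """Return the red flags raised by one incoming load (empty list = none)."""
    flags = []
    if load.ssn is None:
        # Some state benefits carry no SSN: nothing to match, so audit instead.
        flags.append("no_ssn_on_transfer_audit")
    elif load.ssn != cip.ssn:
        flags.append("ssn_mismatch_with_cip")

    dob = cip.date_of_birth
    if dob.year < 1934:
        usual = max(prior_refunds, default=0.0)
        spike = usual > 0 and load.amount > HIGHER_THAN_PAST_FACTOR * usual
        flags.append("born_before_1934_refund_spike" if spike else "born_before_1934")
    had_birthday = (load.received.month, load.received.day) >= (dob.month, dob.day)
    if load.received.year - dob.year - (0 if had_birthday else 1) < MINOR_AGE:
        flags.append("minor_recipient")

    # Every address on file is in one state, and the load names a different one.
    if len(set(cip.state_history)) == 1 and load.address_state not in cip.state_history:
        flags.append("sudden_state_change")
    return flags


# Constructed sample: Vermont-only history, load arrives with a Texas address.
SAMPLE_CIP = CipRecord("000-00-0001", date(1930, 5, 1), ["VT", "VT"])
SAMPLE_LOAD = IncomingLoad("000-00-0002", 9000.0, "TX", date(2013, 3, 1))
SAMPLE_FLAGS = screen_load(SAMPLE_CIP, SAMPLE_LOAD, [1200.0, 1500.0])
```

Any non-empty result would hold the transfer for review before the funds are enabled.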
Watching for Red Flags
In its Prepaid Card Fraud Leading Practices, the Network Branded Prepaid Card Association (NBPCA) recommends that prepaid providers develop red flags for identity theft. The nonprofit industry group says, “It’s necessary to use third-party verification services that provide high-risk response codes to assist in alerting program managers and issuers, and prompt for additional research.” Examples of red flags include: Social Security number invalid or never issued, belonging to a deceased person, issued prior to date of birth, associated with multiple people; phone number is a pager or invalid; address is mail forwarding, mail drop, commercial or prison address.
Specifically related to tax fraud the NBPCA recommends:
NBPCA members can view the full document here.
If the benefits transfer does not carry a Social Security number with it, Tunstall recommends that “issuers and program managers audit such benefit transfers and watch that account for future suspicious activity.” For example, if a cardholder receives a benefit that is usually paid monthly in one month but not the next, it should be a red flag to the issuer or program manager. Another red flag is when a cardholder receives a government benefit for the first time and immediately withdraws the entire amount, or when an existing cardholder who ordinarily receives benefits and spends those funds over a series of transactions immediately withdraws all of the transferred funds, she says. (See “Watching for Red Flags” for more details.)
Although tax refund and benefits load fraud does happen with bank accounts, some experts suggest that fraudsters may be targeting prepaid because, depending on a provider’s systemic controls, it may be easier to obtain a prepaid card using a stolen ID. However, one large issuer tells Paybefore that its program managers must comply with rigorous CIP and AML monitoring requirements that are continually monitored.
Jay Johns, business development representative of security firm iovation, notes that while tax refund and benefits fraud is a large problem, prepaid issuers are working hard to mitigate it. And, he says, the fraudsters don’t just hit a single industry. “We see the same fraudsters hitting online retailers, card issuers, social networks. We’ve seen these devices try to perpetuate fraud at multiple places.” iovation, which specializes in device recognition and reputation, and risk scoring, operates as a consortium so all its clients can share fraud data and react to trends, including devices with a reputation for fraud attempts.
Is It Really You?
Device recognition and other forms of authentication, such as out-of-wallet questions, can be powerful tools in helping businesses and the government make sure the person on the other end of the transaction is who he says he is.
“One of the big challenges with any type of cybercrime is distinguishing a real person from somebody who has stolen an identity or compromised a bank account,” Johns notes. “You rely on the input from the user, and if you have a fraudster who’s done a good job, it’s really hard to tell the good guys from the bad.”
iovation is working with prepaid providers to identify devices that consumers are using to sign up for or log into accounts. “Our platform evaluates the device and uses a risk-scoring model—based on predictive analysis, geo-location and other measures—to determine whether an application or transaction should be approved or declined.” One thing to look for is velocity of applications, Johns says. “If the same device is applying for a second card in less than 24 hours, our platform alerts the fraud team.”
Some experts believe that the government needs to be doing more to authenticate would-be recipients before initiating funds transfers for refunds or benefits. And while the industry might use address mismatch as a red flag, it’s harder for the IRS to do so because of the sheer volume it’s dealing with. The IRS is responsible for processing more than 145 million individual income tax returns annually, including more than 109 million requests for refunds.
“It’s hard for government agencies to match up address information because 45 million people move every year,” notes Andy Bucholz, senior director, government fraud solutions, LexisNexis. “If I ask for $10 million, there is a business rule for that and someone at the agency is going to look into it before releasing the funds. But, as long as I ask for an amount of money in the ballpark, it’s going to look pretty legit.” The agency also is constrained because it’s obligated to release funds in a timely manner.
That said, Bucholz believes the government could be doing more to authenticate claimants before authorizing refunds. “If I steal your ID, I’m going to have your name, address and Social Security number. I might even have your date of birth. Those things will match because I stole them.” What government and the private sector need to address is authentication, he says. As suggested above, Bucholz recommends out-of-wallet questions that would be difficult for fraudsters to answer but easy for the real person.
Looming Legislation Could Affect All FIs
As previously reported in Pay Gov, the Identity Theft and Tax Fraud Prevention Act of 2013 (US S 676) was introduced in April and referred to the Senate Committee on Finance. The bill, sponsored by Sen. Bill Nelson (D-Fla.) and co-sponsored by Sens. Benjamin Cardin (D-Md.), Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.), includes a number of provisions that will impact prepaid accounts and traditional bank accounts alike.
In a section entitled “Restrictions on Ability to Use Prepaid Cards for Tax Fraud,” the bill directs federal banking agencies and the Secretary of the Treasury to jointly issue regulations requiring “newly issued deposit or transaction account numbers … to be distinguishable between verified accounts and at-risk accounts” (emphasis added). The bill does not, however, currently impose any restrictions on such accounts, such as the ability to receive tax refunds; rather, the bill merely requires that such accounts be identifiable.
An “at-risk account” is defined as any deposit or transaction account, including an account associated with a prepaid access arrangement, that is not a verified account. A “verified account” is one for which the account holder’s identity (and the identity of any prepaid access customer associated with the account) has been verified by (1) customer identification procedures that comply with 31 USC 5318(l) (the Bank Secrecy Act) requirements for identification and verification of account holders and (2) “direct review of an original, unexpired government-issued form of identification bearing a photograph or similar safeguard, such as a driver’s license or passport.”
The bill also directs the Government Accountability Office (GAO) to review and evaluate the effectiveness of the current customer identification program (CIP) requirements under 31 USC 5318(l) as such rules apply to the prepaid card industry. The review is to (1) consider whether current CIP weaknesses are contributing to identity theft and financial loss, particularly with respect to tax fraud; (2) review whether current risk-based standards for CIP are the best means to prevent criminal use of prepaid cards and provide sufficient guidance and certainty to providers and sellers of prepaid access; (3) review whether current CIP exclusions are appropriate, such as for government benefit programs; (4) review whether federal banking agencies exercise adequate oversight and supervision of CIP practices in the prepaid card industry. The GAO is to submit a report to Congress on the findings of its review and make recommendations or proposals for legislative or administrative action to “improve the customer identification practices of the prepaid card industry.”
The bill, if passed in its current form, would have serious impact on all financial institutions, whether or not they engage in the issuance of prepaid cards, according to Terry Maher, partner at Baird Holm LLP.
Among other things, all financial institutions will be forced to modify their account numbering schemes for all their account relationships, as directed by the federal regulators, at significant cost and expense, he says. “And financial institutions that wish to establish account relationships in other than a face-to-face environment will have such accounts designated as ‘at-risk’ and will potentially be subject to yet-to-be-defined liabilities and risks, as the proposed act does not designate what the impacts are to an account which is designated as ‘at-risk,’” he says.
Meta’s Geister agrees that the burden shouldn’t all be on the private sector. “There has to be some accountability at the government level as well,” she suggests. And she acknowledges that some of the safeguards the IRS has put in place, along with Meta’s enhanced CIP standards and fraud-fighting efforts, have contributed to an 83 percent reduction in the number of tax fraud cases attempted among the bank’s program managers year over year from tax year 2011 to tax year 2012.
“CIP is meant to identify that the person is real, but what we’re trying to do is tie that identity to the other end of the phone or the computer—knowledge-based authentication. For example, if you come up with an address mismatch, you’re automatically going to get questions,” she says. Some programs require questions on all card activations, while others ask questions after red flags pop up. Integrating knowledge-based questions into your CIP process does add cost to your program, but it also can reduce potential fraud losses.
And as Ballard Spahr’s Tunstall points out: “In the current regulatory environment, card issuers and program managers simply cannot afford to ignore this issue or fail to implement appropriate system controls to reduce potential AML and other fraud risks.”
State Benefits/Refunds Also Targets
While the potential spoils for fraudsters may be smaller with state refunds and benefits claims, Bucholz notes that identity thieves could more easily go undetected at the state level. For instance, if fraudsters attempt refunds/claims in a state the victim doesn’t live in, the victim may never realize his identity is being misused. And, an unknowing victim isn’t going to complain to the state.
LexisNexis is working with several states to combat the crime, which didn’t really exist seven years ago, Bucholz says. “Georgia was the first one to sign up [for LexisNexis fraud solutions] two years ago and our system has saved them $24 million in fraudulent refund requests.” Drawing on the LexisNexis public records database and identity-based filters, the company offers clients up to 64 questions to authenticate claimants—although Bucholz recommends asking three. Consumers who don’t have Internet access may be authenticated by phone. And, LexisNexis suggests leaving some room for failure because even legitimate people can get an answer wrong, particularly if the answer is case sensitive. The goal is to make authentication as convenient as possible for legitimate users, while deterring fraudsters, he explains.
Max Berman, executive vice president of business development for authentication company Authernative Inc., adds that financial institutions can improve their CIP process by using existing and newer verification service data sources, fraud analytics and vectors. “As fraudsters harness more and more personally identifiable information from the Internet, social networks and compromised organizations, the CIP and identity-proofing process must become more resilient,” he says.
Authernative provides credentialing, user authentication and identity-proofing integrated with the credentialing and account setup process for prepaid providers. The company also offers a verification solution using one-time identification data to identify the customer and link to benefits/tax refund, without the threat of this data being stolen and re-used by fraudsters. For example, Authernative’s patented embedded privacy and security layer (EPSL) solution enables the user to securely authenticate himself to a trusted identity provider and specify the type of transaction he wants to make (i.e., linking his prepaid card to his benefits account). The user then receives a one-time transaction number, which he submits to the benefits provider along with the prepaid card information. The benefits provider electronically queries the trusted identity provider, checking if the one-time transaction number is legitimate. If it is, the transaction is complete, according to Berman.
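The one-time transaction number flow described above, shown from both sides as an added example; it is not Authernative’s EPSL implementation. The class and method names, the 10-minute lifetime and the "link_prepaid_card" transaction label are assumptions.

```python
import secrets
import time

TTL_SECONDS = 600  # assumed lifetime of a one-time number


class IdentityProvider:
    """Stand-in for the trusted identity provider (hypothetical API)."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}  # number -> (user_id, transaction_type, expires_at)

    def issue(self, user_id, transaction_type, authenticated):
        """Issue a number only to a user who has already authenticated."""
        if not authenticated:
            raise PermissionError("user must authenticate first")
        number = secrets.token_urlsafe(16)
        self._issued[number] = (user_id, transaction_type, self._clock() + TTL_SECONDS)
        return number

    def redeem(self, number, transaction_type):
        """Answer the benefits provider's query; each number works once."""
        record = self._issued.pop(number, None)  # pop: a replay finds nothing
        if record is None:
            return None
        user_id, bound_type, expires_at = record
        ok = bound_type == transaction_type and self._clock() <= expires_at
        return user_id if ok else None


class BenefitsProvider:
    """Links a prepaid card to a benefits account after checking the number."""
    def __init__(self, idp):
        self._idp = idp
        self.links = {}  # user_id -> card reference

    def link_card(self, number, card_ref):
        user_id = self._idp.redeem(number, "link_prepaid_card")
        if user_id is None:
            return False
        self.links[user_id] = card_ref
        return True


def demo():
    # Constructed scenario: one legitimate submission, then a replay attempt.
    idp = IdentityProvider()
    benefits = BenefitsProvider(idp)
    number = idp.issue("user-1", "link_prepaid_card", authenticated=True)
    first = benefits.link_card(number, "card-A")   # legitimate submission
    replay = benefits.link_card(number, "card-B")  # same number, re-used
    return first, replay, benefits.links
```

Because the number is consumed on the first query and bound to one transaction type, a copy captured in transit cannot link a second card.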
The bottom line for the industry: You need a layered approach to preventing and detecting fraud. And you have to keep evolving.
Green Dot’s Morton told attendees at the Prepaid Expo USA earlier this year that companies need layers of fraud controls. “There isn’t one thing that will work,” he noted, recommending tighter CIP, better velocity monitoring and keeping an eye out for anything that looks suspicious. “It should look funny if someone activates a card, puts money on it and then quickly takes it off again.”
Nancy Baunis, principal of Connexem Consulting, adds, “The message that should be driven home is that prepaid card participants and bank service providers should operate just as if they were part of the bank. They should hire a qualified AML professional and establish a fraud group and good anti-fraud and AML policies and procedures, including suspicious activity reporting.” Nonbank providers also should require fraud and AML training for all of their employees. KYC and KYE (Know Your Employee) should be followed, she adds. “And, the AML program should be audited at least annually by an independent reviewer to be sure it’s still relevant and effective.”
IDology’s Dancu agrees. “Advancements in fraud technology are happening every day and companies should always be testing new processes,” he says. “The key is finding a solution that is flexible and can give you more insight into an ID so you can quickly pinpoint suspicious behavior and determine how best to handle the situation.”