Financial services companies need to file a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN) when they suspect fraud or money laundering. We’ve always known that some of these crimes are tied to criminals who compromise identities – but until this past month, we’ve never had a formal estimate detailing the scope of the problem.

At the Fed ID Forum on September 6, FinCEN and the U.S. Department of Justice (DOJ) released some early findings on the impact of compromised identity verification on SARs – revealing that an estimated $212 billion in transactions reported in 2021 SARs were tied to failures in the identity verification process.

All told, 42% -- or 1.6 million -- of the SARs reported in 2021 were tied to identity – though the agencies were clear that they think they are being conservative with those numbers, and that the real figures are higher. These breakdowns are split between those tied to account opening and those tied to account access.

Overall, the number of SARs filed by financial institutions has doubled over the last eight years, while the number of cyber-related SARs has gone up about five times over that same period. “Digital identity seems to be right at the center of any kind of solution in a variety of the segments of how this fraud is committed,” says Paul Hemesath, who is Counsel to the Digital Currency Initiative, Money Laundering & Asset Recovery Section, National Cryptocurrency Enforcement Team (NCET) at DOJ.

The FinCEN research looked at three instances where digital identity impacts the financial services sector:

  1. Account creation – when initial identity proofing is performed, and the account is opened. Fraud can happen here if an individual’s personal information is stolen, and proper checks are not performed; synthetic identity fraud is also a growing problem.
  2. Authentication – after an account is opened and a customer is accessing their account. Fraud can occur here if a username or password is stolen and/or if multi-factor authentication is not enabled or otherwise compromised.
  3. Transactions – when a customer is conducting transactions on the account. Fraud can happen if an individual’s debit or credit card information is stolen, and unauthorized purchases are made.

On top of a new Government Accountability Office (GAO) report estimating that $100-135 billion in unemployment insurance benefits were lost to fraud during the pandemic – mostly due to identity verification compromises – these new FinCEN numbers demonstrate that inadequate digital identity infrastructure is a national problem that impacts nearly every sector of the economy.

And so long as the U.S. lacks a comprehensive strategy to accelerate improvements in digital identity infrastructure, we will continue to see other eye-popping numbers. Indeed, the real question for policymakers in the wake of these statistics is: just how much worse do the numbers need to get before they act?

Zack Martin
