How to Identify High-Risk Customers in The Online Lending Industry

Getting a loan used to be an exercise in patience, red-tape navigation, and resilience in the face of rejection. Of course, that’s if you actually had the credit and collateral to qualify at all.

Now, as banking experiences move increasingly towards purely digital environments, banks have seen the potential profits of offering small loans to a wider range of customers, even if they can’t assess their credit in a traditional way. Opening up the doors to more borrowers effectively democratizes spending power, but also exposes lenders to a greater risk of fraud and noncompliance.

As they cast these significantly larger nets over the market, banks and lenders have profited immensely from the catch they pull up. However, as these nets troll deeper depths, how many delicious and profitable shrimp are they bringing aboard? And how many high-risk sharks? 

More importantly, how do you tell the difference between a shark and a shrimp? SEON explores the depths and tells you how to mend your net.

Why Are High-Risk Customers a Problem for Online Lending?

Loan-providing institutions hoping to capture the juiciest part of the emerging microloan market have to balance including as many customers as possible with excluding bad actors, and giving a wide berth to risky ones. 

Before diving deeper, note that the lending industry could be seen as having two buckets of risky customers. One bucket is for loan applications that run too high a risk of ending in default. The other is for those customers who represent a legal high-risk and therefore should trigger a different internal response. While discussing customer segmentation, risk assessment, detection, and prevention in this article, we’ll be pouring both buckets into a larger single one.

Since brick-and-mortar banks have started falling by the wayside in favor of online and in-app banking experiences, financial institutions have realized the immense market potential of microloans and loans to the underbanked. People who were traditionally seen as unsafe borrowers – those who didn’t own a home to prop up their loan, for example – are now being presented with options to increase their personal spending power.

The problem is, these customers are often being offered these kinds of services for the first time, and may lack the credit history of a more traditional borrower.

To bridge the gap in their credentials, as well as maximize new customer sign-ups, some lenders may adopt a data-driven onboarding process that relies on digital information. That information may or may not provide as much underwriting security as an in-person risk assessment. Either way, this practice represents a wider portal for all customers, including risky ones. Bad actors who present risk by way of, for example, being sanctioned, can more easily slip through this portal under an assumed identity that is harder to detect in a digital credit checking environment.

Accepting customers who certainly constitute a high risk – that is, those who represent a potential compliance issue as opposed to those simply likely to default – also represents increased maintenance costs. Customers identified as risky, such as those appearing on a politically exposed person (PEP) list, should trigger Enhanced Due Diligence (EDD) protocols, which require more involved ID verification, verification of the intention for loans disbursed, and ongoing monitoring for suspicious behavior.

In short, high-risk borrowers offer two distinct problems for lending services:

• Practices around risky customers require more resources.
• Digital lending environments make it easier for entities to hide their riskiness, particularly if there aren’t strong onboarding measures for fraud-fighting and compliance in place.

These challenges are known throughout the industry, as well as to the lawmakers who design the safety mandates around them.

AML Lending Risks

Anti-money laundering (AML) regulations apply within the lending vertical, meaning lenders must carry out the associated due diligence. This includes:

• Achieving a strong framework for identity verification – more difficult in an online lending context, as well as perceived to be contrary to profit optimization.
• Cross-checking the verified name against sanctions lists, PEP lists, and any other relevant crime or watch lists.
• Unpacking ultimate beneficiaries of transactions and ownerships, through structured ownerships designed to make that specific task difficult.
• Being aware of any adverse media associated with that entity or entities already active in your customer base.

Controls like these help preclude money launderers and fraudsters from exploiting the anonymity of online loan applications. Lenders and microlenders that balance their friction and security with too much leniency towards identity verification risk falling out of grace with regulators as well as public sentiment. Failure to implement such a framework can result in massive fines and incalculable reputational damage.

How to Detect High-Risk Customers in Online Lending

Regardless of whether a customer represents an underwriting risk or a regulatory one, lenders have to break out their finest-toothed comb and their most polished magnifying glass. In an online context, it’s in their best interest to do those things at real-time speed or close to it.

Tools like SEON are basically digital combs and magnifying glasses. So, when scrutinizing a new borrowing account or loan application, what signs of risk should you be looking for?

Fraudsters know that they are trying to beat the risk assessment that happens when onboarding with a digital lender. They know these lenders, even ones who have adjusted their risk thresholds to cast a net with a much wider scope and finer weave, will be scrutinizing their identity for signifiers of malintent. Therefore, they must find a way to hide their malintent behind a trustworthy face.

First, consider the kind of fraudsters that companies disbursing loans digitally will likely have to contend with:

• Money launderers who know they have to stay off the radar of both the lender’s internal risk scoring and AML regulations and are therefore more likely to invest time and resources into hiding their identity and intentions.
• Synthetic identity fraudsters may acquire stolen IDs online, or else create a false persona based partially on stolen data and then apply for a loan with it. Either way, lenders find collecting the repayments from the wrong person or a totally fake person difficult.
• Phishing scammers that lead to account takeovers (ATOs) can be a particular problem, as digital techniques are not necessarily enough to keep customers safe from more low-tech fraud tactics, such as scammers masquerading as someone official or sending apparently legit text messages that request emergency login information.
• Friendly fraudsters who may have perfectly normal credit histories but receive a loan with no intention of paying it back, or else misappropriate funds for a purpose other than that which they stated in their application.

For all of these major issues, identity verification will be the most important frontline for both the fraudsters and the fraud fighters.

To address the particularities of online lending and microlending, including buy now pay later (BNPL) providers, identity verification should be stringent when it comes to detecting anomalies. Lenders should deploy fraud investigation software to assess each new account and loan, digitally asking questions like:

• Is this person who they say they are?
• Is the person who they say they are a real person?
• Does this person represent a regulatory risk? If so, what kind, and does the nature of their loan application compound this risk?
• Are the recipients and beneficiaries of this loan clearly defined or is there a complex structure in place?

To answer these potentially complicated questions, companies should be tailoring their fraud detection tools around these pain points. Risk-based prevention software like SEON does this in multiple ways:

• Device fingerprinting can help catch both synthetic ID fraud and ATO. To address ATOs, by looking at the particular unique configuration of a connecting device, fraud detection software will take pause if a user is suddenly connecting from a different device, and the loan application can be reviewed manually. For synthetic IDs, device fingerprinting could detect anomalies such as multiple users with different IDs and locations that all seem to be connecting from the same machine – a good sign of a professional fraudster scaling up their crime.
• IP geolocation is an important part of assessing the risk associated with synthetic IDs, regulatory risk, and ATOs. New accounts and loan applications that list a particular address but seem to be connecting from a totally different location could indicate a fake persona or an account takeover, particularly if the user is apparently connecting from a new location. If the IP location is in a high-risk area, regulated measures can step in or the user can be blocked. The presence of geolocation masking techniques can also be discovered by tools like SEON. These include things like the use of Tor or virtual private networks (VPNs), as well as various kinds of proxies. If these are in use, it should certainly factor strongly into lending risk assessments.
• Signifiers of risk that are revealed through data enrichment can help detect fake personas applying for loans. SEON, for example, can provide a robust idea of which users are likely synthetic versus those that are real, through indicators like a well-used email address, a realistic social media presence, or use of popular messaging apps like WhatsApp and Telegram.
• AML checks that screen incoming entities against sanctions lists, PEP lists, and other relevant crime and watch lists. Such a tool can also be used to manually review borrowers and, if applicable, the proposed beneficiary of the loan. This functionality will help lenders stay AML compliant by covering due diligence in terms of ongoing monitoring and determining ultimate beneficial ownership (UBO).

Notably, loan providers are generally required to carry out customer due diligence (CDD) and Know Your Customer (KYC) checks, which include the identity verification (IDV) process. These processes will require the submission of government-issued documents, which can be forged, but will be an important step in building identity confidence when underwriting a new customer.

When it comes to building the strongest levy against the flood of loan fraudsters, software that can perform these things is at least the sand, maybe even the bags themselves. However, there will always be a need for human counterparts to find and plug leaks, sometimes making the final call on who is risky, and whether or not that risk is worth it.

Top Three Custom Rules for High-Risk Customers in Online Lending

At a technical level, techniques for fraud detection such as device fingerprinting can detect and assess extremely minute data points to catch nefarious actors. They are granular enough that they’re either unnoticed or too cumbersome for fraudsters to work around, and therefore are great footholds for fraud detection. Here are three rules that online lenders can deploy.

#1: Multiple Geolocations with Same Device Hash

Loan fraudsters are aware their success depends on convincing lenders that they are who and where they say they are. A common tactic for a digital loan fraudster is to acquire or create an identity, then create a believable digital footprint that will roughly match that identity. As these false or stolen identities may be from anywhere in the world, many fraudsters may want to develop this footprint by spoofing an IP location near their falsified address, or else employing a nearby datacenter.

Device hashes are unique enough that if multiple users appear to be using the same device, alarm bells should sound, particularly with the increasing popularity of mobile banking and borrowing. Browser hashes perform a similar fraud detection function for desktop users. Such instances should, at least, be manually reviewed, or have the attached risk score pumped up significantly.

This screengrab from inside SEON’s custom rule editor shows a rule that has been tailored to this specific case. Here, the rule is scanning for instances of multiple accounts being used on the same device within a day – a good sign of a fraudster making several fraudulent loan applications coordinated from one computer. In the rule editor, the risk score this rule assigns can be adjusted, or this transaction could be escalated to manual review, and additional parameters like specific geolocations could be added to make the rule more specific and reduce the potential for false positives.

#2: Suspiciously Small Social Media Footprint, Free Phone Numbers

In pursuit of a synthetic ID that looks convincing to digital lending risk assessment, fraudsters will often attempt to flesh out their fake profiles with human-like qualities. Naturally, this includes things like mobile phone numbers and, of course, social media accounts.

However, building a realistic social media footprint is a time-consuming undertaking, especially for fraudsters hoping to scale their crime and maximize illicit profits. It is unlikely that such a setup will have the resources to add more than one social media profile, if any.

In this screengrab, a custom rule has been set up to detect such anomalies. This example is looking for small social media footprints of a specific variety, likely in response to a particular pain point. LinkedIn is a common social media account that also (obviously) presents a more professional facade than, say, Instagram, so is a good candidate for fraudsters who want to bypass social media presence checks. In 2023, however, it’s unlikely that an email account only has a LinkedIn account associated with it, and if the phone numbers used to register are online-only and free, fraud teams will want to take a second look.

Though this rule calls out LinkedIn and free phone services specifically, and currently is not set to assign a particular score, every field in the shot can be customized to scrutinize a particular social media site, over what period of time, and what action to take when it is triggered.

Notably, in the lending industry, this kind of social media footprint can also inform the loan applicant’s overall default risk assessment.

#3: Same User, New Device, New IP

Regardless of vertical, custom rules like these are specifically used to detect the possibility of an account takeover. High-risk customers, in particular, are both more likely to be targeted by ATO and, if the attack is successful, to expose the lender to huge compliance issues.

Though there may be any number of reasons why an already-onboarded customer might suddenly have a new IP and device hash – going on vacation with a new phone, for example – this situation should at least raise eyebrows for fraud teams with a well-defined risk appetite. For industries plagued by fraud, it’s likely to be a cause for concern. In the context of high-risk customers specifically, this is even more important, as high-risk customers should have their actions continuously monitored for just such a possibility. This monitoring is required by AML regulations, so failure to detect an ATO-backed unauthorized login could mean fines or worse for the lender.

How SEON Helps Online Lending with High-Risk Customers

When it comes to identifying high-risk customers and precluding fraudulent actions associated with them, SEON offers every piece of tackle needed to land the big bad fish.

SEON’s fraud management APIs and device fingerprinting provide a huge array of data points to scrutinize for risk. The typical risk indicators associated with high risk in the lending industry, as discussed above, are part of SEON’s wheelhouse. The resulting determinations by the machine learning-fueled risk assessment can segment high-risk customers or preclude them from continuing their application.

SEON’s AML screening functionality is a crucial component for lenders who want to minimize risk. What constitutes a high risk is, to a certain extent, up to the individual loan provider, but that definition should certainly align with the definition mandated by applicable legislation. Reaching AML compliance is not a process that can be fully automated, but SEON provides risk teams with the data necessary to carry out due diligence, including list screening, investigating beneficial ownership, and even informing adverse media checks by providing associated social media accounts.

SEON’s goal is to democratize fraud fighting, to create a collectively more fraud-free world. The democratization of spending power through low-friction loans and BNPL is a powerful and obviously worthwhile pursuit. Inevitably, however, the tide of fraudsters that swells up beneath it will be an issue. SEON is prepared to control the waves before they crash – that is, as early in the customer journey as possible – so loan providers can stay afloat.

Related Case Studies for Online Lending

• Solventa Leverages SEON’s Machine Learning to Reduce Fraudulent Transactions by 25%
• Revolut Leverages SEON’s Anti-Fraud Platform With Great ROI

Related Articles for Online Lending

• How To Detect Payment Fraud in Buy Now, Pay Later
• What You Need to Know About KYC in Online Lending
• How To Implement Digital Onboarding in Online Lending