
How banks get away with paying little attention to identity theft

Originally posted via this Twitter thread

The story this week from @mikulaja on how his identity was stolen and used to open bank accounts and loans is a deep-dive into the ugly side of how KYC works.

There’s another side to this story of how ID fraud impacts some demographics disproportionately.

The burden of responding to the fallout of ID theft is squarely on the person whose ID is stolen.

Often, the person impacted isn’t even a customer of the financial institution where attempts have been made to open accounts, and therefore it’s low priority for those companies. happens to know the finance/fintech space, and had contacts that could elevate the customer support requests to higher-ups. Even then, he found the process challenging and slow.

I wonder how many hours of Jason’s time all this follow-up took 😔

At the best of times, I know many that find dealing with banks anxiety-inducing. If you up the stakes with potential future impact on credit scores etc, those stakes get raised.

Add the hurdles of paperwork, filing requests with police, waiting on hold on customer care

…and pretty soon, you start realising that banks have shifted the burden of this to:

– non-native speakers or immigrants
– anyone with mental health conditions or anxiety issues
– people who simply don’t have the time or patience (many of us)

I say this as someone who has generalised anxiety disorder and ADHD. I could deal with ID theft, since I know the fintech and ID verification space well enough to know how to even start unfucking the situation.

Many people don’t. And so they take the financial hit and move on. The reality is that a lot of fintechs/banks try to meet the bare minimum due diligence needed to open an account, and acknowledge that means there are some scammers in the mix.

They prioritise reducing barriers when signing up for an account since they care about user growth. Even if someone reports a financial crime to law enforcement, it’s so common, so white collar, and so hard to track down that even when people lose $10-100ks the best you get is the paperwork and effort needed to get a police reference number and a 🤷🏽‍♂️ from police. (There’s this phrase from the British show @Line_of_duty that to me sums up the ridiculousness and futility of most financial fraud reporting to the police: “I’ll have to generate a non-crime crime reference number” 🥲😭)

Banks/fintechs typically get fined if they didn’t follow the process of following bare minimum due diligence criteria when opening accounts.

They don’t get incentivised or fined for resolving cases where fraud or ID theft actually happens. An example of this is one of the many occasions in which HSBC was fined for failing to do effective AML.

Their solution? Turn the bank account opening form 5-6 pages long with questions like “Are you a terrorist?”, “Are you associated with drug cartels?”

Ridiculous financial regs mean HSBC gets to do minimal checks on top, wring their hands, and say “But we tried and the customer lied to us! 😨”

@sytaylor put this well when he described AML as “a car that doesn’t work 99.9% of the time”.

I wish I had screenshots for this form, it was circa 2015-2016 when I was opening an account with HSBC. (It doesn’t look like the form is that long or asks those questions any more.)

Rant over. I’m glad @mikulaja found some semblance of resolution, although it might unfortunately continue to haunt him in the future too. 😔 (I hope it doesn’t)

Thanks to @AnaisCis for connecting us. ❤️ @NateSoffio, you might have some thoughts too on disproportionate impact 🤔

Actually, one more thing: @mikulaja rightfully calls out the lack of data sharing on fraud and/or a reluctance to pay for commercial tools that track this as a reason why fraudsters can get away with targeting this kind of fraud at companies they know have lax policies.

Data sharing of fraudsters, and even more intrusive forms like sharing biometrics of known fraudsters (👋🏽 @hare_brain) is a big priority for large banks.

But it’s also very inequitable because this kind of denylist is even more opaque than credit rating agencies, with no redress.

While banks are a whole lot more secretive about this kind of data sharing, one good example of this in a different sector is how bars/nightclubs often participate in secret biometric denylists of punters they’ve banned.

Maybe the people who are on the list “deserved” it. But who’s to check? You could’ve looked the bouncer the wrong way, or turned down advances from someone which led to them vengefully banning you.

Applying the same principles to banks could lead to financial exclusion 😕


Abandoning a blog for years and years

I’ve abandoned writing on this blog for nearly five years now. Surprisingly, I still get a few hundred unique visitors daily (?!) for posts on here that I’d have thought are entirely irrelevant by now.

In a classic case of procrastination I had told myself that I can’t blog until I had fixed a few things…

  • I wanted to move off my current hosting service – a shared GoDaddy service – over to my own servers on DigitalOcean. It’d be a cheaper, more customisable service for me. It’s an item that has been sitting in my todo list with a due date of “next week” for all of these years. The hosting service restrictions (on the version of PHP installed on the server) were preventing me from upgrading my version of WordPress and I wanted to resolve this.
    • I also told myself that running my own server means I’d need to get it up and running securely. This was partly for intellectual curiosity in doing all the things I’ve normally been doing as security and hardening best practice at work for cloud deployments. A simple switch seemed long. (Did I really need a high availability Kubernetes cluster with media offloaded to a CDN? Probably not.)
    • I wanted to shift my domain name away from the ankurb.info domain to something new, without breaking any links. That takes a bit of database work and loads of re-checking.
https://twitter.com/Tixie_/status/1370091395017547777
This video sums up the overkill…
  • I really wanted to change the design template for the blog. I didn’t feel “at home” with the old design, and yes I know it’s a simple task to switch out. I didn’t feel like it made sense without doing everything else in terms of housekeeping above.
  • Whenever I did feel like writing, such as this blog post, I ended up using Medium. I loved the writing experience on Medium, which was distraction-free in comparison to the old version of WordPress I was stuck to.

More than anything to do with the technology though, I felt as if I didn’t have the headspace between personal and work life to write any more. I was already writing loads for work. I didn’t feel like I had the energy to do that during weekends.

And to be honest, the immediate but empty gratification of rolling into a hunched ball on my bed and watching another round of whatever was the latest obsession du jour on Netflix. I also felt guilty that these binge-watching sessions were often accompanied by binge-eating for me.

Weirdly enough, living in lockdown during Covid-19 gave me the space to get back into therapy, ramp down on my antidepressants, and build better habits in terms of making routines.

What I also realised through that process of taking time and space away is that there was one post in particular that always made me sad to come back here whenever I wanted to write: the time I went to Bhutan.

Here’s to a reset.