How banks get away with paying little attention to identity theft

Originally posted via this Twitter thread

The story this week fromย @mikulajaย on how his identity was stolen and used to open bank accounts and loans is deep-dive into the ugly side of how KYC works.

There’s another side to this story of how ID fraud impacts some demographics disproportionately.

The burden of responding to the fallout of ID theft is squarely on the person whose ID is stolen.

Often, the person impacted isn’t even a customer of the financial institution where attempts have been made to open accounts, and therefore it’s low priority for those companies. happens to know the finance/fintech space, and had contacts that could elevate the customer support requests to higher-ups. Even then, he found the process challenging and slow.

I wonder how many hours of Jason’s time all this follow-up took ๐Ÿ˜”

At the best of times, I know many that find dealing with banks anxiety-inducing. If you up the stakes with potential future impact on credit scores etc, those stakes get raised.

Add the hurdles of paperwork, filing requests with police, waiting on hold on customer care

…and pretty soon, you start realising that banks have shifted the burden of this to:

– non-native speakers or immigrants
– anyone with mental health conditions or anxiety issues
– people who simply don’t have the time or patience (many of us)

I say this as someone who has generalised anxiety disorder and ADHD. I could deal with ID theft, since I know the fintech and ID verification space well enough to know how to even start unfucking the situation.

Many people don’t. And so they take the financial hit and move on. The reality is that a lot of fintechs/banks try to meet the bare minimum due diligence needed to open an account, and acknowledge that means there are some scammers in the mix.

They prioritise reducing barriers when signing up for an account since they care about user growth. Even if someone reports a financial crime to law enforcement, it’s so common, so white collar, and so hard to track down that even when people lose $10-100ks the best you get the paperwork and effort needed to get a police reference number and a ๐Ÿคท๐Ÿฝโ€โ™‚๏ธ from police. (There’s this phrase from the British show @Line_of_duty that to me sums up the ridiculousness and futility of most financial fraud reporting to the police: “I’ll have to generate a non-crime crime reference number” ๐Ÿฅฒ๐Ÿ˜ญ)

Banks/fintechs typically get fined if they didn’t follow the process of following bare minimum due diligence criteria when opening accounts.

They don’t get incentivised or fined for resolving cases where fraud or ID theft actually happens. An example of this is one of the many occasions in which HSBC was fined for failing to do effective AML.

Their solution? Turn the bank account opening form 5-6 pages long with questions like “Are you a terrorist?”, “Are you associated with drug cartels?”

Ridiculous financial regs mean HSBC gets to do minimal checks on top, wring their hands, and say “But we tried and the customer lied to us! ๐Ÿ˜จ”

@sytaylorย puts this well when he described AML as “a car that doesn’t work 99.9% of the time”

I wish I had screenshots for this form, it was circa 2015-2016 when I was opening an account with HSBC. (It doesn’t look like the form is that long or asks those questions any more.)

Rant over. I’m glad @mikulaja found some semblance of resolution, although it might unfortunately continue to haunt him in the future too. ๐Ÿ˜” (I hope it doesn’t)

Thanks to @AnaisCis for connecting us. โค๏ธ @NateSoffio, you might have some thoughts too on disproportionate impact ๐Ÿค”

Actually, one more thing: @mikulaja rightfully calls out the lack of data sharing on fraud and/or a reluctance to pay for commercial tools that track this as a reason why fraudsters can get away targetting this kind of fraud at companies they know have lax policies.

Data sharing of fraudsters, and even more intrusive forms like sharing biometrics of known fraudsters (๐Ÿ‘‹๐Ÿฝ@hare_brain) is a big priority for large banks.

But it’s also very inequitable because this kind of denylist is even more opaque than credit rating agencies with no redress

While banks are a whole lot more secretive about this kind of data sharing, one good example of this in a different sector is how bars/nightclubs often participate in secret biometric denylists of punters they’ve banned.

Maybe the people who are on the list “deserved” it. But who’s to check? You could’ve looked the bouncer the wrong way, or turned down advances from someone which led to them vengefully banning you.

Applying the same principles to banks could lead to financial exclusion ๐Ÿ˜•