🚀 Check out the Q1 changelog for our latest product developments
Jun 18, 2024

Understanding & Combating Small Business Fraud for Lenders & FIs

Teddy Butz

In brief:

  • Small business fraud has spiked in the wake of the COVID-19 pandemic, due to factors such as the creation of government programs meant to keep small businesses afloat 
  • Financial institutions and fintechs are worried about small business fraud, with 91% experiencing increased fraud rates in 2022
  • Today, financial institutions must reconcile anti-fraud practices with customer expectations of frictionless onboarding by using the most up-to-date business identity verification technology available

The ways bad actors perpetuate fraud have changed, but so have the ways small businesses do business. This combination has created a Wild West for financial fraud, and business leaders are struggling to keep up. Consider the following two scenarios:

  1. A new customer walks up to a bank teller in Nevada. They present a check made out to “Acme Corp. Ltd.”, with a business address in Kentucky, and ask to open a business bank account. The bank verifies that a Kentucky-based “Acme Ltd.” exists.
  1. Someone applies for an online business bank account. Their S-corp is registered with the state of Florida, and all of the state registration and address info exactly matches the state’s database. But they are logging in from Lisbon, Portugal.

Now, which of these examples is small business fraud, and which is a legitimate modern small business attempting to grow? Or are they both one or the other? How can you, as a financial institution or fintech, tell the difference?

To solve this riddle, we dig into the modern state of small business, and what that means for the modern state of fraud via small business loans. Then we explain how financial institutions and fintechs can upgrade their compliance procedures to prevent fraud while onboarding the right customers. 

What is small business fraud?

Small business fraud occurs when a small business applies for a loan, but deliberately misrepresents or withholds information in order to obtain a loan it wouldn’t otherwise qualify for. In some cases, the “small business” is actually a criminal (group) pretending to be a legitimate business.

Lenders and financial institutions (FIs) need to concern themselves with how this can occur so they can understand how to identify it. Most importantly, they need to take steps to investigate the businesses they onboard as customers, and verify business information to ensure they are not working with fraudulent small businesses.

Small business fraud statistics in a post-COVID world

Technology advanced rapidly during the operational shutdowns of the COVID-19 pandemic. Accordingly, financial customers – including small businesses – now expect smoother digital onboarding experiences than ever.

But financial institutions and fintechs are struggling to keep pace with balancing what their customers want and what regulations require. In the US, for example, a 2016 amendment to the Bank Secrecy Act now requires financial institutions to vet businesses (as well as individual customers) in a process commonly called Know Your Business (KYB)

Things are particularly problematic when it comes to small businesses. Consider the following statistics from Alloy’s January 2023 State of Fraud Benchmark Report:

1. US small businesses applied for financial services 5.1 million times in 2022, 16% more often than in 2020

This rise in applications for financial assistance could be attributed to businesses trying to recover from the shocks of the COVID-19 pandemic. Or it could (also) have been from businesses seeing opportunities emerge to establish themselves once the pandemic was by-and-large under control.

2. Of the over 32 million small businesses in the US, over 80% are sole proprietorships

A sole proprietorship (i.e. a business where the owner is the only employee) can be difficult to verify for a number of reasons.

  • It may not have an EIN or other ID information that can be verified automatically
  • It may have a “doing business as” name that’s different from the owner’s name
  • It may not have a website or significant digital footprint
  • It may hire contractors from across multiple states
  • The owner may change their legal name for marriage or other reasons
  • The owner may work out of a residential building, rather than a commercial one
  • The owner may work remotely outside of their registered jurisdiction

All of these things that may have been red flags for fraud in the past are becoming commonplace now that the COVID-19 pandemic is over. Thus, it’s becoming even more challenging to tell if sole proprietors are legitimate business owners or potential fraudsters.

3. 91% of US financial institutions and fintechs experienced increased fraud rates in 2022 compared to the previous year 

More small businesses applying for financial aid means a higher chance of small business loan fraud cases, especially as financial institutions try to onboard them with less friction.

4. 70% of US financial institutions lost $500,000 or more to fraud in 2022

With fraud rates going up, and perhaps also individual fraud incidents becoming more costly, financial institutions and fintechs are losing more to fraud every year.

5. As of 2022, 67% of US financial institutions had over half their workforce involved in anti-fraud activities

With fraud becoming more prevalent and costly, financial institutions are devoting more personnel to curbing it. This includes retraining employees who may not have otherwise been involved in anti-fraud operations to be aware of what fraud looks like and how to deal with it.

6. Nearly 50% of US financial institutions expect fraud with small business loans – and other cases of business identity verification fraud – to be major problems in the coming years

This is perhaps the most concerning takeaway from Alloy’s report. Almost half of American FIs and fintechs think the tensions between smoother customer onboarding, better fraud prevention, and the increased prevalence/cost of fraud are not going away anytime soon.

So what does small business lending fraud actually look like in this new financial and economic environment? Let’s take a look.

The evolving face of small business fraud cases

In response to the COVID-19 pandemic, governments set up programs like the Paycheck Protection Program (PPP) and the Employee Retention Credit (ERC) to provide relief for small businesses. Unfortunately, this also made it attractive for criminals to commit small business stimulus fraud by creating fake businesses or impersonating real ones. To illustrate, let’s return to the two examples from the introduction for a moment. 

The small business owner who walked into the Nevada bank to open a commercial account for a Kentucky-based business could have actually been a bad actor. They may have intercepted a check made out to a legitimate Kentucky-based business in the mail, and then quickly registered a fake but seemingly-similar new business online to make the deposit look authentic. If not caught, this fraudster could open the bank account, deposit the check, withdraw the deposited money as cash, and disappear.

Now, how about the Florida-based small business owner trying to open an online bank account from Lisbon, Portugal? Well, they could simply be a digital nomad dissatisfied with the foreign transaction fees imposed by their current bank. In other words, there could actually be nothing fraudulent going on here.

So again, the question is: how do you tell the difference between a fraudster and a small business owner running their operations according to the “new normal”? 

What might help is remembering the three general ways in which fraud is accomplished.

First-party fraud

First-party fraud is when a financial customer misrepresents their identity or financial situation in order to commit fraud. This may include creating an illegitimate business (such as an illegal shell company) – or obfuscating who owns a genuine business – in order to steal, launder, or hide money. It’s the most prevalent type across all classes of financial institutions.

Second-party fraud

Second-party fraud is when an entity knowingly allows a fraudster to deceptively use their identity or account information in order to defraud a financial institution. The fraudster may falsely claim to be the entity, or – more commonly – the entity may carry out a financial transaction but fail to declare they are doing so on behalf of a business or other person. 

This is often used to launder money, or to secure loans a fraudster wouldn’t normally qualify for. It tends to target regional banks, as well as online financial institutions such as pure play lenders and crypto exchanges.

Third-party fraud

Third-party fraud is when a fraudster impersonates a financial customer in order to commit fraud without the customer being aware. One common method is an account takeover: a fraudster guesses, steals, or otherwise circumvents an account’s access credentials to appear as if they’re acting as the account’s rightful owner. 

Another is synthetic identity theft: a fraudster creates a fake persona and/or business profile, but uses genuine identity information stolen from legitimate individuals and businesses to make the fraud look authentic.

There are several ways fraudsters can obtain the information necessary for this type of fraud. They can:

  • Capture it from a data breach
  • Buy it off the black market
  • Intercept a person or business’s communications
  • Trick a company representative or other individual into revealing it (i.e. phishing)

This type of fraud often targets either national banks or community-level banks (such as credit unions).

How financial institutions can combat small business fraud

In order to onboard legitimate business customers and weed out the bad ones, financial institutions and fintechs have to ask businesses questions such as:

  • Is the potential customer a real business?
  • Is the person filling out the application an actual representative of the business?
  • Is the person filling out the application the person they claim to be?
  • Is the person filling out the application using an authentic identity?
  • Is this potential customer financially fit?
  • How likely is it that this potential customer will defraud us?

However, gleaning the above information can create an onboarding nightmare for both you and your customers. On your end, requiring more information makes it more difficult to corroborate, even if you’re using automated business verification. Discrepancies between data verification sources can necessitate manually analyzing certain pieces of data, which is costly and time-consuming.

Your target customers expect an efficient onboarding process, and aren’t always able to quickly provide their own documentation, or repeatedly answer questions (which don’t often give you hard proof anyway). They may opt for a competitor who can onboard them in 20 minutes if they think that process suits them better.

The data tells the story

This is why, at Middesk, we help your business look at the full data picture. This means creating customer profiles and determining your appetite for risk based on factors such as the types of customers your business serves, as well as the ways in which small businesses operate today.

Some pieces of information that need to be looked at in a broader context include the following:

1. Where is the business registered, and where does it operate? 

In the past, a Florida-based business with activity in Wyoming may have been automatically rejected as fraudulent. To Middesk, this is only one piece of the puzzle as to whether the business is legitimate or not.

2. How old is the business? When was its application submitted?

In the past, financial institutions were reluctant to work with brand-new businesses. With today’s technology, though, many types of businesses that require financial services can get up and running very quickly.

3. What do you know about the owners? Have you developed a picture of the person (or people) behind the business?

Is the business’s address a residential address? Does the owner have good credit? Is the owner on any watchlists? If the business isn’t registered, performing Know Your Customer (KYC) checks on the owner (or owners) may be the only way you can truly identify and assess the customer. 

4. What other signals are available? 

Have you exhausted every legitimate data source where you might find information about your customer? Let’s say you find a lien on the business, for example. In the past, that might have been a sign to auto-reject the customer. But these days, a lien could simply indicate that your customer is up and operating, or that the lender is just protecting themselves against credit exposure. You need more contextual information to determine if this is truly a risk factor.

Once you’ve searched legitimate high-quality data sources to discover what you can about the business and the person (or people) behind the business, you can then ask yourself questions to see if all the pieces fit together. Some example questions include: 

  • Does the location where the business operates make sense? 
  • Does the business information match the business data you have?
  • Does the overall narrative of the business tell a cohesive story?

Fraud prevention for small business lending

Now that you know what small business fraud prevention requires, how can you implement the right anti-fraud program? Here’s what Middesk recommends. 

Establish an acceptable risk profile

First, you need to decide what your acceptable risk threshold is. While legacy banks might not want to do business with a new company, a neobank geared toward single-proprietor businesses will not want to filter brand-new businesses out. 

Learn about your target customer, and make sure your onboarding process accommodates their needs. Don’t just rely on what has always worked for you in the past; it could cause you to turn away perfectly good customers without you realizing it.

Use high-quality, automated data

Legacy business identity verification solutions can have data outdated by up to a year. This means they don’t catch new business registrations, liens, bankruptcies, and other vital-to-know information your business needs to make informed onboarding decisions. 

The completeness and overall quality of data can vary between sources as well. You’ll need to be able to automatically determine how much weight to give each source, and how to compare one set of data to another.

Decide on additional controls

Every financial institution and fintech is different. Depending on your business’s internal operations, applicable regulations, and target customers, you may need additional rules and controls to match your risk tolerance. Our Policies product allows you to set your own rules and guards so you can automatically accept and reject customers according to your specific needs.

Rely on external innovation

The world is changing fast. Small business fraud today looks very different than it did just two years ago. Middesk’s purpose is to accelerate the economy by scaling trust between businesses, and in doing so, help our customers mitigate fraud and risk. That means we keep up with the latest fraud news, ensure our data sources are complete and accurate, and protect our customers so you can get back to serving yours.

Confront the rising tide of small business fraud with Middesk

Middesk stands ready to help your financial institution or fintech balance adapting to the new conventions of small businesses with minimizing small business loan fraud cases. Our Business Verification solution has direct connections to Secretary of State portals in each US state and territory, and a data refresh rate of about two hours. You can get up-to-date information on small businesses you need to verify, all straight from government registries.

Contact our sales team to learn more.

No items found.

Stay in the loop

Share article

Related articles

No items found.