Automated Lending: Speed Sacrifices Security
June 14, 2023 Feature
Iga Todd
The era of instant gratification is rapidly transforming the lending industry. Gone are the days when banking customers had to travel to a brick-and-mortar branch with physical copies of their financial documents, meet with a representative, wait weeks for a credit decision, and travel back to the branch to receive their funds. Modern-day banking customers apply for loans on their mobile devices and expect instant credit decisions within minutes and loan funds as quickly as the same day. As customers’ expectations evolve, banks and other financial institutions are increasingly implementing digital loan origination software to accelerate processing time and maintain competitiveness.
Traditional lending relied on human interaction and financial underwriting to mitigate the risk of loan fraud and borrower impersonation. Automating the lending process enables financial institutions to save time and costs associated with traditional lending, and to digitally collect and analyze loan applications. While efficient for financial institutions, cybercriminals can capitalize on predictive analytics and automation, manipulate automated lending controls, and induce loans based on stolen credentials. This article explores and discusses how financial institutions are applying predictive analytics to the lending process, how cybercriminals manipulate such systems, and the unique coverage issues presented by automated lending claims.
Predictive Analytics in the Lending Process
Digital loan origination software uses predictive analytics to fully automate the lending process, thereby allowing a financial institution to save the time and cost normally associated with application intake, loan underwriting, loan closing, and the disbursement process. This technology removes human interaction and manual analysis from the lending process and relies on algorithms to render automated credit decisions based on the financial institution’s preprogrammed underwriting criteria. Akin to traditional loan underwriting, digital loan origination software assesses a loan request based on the financial institution’s defined criteria and automatically approves loan applications that meet the defined parameters. That automated process focuses on analysis of numeric criteria—such as the customer’s credit score. In addition to assessing traditional metrics (e.g., FICO score and income) to predict the default probability, financial institutions can use digital loan origination software to evaluate the customer’s digital footprint (i.e., social media activity, browsing history, and geolocation data) and predict the likely rate of default based on digital behavior.
Cybercriminals Manipulate Automated Lending Systems
Automation streamlines the lending process, maximizes efficiency, reduces the cost of loan processing, increases profit margins, and improves customer satisfaction. Expediting the processing time allows financial institutions to process a higher volume of loan applications in a shorter amount of time. But that accelerated processing time creates additional fraud risk. The nature of swift loan origination makes financial institutions vulnerable to cybercriminals. Cybercriminals can hack automated systems, exploit coding errors, or manipulate predictive analytics. As a result, automation increases the potential for loan losses. Two claim examples illustrate how cybercriminals seek out and exploit coding errors in the automated application process and use such errors to bypass security protocols and fraud prevention strategies.
In an effort to reduce the cost of the loan underwriting process and allow customers to borrow money at the click of a button, one financial institution deployed a loan application process that allowed customers to apply for loans online and receive approval in minutes. Seizing upon the use of algorithms, the perpetrators submitted online loan applications supported by fraudulently stolen information and credentials. The software was programmed to analyze the information as presented (and did not conduct any further background check on the borrowers), causing the system to accept the data as accurate and apply the data to an automated credit risk formula. The identity verification tool generated a loan underwriting score and sent it to the financial institution’s internal point-of-sale system. Because the loan underwriting score exceeded the approval threshold, the system auto-approved the loans and processed them for payment.
While the financial institution believed that the software would verify the borrowers based on telephone records, the perpetrators circumvented that perceived control by using Voice over Internet Protocol (VoIP) phone numbers. In effect, an unknown coding error allowed the perpetrators to use VoIP phone numbers to bypass the intended verification of the borrowers. Because an employee did not review the loan applications and the software automatically approved and transmitted the loans to the treasury department for disbursement, the financial institution originated and funded hundreds of fraudulent loans—leading to a substantial loss.
Similarly, another financial institution suffered a loan loss after perpetrators circumvented its two-factor authentication. In that instance, the lender offered personal loans through an online portal. That portal allowed applicants to apply for a loan and receive funding on the same day. The perpetrators submitted thousands of online loan applications using stolen identities (including name, address, Social Security number, email, and phone number). While the system deployed a two-factor authentication process, a coding error allowed the applicants to change the phone number to authenticate the loan. The perpetrators identified this weakness in the application process and exploited the coding error by altering the phone number from the one used on the application (i.e., the phone number associated with the stolen identity) to their own phone number. The coding error allowed the perpetrators to bypass security protocols and fraud prevention strategies. As a result, the lender originated and disbursed hundreds of fraudulent personal loans.
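Both claim examples turn on the same control failure: the telephone number used for out-of-band verification was under the applicant's control rather than bound to the identity of record, and the channel itself was not vetted, so instantly provisioned VoIP numbers passed as telephone records. The following Python sketch is an added example, not code from the article or from either lender's platform. It places the flawed flow (the request supplies the destination number) beside a hardened one that sends the code only to the number on file, treats any mismatch as a manual-review event, and refuses non-mobile line types. The identity records, the `LINE_TYPES` table standing in for a carrier lookup, and the SMS gateway are all constructed stand-ins.

```python
"""Out-of-band phone verification for an automated loan application.

Constructed data and a simulated SMS gateway; the line-type classification is
an assumption in place of a real carrier/number-intelligence lookup.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed identity records: the phone number the lender's identity source
# associates with the applicant (the "number on file").
IDENTITY_RECORDS = {
    "APP-1001": {"name": "Constructed Applicant A", "phone_on_file": "+15551230001"},
    "APP-1002": {"name": "Constructed Applicant B", "phone_on_file": "+15559990002"},
}

# Constructed line-type table standing in for a carrier lookup (assumption).
LINE_TYPES = {
    "+15551230001": "mobile",
    "+15559990002": "voip",    # instantly provisioned, not tied to a person
    "+15559990003": "mobile",  # a real mobile line the applicant did not list
}

SMS_OUTBOX: dict[str, list[str]] = {}  # simulated gateway: number -> messages


def send_sms(number: str, text: str) -> None:
    SMS_OUTBOX.setdefault(number, []).append(text)


def new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class Challenge:
    app_id: str
    bound_phone: str
    code: str
    used: bool = False


def vulnerable_request_otp(app_id: str, phone_from_request: str) -> Challenge:
    """Flawed flow: the code goes to whatever number the request carries.
    Nothing ties that number to the identity record, so an application built on
    a stolen identity can point the second factor at any phone."""
    code = new_code()
    send_sms(phone_from_request, f"Your loan verification code is {code}")
    return Challenge(app_id, phone_from_request, code)


def hardened_request_otp(app_id: str, phone_from_request: str) -> Challenge:
    """Hardened flow: the destination is the number on file, the request cannot
    change it silently, and the channel must be a mobile line."""
    on_file = IDENTITY_RECORDS[app_id]["phone_on_file"]
    if phone_from_request != on_file:
        # A changed number on an in-flight application is a review event,
        # not an override of the verification channel.
        raise PermissionError("phone differs from number on file; route to manual review")
    line_type = LINE_TYPES.get(on_file, "unknown")
    if line_type != "mobile":
        raise PermissionError(f"line type {line_type!r} not accepted for verification")
    code = new_code()
    send_sms(on_file, f"Your loan verification code is {code}")
    return Challenge(app_id, on_file, code)


def verify_otp(challenge: Challenge, submitted_code: str) -> bool:
    """Single-use, constant-time check shared by both flows, so the only
    difference under test is how the destination number was chosen."""
    if challenge.used:
        return False
    challenge.used = True
    return hmac.compare_digest(challenge.code, submitted_code)


def last_code_at(number: str) -> str:
    return SMS_OUTBOX[number][-1].split()[-1]


def redirect_second_factor(request_fn, app_id: str, other_phone: str) -> bool:
    """Replay the pattern from the second claim example: the application names
    a phone other than the one on file. Returns True if a usable code ends up
    at that other phone, i.e. the redirection succeeded."""
    try:
        challenge = request_fn(app_id, other_phone)
    except PermissionError:
        return False
    return verify_otp(challenge, last_code_at(other_phone))


def legitimate_verification(request_fn, app_id: str) -> bool:
    """Applicant verifies with the number on file; False if the channel is refused."""
    on_file = IDENTITY_RECORDS[app_id]["phone_on_file"]
    try:
        challenge = request_fn(app_id, on_file)
    except PermissionError:
        return False
    return verify_otp(challenge, last_code_at(on_file))


if __name__ == "__main__":
    print("vulnerable, redirected:", redirect_second_factor(vulnerable_request_otp, "APP-1001", "+15559990003"))
    print("hardened, redirected:  ", redirect_second_factor(hardened_request_otp, "APP-1001", "+15559990003"))
    print("hardened, mobile on file:", legitimate_verification(hardened_request_otp, "APP-1001"))
    print("hardened, voip on file:  ", legitimate_verification(hardened_request_otp, "APP-1002"))
```

The design point is that the second factor only attests to something when the lender, not the applicant, chooses where it is delivered; in the hardened flow a number change and a non-mobile line are both surfaced as review events, which is also where detection logic (rate of number changes per identity, share of VoIP numbers across applications) would attach.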
In addition to cybercriminals exploiting coding errors and circumventing systems designed to verify the customers, the impersonal nature of automation makes it easier for cybercriminals to submit fraudulent information. To secure fraudulent loans, cybercriminals typically use synthetic or stolen identities. Requiring customers to appear in person at a local branch deters perpetrators from committing identity fraud. In contrast, automated lending allows cybercriminals to submit fraudulent loan applications online with multiple financial institutions—without producing the information or documentation necessary to authenticate the applicants.
Coverage under Financial Institution Bonds
The modernized lending industry has outpaced traditional financial institution bonds. Insuring Agreement (E) first appeared in the Financial Institution Bond in 1951 and was subsequently revised in 1969, 1980, and 1986. This was long before you could enter data on your mobile device and get approved for a loan within minutes. In 1951, home computers did not exist, and in 1986, less than 15% of households had a computer at home. The internet did not become accessible to the general public until the 1990s. In 1997, only 18% of households had access to the internet. The notion that you could borrow money from a bank without visiting a branch or speaking to a representative was unfathomable at the time.
While the industry adopted minor revisions in 2004 and 2011, the insuring agreement has not fundamentally changed. The 2011 version of Insuring Agreement (E) typically applies to loss resulting directly from loans originated and funded by an insured in good faith reliance on specified enumerated documents with a qualifying impairment, provided that the insured physically possesses the “Written, Original” of such documents. Financial institutions suffering from loan losses arising from automated lending likely cannot establish coverage under Insuring Agreement (E) for three reasons.
First, to establish coverage under Insuring Agreement (E), an insured must show that the loss involved a “Written, Original” covered document. In 2004, the Financial Institution Bond was revised to add the “Written, Original” requirement to clarify that electronic documents are not covered documents. The bond defines “Written” to mean “expressed through letters or marks placed upon paper and visible to the eye.” As such, documents that exist only in electronic form—not on paper—cannot be “Written.” The bond defines “Original” to mean “the first rendering or archetype and does not include photocopies or electronic transmissions even if received and printed.” Therefore, electronic documents uploaded and executed through an automated lending platform are not an “Original” and are not “Written.” Because a lender adopting automated lending cannot establish the “Written, Original” requirement, any resulting loan loss is not covered under Insuring Agreement (E).
Second, to establish coverage under Insuring Agreement (E), the insured must also prove that the loss involved a covered defect of an enumerated document (i.e., forgery, alteration, counterfeit, lost, or stolen). The bond defines “Forgery” to mean “affixing the handwritten signature, or a reproduction of the handwritten signature, of another natural person without authorization and with intent to deceive.” The definition of forgery clarifies that “[a]n electronic or digital signature is not a reproduction of a handwritten signature.” While cybercriminals create synthetic identities (i.e., fictitious persons), the purported signatures on the loan documents do not constitute a forgery under Insuring Agreement (E) because they are electronic—not handwritten—signatures.
A loan loss stemming from automated lending is also unlikely to involve altered, counterfeit, lost, or stolen loan documents. While the bond does not define the term “altered,” the alteration must be made to an original document in the insured’s possession to trigger coverage. The bond defines “Counterfeit” to mean “a Written imitation of an actual, valid Original which is intended to deceive and to be taken as the Original.” As such, there must be or must have been a preexisting original document that the alleged counterfeit document attempts to imitate. While the bond does not define the terms “lost” or “stolen,” the documents must be lost by the rightful owner or stolen from the owner and used by the perpetrators to induce the financial institution to extend credit. In the context of automated lending, cybercriminals typically fabricate wholly new, albeit fictitious, documents to electronically submit to the financial institutions.
Third, Insuring Agreement (E) requires that the insured have actual physical possession of the “Written, Original” covered document as a condition precedent to the insured having relied on the faith of such document. With automated lending, the financial institutions do not have actual physical possession of the original loan documents as the customers do not visit a branch with physical copies but upload such documents online. The insured’s reliance on electronic documents (or copies) in disbursing loan funds does not trigger coverage under Insuring Agreement (E).
Coverage under Crime Policies
While most assume that loans are originated by traditional lenders (i.e., banks and other financial institutions), software companies often deploy online lending systems. Because a software company is not a traditional bank or financial institution, it may purchase a commercial crime policy (and not a financial institution bond). Such insureds may attempt to bring loan loss claims under the computer fraud insuring agreement or computer and funds transfer fraud insuring agreement of a crime policy. The existence of coverage for such losses depends on the unique language of the policy and whether the insurer has updated its insuring agreements.
Traditionally, many computer fraud insuring agreements provide coverage for “loss of or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: [t]o a person (other than a ‘messenger’) outside those ‘premises’; or [t]o a place outside those ‘premises.’” Cases under the computer fraud insuring agreement generally arise in the context of social engineering disputes, with the insureds asserting coverage where they received and relied on false instructions communicated via email. In that context, courts are split on whether coverage exists. Some courts find coverage on the basis that the transmission of an email constitutes “use of a computer” to induce a transfer of funds. In contrast, other courts hold that no coverage exists because the insured’s processing and approval of the payment breaks any causal nexus between the fraudulent email and the claimed loss (use of a computer did not directly cause the withdrawal or transfer of funds). These cases are arguably distinguishable as they involve instances where the insured received fraudulent emails, not fraudulent loan applications.
The U.S. Court of Appeals for the Fifth Circuit found that no coverage existed where the insured alleged that the perpetrators used a computer to fraudulently induce a premium finance loan. While acknowledging the use of a computer, the court ultimately concluded that the insured did not establish a loss covered under the computer fraud provision because the use of the computer did not directly cause the withdrawal or transfer of funds from the insured’s bank account. Instead, the insured reviewed and approved the issuance of a check to fund the loan:
Plaintiff argues that no computer actually caused the transfer of any funds from Defendant’s bank account, and instead the loss was caused by checks [which] Mr. McMahon Jr. duped Defendant into issuing, endorsed, and deposited. Thus, Plaintiff contends there would be no direct loss resulting from the use of a computer as required under the “Computer Fraud” provisions of the relevant policies. Defendant has not presented any evidence or arguments in opposition to Plaintiff’s assertion that the computer fraud provisions do not provide coverage for Defendant’s losses.
Automated lending claims are not directly analogous to the social engineering cases, assuming the insured’s employees played no role in the review or approval of the loans or issuance of funds, and the automated system reviewed and approved the loans and distributed funds without human intervention. Insureds will argue that the fraudulent use of its system to submit and induce fraudulent loans constitutes “use of a computer” and that the use of a computer fraudulently caused the claimed loss.
Some carriers have updated their language and replaced the phrase “use of a computer” as the trigger for coverage. For example, the Insurance Services Office (ISO) 2021 Commercial Crime Coverage Form’s Computer and Funds Transfer Fraud Insuring Agreement provides coverage for “[l]oss resulting directly from a fraudulent: [e]ntry of ‘electronic data’ or ‘computer program’ into; or [c]hange of ‘electronic data’ or ‘computer program’ within any ‘computer system.’” Under this provision, the fraudulent entry or fraudulent change must cause “‘[m]oney’, ‘securities’ or ‘other property’ to be transferred, paid or delivered to a person, entity or account beyond [the insured’s] control; or [the insured’s] account at a ‘financial institution’ to be debited or deleted; without [its] knowledge or consent.”
This insuring agreement limits coverage to hacking incidents. It requires the cybercriminal to access the insured’s computer system (computer, including any handheld device, or software). The definition of computer system explicitly states that the computer or software must be owned, leased, or operated by the insured; owned and operated by the insured’s employee; or operated by an authorized third party while performing services for the insured. With automated lending, cybercriminals are not necessarily hacking into the insured’s computer or software. Typically, cybercriminals submit fraudulent loan applications using their own computer or handheld device by exploiting a coding error in the application process.
Finally, lenders may also attempt to bring automated lending claims under the fraudulently induced transfer insuring agreement of a crime protection policy. The fraudulently induced transfer insuring agreement provides coverage for “loss of funds resulting directly from a fraudulently induced transfer causing the funds to be transferred from [the insured’s] premises or financial institution premises to a person, entity, place or account outside of [the insured’s] control.” The policy defines “fraudulently induced transfer” to mean
“[a] transfer resulting from a payment order transmitted from [the insured] to a financial institution . . . made in good faith reliance upon an electronic, telefacsimile, telephone or written instruction received by [the insured] from a person purporting to be . . . [the insured’s] customer . . . establishing or changing the method, destination or account for payments to or on behalf of such . . . customer . . . that was in fact transmitted to [the insured] by someone impersonating the . . . customer . . . without [the insured’s] knowledge or consent and without the knowledge or consent of the . . . customer.”
Importantly, the insuring agreement applies to a payment order “transmitted from [the insured] to a financial institution.” Courts interpreting the phrase “transmitted from the insured” have recognized that it requires action by the insured’s employees and/or agents. Accordingly, a fraudulently induced transfer occurs only if a natural person, acting for the insured, transmits a payment order—such that an automatic transfer via software does not qualify as a fraudulently induced transfer. If no employee of the lender is involved in transmitting funds for the fraudulent loans and the online lending process is automated through digital loan origination software (i.e., not a natural person), the loss cannot trigger coverage under the fraudulently induced transfer insuring agreement.
Conclusion
The growing movement to automate the lending process leaves financial institutions vulnerable to fraud and insurance carriers vulnerable to additional exposure. Financial institutions can expect underwriters to require detailed information regarding their lending process. With reliance on digital platforms quickly rising, insurers should consider creating new coverage for electronic transactions to address evolving loan loss claims, or offering an endorsement addressing or sub-limiting coverage for automated lending. In the interim, insurers and insureds will grapple with little to no relevant case law surrounding automated lending claims.