The era of instant gratification is rapidly transforming the lending industry. Modern-day banking customers apply for loans on their mobile devices and expect instant credit decisions within minutes and As customers’ expectations evolve, banks and other financial institutions are increasingly implementing digital loan origination software to accelerate processing time and maintain competitiveness.
Traditional lending relied on human interaction and financial underwriting to mitigate the risk of loan fraud and borrower impersonation. Automating the lending process enables financial institutions to save time and costs associated with traditional lending, and to digitally collect and analyze loan applications. While efficient for financial institutions, cybercriminals can capitalize on predictive analytics and automation, manipulate automated lending controls, and induce loans based on stolen credentials. This article explores and discusses how financial institutions are applying predictive analytics to the lending process, how cybercriminals manipulate such systems, and the unique coverage issues presented by automated lending claims.
Predictive Analytics in the Lending Process
Digital loan origination software uses predictive analytics to fully automate the lending process, thereby This technology removes human interaction and manual analysis from the lending process and Akin to traditional loan underwriting, digital loan origination software assesses a loan request based on the financial institution’s defined criteria and That automated process focuses on analysis of numeric criteria—such as In addition to assessing traditional metrics (e.g., FICO score and income) to predict the default probability, financial institutions can use digital loan origination software to evaluate the customer’s digital footprint (i.e., social media activity, browsing history, and geolocation data) and predict the likely rate of default based on
Cybercriminals Manipulate Automated Lending Systems
Automation streamlines the lending process, maximizes efficiency, Expediting the processing time allows financial institutions to But that accelerated processing time creates additional fraud risk. T Cybercriminals can hack automated systems, exploit coding errors, or manipulate predictive analytics. As a result, automation increases the potential for loan losses. Two claim examples illustrate how cybercriminals seek out and exploit coding errors in the automated application process and use such errors to bypass security protocols and fraud prevention strategies.
In an effort to reduce the cost of the loan underwriting process and allow customers to borrow money at the click of a button, one financial institution deployed a loan application process that allowed customers to apply for loans online and receive approval in minutes. Seizing upon the use of algorithms, the perpetrators submitted online loan applications supported by fraudulently stolen information and credentials. The software was programmed to analyze the information as presented (and did not conduct any further background on the borrowers), causing the system to accept the data as accurate and apply the data to an automated credit risk formula. The identity verification tool generated a loan underwriting score and sent it to the financial institution’s internal point-of-sale system. Because the loan underwriting score exceeded the approval threshold, the system auto-approved the loans and processed them for payment.
While the financial institution believed that the software would verify the borrowers based on telephone records, the perpetrators circumvented that perceived control by using Voice over Internet Protocol (VoIP) phone numbers. In effect, an unknown coding error allowed the perpetrators to use VoIP phone numbers to bypass the intended verification of the borrowers. Because an employee did not review the loan applications and the software automatically approved and transmitted the loans to the treasury department for disbursement, the financial institution originated and funded hundreds of fraudulent loans—leading to a substantial loss.
Similarly, another financial institution suffered a loan loss after perpetrators circumvented its two-factor authentication. In that instance, the lender offered personal loans through an online portal. That portal allowed applicants to apply for a loan and receive funding on the same day. The perpetrators submitted thousands of online loan applications using stolen identities (including name, address, Social Security number, email, and phone number). While the system deployed a two-factor authentication process, a coding error allowed the applicants to change the phone number to authenticate the loan. The perpetrators identified this weakness in the application process and exploited the coding error by altering the phone number from the one used on the application (i.e., the phone number associated with the stolen identity) to their own phone number. The coding error allowed the perpetrators to bypass security protocols and fraud prevention strategies. As a result, the lender originated and disbursed hundreds of fraudulent personal loans.
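The two control failures described above (VoIP numbers passing phone verification, and a two-factor step that accepted a changed phone number) can be set beside a corrected decision gate. This is an added Python example, not code from either lender's system; the line-type table, score threshold, phone numbers and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a phone line-type lookup (assumption).
LINE_TYPES = {"+12025550100": "mobile", "+12025550199": "voip"}
TRUSTED_LINE_TYPES = {"mobile", "landline"}   # hypothetical lender policy
APPROVAL_THRESHOLD = 700                      # hypothetical underwriting cutoff


@dataclass(frozen=True)
class Application:
    app_id: str
    phone_on_file: str   # number submitted with the identity being verified
    score: int           # output of the automated credit risk formula


def otp_destination_flawed(app, requested_phone=None):
    """The coding error: the applicant can redirect the code to any number."""
    return requested_phone or app.phone_on_file


def otp_destination_bound(app, requested_phone=None):
    """The code is only ever sent to the number bound to the application."""
    if requested_phone is not None and requested_phone != app.phone_on_file:
        raise PermissionError("phone number differs from the application")
    return app.phone_on_file


def decide(app, requested_phone=None):
    """Return 'approve', 'review' or 'decline' for one application."""
    if app.score < APPROVAL_THRESHOLD:
        return "decline"
    try:
        destination = otp_destination_bound(app, requested_phone)
    except PermissionError:
        return "review"      # changed number: a person looks before funding
    if LINE_TYPES.get(destination, "unknown") not in TRUSTED_LINE_TYPES:
        return "review"      # VoIP or unknown line: weak evidence of identity
    return "approve"         # would still require the one-time code to match


if __name__ == "__main__":
    stolen_identity = Application("A-1", "+12025550100", 720)
    print(otp_destination_flawed(stolen_identity, "+12025550199"))
    print(decide(stolen_identity, "+12025550199"))
```

The gate never auto-approves on a high score alone: a changed number or an untrusted line type sends the application to manual review instead of to disbursement.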
In addition to cybercriminals exploiting coding errors and circumventing systems designed to verify the customers, the impersonal nature of automation makes it easier for cybercriminals to submit fraudulent information. or Requiring customers to appear in person at a local branch deters perpetrators from committing identity fraud. In contrast, automated lending allows cybercriminals to submit fraudulent loan applications online with multiple financial institutions—without producing the information or documentation necessary to authenticate the applicants.
Coverage under Financial Institution Bonds
The modernized lending industry has outpaced traditional financial institution bonds. This was long before you could enter data on your mobile device and get approved for a loan within minutes. The internet did not become accessible to the general public until the 1990s. In 1997, The notion that you could borrow money from a bank without visiting a branch or speaking to a representative was unfathomable at the time.
The 2011 version of Insuring Agreement (E) typically applies to loss resulting directly from loans originated and funded by an insured in good faith reliance on with a qualifying impairment, provided that Financial institutions suffering from loan losses arising from automated lending likely cannot establish coverage under Insuring Agreement (E) for three reasons.
First, to establish coverage under Insuring Agreement (E), an insured must show that the loss involved a “Written, Original” covered document. The bond defines “Written” to mean As such, documents that exist only in electronic form—not on paper—cannot be “Written.” The bond defines “Original” to mean Therefore, electronic documents uploaded and executed through an automated lending platform are not an “Original” and are not “Written.” Because a lender adopting automated lending cannot establish the “Written, Original” requirement, any resulting loan loss is not covered under Insuring Agreement (E).
Second, to establish coverage under Insuring Agreement (E), lost, or stolen). The bond defines “Forgery” to mean The definition of forgery clarifies that While cybercriminals create synthetic identities (i.e., fictitious persons), the purported signatures on the loan documents do not constitute a forgery under Insuring Agreement (E) because they are electronic—not handwritten—signatures.
A loan loss stemming from automated lending is also unlikely to involve altered, counterfeit, lost, or stolen loan documents. While the bond does not define the term “altered,” the alteration must be made to an original document in the insured’s possession to The bond defines “Counterfeit” to mean “a Written imitation of an actual, valid Original which is As such, there must be or must have been a preexisting original document that the alleged While the bond does not define the terms “lost” or “stolen,” by the from the owner and used by the perpetrators to induce the financial institution to extend credit. In the context of automated lending, cybercriminals typically fabricate wholly new, albeit fictitious, documents to electronically submit to the financial institutions.
Third, Insuring Agreement (E) requires that the insured have actual physical possession of the “Written, Original” covered document as a condition precedent to the insured having relied on the faith of such document. The insured’s reliance on electronic documents (or copies) in disbursing loan funds does not trigger coverage under Insuring Agreement (E).
Coverage under Crime Policies
While most assume that loans are originated by traditional lenders (i.e., banks and other financial institutions), software companies often deploy online lending systems. Because a software company is not a traditional bank or financial institution, it may purchase a commercial crime policy (and not a financial institution bond). Such insureds may attempt to bring loan loss claims under the computer fraud insuring agreement or computer and funds transfer fraud insuring agreement of a crime policy. The existence of coverage for such losses depends on the unique language of the policy and whether the insurer has updated its insuring agreements.
Traditionally, many computer fraud insuring agreements provide coverage for “loss of or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: Cases under the computer fraud insuring agreement generally arise in the context of social engineering disputes, with the insureds asserting coverage where they received and relied on false instructions communicated via email. In that context, courts are split on whether coverage exists. Some courts find coverage on the basis that the transmission of an email constitutes In contrast, other courts hold that no coverage exists because the insured’s processing and approval of the payment breaks any causal nexus between the fraudulent email and the claimed loss. These cases are arguably distinguishable as they involve instances where the insured received fraudulent emails, not fraudulent loan applications.
While acknowledging the use of a computer, the court ultimately concluded that the insured did not establish a loss covered under the computer fraud provision because the use of the computer did not directly cause the withdrawal or transfer of funds from the insured’s bank account. Instead, the insured reviewed and approved the issuance of a check to fund the loan:
Plaintiff argues that no computer actually caused the transfer of any funds from Defendant’s bank account, and instead the loss was caused by checks [which] Mr. McMahon Jr. duped Defendant into issuing, endorsed, and deposited. Thus, Plaintiff contends there would be no direct loss resulting from the use of a computer as required under the “Computer Fraud” provisions of the relevant policies. Defendant has not presented any evidence or arguments in opposition to Plaintiff’s assertion that the computer fraud provisions do not provide coverage for Defendant’s
Automated lending claims are not directly analogous to the social engineering cases, assuming the insured’s employees played no role in the review or approval of the loans or issuance of funds, and the automated system reviewed and approved the loans and distributed funds without human intervention. Insureds will argue that the fraudulent use of their system to submit and induce fraudulent loans constitutes “use of a computer” and that the use of a computer fraudulently caused the claimed loss.
Some carriers have updated their language and replaced the phrase “use of a computer” as the trigger for coverage. For example, the Insurance Services Office (ISO) 2021 Commercial Crime Coverage Form’s Computer and Funds Transfer Fraud Insuring Agreement provides coverage for “[l]oss resulting directly from a fraudulent: Under this provision, the fraudulent entry or fraudulent change must cause “‘[m]oney’, ‘securities’ or ‘other property’ to be transferred, paid or delivered to a person, entity or account beyond [the insured’s] control; or [the insured’s] account at a ‘financial institution’ to be debited or deleted;
This insuring agreement limits coverage to hacking incidents. It requires the cybercriminal to access the insured’s computer system (computer, including any handheld device, or software). The definition of computer system explicitly states that the computer or software must be owned, leased, or operated by the insured; owned and operated by the insured’s employee; or operated by With automated lending, cybercriminals are not necessarily hacking into the insured’s computer or software. Typically, cybercriminals submit fraudulent loan applications using their own computer or handheld device by exploiting a coding error in the application process.
Finally, lenders may also attempt to bring automated lending claims under the fraudulently induced transfer insuring agreement of a crime protection policy. The fraudulently induced transfer insuring agreement provides coverage for The policy defines “fraudulently induced transfer” to mean
[a] transfer resulting from a payment order transmitted from [the insured] to a financial institution . . . made in good faith reliance upon an electronic, telefacsimile, telephone or written instruction received by [the insured] from a person purporting to be . . . [the insured’s] customer . . . establishing or changing the method, destination or account for payments to or on behalf of such . . . customer . . . that was in fact transmitted to [the insured] by someone impersonating the . . . customer . . . without [the insured’s] knowledge or consent and without the knowledge or consent of the . . .
Importantly, the insuring agreement applies to a payment order Courts interpreting the phrase “transmitted from the insured” have recognized that it Accordingly, a fraudulently induced transfer occurs only if a natural person, acting for the insured, transmits a payment order—such that an automatic transfer via software does not qualify as a fraudulently induced transfer. If no employee of the lender is involved in transmitting funds for the fraudulent loans and the online lending process is automated through digital loan origination software (i.e., not a natural person), the loss cannot trigger coverage under the fraudulently induced transfer insuring agreement.
The growing movement to automate the lending process leaves financial institutions vulnerable to fraud and insurance carriers vulnerable to additional exposure. Financial institutions can expect underwriters to require detailed information regarding their lending process. With reliance on digital platforms quickly rising, insurers should consider creating new coverage for electronic transactions to address evolving loan loss claims, or offering an endorsement addressing or sub-limiting coverage for automated lending. In the interim, insurers and insureds will grapple with little to no relevant case law surrounding automated lending claims.