From a reporting entity perspective, implementing terrorist finance laws or attempting to curb the crime amounts to a vigorous scanning and name-matching process. Names are obtained from open sources (media), government departments (such as OFAC), law enforcement agencies, or from several lists formulated by various governments or supra-national institutions (such as the United Nations).
These names are then "scrubbed" against the client database and if a match is found, the funds are frozen and the appropriate regulatory or law enforcement agency is informed in a timely manner.[1]
Terrorist finance regulatory reporting regimes are engineered around this core concept. The concept gained such popularity that it was extended to sanctions and embargos, and termed "Targeted Financial Sanctions."[2]
The key assumption underlying this reporting regime is that when a name is connected with certain material information (such as date of birth, social security/insurance number, passport number, etc.), it will result in identifying an individual. However, what happens when a name which is connected to identifying information is virtual, or if the name is synthetic (i.e., does not exist)?
This article questions the basic premise underlying the terrorist finance reporting regime by identifying a new and extremely disturbing trend — synthetic identity.
This is not about impersonation. The concept of impersonation entails a real individual (say, X) impersonating another (say, Y). Both individuals exist.
The scenario we are discussing is different — here X and Y do not exist; instead both are a virtual creation of another — Z — who itself is a virtual identity, and all these identities, upon identification, cease to "exist."
Equally remarkable, each of these synthetic identities is supported by authentic and valid Canadian government-issued documentation (i.e., driver's licenses and/or passports, etc.).
Undoubtedly it is a chilling scenario, and slightly similar to Steve Coll's Ghost Wars [3], inasmuch as when an identity is detected, it blends into mist, as if it never existed. What remains is a paper trail reflecting an exorbitant amount of revenue it generated through a series of financial crimes which, of course, is untraceable (for example, CAD $710,000.00 was raised through insurance scams in two days using synthetic identities, and both — identities and funds — are untraceable).
This article is based on the remarkable and cutting-edge investigative work done by Michael Kelly and Timothy Trotter (Toronto Police), without whose continuous assistance it would not have been possible. A special thanks to Peter Warrack (RBC) for his support and insights.
This article perhaps raises more questions than it answers. The first part details the process of identity creation as undertaken by the criminals. The second sketches how they commit crimes using synthetic identities. And the last notes the responses that exist to combat this formidable crime, which unfortunately are deficient and ineffective. Further debate is encouraged to explore other options for combating this de novo crime.
A crucial question surfaces during the identity creation stage, in terms of the cost and risk involved with obtaining government-issued documents: why take such an immense risk? Assuming financial enrichment is the "only" purpose, it can also be accomplished using fraudulent documents, so why take the risk of obtaining original government-issued documents?
The process of synthetic identity creation
Private sector — the Genesis
The steps involved to create a synthetic identity, prima facie, are disturbingly simple. A perpetrator usually begins by creating a faceless silhouette using a name, date of birth and address (say, John Doe, date of birth as Jan 1, 1977 and address XY Street, Z province, Canada).
Then he or she applies for a credit card with a major financial institution that typically scans a credit bureau to locate an individual's Personal Statement of Affairs (i.e., financial records, date of birth, address and credit rating).
At this stage no records exist with the credit bureau so the answer is typically negative. The rejection is a key step in the process of synthetic identity creation because a record has been created with the credit bureau with a particular name that is now linked to a date of birth and address.
It is this initial credit card rejection that serves as the genesis for synthetic identities in the finance world: personal information becomes documented at a credit bureau and progresses to being "real" without any flags being raised. That is because credit bureaus cannot determine if a person exists or not, nor can they differentiate or scrutinize an identity based on how or where it first surfaced. From the financial institution's perspective, anyone can be turned down for a credit card, so it is altogether normal that a "new person" is rejected.
Next, criminals apply for a store card with a nominal credit limit to avoid close scrutiny. These cards often require a "valid on its face" document that verifies an applicant's name, date of birth and address. The rejection document from the financial institution detailing this information is typically used for obtaining the store credit card.
Once obtained, the store card is used to improve credit rating by making regular purchases and payments. Over time, additional cards are applied for and usually acquired. All are used in a similar manner.
Time is on a criminal's side: the longer a store or credit card is used without default, the more unassailable the synthetic identity becomes. The prevailing attitude becomes: "John Doe has been a good and loyal customer for two years," thus further entrenching the identity.
To summarize: the private sector is initially and systematically exploited to construct a synthetic identity. When the synthetic identity is adequately mature, it is then used to access the public sector.
However, assuming that financial enrichment is the "only" purpose, then this purpose has theoretically been met. Therefore, the following steps (keeping in mind this assumed purpose) are seemingly unnecessary.
A real person that can be photographed is vital, if not indispensable, for most public sector documents. Criminals often use the faces of individuals unconnected to them for public sector documents. Sometimes, these individuals are visitors from another jurisdiction or province, and others are simply employed at minimum wages and promised a better job or significant sums of money for minor work (like accompanying someone to open a bank account).
There is one known instance where an individual whose face was used was an Indian diplomat's son previously employed at minimal wages at a coffee shop. The criminal (aka "Handler") visited the coffee shop, struck a conversation with the diplomat's son and was informed that he was in search of a better paying job. Needless to say, the diplomat's son was hired.
Investigators view these individuals as victims and call them "Face" because the information (name, addresses, date of birth, social insurance numbers, etc.) associated with them is false, and the only thing true is their face.
A Face plays an essential role in this cycle of crime because he or she facilitates the opening of bank accounts in person, the signing of financing contracts in person, the signing of apartment leases in person; everything else is done remotely by criminals.
Perpetrators distance themselves from their crimes by using a Face, who becomes associated with criminal activity that is not their own.
The public sector
The public sector is accessed either through bribery and corruption, or based on private sector documents and/or government (foreign or domestic) issued documents (legitimate or fraudulent).
In one case, two employees at a motor vehicle office were bribed approximately $225 per license to process and issue multiple driver's licenses for the same or different Faces. For example, one Face obtained 13 driver's licenses (using 13 different names and addresses) from the same location.
Investigators examined 300 driver's licenses issued by the two employees over a year and found that approximately 200 of those driver's licenses were fraudulent. As the investigation widened, employees at other motor vehicles locations were also identified as issuing multiple licenses to several Faces.
Other documentation used to obtain driver's licenses
The Ontario Motor Vehicles web site explains that to obtain an Ontario Driver's License the applicant is "…required to show proof of [your] legal name, date of birth (must state the day, month and year of birth) and signature. Documents must be original and valid."[4]
The primary forms of proof criminals use for driver's license applications are store/credit cards and rejection letters from financial institutions. If other documents are requested, then Canadian Citizenship Cards, Refugee status documents, foreign passports and fake foreign passports are used to support the application.
These supporting documents are inherently problematic because, despite training, differentiating between authentic and fraudulent documents is a challenge. Also, older Canadian Citizenship Cards lack security features, which makes it impossible to verify their authenticity.
Foreign passports (fake or genuine) that are used as supporting documents are also problematic due to the limited training, resources, out-of-date processes, and time constraints of the motor vehicle employees.
Criminals also apply for Canadian passports using different Faces. In some cases, they use Refugee status documents, which are inherently challenging due to the lack of documentation required for this process, and in others, they file a police report for a "stolen passport" which is then used for "re-applying" for a Canadian passport.
Social Insurance Numbers
At times, to further enhance an identity, a Canadian Social Insurance Number ("SIN", the equivalent of a U.S. social security number) is used. However, a SIN is not required to obtain a credit card, open a bank account or conduct certain bank transactions (such as mortgage, line of credit, loan), apply for a driver's license, rent a car or even negotiate a lease.[5]
SINs are essentially required when dealing with the government (i.e., to file taxes and obtain medical and social services). Financial institutions and insurance companies may also request a SIN for their records [6] or to conduct certain complex transactions.
But the point is: SINs have been used by criminals for financial transactions. Which begs the question, assuming financial enrichment is the "only" purpose of the crime, why obtain government-issued documents if they are not needed?
It is probably done to provide another veneer of authenticity to the criminal activity, or perhaps there is more to synthetic identity than "mere" illicit financial gain.
An intricate web of identities
Using these methods, perpetrators create multiple synthetic identities, which in turn support other synthetic identities. Most of these identities have authentic government-issued identification documents and stellar credit ratings.
During one case, when investigators worked with the private and public sectors to analyze data associated with a handful of identity details (names, addresses, phone numbers, etc.), the synthetic identity list grew to approximately 1000 identities. For example, when investigators searched a phone number associated with one synthetic identity name, they discovered that the same phone number had been used to activate credit cards for another 50 synthetic identities. This intricate web-like process kept re-generating itself ad infinitum.
Committing crimes using synthetic identities
Once created, a synthetic identity is utilized for diverse illegal purposes. The two primary purposes are revenue generation and logistics. Though this division is not etched in stone and uses often overlap, the former is painstakingly developed over prolonged periods of time, usually two to three years. Identities used for revenue generation are handled with greater care: until they are busted out, their credit ratings are consciously upgraded through timely payments, and credit scores are enhanced slowly but surely.
Once the credit rating is enhanced substantially and identity adequately matured, it is used to purchase high value goods (such as insurance products, etc.) that generate a tremendous amount of revenue before it is "busted out" and discarded.
Typically, in "bust outs" financial crimes are committed in a synchronized and systematic manner for a very short duration, which may include stolen credit cards, cleaned-out bank accounts, funds wired internationally, maximum credit cash advances, empty envelopes deposited into ATMs followed by cash withdrawals, and one-way airline ticket purchases.
"Bust outs" have the potential of raising a significant amount of funds. For example, a single synthetic identity can raise tens of thousands of dollars within a few hours. A prolonged (two days) scam involving a few identities has the potential of raising millions of dollars.[7]
Synthetic identities are used beyond the realm of "mere" financial crime. For example, anonymous safe houses are at times established (i.e., apartments rented under a synthetic identity and converted into safe houses for several individuals), trucks and other heavy vehicles bought or rented with synthetic identity names, and cell phone plans purchased using synthetic identities.
International travel with relative impunity has also been facilitated using synthetic identities. In one instance, Interpol contacted investigators to request further information concerning an individual in custody whose travel documents reflected a name flagged as a synthetic identity by the Toronto Police. Interpol was advised that the individual in custody was not the person described in the travel documents. The documents created a synthetic identity. However, take note: it is highly feasible that searches based on travel documents and other accompanying documents may not reveal any criminal or police record.
Logistics and revenue generation
The division between uses often blurs: revenue generation facilitates logistics and logistics results in revenue generation. Take, for example, the online registration of a construction and trucking company. The credit card used to register will be per se "valid" (i.e., issued by a financial institution belonging to a synthetic identity). The registration address will also be per se "valid" (an existing location is leased to a synthetic identity) and the directors, shareholders and employees will be seemingly real individuals (however, they are all synthetic identities). In such circumstances, not only is the division blurred but it is also more problematic. The company is unlikely to attract attention if it purchases trucks, or transports restricted goods.
In one case, a 70-foot truck weighing 80,000 pounds was "purchased" by a synthetic identity. The registered owner was a synthetic identity and the driver was a synthetic identity. Goods were exported to Africa since all the required documentation was deemed "appropriate."
In another case, two cement trucks were purchased and fully insured in Alberta by a company registered to a synthetic identity. The trucks were then placed on rail cars and transported to the Pacific coast and later shipped to Dubai. Subsequently, they were reported stolen and insurance was claimed. Assuming the trucks were sold in Dubai for half their value (they cost approx. $300,000 each) plus full insurance paid from the insurance company, the net profit would be 150 percent of the purchase price ($900,000), minus a few months' payments before they were reported "stolen."
It is also alarming how readily restricted goods and commodities can be obtained using synthetic identities.
Acquiring chemical, industrial or restricted products entails a process that requires submitting identification before purchase in most jurisdictions. When a pre-determined benchmark amount is reached, a filing requirement comes into play. The requirement obligates the seller to inform the applicable authorities about the sale and provide certain details (i.e., that a particular company or individual has purchased the threshold amount of industrial or chemical product during the reporting period of time).
However, if ten "different" people buy restricted products over the applicable period, it is unlikely to be noticed because the same name will not appear more than once (even though all ten synthetic identities belong to the same person), the threshold level is not reached, and therefore, no flags are raised.
Each of these instances should ideally result in a stadium full of red furiously fluttering flags that demand immediate and extraordinary attention, but instead the current situation is the opposite.
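The linkage the investigators found (one phone number reused across many identities) and the threshold gap described above can be combined into one check: group purchaser records that share a phone number or address, then total restricted-goods purchases per group instead of per name. This is an added illustration, not code from the article or from any agency; the records, the 100 kg threshold and all function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: every name, phone number, address and quantity is invented.
IDENTITIES = [
    {"id": "A1", "name": "John Doe",   "phone": "416-555-0101",   "address": "12 XY Street, Unit 4"},
    {"id": "A2", "name": "Alan Roe",   "phone": "(416) 555 0101", "address": "98 Elm Ave"},
    {"id": "A3", "name": "Sam Poe",    "phone": "416-555-0177",   "address": "98 elm ave."},
    {"id": "A4", "name": "Mary Major", "phone": "905-555-0142",   "address": "7 Oak Road"},
]
PURCHASES = [("A1", 40), ("A2", 35), ("A3", 45), ("A4", 60)]  # (identity id, kg in period)
THRESHOLD_KG = 100  # hypothetical per-purchaser filing threshold for the reporting period


def norm_phone(phone):
    """Keep digits only so formatting differences do not hide a shared number."""
    return "".join(ch for ch in phone if ch.isdigit())


def norm_address(address):
    """Lower-case, drop punctuation and collapse whitespace."""
    cleaned = "".join(ch.lower() if ch.isalnum() else " " for ch in address)
    return " ".join(cleaned.split())


def cluster_identities(identities):
    """Group identities connected, directly or transitively, by a shared phone or address."""
    parent = {rec["id"]: rec["id"] for rec in identities}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (attribute kind, normalized value) -> first identity carrying it
    for rec in identities:
        keys = [("phone", norm_phone(rec["phone"])),
                ("address", norm_address(rec["address"]))]
        for key in keys:
            if not key[1]:
                continue  # blank fields must not link unrelated records
            if key in first_seen:
                parent[find(rec["id"])] = find(first_seen[key])
            else:
                first_seen[key] = rec["id"]

    clusters = defaultdict(set)
    for rec in identities:
        clusters[find(rec["id"])].add(rec["id"])
    return [frozenset(members) for members in clusters.values()]


def flag_split_purchases(identities, purchases, threshold):
    """Return linked groups whose combined purchases reach the threshold
    although no single identity in the group does."""
    per_identity = defaultdict(int)
    for ident, qty in purchases:
        per_identity[ident] += qty
    flagged = []
    for members in cluster_identities(identities):
        total = sum(per_identity[m] for m in members)
        largest = max(per_identity[m] for m in members)
        if len(members) > 1 and total >= threshold and largest < threshold:
            flagged.append((sorted(members), total))
    return flagged


if __name__ == "__main__":
    for members, total in flag_split_purchases(IDENTITIES, PURCHASES, THRESHOLD_KG):
        print(f"linked identities {members} bought {total} kg in total")
```

A check of this kind only catches identities that reuse a contact detail, which is the pattern the investigators' phone-number search exposed; it does not establish whether any single identity is synthetic.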
Existing responses to combat synthetic identity
How is this formidable crime being combated?
Unfortunately, the response to combatting the crime is profoundly deficient. There are several reasons for that.
For one, synthetic identity is a de novo criminal trend — one that has yet to be comprehended by most, and/or granted a place in the criminal codes of jurisdictions. The response to the crime is therefore lagging in the sense that existing resources and abilities are being used to combat it. This is an acute limitation. Government departments are geared to address existing crime, most of which does not come close to this genre of crime in terms of potential or severity.
Departments work in silos
Government departments are inherently limited and restrained since they work in silos. Those that would potentially deal with such a crime — be it the police, intelligence, national security, etc. — are labouring under curtailing bureaucratic barriers and other concerns that stem real-time information exchange. Integration is imperative and a necessity, no longer a choice or option.
Integration and real-time information exchange were a key recommendation of the U.S. 9/11 Commission. However, most nations have yet to take cognizance of the recommendation. Most are still burdened with substantial and cumbersome information exchange barriers. In many cases, the police departments, immigration, social insurance and motor vehicles departments face bureaucratic barriers and privacy concerns that prevent, if not prohibit, real-time information exchange.
The silos clearly work to the criminals' advantage. Ideally, Passport Canada should access the same data as Canada Border Control, Immigration and other relevant departments. There is immense value in real-time information exchange.
For example, if a synthetic identity named John Doe applies for a driver's license, the motor vehicles department (via the Ministry of Transportation) could ensure that John Doe's Canadian Passport or Refugee Status document matches the immigration information available with immigration services.
Departments should integrate and be empowered to exchange real-time information, or be able to access the same information.
Controls focused on access points
Our security system has created controls that are focused on access points. Assuming security is compromised or breached at any one of those access points, the entire system is compromised and unfettered access is gained to the entire system. Once accessed, it is virtually impossible to separate a criminal from a legitimate user or even counter any of their actions. The motor vehicles bribery incident is indicative of this aspect.
When the controls at the motor vehicles department were breached and driver's licenses obtained, it provided unfettered access to acquire credit and build stellar ratings, open multiple bank accounts, conduct complex financial transactions, purchase insurance products, rent heavy vehicles and buy restricted goods, and sign leases without any flags being raised.
The technology used by various government departments is inadequate to deal with such a crime. In comparison, criminals use sophisticated technology and are knowledgeable about technological limitations.
Take, for example, the Photo Comparison Technology (PCT), which is used by the Ministry of Transportation and Passport Canada. It is built on flawed logic. Government officials believe that the PCT, if used correctly, will provide adequate information in a timely manner. It hinges on a Face or an iris existing multiple times in the same database in order to be flagged. So, if the Face or iris does not appear in the database, it is not deemed fraudulent.
In synthetic identity cases, multiple Faces are used. Faces, as mentioned, are often visitors from another province or jurisdiction so records don't exist for such individuals. When a new Face is used, the PCT is bypassed and defeated. Or, if there is a slight change in the angle of how a person holds their head or turns their eyes (for example, crosses eyes), the system is defeated again.
Even if the PCT technology is upgraded, it is debatable how effective it can truly be since it will not per se prevent the creation of a synthetic identity. But upgrading the PCT technology may limit criminals since they will not be able to use one Face to set up multiple identities (only one new face/set of eyes per identity). However, it will not prevent the criminals from creating a synthetic identity out of thin air and the system will not detect it because the face/eyes appear once under that name.
Having said that, it should be realized that technology is a tool, an essential one, but a tool nonetheless and ipso facto is not pari passu with human intelligence, skill or abilities. In addition, technology may lead to complacency if its inherent limitations are not understood a priori. To respond to this crime effectively, a change of mindset is imperative. The key is agility and creative thinking beyond comfort zones and standard technological processes.
Other loopholes
Numerous loopholes exist that demand attention. The Refugee status category and process, for example, should be re-visited to prevent its misuse.
The Canadian Citizenship Cards issued decades ago were laminated cards lacking security features. Some are still in circulation and utilized to address the additional document requirements pertaining to driver's license or opening bank accounts. These should be promptly cancelled and discontinued.
Canada Immigration should undertake a comprehensive study of other jurisdictional processes. For example, certain jurisdictions embed biometric cards in identification documents (passports and licenses, etc.). Such options should be explored further.
To take another example, the Financial Transactions and Reports Analysis Centre of Canada is prohibited from accepting SIN numbers due to privacy and other concerns. This key information could make investigations potentially more efficient.
Synthetic identity is a de novo and extremely significant trend that has changed the traditional notions of financial crime.
The spectacular and extensive terrorist finance laws passed post 9/11 were closely followed by an equally excellent wave of regulations and guidelines that detailed the expected conduct of most commercial actors in our society. A core component of these laws demanded that reporting entities have in place comprehensive processes that search, scan and freeze a client's funds if suspicious activity is suspected. This process, despite its limitation, worked for a decade.
However, synthetic identity is a game changer. The conventional concepts that propelled those laws are now largely inapplicable. That is because synthetic identities are created out of thin air, have the potential of raising significant ad hoc amounts of funds, and when identified have the capability of disappearing without a trace. The proscribing, searching, scanning and freezing of assets is of very limited assistance to combat such a serious crime.
This trend is also extremely significant because creating synthetic identities is an immense logistic undertaking — it is not an ad hoc one-time endeavor perpetrated by a financially desperate or misguided group of individuals. Without a doubt, it is a methodized modus operandi undertaken by a highly disciplined, financially sophisticated and organized criminal group. This group, on one hand, has the ability to control significant logistic resources under the cover of anonymity, and on the other, generate an immense revenue stream when the logistical aspect is deemed unnecessary.
Equally alarming, this crime lacks precedent and no similar features or trends exist within this context. In other instances of serious crime, distinct similarities or trends have existed. However, individuals here (i.e., the "Faces," their "Handlers" and/or criminals) have nothing in common. They do not share an ideology, religion, culture, language, nationality or origin.
No common factors, patterns or trends exist among Faces and their Handlers. They originate from different nations, speak myriad languages and do not share a culture or religion, except that all are adult men, and most Faces are in financial dire straits.
In conclusion, this article clearly raises more questions than it answers. That is because my intent is not to provide a comprehensive analysis of the crime, its methodology or even the responses. Instead, I wish to draw attention to this new trend and to generate debate regarding how to combat it.
Dr. Kalyani Munshani, senior manager, Global AML Compliance, Royal Bank of Canada, Toronto, Canada, firstname.lastname@example.org
The ideas and opinions expressed in this article are solely those of the author and do not represent Royal Bank of Canada or its affiliates.
1. See further, The Stockholm Process, online: http://www.pcr.uu.se/research/smartsanctions/the_stockholm_process/ (Feb 19, 2013)
2. See further, R. T. Naylor, "Economic Warfare: Sanctions, Embargo Busting, and Their Human Cost" (1999, Maple Press, York, Pennsylvania)
3. Steve Coll, "Ghost Wars: The secret history of the CIA, Afghanistan, and Bin Laden, from the Soviet invasion to September 10, 2011", Penguin Books, 2005
4. Ontario Motor Vehicles web site, online: http://www.mto.gov.on.ca/english/dandv/
5. Service Canada, online: http://www.servicecanada.gc.ca/eng/sin/info/yoursin.shtml
6. FIs and other reporting companies do not use SIN numbers or personal information when filing reports with FINTRAC or OSFI.
7. See further, United States District Court, District of New Jersey, United States of America vs. Babar Qureshi et al., Criminal Complaint No. 13-8013 (MAC)