It's a crime from a criminal to scam the bank. Instead of the bank being held accountable for mistaking the identity (or don't do enough due diligent), the concept shifts the blame to the account owner, saying it's their fault for having their identity "stolen", despite them was not involved in the scam process.
Usually it's a bit more complicated than that, and a reason why it's a big problem in the US is we don't have good ways to reliably gauge identity. SSNs got pushed onto everything because it's actually the only thing everyone has. Everything else is fragmented and optional. DL? State-to-state, fragmented, optional. Passports? Very optional, and expensive. Phone numbers? Much more universal, but the telephony system is not secure by any means. Usernames? Passwords? Well, we all know those aren't perfect security measures.
Right, we have various add-on solutions because the core problem is unsolvable. How do you identify every person in the US? You can't, SSN is the only way to even try to do that. But SSN is just a number. No picture, no description, no renewals, no nothing.
So then we bolt-on these solutions to try to get it to work. The issue is we have multiple costs here - we have to balance security, but we also need to make sure customers can get their money most of the time they need to.
I recently signed up for Apple Enhanced Data Security or whatever it was called. It made it very clear that if I lose my password, my data can never be recovered. Ever. No email address can help, no recovery mechanisms. It's sealed and done for good. I'm tech-savvy and I can live with this. Can Nana? For my money, no.
We do things like security questions because they're easy and people understand them, and people use them all the time to recover accounts. Same reason we do SMS - everyone has a phone. These are imperfect solutions because perfect solutions have other issues. How many people will be locked permanently out of their bank account? How will the bank deal with those lawsuits?
A good resource for anyone dealing with credit issues due to identity theft. If I recall correctly, the advice boils down to notifying the bank that the transaction was fraudulent and then notifying credit unions that the bank has been notified that the transaction is fraudulent. Of course, doing all this through proper channels. It’s still bullshit how banks sabotaged public knowledge of it but at least the law favors the consumer.
It's a crime from a criminal to scam the bank. Instead of the bank being held accountable for mistaking the identity (or don't do enough due diligent), the concept shifts the blame to the account owner, saying it's their fault for having their identity "stolen", despite them was not involved in the scam process.