InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN releases notice on U.S. passport card’s counterfeit use in finance
On April 15, FinCEN, along with the Department of State, released its notice on the apparent rise of counterfeit use of U.S. passport cards at financial institutions. FinCEN urged financial institutions to be “vigilant” in the fight against identity theft and fraud schemes, especially under their BSA practices. Since 2018, the Department of State has identified a “concerning increase” in counterfeit use of U.S. passport cards with apparently over 4,000 victims. FinCEN released this notice to help financial institutions identify and report suspicious activity by promoting three areas: (i) providing an overview of common scenarios and typologies; (ii) highlighting several red flags in areas of concern; and (iii) reminding financial institutions of their BSA obligations.
The notice discussed suspicious behavior, namely how individuals and fraud rings are falsely “making, selling, and using” counterfeit U.S. passport cards to access accounts at financial institutions. FinCEN noted actors prefer using U.S. passport cards since they are a less familiar form of identification and cheaper to counterfeit (compared to passport books). On fraudulent activity, FinCEN stated actors will use counterfeit U.S. passport cards to impersonate the victim at the victim’s “known financial institution branch.” After accessing the account successfully, the Department of State highlighted three types of attempted transactions: (1) asking questions on account balance and withdrawal limits and withdrawing large amounts of cash below the Currency Transaction Reporting (CTR) threshold; (2) cashing stolen or forged checks to obtain funds; and (3) establishing a new joint account with a second illicit actor as a joint owner. FinCEN outlined technical, behavioral, and financial red flags to help financial institutions detect and report suspicious activity. Red flags may include technical issues with a U.S. passport card’s photo, such as lack of raised text, and discrepancies in its holographic seal, among others. Last, FinCEN reminded financial institutions of BSA obligations, including, but not limited to, filing Suspicious Activity Reports (SARs) and CTRs.
DOJ’s Covid-19 Fraud Enforcement reports ongoing civil fraud and consumer protection actions
On April 9, the DOJ released a report on Covid-19 fraud, organizing various federal enforcement agencies and inspectors general, as well as state strike forces, in their collective pursuits against civil fraud on financial remedies under Covid-19. The Department’s Covid-19 Fraud Enforcement Task Force (CFETF) reported over 400 settlements and judgments and seized over $1.4 billion in fraudulently obtained CARES Act funds.
The report noted that the Civil Fraud Section continues to investigate fraudulent claims under the False Claims Act (FCA) and FIRREA, including with respect to grant recipients, PPE procurement, and payment advances. As two notable examples, a Florida management company paid $9 million for knowingly violating the FCA to obtain PPP loan forgiveness, and a New Jersey public relations firm paid $2.24 million for similar violations where it was found ineligible for the loan since it was registered under the Foreign Agent Registration Act. The DOJ also acted against purveyors of faulty PPE, individuals who tampered with Covid-19 vaccines, and those who sold fraudulent covid products online—filing under the Covid-19 Consumer Protection Act. The DOJ touted its $1 million judgment against a company that marketed vitamins that allegedly protected against Covid-19. Further, the National Unemployment Insurance Fraud Tax Force found hundreds of pandemic fraud leads and has seized over $3.3 billion in suspected pandemic fraud.
Nacha’s new rules intends to reduce business fraud that uses credit-push payments
On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.”
As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.
The first set of rule amendments are effective October 1, which, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit.
The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third party providers, and third party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based process and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third party providers, and third-party senders.
New York Attorney General sues over 25 lenders for predatory lending operation
On March 5, New York Attorney General Letitia James released a verified petition against 27 lenders accusing them of a “large-scale, predatory lending” operation in which they allegedly misrepresented themselves in order to issue small businesses short-term loans at “sky-high interest rates” in violation of New York Executive Law §63(12). According to the petition, the 27 lenders (Respondents) have issued “illegal, usurious” and fraudulent loans in the form of Merchant Cash Advances (MCAs), which imposed triple-digit interest rates as high as 820 percent. The NYAG noted such rates are beyond both the maximum civil usury interest rate (16 percent) and the maximum criminal usury interest rate (25 percent). The petition also alleged the Respondents misrepresented their transactions in court, making the court an “unwitting part of their illegal scheme.”
The petition asked the court to permanently enjoin Respondents from committing any further fraudulent or illegal practices, cease all MCA collection payments, and void and rescind all MCAs. The NYAG also will seek and order that the Respondents disgorge all profits and award civil penalties of $5,000 for each fraudulent MCA transaction and $2,000 in costs from each Respondent.
FTC proposes two actions to combat AI impersonation fraud
On February 15, the FTC announced its supplemental notice of proposed rulemaking relating to the protection of consumers from impersonation fraud, especially from any impersonations of government entities. The first action from the FTC was a final rule that prohibited the impersonation of government, business, and their officials or agents in interstate commerce. The second action was a notice seeking public comment on a supplemental proposed rulemaking that would revise the first action and add a prohibition on, and penalties for, the impersonation of individuals for entities who provide goods and services (with the knowledge or reason to know that those goods or services will be used in impersonations) that are unlawful. In tandem, these actions sought to prohibit the impersonation of government and business officials.
The FTC notes that these two actions come from “surging complaints” on impersonation fraud, specifically from artificial intelligence-generated deep fakes. The final rule will expand the remedies and provide monetary relief, whereas the FTC stated this rule will provide a “shorter, faster and more efficient path” for injured consumers to recover money. The rule would enable the FTC to seek monetary relief from scammers that use government seals or business logos, spoof government and business emails, and impersonate a government official or falsely imply a business affiliation.
Senate Banking Committee hearing on P2P payment scams calls for updates to EFTA definitions
On February 1, the U.S. Senate Committee on Banking, Housing, and Urban Affairs held a hearing on “Examining Scams and Fraud in the Banking System and Their Impact on Consumers,” and invited three panelists to testify, including an attorney from a consumer law center and two vice presidents from banking associations. Chairman Sherrod Brown (D-OH) led the hearing by noting that peer-to-peer (P2) apps are a rising target among scammers, alongside a rise in check fraud. The Chairman noted a 2023 alert from FinCEN warning (as covered by InfoBytes here) of a surge in check fraud after a “drastic” rise in scams, and concluded with a statement that the P2P companies need “rules to make them” do better. Next, Ranking Member Senator Tim Scott (R-SC) called for the companies to spend more money developing security technologies to protect consumers from fraud. Sen. Scott then called for better education in financial literacy to learn about scams and methods.
At the hearing, Mr. John Breyault noted that reported losses from P2P payment platforms nearly doubled from $87 million in 2020 to $163 million in 2022. Mr. Breyault asked Congress to play a larger role in preventing fraud on P2P platforms and urged the passage of the Protecting Consumers from Payment Scams Act (which would expand EFTA’s definition of unauthorized electronic fund transfer to cover fraudulently induced payments). Ms. Carla Sanchez-Adams, in her testimony, asserted the entire burden of payment fraud should not fall on the customers and advocated for an updated Electronic Funds Transfer Act that protects consumers from fraudulently-induced transactions. She testified that receiving institutions should have more responsibility, and called for anti-fraud policies that protect consumers from having their accounts frozen, among others. Mr. Paul Benda testified to similar points: he called for an increase in consumer education and the closure of regulatory loopholes to stop impersonation scams. He testified in favor of improved information sharing and enhanced collaboration with law enforcement and regulators.
Securities regulators issue guidance and an RFC on AI trading scams
On January 25, FINRA and the CFTC released advisory guidance on artificial intelligence (AI) fraud, with the latter putting out a formal request for comment. FINRA released an advisory titled “Artificial Intelligence (AI) and Investment Fraud” to make investors aware of the growing popularity of scammers committing investment fraud using AI and other emerging technologies, posting the popular scam tactics, and then offering protective steps. The CFTC released a customer advisory called “AI Won’t Turn Trading Bots into Money Machines,” which focused on trading platforms that claim AI-created algorithms can guarantee huge returns.
Specifically in FINRA’s notice, the regulator stated that registration is a good indicator of sound investment advice, and offers the Investor.gov tool as a means to check; however, even registered firms and professionals can offer claims that sound too good to be true, so “be wary.” FINRA also warned about investing in companies involved in AI, often using catchy buzzwords or making claims to “guarantee huge gains.” Some companies may engage in pump-and-dump schemes where promoters “pump” up a stock price by spreading false information, then “dump” their own shares before the stock’s value drops. FINRA’s guidance additionally discussed the use of celebrity endorsements to promote an investment using social media; FINRA states that social media has become “more saturated with financial content than ever before” leading to the rise of “finfluencers.” Finally, FINRA mentioned how AI-enabled technology allows scammers to create “deepfake” videos and audio recordings to spread false information. Scammers have been using AI to impersonate a victim’s family members, a CEO announcing false news to manipulate a stock’s price, or how it can create realistic marketing materials.
The CFTC’s advisory highlighted how scammers use AI to create algorithmic trading platforms using “bots” that automatically buy and sell. In one case cited by the CFTC, a scammer defrauded customers into selling him nearly 30,000 bitcoins, worth over $1.7 billion at the time. The CFTC posted a Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. The Request listed eight questions addressing current and potential uses of AI by regulated entities, and several more addressing concerns regarding the use of AI in regulated markets and entities for the public to respond to.
FinCEN report on identity fraud in 2021 outlines statistics and processes
On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.
Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.
FTC settles with lead generator for deceiving consumers
On January 2, the FTC filed a complaint against a California-based lead generator (the “Company”), alleging that the Company operated as a “consent farm” that deceived consumers into providing their consent to be contacted for telemarketing purposes, then selling those consents to telemarketers, sellers, or intermediaries. Relying on the Company’s purported consent from consumers, those parties then inundated consumers with telemarketing calls. These calls included robocalls and calls made to telephone numbers on the National Do Not Call Registry. Since 2019, the defendants are alleged to have operated over 50 websites focused on lead generation.
The FTC charged the Company with violating the FTC Act for misrepresenting the collection of consumers’ personal information, and for violating the Telemarketing Sales Rule for assisting and facilitating telemarketers in breaking the Rule.
On the same day the complaint was filed, the FTC announced a proposed settlement in which the Company was ordered to pay $7 million for its alleged use of deception and dark patterns to trick consumers into providing personal information. Additionally, the proposed stipulated order banned the Company from initiating or helping anyone make telemarketing robocalls, calling phone numbers on the National Do Not Call Registry, and selling consumer information connected with lead generation. The stipulated order must first be approved by the court before it comes into effect. The Company neither admits nor denies any of the allegations
INTERPOL seizes $300 million in international financial crime operation
On December 19, INTERPOL announced the conclusion of a transcontinental police operation against online financial crime called HAECHI IV. The operation ended with around 3,500 arrests and seizures of $300 million USD worth of assets across 34 countries. Of the $300 million, about two-thirds of was hard currency and one-third was virtual assets. HAECHI IV targeted seven types of cyber scams, including voice phishing, romance scams, online sextortion, investment fraud, and money laundering associated with illegal online gambling, among others. Through INTERPOL’s stop-payment mechanism to block criminal proceeds, authorities blocked 82,112 “suspicious” bank accounts. Next on INTERPOL’s radar is a new scam in Korea that involves the sale of non-fungible tokens (NFTs) that are a “rug pull,” a crypto scam where developers abandon a project and investors lose their money. Interestingly, the UK team of the operation reported on how scammers used artificial intelligence to create synthetic content, which criminals primarily used for impersonation scams.