On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.
Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.
On December 5, the U.S. District Court of New Jersey dismissed an FDCPA suit brought against a debt collector. According to the opinion, plaintiff originally filed suit because they received a letter from defendant regarding an outstanding cell phone bill. The letter provided instructions on what to do if the recipient suspected identity theft. Additionally, the letter contained a summary of plaintiff’s account and a QR code that linked to defendant’s website for online payment. Plaintiff contended that the dual approach of offering assistance while simultaneously pursuing collection of a debt was false and misleading. A District Court judge, however, disagreed and dismissed the case, at which point the plaintiff filed an amended complaint.
The amended complaint alleges that the debt collector breached the FDCPA by using false, deceptive or misleading representations regarding the rights of the plaintiff and the obligations of the debt collector with respect to communications concerning identity theft. Specifically, plaintiff argued defendant was in violation of § 1681m(g) of the FDCPA, which obligates a debt collector to take certain steps upon being notified of identity theft, but the court disagreed, finding that the collector’s specific steps taken were in accordance with the Act.
The court emphasized that plaintiff did not introduce any new factual claims in the amended complaint, and merely clarified how the facts already outlined in the initial complaint breached the FDCPA. The judge ruled that the letter not only allows plaintiff to inform defendant about potential identity theft, but also may serve to bring potential identity theft to plaintiff’s attention. The ruling stated that there is no obligation to extensively explain recommended procedures in the case of an identity theft occurrence, and only an “idiosyncratic reading” of the letter would lead to the conclusion that the letter misrepresents defendant’s obligations.
On January 12, the CFPB released an Issue Spotlight discussing identity theft affecting servicemembers. According to the report, servicemembers, veterans, and military family members are more likely to report identity theft than civilians, with military consumers reporting almost 50,000 cases of identity theft to the FTC in 2021. The Bureau also noted that a steady income could make servicemembers a target for identity thieves looking to create fraudulent credit accounts or tap into bank accounts, and warned that frequent relocation may also increase servicemembers’ risk of identity theft.
Many servicemembers and all officers are required to pass a national security clearance check that includes a review of their credit history and ability to meet their financial obligations. The report found that security clearances are “continuously evaluated” with credit checks being part of the process. If a review reveals a history of failing to meet financial obligations, being in excessive debt, or having a high debt-to-income ratio, a servicemember’s security clearance may be revoked. Bad credit can also lead to rejected or higher-cost rental or mortgage applications, limiting housing options, the Bureau said.
The report also found that unrecognized debt is often the first sign of identity theft. Between 2014 and 2022, military consumer complaints to the CFPB about debts that resulted from identity theft increased nearly fivefold, from more than 200 annually in 2014 to more than 1,000 in 2022. The Bureau noted that addressing credit report inaccuracies related to identity theft can be “a particularly complicated process.” The report also provided recommendations for servicemembers on how to protect their credit, such as reviewing credit reports regularly, disputing inaccurate information, and taking advantage of free credit monitoring services.
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.
On September 23, California’s governor signed AB 430, which requires a debt collector to pause collection activities until completion of a review if the debt collector receives a copy of an FTC identity theft report and a written statement from the debtor. Among other things, the bill: (i) alters the definition of “victim of identity theft” to include individuals who submit FTC identity theft reports; (ii) authorizes a debtor to send a copy of a police report, as specified, but prohibits a debt collector from also requiring a police report if the debtor submits an FTC identity theft report; and (iii) requires that “in order for a person to recover actual damages or attorney’s fees in an action or cross-complaint filed by a person alleging that they are a victim of identity theft, that the person, upon written request of the claimant, provided the claimant a valid, signed FTC identity theft report before filing the action or within their cross-complaint, as specified.”
On June 30, the U.S. District Court for the Eastern District of Pennsylvania granted a motion for summary judgment in favor of a debt collection agency (defendant) with respect to a plaintiff’s FCRA and FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the FCRA and the FDCPA by failing to conduct a reasonable investigation upon receipt of a dispute over an account that was allegedly opened in his name without his consent. According to the opinion, the plaintiff filed a suit against the defendant and three other companies, but “following various settlements,” the debt collection agency remained the sole defendant. The plaintiff was notified by the defendant that additional information was required to further investigate his claim, including a fraud and identity theft affidavit, proof of residence, a police report, and a valid government-issued ID, which allegedly was not provided to the defendant until after the plaintiff had filed the suit. The court dismissed the FCRA claim, finding that there was not enough evidence that the plaintiff submitted the necessary information to make his reported dispute a bona fide dispute, which is necessary to establish an FCRA violation. The court also dismissed the FDCPA claims, stating that the plaintiff failed to identify false representation or deceptive means by the defendant in connection with the collection of the relevant debt.
On April 17, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s access-device fraud and aggravated identity theft convictions, finding that there was sufficient evidence to support the court’s factual findings on both charges. According to the opinion, the defendant applied for a debit card for his great-grandfather’s bank account without authorization and used the card to pay for his own expenses. The defendant was also seen multiple times on bank security cameras withdrawing money from an ATM using this card. The district court also heard testimony that the defendant opened accounts and applied for loans under his own name but used his great-grandfather’s social security number. The district court convicted the defendant on one count of access-device fraud and two counts of aggravated identity theft. The defendant appealed, arguing that the district court failed to make adequate findings of fact and that the government failed to present sufficient evidence to support the charges for which he was convicted.
On appeal, the 6th Circuit reviewed the factual findings underlying the convictions, and first concluded that, with respect to the count of access-device fraud, the government proved each element: that the defendant (i) knowingly used an access device assigned to another individual; (ii) possessed an intent to defraud; (iii) obtained a thing or things with an aggregate value of $1,000 or more within a year using the access device; and (iv) affected interstate or foreign commerce in using the access device. The appellate court explained that there was ample circumstantial evidence to support lack of authorization from the proper owners of the accounts at issue, and that the card was issued in Kentucky and the bank issuing the card was headquartered in Minnesota. The appellate court next considered whether evidence supported the district court’s finding that the defendant committed aggravated identity theft under the bank-fraud statute by opening a checking account and applying for a loan using his great-grandfather’s social security number. The appellate court held that the defendant’s use of his great-grandfather’s social security number properly supported the district court’s finding that the defendant knowingly used, without lawful authority, another person’s means of identification and that the defendant committed a predicate felony under the bank-fraud statute.
States ask Treasury to exempt stimulus payments from garnishment and urge CFPB to “vigorously enforce” FCRA
On April 13, a coalition of state attorneys general and the Hawaii Office of Consumer Protection (states) sent a letter to Treasury Secretary Steven T. Mnuchin, calling for immediate action to ensure that stimulus checks issued under the CARES Act to consumers affected by the Covid-19 pandemic are not subject to garnishment by creditors and debt collectors. While the CARES Act does not “explicitly designate these emergency stimulus payments as exempt from garnishment,” the states claim that a “built-in mechanism” contained within a provision of the CARES Act can rectify the legislative oversight. Specifically, the states point to Section 2201(h), which “authoriz[es] Treasury to issue ‘regulations or other guidance as may be necessary to carry out the purposes of this section,’” and ask Treasury to immediately designate the stimulus checks as “‘benefit payments’ exempt from garnishment.”
The same day, another coalition of state attorneys general sent a letter to CFPB Director Kathy Kraninger urging the Bureau to rescind an April 1 policy statement directed at consumer reporting agencies (CRAs) and furnishers (covered by InfoBytes here) that stated the Bureau will take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the Fair Credit Reporting Act [(FCRA)] and Regulation V.” According to the states, the policy statement suggests that the Bureau does not plan on enforcing the CARES Act amendment to the FCRA, which requires lenders to report as current any loans subject to Covid-19 forbearance or other accommodation. The Bureau’s decision, the states contend, may discourage consumers from taking advantage of offered forbearances and other accommodations. The states also argue that allowing CRAs to take longer than the FCRA-prescribed 30 days to investigate consumer disputes puts consumers at risk. The states stress that the recent increase in Covid-19 scams has heightened the need for the Bureau to vigorously enforce the FCRA, and that, moreover, the thousands of complaints received by the states, FBI, FTC, and DOJ concerning phishing and other scams designed to gather consumers’ financial information have highlighted identity theft risks. The states emphasize “that even if the CFPB refuses to act. . .we will not hesitate to enforce the FCRA’s deadlines against companies that fail to comply with the law.”
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the Red Flags Rule and the Card Issuers Rule), which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. (Covered by InfoBytes here.)
In their response, the Attorneys General urge the FTC not to repeal the Rules, arguing that it “would place consumers at greater risk of identity theft, especially consumers in states that have not enacted” laws that complement the Rules. Instead, the response letter requests the FTC modify the Rules to “ensure their continued relevance” and “keep pace with the ingenuity of identity thieves.” The suggestions include: (i) that notices of changes to email addresses and cell phone numbers be sent to both the prior and updated addresses and phone numbers, an expansion of the current use of mailing addresses; (ii) the encouragement of more current forms of authentication, including multi-factor authentication, to replace examples which imply that knowledge-based authentication by itself is sufficient; and (iii) the addition of new suspicious activity examples related to the use of an account, such as a covered account accessed by unknown devices or IP addresses, an unauthorized user unsuccessfully trying to guess account passwords through multiple attempts, and attempts by foreign IP addresses to access multiple accounts in a close period of time.
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as “Vendee loans”), Native American Direct Loans, and refunded loans held by the VA. The policy lists categories and warning signs monitored by the VA, such as (i) credit reporting agency alerts; (ii) suspicious documents that look altered or forged; (iii) suspicious or fictitious personal identifying information; and (iv) account activity inconsistent with established patterns. The policy notes that the VA Office of Inspector General will investigate accounts flagged for possible identity theft. Holds will be placed on the suspicious accounts or transactions as necessary.
The VA is required by the FTC’s Red Flags Rule to develop and implement a written identity theft prevention program. Notably, as previously covered by InfoBytes, the FTC is seeking comments on whether the agency should make changes to the Rule. Comments are due by February 11, 2019.