Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 23, California’s governor signed AB 430, which requires a debt collector to pause collection activities until completion of a review if the debt collector receives a copy of an FTC identity theft report and a written statement from the debtor. Among other things, the bill: (i) alters the definition of “victim of identity theft” to include individuals who submit FTC identity theft reports; (ii) authorizes a debtor to send a copy of a police report, as specified, but prohibits a debt collector from also requiring a police report if the debtor submits an FTC identity theft report; and (iii) requires that “in order for a person to recover actual damages or attorney’s fees in an action or cross-complaint filed by a person alleging that they are a victim of identity theft, that the person, upon written request of the claimant, provided the claimant a valid, signed FTC identity theft report before filing the action or within their cross-complaint, as specified.”
On June 30, the U.S. District Court for the Eastern District of Pennsylvania granted a motion for summary judgment in favor of a debt collection agency (defendant) with respect to a plaintiff’s FCRA and FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the FCRA and the FDCPA by failing to fulfill a reasonable investigation upon receipt of a dispute over an account that was allegedly opened in his name without his consent. According to the opinion, the plaintiff filed a suit against the defendant and three other companies, but “following various settlements,” the debt collection agency remained the sole defendant. The plaintiff was notified by the defendant that additional information was required to further investigate his claim, including a fraud and identity theft affidavit, proof of residence, a police report, and a valid government-issued ID, which was not allegedly provided to the defendant until after the plaintiff had filed the suit. The court dismissed the FCRA claim, finding that there was not enough evidence that the plaintiff submitted the necessary information to make his reported dispute a bona fide dispute, which is necessary to establish an FCRA violation. The court also dismissed the FDCPA claims stating that the plaintiff failed to identify false representation or deceptive means by the defendant in connection with the collection of the relevant debt.
On April 17, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s access-device fraud and aggravated identity theft convictions, finding that there was sufficient evidence to support the court’s factual findings on both charges. According to the opinion, the defendant applied for a debit card for his great-grandfather’s bank account without authorization and used the card to pay for his own expenses. The defendant was also seen multiple times on bank security cameras withdrawing money from an ATM using this card. The district court also heard testimony that the defendant opened accounts and applied for loans under his own name but used his great-grandfather’s social security number. The district convicted the defendant on one count of access-device fraud and two counts of aggravated identity theft. The defendant appealed, arguing that the district court failed to make adequate findings of fact and that the government failed to present sufficient evidence to support the charges for which he was convicted.
On appeal, the 6th Circuit reviewed the factual findings underlying the convictions, and first concluded that, with respect to the count of access-device fraud, the government proved each element: that the defendant (i) knowingly used an access device assigned to another individual; (ii) possessed an intent to defraud; (iii) obtained a thing or things with an aggregate value of $1,000 or more within a year using the access device; and (iv) affected interstate or foreign commerce in using the access device. The appellate court explained that there was ample circumstantial evidence to support lack of authorization from the proper owners of the accounts at issue, and that the card was issued in Kentucky and the bank issuing the card was headquartered in Minnesota. The appellate court next considered whether evidence supported the district court’s finding that the defendant committed aggravated identity theft under the bank-fraud statute by opening a checking account and applying for a loan using his great-grandfather’s social security number. The appellate court held that the defendant’s use of his great-grandfather’s social security number properly supported the district court’s finding that the defendant knowingly used, without lawful authority, another person’s means of identification and that the defendant committed a predicate felony under the bank-fraud statute.
States ask Treasury to exempt stimulus payments from garnishment and urge CFPB to “vigorously enforce” FCRA
On April 13, a coalition of state attorneys general and the Hawaii Office of Consumer Protection (states) sent a letter to Treasury Secretary Steven T. Mnuchin, calling for immediate action to ensure that stimulus checks issued under the CARES Act to consumers affected by the Covid-19 pandemic are not subject to garnishment by creditors and debt collectors. While the CARES Act does not “explicitly designate these emergency stimulus payments as exempt from garnishment,” the states claim that a “built-in mechanism” contained within a provision of the CARES Act can rectify the legislative oversight. Specifically, the states point to Section 2201(h), which “authoriz[es] Treasury to issue ‘regulations or other guidance as may be necessary to carry out the purposes of this section,’” and ask Treasury to immediately designate the stimulus checks as “‘benefit payments’ exempt from garnishment.”
The same day, another coalition of state attorneys general sent a letter to CFPB Director Kathy Kraninger urging the Bureau to rescind an April 1 policy statement directed at consumer reporting agencies (CRAs) and furnishers (covered by InfoBytes here) that stated the Bureau will take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the Fair Credit Reporting Act [(FCRA)] and Regulation V.” According to the states, the policy statement suggests that the Bureau does not plan on enforcing the CARES Act amendment to the FCRA, which requires lenders to report as current any loans subject to Covid-19 forbearance or other accommodation. The Bureau’s decision, the states contend, may discourage consumers from taking advantage of offered forbearances and other accommodations. The states also argue that allowing CRAs to take longer than the FCRA-prescribed 30 days to investigate consumer disputes puts consumers at risk. The states stress that the recent increase in Covid-19 scams has heightened the need for the Bureau to vigorously enforce the FCRA, and that, moreover, the thousands of complaints received by the states, FBI, FTC, and DOJ concerning phishing and other scams designed to gather consumers’ financial information have highlighted identity theft risks. The states emphasize “that even if the CFPB refuses to act. . .we will not hesitate to enforce the FCRA’s deadlines against companies that fail to comply with the law.”
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the Red Flags Rule and the Card Issuers Rule), which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. (Covered by InfoBytes here.)
In their response, the Attorneys General urge the FTC not to repeal the Rules, arguing that it “would place consumers at greater risk of identity theft, especially consumers in states that have not enacted” laws that complement the Rules. Instead, the response letter requests the FTC modify the Rules to “ensure their continued relevance” and “keep pace with the ingenuity of identity thieves.” The suggestions include: (i) that notices of changes to email addresses and cell phone numbers be sent to both the prior and updated addresses and phone numbers, an expansion of the current use of mailing addresses; (ii) the encouragement of more current forms of authentication, including multi-factor authentication, to replace examples which imply that knowledge-based authentication by itself is sufficient; and (iii) the addition of new suspicious activity examples related to the use of an account, such as a covered account accessed by unknown devices or IP addresses, an unauthorized user unsuccessfully trying to guess account passwords through multiple attempts, and attempts by foreign IP addresses to access multiple accounts in a close period of time.
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as, “Vendee loans”), Native American Direct Loans, and refunded loans held by the VA. The policy lists categories and warning signs monitored by the VA, such as (i) credit reporting agencies alerts; (ii) suspicious documents that look altered or forged; (iii) suspicious or fictitious personal identifying information; and (iv) account activity inconsistent with established patterns. The policy notes that the VA Office of Inspector General will investigate accounts flagged for possible identity theft. Holds will be placed on the suspicious accounts or transactions as necessary.
The VA is required by the FTC’s Red Flags Rule to develop and implement a written identity theft prevention program. Notably, as previously covered by InfoBytes, the FTC is seeking comments on whether the agency should make changes to the Rule. Comments are due by February 11, 2019.
On December 4, the FTC released a request for public comment on whether the agency should make changes to its identity theft detection rules—the Red Flags Rule and the Card Issuers Rule—which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. The FTC is seeking comment as part of its systematic review of all of its regulations and guides. According to the FTC, consumer complaints relating to identity theft represented the third largest category of consumer complaints made to the FTC through the first three quarters of 2018 and the second largest category in 2017. The FTC is seeking comment on all aspects of the two rules, but also poses specific questions for commenters to address, such as (i) whether there is a continuing need for the specific provisions of the rules; (ii) what significant costs have the rules imposed on consumers and businesses; and (iii) whether there are any types of creditors that are not currently covered by the Red Flags Rule but should be covered. The request for comment is due to be published in the Federal Register shortly, and comments must be received by February 11, 2019.
FTC announces settlements with website operators over the sale of fake documents allegedly used for fraud and identity theft
On September 18, the FTC announced three proposed settlements with the operators of websites who allegedly violated the FTC Act’s prohibition against unfair practices by selling fake financial documents used to facilitate identity theft and other frauds, including loan and tax fraud. As previously covered in InfoBytes, identity theft was the second largest category of consumer complaints reported in 2017 according to the FTC. The FTC brought charges against the first defendant, alleging the defendant engaged in the sale of fake pay stubs, bank statements, and profit-and-loss statements, as well as providing a product that allowed customers to edit existing (and authentic) bank statements. The second defendant’s charges include the alleged sale of fake pay stubs, auto insurance cards, and utility and cable bills, while the allegations against the third defendant also include the sale of fake tax forms, bank statements, and verifications of employment. While the defendants’ websites claimed that the fake documents were sold for “‘novelty’ and ‘entertainment’ purposes,” the FTC asserts that the defendants “failed to clearly and prominently mark such documents as being for such purposes and did not state on the documents themselves that they were fake.”
Under the terms of the proposed settlement agreements (see here, here, and here), monetary judgments are imposed against the defendants, who also are permanently prohibited from advertising, marketing, or selling similar fake documents.
On April 18, the House passed H.R. 2905 by a vote of 403-3. The “Justice for Victims of IRS Scams and Identity Theft Act of 2017,” would direct the DOJ and the Treasury Department to submit reports to Congress detailing identity theft prosecutions. The DOJ’s report must contain the number of identity theft cases referred to the agency during the previous five years, along with recommendations for improving fraud deterrence, prevention, and interagency collaboration. The bill would also require Treasury to report on efforts to assist in the prosecution of individuals who fraudulently posed as IRS agents, in addition to trends and resources needed to improve the prosecution of IRS impostors. All reports would be due 120 days after the bill's enactment.
On April 17, the House voted 420-1 to pass H.R. 5192, which would, among other things, require the Social Security Administration to provide a database for financial institutions to validate fraud protection data (an individual’s name, social security number, and date of birth) when attempting to “reduce the prevalence of synthetic identity fraud.” In particular, H.R 5192 is designed to protect the needs of vulnerable consumers, including minors and recent immigrants, and limits inquiries to those with a permissible purpose in accordance with section 604 of the Fair Credit Reporting Act. Further, prior to submitting a verification request, a financial institution must receive electronic consumer consent.
- Buckley Webcast: State supervision, enforcement, and multistate coordination
- Benjamin W. Hutten to discuss “Latest on AML regulations and impact of economic sanctions” at a Mortgage Bankers Association webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar