Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the Red Flags Rule and the Card Issuers Rule), which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. (Covered by InfoBytes here.)
In their response, the Attorneys General urge the FTC not to repeal the Rules, arguing that it “would place consumers at greater risk of identity theft, especially consumers in states that have not enacted” laws that complement the Rules. Instead, the response letter requests the FTC modify the Rules to “ensure their continued relevance” and “keep pace with the ingenuity of identity thieves.” The suggestions include: (i) that notices of changes to email addresses and cell phone numbers be sent to both the prior and updated addresses and phone numbers, an expansion of the current use of mailing addresses; (ii) the encouragement of more current forms of authentication, including multi-factor authentication, to replace examples which imply that knowledge-based authentication by itself is sufficient; and (iii) the addition of new suspicious activity examples related to the use of an account, such as a covered account accessed by unknown devices or IP addresses, an unauthorized user unsuccessfully trying to guess account passwords through multiple attempts, and attempts by foreign IP addresses to access multiple accounts in a close period of time.
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as, “Vendee loans”), Native American Direct Loans, and refunded loans held by the VA. The policy lists categories and warning signs monitored by the VA, such as (i) credit reporting agencies alerts; (ii) suspicious documents that look altered or forged; (iii) suspicious or fictitious personal identifying information; and (iv) account activity inconsistent with established patterns. The policy notes that the VA Office of Inspector General will investigate accounts flagged for possible identity theft. Holds will be placed on the suspicious accounts or transactions as necessary.
The VA is required by the FTC’s Red Flags Rule to develop and implement a written identity theft prevention program. Notably, as previously covered by InfoBytes, the FTC is seeking comments on whether the agency should make changes to the Rule. Comments are due by February 11, 2019.
On December 4, the FTC released a request for public comment on whether the agency should make changes to its identity theft detection rules—the Red Flags Rule and the Card Issuers Rule—which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. The FTC is seeking comment as part of its systematic review of all of its regulations and guides. According to the FTC, consumer complaints relating to identity theft represented the third largest category of consumer complaints made to the FTC through the first three quarters of 2018 and the second largest category in 2017. The FTC is seeking comment on all aspects of the two rules, but also poses specific questions for commenters to address, such as (i) whether there is a continuing need for the specific provisions of the rules; (ii) what significant costs have the rules imposed on consumers and businesses; and (iii) whether there are any types of creditors that are not currently covered by the Red Flags Rule but should be covered. The request for comment is due to be published in the Federal Register shortly, and comments must be received by February 11, 2019.
FTC announces settlements with website operators over the sale of fake documents allegedly used for fraud and identity theft
On September 18, the FTC announced three proposed settlements with the operators of websites who allegedly violated the FTC Act’s prohibition against unfair practices by selling fake financial documents used to facilitate identity theft and other frauds, including loan and tax fraud. As previously covered in InfoBytes, identity theft was the second largest category of consumer complaints reported in 2017 according to the FTC. The FTC brought charges against the first defendant, alleging the defendant engaged in the sale of fake pay stubs, bank statements, and profit-and-loss statements, as well as providing a product that allowed customers to edit existing (and authentic) bank statements. The second defendant’s charges include the alleged sale of fake pay stubs, auto insurance cards, and utility and cable bills, while the allegations against the third defendant also include the sale of fake tax forms, bank statements, and verifications of employment. While the defendants’ websites claimed that the fake documents were sold for “‘novelty’ and ‘entertainment’ purposes,” the FTC asserts that the defendants “failed to clearly and prominently mark such documents as being for such purposes and did not state on the documents themselves that they were fake.”
Under the terms of the proposed settlement agreements (see here, here, and here), monetary judgments are imposed against the defendants, who also are permanently prohibited from advertising, marketing, or selling similar fake documents.
On April 18, the House passed H.R. 2905 by a vote of 403-3. The “Justice for Victims of IRS Scams and Identity Theft Act of 2017,” would direct the DOJ and the Treasury Department to submit reports to Congress detailing identity theft prosecutions. The DOJ’s report must contain the number of identity theft cases referred to the agency during the previous five years, along with recommendations for improving fraud deterrence, prevention, and interagency collaboration. The bill would also require Treasury to report on efforts to assist in the prosecution of individuals who fraudulently posed as IRS agents, in addition to trends and resources needed to improve the prosecution of IRS impostors. All reports would be due 120 days after the bill's enactment.
On April 17, the House voted 420-1 to pass H.R. 5192, which would, among other things, require the Social Security Administration to provide a database for financial institutions to validate fraud protection data (an individual’s name, social security number, and date of birth) when attempting to “reduce the prevalence of synthetic identity fraud.” In particular, H.R 5192 is designed to protect the needs of vulnerable consumers, including minors and recent immigrants, and limits inquiries to those with a permissible purpose in accordance with section 604 of the Fair Credit Reporting Act. Further, prior to submitting a verification request, a financial institution must receive electronic consumer consent.
- Daniel R. Alonso to discuss "The international compliance situation and new challenges" at the World Compliance Association Covid Compliance Conference
- Benjamin W. Hutten to discuss "Understanding OFAC sanctions" at a NAFCU webinar
- Garylene D. Javier to discuss "Navigating workplace culture in 2020" at the DC Bar Conference