Saturday, April 20, 2024

January 2024 OBA Legal Briefs

  • ’Tis Still the Season — Security and Fraud Losses
  • MLOs Hirable Now — Changes in Section 19
  • AI in Banking

’Tis Still the Season

By Andy Zavoina

Security and Fraud Losses

The holiday season has ended and now it is all about the returns. Side note – it is a great time not to be working at Amazon. What does all this have to do with banking? Money. Your depositors have it and there are thieves out there who want it even more than the retailers. When a retailer is paid by your customer, it is because your customer spent their money at that store. It is an honest buyer and seller relationship. But there are thieves out there waiting to scam and steal from your customer. In many cases, when the thieves steal your customer’s money, they are really stealing from the bank by using the weakest link, the customer, to get access to it. Some of these customers may be negligent and others fall for a good story filled with deception and technology tricks. The type of customer and type of loss will influence whether the customer or the bank will be taking this loss.

We have all seen check fraud increase even as overall check use has declined by 7 percent, according to the Federal Reserve. One report indicated that 70 percent of banks experienced an increase in fraud over 2021, and that fraud losses rose about 65 percent, from $2.3 million in 2022 to $3.8 million in 2023.
One barometer of what is happening on this front is the growth in Suspicious Activity Reports (SARs) for check fraud filed by banks. According to Financial Crimes Enforcement Network (FinCEN) data, check fraud SAR filings rose 201.2 percent between 2018 and 2022. With 447,525 check fraud SARs filed in 2023 through October, the year was on track to beat 2022's total. Check fraud SARs have increased more for personal and business checks than for any other financial instrument, and check fraud accounts for one-third of all the fraud banks are experiencing, excluding mortgage fraud.

The Federal Trade Commission (FTC) estimates Americans lost $330 million to text scams in 2022. That is up from $86 million in 2020. Text messages are fast, cheap, and easy to send from anywhere. The median loss in cases like these is $1,000.

Your consumer customers are often the main target of these thieves, especially during peak sales seasons such as the holidays we are now recovering from. You may not have heard of all the fraud committed yet, as many customers will not be aware until they have their latest statements – that is, if they actually review them.
Scams accounted for 12 percent of the fraud transactions, with two key scams standing out. The first is a thief impersonating bank security or support staff; the other is an IRS scam. The former plays on the fear of an immediate loss and the hope of recovering it by acting fast; the latter on red tape and a never-ending cycle of audits, collections and threats of arrest.

Let’s look at business customers. Say your business customer “A” regularly pays business “B” for services rendered. One day an employee in accounting receives an email from a person at “B” they frequently correspond with. The message says “B” has changed banks and provides new payment routing information. What is the proper procedure here? Should “A” verify the change with a trusted source at “B,” using a phone number already on file rather than one in the email, or simply make the change and move on? Business email compromise (BEC) happens, and if that email is not questioned and verified, future payments will go to a thief and the payor will not be aware until “B” calls about the past-due balance. As soon as funds reach the thief’s account they are almost immediately wired out and unrecoverable; if either the payor or the payee notices the payment within a day, there is a chance of recovery. The payor still owes “B,” which may have cash flow problems while this is sorted out. The payor’s procedures will be questioned, and if the payor is your customer, the bank may be blamed. Why the bank? Because it has deep pockets, and customers who demand privacy nonetheless believe the bank should have known this payment was uncharacteristic for one or more reasons.

BECs often take the form of fake invoices from real vendors or business partners, fake requests from upper management to transfer funds to an account that actually belongs to the attacker, and fake notifications from real vendors and business partners of changes in banking account information. These business customers are not protected by Reg E and the Electronic Fund Transfer Act, but they may be under the Uniform Commercial Code (UCC). That is their hope, and the bank may be their best chance for recovery; the fact that the bank simply followed the payment order it was given will not end the discussion. But there is hope for the bank. Review UCC 4A-207 in situations like this. It provides that if a payment order (including a wire transfer) received by the beneficiary’s bank identifies the beneficiary by both name and account number, and the name and number refer to different persons, the bank may rely on the number and is not liable for the misdirected funds unless it had “actual knowledge” that the name and number referred to different persons or entities. The bank has no duty to determine whether the name and number refer to the same person (UCC 4A-207(b)(1)). But if someone in your wire room keys in incoming transfers and the system displays the account owner’s name before the input data is checked and “enter” is clicked, it will be hard to claim the bank was not aware of the mismatch. If your system surfaces the name, the procedure must require a mismatch to be held and resolved before the credit posts, not noticed after it.

Much of the loss prevention technology banks use today dates back to the 1990s. Banks experiencing sizable check fraud losses should invest in newer technology and should see a significant return on that investment as losses are curtailed. Artificial intelligence (AI) can be employed to make it easier, for example, to detect unusual transactions in a customer’s account and immediately confirm them with the customer. The same technology can play a dual role, reducing fraud and flagging Bank Secrecy Act red flags on transactions and account relationships.
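The two checks discussed above, the changed-beneficiary BEC pattern on outgoing payments and the name-versus-account-number comparison on incoming orders, as an added example that is not the article’s code or any bank system’s. The vendor names, routing numbers, account numbers and amounts are constructed, and the “twice the largest prior payment” amount rule and the crude name normalization are assumptions chosen for illustration; a production system would use its own thresholds and a proper name-matching service.

```python
"""Rule-based checks for outgoing and incoming payment orders.

Added example, not code from the article or from any bank system.  Every
name, routing number, account number and amount below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Payment:
    payee: str      # name on the payment order
    routing: str    # receiving bank routing number (constructed)
    account: str    # receiving account number (constructed)
    amount: float


@dataclass
class PayeeHistory:
    """What the payor already knows about a vendor from prior payments."""
    routing: str
    account: str
    amounts: list = field(default_factory=list)


def check_outgoing(p: Payment, history: dict) -> list:
    """Return the reasons an outgoing payment should be held for a call-back.

    The first rule is the BEC scenario: a 'we changed banks' e-mail acted on
    without verification shows up as the first payment to a routing/account
    pair never used for that payee before.
    """
    known = history.get(p.payee)
    if known is None:
        return ["first payment to this payee: confirm details out of band"]
    flags = []
    if (p.routing, p.account) != (known.routing, known.account):
        flags.append("beneficiary bank details differ from every prior payment: "
                     "call the vendor at a number already on file, not one in the e-mail")
    # Assumed threshold for illustration: more than twice the largest prior payment.
    if known.amounts and p.amount > 2 * max(known.amounts):
        flags.append(f"amount {p.amount:.2f} exceeds twice the largest prior payment")
    return flags


def normalize(name: str) -> str:
    """Crude normalisation so 'Acme Supply Co.' and 'ACME SUPPLY CO' compare equal."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())


def check_incoming(order_name: str, order_account: str, accounts: dict) -> str:
    """Decide what the beneficiary bank does with an incoming order.

    UCC 4A-207 lets the beneficiary's bank rely on the account number, but
    only while it lacks actual knowledge that name and number disagree.  Once
    the system puts the account holder's name in front of an operator, the bank
    has that knowledge, so the comparison is done here by the system and a
    mismatch is held rather than left for someone to notice after posting.
    """
    holder = accounts.get(order_account)
    if holder is None:
        return "reject: no such account"
    if normalize(holder) == normalize(order_name):
        return "post"
    return f"hold: order names '{order_name}' but account belongs to '{holder}'"


# Constructed sample data: one vendor with three prior payments, and the
# beneficiary bank's own account-holder records.
HISTORY = {
    "Acme Supply Co": PayeeHistory("012345678", "1002003004", [4800.0, 5100.0, 4950.0]),
}
ACCOUNTS = {
    "1002003004": "Acme Supply Co.",
    "9008007006": "J. Doe",          # the account the thief controls
}


def demo() -> dict:
    """Run the checks over the constructed data and return the outcomes."""
    routine = Payment("Acme Supply Co", "012345678", "1002003004", 5000.0)
    after_bec_email = Payment("Acme Supply Co", "087654321", "9008007006", 5000.0)
    return {
        "routine": check_outgoing(routine, HISTORY),
        "after_bec_email": check_outgoing(after_bec_email, HISTORY),
        "incoming_match": check_incoming("ACME SUPPLY CO", "1002003004", ACCOUNTS),
        "incoming_mismatch": check_incoming("Acme Supply Co", "9008007006", ACCOUNTS),
        "incoming_unknown": check_incoming("Acme Supply Co", "0000000000", ACCOUNTS),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The routine payment produces no flags; the payment made after the “we changed banks” email is flagged solely because the beneficiary details changed, which is exactly the signal a call-back procedure should key on. On the incoming side, the mismatch case is held rather than posted, so the bank acts on the knowledge its system gave it.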

Customers can take another preventive measure themselves, as banks tout the security of electronic payments over paper. Businesses have many cost-effective options, such as automated cash management services. At the end of the day, their loss exposure is lessened with each check they do not write.

Banks must do a more effective job of educating customers about security. A recent survey by PYMNTS.com indicated customers prefer multifactor authentication (MFA) each time they access their accounts and send or receive funds. According to the poll, eighty-three percent of respondents said they want MFA for riskier transactions, such as accessing a bank account from an unknown device, changing personal information in a bank account, and spending or sending larger sums of money electronically. Sixty-two percent wanted MFA for routine transactions such as accessing a bank account from any device or transferring money to family and friends. More than half said they prefer MFA for low-risk transactions such as paying bills, rent or loans. Smartphones are making this easier than ever with biometrics such as fingerprint and facial recognition to act as their MFA.

When I was in the military there was always the same lesson plan to be followed when teaching, which is what the bank should be doing here. Tell them what you’ll tell them, tell them, and tell them what you told them. It is difficult to get the attention of customers and to convince them that security of their access information is everyone’s job. So, you must constantly remind them and mix your messages about security protocols. Marketing needs to work with compliance, security and those who investigate fraud and other losses to deliver the message.

1. Does your bank encourage customers to review their statements or at least regularly review their balances and transactions online? Perhaps customers can be incented to do either or Marketing can make doing so fun in one way or another. But customers need to be reminded of this important responsibility.

2. When sending one-time passwords (OTP), treat the six-digit codes used to verify a device and the ones used to authorize access to the account the same way, and make sure every message clearly says, “We will never ask you for this code.” Asking for it is a very common technique. The thief sends thousands of text messages like, “XYZ Bank – we need to verify your $5,026 transaction at Big Box. Reply Y to accept the charge or N to deny it. If you have a question, call the bank at 623-387-6862.” All the customer wants is to refuse the charge. When the customer replies “N,” the thief learns this fish is ready to take the bait, or the customer calls and the hook is set. The thief discusses how this happened and what must be done to save the customer’s money, and part of that is “verifying they have the right customer.” To do that, the “bank” (the thief) starts a password reset at the real bank, a genuine six-digit code lands on the customer’s phone, and the customer is asked to read it back. That is the moment the customer must have had the positive reinforcement TO NEVER GIVE THAT OTP CODE OUT, even when the “security officer” says it is OK this time. The security officer/thief will immediately change the password on the account and clear out the balance, and the bank will then be carefully reviewing Reg E to see who is liable for the loss, the bank or the consumer. By the way, the “bank’s phone number” above spells “MAD EUP NMBR” on a phone keypad, and if your customer is calling the bank they should use a number they already know, such as the one on the back of their card. That “direct” line is not to the bank in any way.

3. Check washing is very popular again. Blue or black gel pens are preferred for writing checks because that ink is much harder to remove. Like yard signs that tout a protection service, the thief cannot tell whether the deterrent is real, but it is easier to move to the next house than to find out; skipping the gel-inked check for the next one is the logical move, because even for thieves time is money. And remind customers to avoid dropping outbound mail in those blue boxes or leaving it in their mailbox with the flag up. Have it picked up by postal personnel or drop it in a lobby slot at the Post Office.

4. Use the internet banking bill pay services when checks are needed for recurring payments.

5. If the customer transfers money using Zelle, PayPal and the like, have they verified who they are sending that money to? Sending $1 and getting verification that it was received with a call or verified text and then sending the rest can save money when there is a thief or just a wrong number.

6. When it comes to passwords, four-digit numeric PINs are terrible security even though there are 10,000 possible combinations. Hackers who steal phones are not sitting at a table trying 0-0-0-0, then 0-0-0-1, and so on until one works. Wherever nothing limits the number of guesses, a computer runs through all 10,000 in less than a second; the attempt limits, escalating delays and optional erase-after-repeated-failures settings on modern phones are what make a stolen device hard to open, and a PIN that was shoulder-surfed defeats even those. Six digits are better, “real” passwords are better yet, and biometrics are best. If the desired factor is “something they have” and biometrics is not acceptable to customers, or is only one part of the verification, another option is a security key. These cost about $50, and the device will not unlock, or the site requiring logon credentials will not log them in, without the physical key. The less expensive way to accomplish this is an OTP generator (an authenticator app), so the customer has to know where to go and sign in to get the code.

Good security is a pain in the wallet area, but it is also a great preventer of a far worse pain in the wallet: the customer finding out that their accounts have been drained, that lines of credit were accessed automatically to cure overdrafts, and that they still have to replace the phone they lost.

7. Teach customers not to click on links or respond to text messages from an unknown source. When a text comes in asking, “This is Tina. Are we still on for lunch tomorrow at 1?” They are setting that hook and looking for a sucker. If they find that elderly, lonely customer with a savings account, suddenly the thief is a caring and good person who is willing to talk and spend time with them. Have no doubt money is the motive and that thief has no remorse as to the effects of what they do. When such a text comes in, either block the number and delete the message, or reply, “wrong number” and then block and delete. If interested, the FTC asks that suspicious texts be reported to ReportFraud.ftc.gov or forwarded to 7726 (SPAM).

8. Remind commercial depositors about BEC and account takeover thefts and encourage them to protect themselves.

Customers, all customers, should be reminded with paper statements, e-statements, when they log on to internet banking and when they receive an email or text message from the bank. In some cases, just email or text the reminder solo, without any other message. Just like for scammers, email and text messages are easy to send in bulk and inexpensive.

Another common scam is the undeliverable package. Here is one from my spam box as I write this article.

“ZAVOINA, you have (1) package pending in our warehouse.

Unfortunately, we could not deliver your postal parcel on time because your address is not correct.

Please reply to us with the correct delivery address. ___ here ____

Best regards,

Track & Trace Rewards”

There were various emojis in this HTML email, and the thieves wanted the receiver to click the HTML link. From there they will try to collect more information, especially banking details, or infect the computer. When was the last time you received a computer-generated message like that from FedEx, UPS or another professional company? My old home, inside the city limits and receiving packages regularly, is not difficult to find. Yet the only reason the scam is being run is because it works. In a recent cybersecurity presentation I attended, one session discussed a case where law enforcement recovered the original mailing list from a thief. The police contacted those on the list and found that 18 percent of the recipients had responded favorably to the thief. Your Marketing department would be ecstatic to have a near 20 percent response to a mass mailing.

I recently taught from my own experience, in which my Apple password, then 10 characters long, had been cracked. MFA prevented the thieves from getting into my accounts. I simply added a character to what I had and went on with my business. Not 12 hours later they were at it again. I had not outsmarted anyone. Long story short, I made painful changes, and that logon password is now 23 characters long and I have more security protocols in place. Are they problematic when I need quick access to something? Yes, but it is all less problematic than losing everything and having some or all financial liability on top of it.

If you really want your customer’s attention, ask them whether they use cloud services from the provider tied to their phone. In the Apple ecosystem things just work seamlessly and life is good. But if a thief shoulder-surfs that easy-to-remember four-digit code, then grabs the phone and runs, they can change the person’s device passcode and even the main password to their Apple account. The thief does not need the current password to change it, and the real owner can be locked out for good within minutes. That includes email, photos and Apple TV. Emphasize “photos” to your customer. If they do not have a separate backup, there may be years of photos and videos documenting births, deaths, weddings, holidays and general memories that exist only in the cloud. When the customer is locked out of their own account by the thief, Apple will tell them there is nothing it can do, as it does not hold codes or master codes to access the photos. They are gone. Money comes and goes, but those photos are gone forever. Now the customer has a genuine interest. As a side note, Apple is working on a fix for this passcode-to-password escalation in an upcoming update to the operating system.

MLOs Hirable Now

We generally do not get too involved in Human Resources issues but this one has some compliance crossover implications, so it is worth mentioning, especially since we are just through the annual renewal period. Section 19 of the Federal Deposit Insurance Act contains restrictions on hiring employees with criminal backgrounds. That is, Section 19 prohibits hiring individuals convicted of crimes of dishonesty, breach of trust, or money laundering, including theft, misappropriation, embezzlement, false identification, and writing of a bad check, among others, from working in a bank without written consent from the FDIC.

But in December 2022, President Biden signed the National Defense Authorization Act for Fiscal Year 2023. Section 5705 of that Act is the “Fair Hiring in Banking” section, which instructs banks to disregard certain criminal convictions. While this eases the restrictions on hiring individuals with criminal records, the changes open questions regarding the de minimis standard and whether the changes to Section 19 effectively amended Reg Z as it applies to mortgage loan originators, because of Reg Z’s references to Section 19. Specifically, § 1026.36(f)(3)(ii) addresses the qualifications of individual loan originator employees and requires the bank to review the person’s background against certain standards. It states that, before the individual acts as a loan originator in a consumer credit transaction secured by a dwelling, the bank must determine that the individual loan originator:

(A)(1) Has not been convicted of, or pleaded guilty or nolo contendere to, a felony in a domestic or military court during the preceding seven-year period or, in the case of a felony involving an act of fraud, dishonesty, a breach of trust, or money laundering, at any time;
(2) For purposes of this paragraph (f)(3)(ii)(A):

(i) A crime is a felony only if at the time of conviction, it was classified as a felony under the law of the jurisdiction under which the individual was convicted;

(ii) Expunged convictions and pardoned convictions do not render an individual unqualified; and

(iii) A conviction or plea of guilty or nolo contendere does not render an individual unqualified under this § 1026.36(f) if the loan originator organization has obtained consent to employ the individual from the Federal Deposit Insurance Corporation (or the Board of Governors of the Federal Reserve System, as applicable) pursuant to section 19 of the Federal Deposit Insurance Act (FDIA), 12 U.S.C. 1829, the National Credit Union Administration pursuant to section 205 of the Federal Credit Union Act (FCUA), 12 U.S.C. 1785(d), or the Farm Credit Administration pursuant to section 5.65(d) of the Farm Credit Act of 1971 (FCA), 12 U.S.C. 227a-14(d), notwithstanding the bars posed with respect to that conviction or plea by the FDIA, FCUA, and FCA, as applicable; and

(B) Has demonstrated financial responsibility, character, and general fitness such as to warrant a determination that the individual loan originator will operate honestly, fairly, and efficiently…”

So, there are the rules, and now some exceptions. Section 5705 provides that an individual no longer needs the consent of the FDIC (or of the NCUA for credit unions; read NCUA alongside FDIC in most places below) to become employed with an insured bank or credit union for “certain older offenses.” These exceptions apply where:

1. It has been seven years or more since the individual committed the offense; or
2. The individual was incarcerated with respect to the offense, and it has been five years or more since the individual was released from incarceration; or
3. The individual committed the offense when they were 21 years of age or younger, if more than 30 months have passed since the sentencing for the offense occurred.

These are lower thresholds than recognized under prior law and FDIC rules. In addition, other de minimis offenses may be exempt, subject to the FDIC rulemaking capabilities and meeting the following criteria:

1. Punishable by a term of three years or less confined in a correctional facility;
2. Offenses for writing insufficient funds checks must require that the aggregate total face value of all insufficient funds checks (regardless of the number of convictions or program entries at issue) be $2,000 or less; and
3. Other lesser offenses, like the use of a fake ID, shoplifting, trespass, fare evasion, and driving with an expired license or tag, if at least one year has passed since the conviction or program entry for such offense.

There is greater opportunity for exempting de minimis offenses. Banks are now able to move through the hiring process more easily for individuals with lesser, minor convictions than in the past. I will draw attention to the fact that the rules do not say “may consider” or “may waive,” as in “this is optional.” It says banks should disregard prior requirements where these conditions exist. Theoretically if a young employee embezzled from the bank and has been released and meets these conditions, the bank could not stand on Section 19 of the FDI Act and refuse employment.

Under the current Section 19 rules, offenses are considered de minimis and a waiver is automatically granted if the maximum punishment for the crime was:

1. imprisonment of one year or less, and the individual served three days or less of jail time, and
2. a fine of $2,500 or less.
3. Offenses for writing “bad checks” are considered de minimis so long as the aggregate value of the “bad checks” written is less than $1,000 and the payees were not an insured depository institution (IDI) or a credit union.

For a direct comparison, the Fair Hiring in Banking provisions change this automatic exception to:

1. offenses punishable by a maximum of three years or less of confinement, calculated on the time an individual actually spent incarcerated and not counting pretrial detention, probation or parole;
2. no reference to a fine; and
3. an aggregate amount for the bad checks increased to $2,000.

Now the Reg Z issues. Reg Z prohibits banks from employing individuals in loan originator positions if that individual was:

1. convicted of a felony in the preceding seven years, or
2. “at any time” for felonies “involving an act of fraud, dishonesty, a breach of trust, or money laundering,”
3. unless they have received consent from the FDIC pursuant to Section 19.

But now the Fair Hiring in Banking provisions removed the requirement that an individual must obtain consent under Section 19 for offenses where:

1. it has been seven years or more since the offense occurred, or
2. the individual was incarcerated for the offense and it has been five years or more since release from incarceration; or
3. the individual was 21 years of age or younger when the offense was committed and 30 months or more have passed since sentencing.

The result is a set of convictions that would require FDIC consent under Reg Z that are no longer covered convictions under Section 19. Fast forward to October 23, 2023, and the FDIC’s Notice of Proposed Rulemaking Concerning Section 19. The NPRM states:

The proposed rule would incorporate statutory changes to Section 19, including the following:

• Certain older offenses. The Act excludes certain offenses from the scope of Section 19 based on the amount of time that has passed since the offense occurred or since the individual was released from incarceration.

• Designated lesser offenses. Under the Act, Section 19 does not apply to the following offenses, if one year or more has passed since the applicable conviction or program entry: using fake identification; shoplifting; trespassing; fare evasion; and driving with an expired license or tag.

• Criminal offenses involving dishonesty. The Act excludes certain offenses from the definition of “criminal offenses involving dishonesty,” including “an offense involving the possession of controlled substances.” Historically, the FDIC has required an application as to drug-related offenses—aside from simple-possession offenses. In light of the Act, however, the FDIC believes that Congress intended to exclude, at least, the offenses of simple possession and possession with intent to distribute from the “involving dishonesty” category because of the statute’s use of the phrase “involving the possession of controlled substances.” Additionally, the FDIC believes it should shift from the presumption that other drug-related offenses are subject to Section 19 as crimes involving dishonesty, breach of trust, or money laundering. This revised approach would treat drug offenses the same as all other types of crimes, which do not automatically trigger the need for an application, but which may require an application depending on the elements of the underlying criminal offense.

• Expunged, sealed, and dismissed criminal records. The Act excludes certain convictions from the scope of Section 19 that have been expunged, sealed, or dismissed. The existing FDIC regulations already exclude most of those offenses. The proposed rule would modestly broaden the statutory language concerning such offenses to harmonize the FDIC’s current regulations concerning expunged and sealed records with the statutory language.

• Standards for FDIC review of Section 19 applications. The Act prescribes standards for the FDIC’s review of applications submitted under Section 19.

The proposed rule also provides interpretive language that addresses, among other topics, when an offense “occurs” under the Act, whether otherwise-covered offenses that occurred in foreign jurisdictions are covered by Section 19, and offenses that involve controlled substances.

Comments are due by January 16, 2024, as this appeared in the Federal Register on November 14. https://www.federalregister.gov/documents/2023/11/14/2023-23853/fair-hiring-in-banking-act. Compliance may want to coordinate with Human Resources on a comment letter if there are questions your bank has, clarifications you want, or changes to recommend.

AI in Banking

Is your bank an early adopter of technology? I do not see many community banks jumping onto the cutting edge, but AI will soon become a more commonly offered service from vendors, so now is the time to become familiar with what is happening in this arena. The danger is less AI in banking services than staff using it as a shortcut. If a “techie auditor” wants to use ChatGPT or a similar program to dress up an audit report, who fact-checks it? In December the CEO of The Arena Group, which publishes Sports Illustrated, was fired weeks after the magazine was accused of publishing articles generated using artificial intelligence (AI).

The CFPB in June reported on consumer dissatisfaction with chatbots, another common use of AI. The report noted that about 37 percent of the U.S. population has interacted with chatbots. In banking, the use of chatbots raises several risks, including: (i) noncompliance with federal consumer financial protection laws; (ii) diminished customer service and trust; and (iii) harm to customers. The CFPB has received complaints on the subject. We have also seen AI result in fair lending cases based on poorly targeted marketing. You can find the CFPB’s report here: https://www.consumerfinance.gov/data-research/research-reports/chatbots-in-consumer-finance/chatbots-in-consumer-finance/