InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California regulator advises businesses to only collect needed data under CCPA
On April 2, The California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles would apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that addressed the applicable negative impacts. As part of the discussion, the Advisory also discussed two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that businesses may not verify a consumer’s identity to process an opt-out (it may, however, ask the consumer for the information necessary to complete the request). For the verification procedures, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.
District Court grants MSJ in FCRA case in favor of defendant
Recently, a plaintiff sued under the FCRA, alleging that the defendant debt collector failed to conduct a reasonable investigation into a disputed credit report item. The plaintiff claimed to be a victim of identity theft and contended that an outstanding telephone debt should not have been listed on his credit report. The defendant maintained that it had performed its duties reasonably, relying on information from the phone company for which it acted as a debt collector. The defendant moved for summary judgment on the grounds that the plaintiff had not provided any evidence to support the claim of an unreasonable investigation by defendant. The U.S. District Court for the Southern District of Florida granted the motion for summary judgment, agreeing with the defendant that the plaintiff had failed to provide any substantial evidence regarding how the defendant’s investigation was conducted or why it was unreasonable.
FinCEN report on identity fraud in 2021 outlines statistics and processes
On January 9, FinCEN published a report titled “Identity-Related Suspicious Activity: 2021 Threats and Trends” which focuses on patterns in reported Bank Secrecy Act (BSA) data linked to suspicious activity from 2021. The report is part of a broader set of financial trend analyses conducted by FinCEN under section 6206 of the Anti-Money Laundering Act of 2020. During 2021, about 1.6 million of all BSA reports (or 42 percent) on suspicious activity were related to identity, equaling $212 billion in suspicious activity.
Key findings in the report included: (i) 69 percent of identity-related BSA reports indicate attackers have impersonated others; (ii) depository institutions have filed the most BSA reports at 54 percent, with the next highest being money services businesses at 21 percent; (iii) general fraud was the most reported typology with 1.2 million BSA reports totaling $149 billion in suspicious amounts, with the next two being false records and identity theft, respectively; and (iv) there were a significant number of identity-related exploitations based on BSA report volumes and dollar values. FinCEN reported three identity-related exploitations, including how attackers (a) impersonate others; (b) dodge or exploit verification processes; and (c) use compromised credentials. A model on page six of the report provides further clarity on how attackers undermine identity processes, such as through bust out schemes (attackers open credit card accounts then max out the cards), check fraud, credit and debit card fraud, and Covid-19 fraud.
District Court dismisses FDCPA suit; clarifies debt collector communication on identity theft
On December 5, the U.S. District Court of New Jersey dismissed an FDCPA suit brought against a debt collector. According to the opinion, plaintiff originally filed suit because they received a letter from defendant regarding an outstanding cell phone bill. The letter provided instructions on what to do if the recipient suspected identity theft. Additionally, the letter contained a summary of plaintiff’s account and a QR code that linked to defendant’s website for online payment. Plaintiff contended that the dual approach of offering assistance while simultaneously pursuing collection of a debt was false and misleading. A District Court judge, however, disagreed and dismissed the case, at which point the plaintiff filed an amended complaint.
The amended complaint alleges that the debt collector breached the FDCPA by using false, deceptive or misleading representations regarding the rights of the plaintiff and the obligations of the debt collector with respect to communications concerning identity theft. Specifically, plaintiff argued defendant was in violation of § 1681m(g) of the FDCPA, which obligates a debt collector to take certain steps upon being notified of identity theft, but the court disagreed, finding that the collector’s specific steps taken were in accordance with the Act.
The court emphasized that plaintiff did not introduce any new factual claims in the amended complaint, and merely clarified how the facts already outlined in the initial complaint breached the FDCPA. The judge ruled that the letter not only allows plaintiff to inform defendant about potential identity theft, but also may serve to bring potential identity theft to plaintiff’s attention. The ruling stated that there is no obligation to extensively explain recommended procedures in the case of an identity theft occurrence, and only an “idiosyncratic reading” of the letter would lead to the conclusion that the letter misrepresents defendant’s obligations.
CFPB reports on servicemember identity theft
On January 12, the CFPB released an Issue Spotlight discussing identity theft affecting servicemembers. According to the report, servicemembers, veterans, and military family members are more likely to report identity theft than civilians, with military consumers reporting almost 50,000 cases of identity theft to the FTC in 2021. The Bureau also noted that a steady income could make servicemembers a target for identity thieves looking to create fraudulent credit accounts or tap into bank accounts, and warned that frequent relocation may also increase servicemembers’ risk of identity theft.
Many servicemembers and all officers are required to pass a national security clearance check that includes a review of their credit history and ability to meet their financial obligations. The report found that security clearances are “continuously evaluated” with credit checks being part of the process. If a review reveals a history of failing to meet financial obligations, being in excessive debt, or having a high debt-to-income ratio, a servicemember’s security clearance may be revoked. Bad credit can also lead to rejected or higher-cost rental or mortgage applications, limiting housing options the Bureau said.
The report also found that unrecognized debt is often the first sign of identity theft. Between 2014 and 2022, military consumer complaints to the CFPB about debts that resulted from identity theft increased nearly fivefold, from more than 200 annually in 2014, to more than 1,000 in 2022. The Bureau noted that addressing credit report inaccuracies related to identity theft can be “a particularly complicated process.” The report also provided recommendations for servicemembers on how to protect their credit, such as reviewing credit reports regularly and disputing inaccurate information and taking advantage of free credit monitoring services.
FINRA alerts firms about rising ACATS fraud
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.
California governor signs legislation on identity theft
On September 23, California’s governor signed AB 430, which requires a debt collector to pause collection activities until completion of a review if the debt collector receives a copy of an FTC identity theft report and a written statement from the debtor. Among other things, the bill: (i) alters the definition of “victim of identity theft” to include individuals who submit FTC identity theft reports; (ii) authorizes a debtor to send a copy of a police report, as specified, but prohibits a debt collector from also requiring a police report if the debtor submits an FTC identity theft report; and (iii) requires that “in order for a person to recover actual damages or attorney’s fees in an action or cross-complaint filed by a person alleging that they are a victim of identity theft, that the person, upon written request of the claimant, provided the claimant a valid, signed FTC identity theft report before filing the action or within their cross-complaint, as specified.”
District Court grants summary judgment for defendant in identity theft case
On June 30, the U.S. District Court for the Eastern District of Pennsylvania granted a motion for summary judgment in favor of a debt collection agency (defendant) with respect to a plaintiff’s FCRA and FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the FCRA and the FDCPA by failing to fulfill a reasonable investigation upon receipt of a dispute over an account that was allegedly opened in his name without his consent. According to the opinion, the plaintiff filed a suit against the defendant and three other companies, but “following various settlements,” the debt collection agency remained the sole defendant. The plaintiff was notified by the defendant that additional information was required to further investigate his claim, including a fraud and identity theft affidavit, proof of residence, a police report, and a valid government-issued ID, which was not allegedly provided to the defendant until after the plaintiff had filed the suit. The court dismissed the FCRA claim, finding that there was not enough evidence that the plaintiff submitted the necessary information to make his reported dispute a bona fide dispute, which is necessary to establish an FCRA violation. The court also dismissed the FDCPA claims stating that the plaintiff failed to identify false representation or deceptive means by the defendant in connection with the collection of the relevant debt.
6th Circuit affirms access-device fraud and identity theft convictions
On April 17, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s access-device fraud and aggravated identity theft convictions, finding that there was sufficient evidence to support the court’s factual findings on both charges. According to the opinion, the defendant applied for a debit card for his great-grandfather’s bank account without authorization and used the card to pay for his own expenses. The defendant was also seen multiple times on bank security cameras withdrawing money from an ATM using this card. The district court also heard testimony that the defendant opened accounts and applied for loans under his own name but used his great-grandfather’s social security number. The district convicted the defendant on one count of access-device fraud and two counts of aggravated identity theft. The defendant appealed, arguing that the district court failed to make adequate findings of fact and that the government failed to present sufficient evidence to support the charges for which he was convicted.
On appeal, the 6th Circuit reviewed the factual findings underlying the convictions, and first concluded that, with respect to the count of access-device fraud, the government proved each element: that the defendant (i) knowingly used an access device assigned to another individual; (ii) possessed an intent to defraud; (iii) obtained a thing or things with an aggregate value of $1,000 or more within a year using the access device; and (iv) affected interstate or foreign commerce in using the access device. The appellate court explained that there was ample circumstantial evidence to support lack of authorization from the proper owners of the accounts at issue, and that the card was issued in Kentucky and the bank issuing the card was headquartered in Minnesota. The appellate court next considered whether evidence supported the district court’s finding that the defendant committed aggravated identity theft under the bank-fraud statute by opening a checking account and applying for a loan using his great-grandfather’s social security number. The appellate court held that the defendant’s use of his great-grandfather’s social security number properly supported the district court’s finding that the defendant knowingly used, without lawful authority, another person’s means of identification and that the defendant committed a predicate felony under the bank-fraud statute.
States ask Treasury to exempt stimulus payments from garnishment and urge CFPB to “vigorously enforce” FCRA
On April 13, a coalition of state attorneys general and the Hawaii Office of Consumer Protection (states) sent a letter to Treasury Secretary Steven T. Mnuchin, calling for immediate action to ensure that stimulus checks issued under the CARES Act to consumers affected by the Covid-19 pandemic are not subject to garnishment by creditors and debt collectors. While the CARES Act does not “explicitly designate these emergency stimulus payments as exempt from garnishment,” the states claim that a “built-in mechanism” contained within a provision of the CARES Act can rectify the legislative oversight. Specifically, the states point to Section 2201(h), which “authoriz[es] Treasury to issue ‘regulations or other guidance as may be necessary to carry out the purposes of this section,’” and ask Treasury to immediately designate the stimulus checks as “‘benefit payments’ exempt from garnishment.”
The same day, another coalition of state attorneys general sent a letter to CFPB Director Kathy Kraninger urging the Bureau to rescind an April 1 policy statement directed at consumer reporting agencies (CRAs) and furnishers (covered by InfoBytes here) that stated the Bureau will take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the Fair Credit Reporting Act [(FCRA)] and Regulation V.” According to the states, the policy statement suggests that the Bureau does not plan on enforcing the CARES Act amendment to the FCRA, which requires lenders to report as current any loans subject to Covid-19 forbearance or other accommodation. The Bureau’s decision, the states contend, may discourage consumers from taking advantage of offered forbearances and other accommodations. The states also argue that allowing CRAs to take longer than the FCRA-prescribed 30 days to investigate consumer disputes puts consumers at risk. The states stress that the recent increase in Covid-19 scams has heightened the need for the Bureau to vigorously enforce the FCRA, and that, moreover, the thousands of complaints received by the states, FBI, FTC, and DOJ concerning phishing and other scams designed to gather consumers’ financial information have highlighted identity theft risks. The states emphasize “that even if the CFPB refuses to act. . .we will not hesitate to enforce the FCRA’s deadlines against companies that fail to comply with the law.”