InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC charges investment operation targeting Muslim community
On November 2, the SEC filed a complaint against the founder of a capital investment company, alleging that the defendant targeted Muslim investors in a multimillion dollar fraudulent scheme. According to the complaint, the defendant started the company with the intention of providing purported investment expertise to members of the New York metropolitan area’s Muslim community. The defendant allegedly “offered investors promissory notes that claimed to offer guaranteed, significant returns on investments” in the company. The SEC claimed the defendant received roughly $8 million from investors by promising that the funds would be invested in Quran-compliant investments. However, the defendant allegedly misappropriated all of the funds to either make Ponzi-like payments to investors or to be used for his own personal use, including purchasing luxury vehicles and expensive jewelry or paying gambling debts. The complaint charges the defendant with violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC’s announcement noted that the defendant consented to the entry of a judgment (subject to court approval) that imposes a permanent injunction and monetary relief to be determined at a later date. Concurrently, in a parallel action involving the same conduct, the DOJ announced criminal charges against the defendant who pleaded guilty to wire fraud, wire fraud conspiracy, and money laundering.
FINRA alerts firms about rising ACATS fraud
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.
SEC files charges against crypto-asset seminar operation
On September 19, the SEC filed a complaint against a two individuals and the companies they controlled (collectively, “defendants”) in the U.S. District Court for the Southern District of Texas for allegedly operating an on-going fraudulent and unregistered crypto-asset offering targeting Latino investors. According to the SEC, the defendants allegedly raised more than $12 million from over 5,000 investors who paid for seminars to learn how to build wealth through crypto-asset trading. However, the SEC claimed that one of the individual defendants—who founded the company and actually had no education or training in investments or crypto assets—used the seminars to solicit investors to give their money to the company and then supposedly used the funds to conduct crypto asset and foreign exchange trading. In total, the SEC alleged the individual defendants made roughly $2.7 million in Ponzi payments, diverting nearly $8 million for their own personal use. The complaint charges the defendants with violating, or aiding and abetting violations of, the antifraud provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and the Securities Act. The company’s founder is also charged with violating the Investment Advisers Act of 1940. The complaint seeks a permanent injunction against the defendants, civil penalties, disgorgement of ill-gotten gains with prejudgment interest, and bars. The SEC stated in its announcement that, at the Commission’s request, the court issued a temporary restraining order to stop the offering, in addition to temporary orders freezing assets and granting additional emergency relief.
District Court rules beneficiary bank without actual knowledge of wire transfer misdescription is not liable
On September 22, the U.S. District Court for the Middle District of Louisiana granted summary judgment to a defendant beneficiary bank in an action concerning a fraudulent wire transfer that was allegedly sent to a hacker instead of the intended recipient. According to the opinion, the originating bank executed a wire transfer on behalf of the commercial plaintiff to a supplier. However, a hacker had inserted false account information into the supplier’s email to the plaintiff, causing the plaintiff’s instruction to the originating bank to indicate the wrong account at the beneficiary bank. As a result, the funds were deposited by the beneficiary bank into an account for which the account number did not match its account name. A large sum of the plaintiff’s money was thereupon withdrawn by a hacker from the account into which the funds had been deposited. The plaintiff sued asserting several claims, including, negligence and gross negligence, violations of the EFTA and the Louisiana’s Uniform Commercial Code (UCC), and aiding fraud. After all the claims except for the UCC claim were dismissed, the defendant moved for summary judgment on the grounds that it did not violate the UCC “because it did not have actual knowledge that the wire transfer at issue misdescribed the beneficiary prior to payment of the wire transfer as contemplated by that statute.”
The court ruled that based on the evidence, no reasonable juror could find that the defendant had actual knowledge of the misdescription at the time it made the transfer, explaining that the defendant did not have actual knowledge that a hacker had accessed the plaintiff’s wire transfer order, provided false instructions, and changed the target account number to its own. The court stated that under Louisiana law, a bank’s liability for completing a wire transfer that misidentifies a beneficiary or account number depends on whether it has “actual knowledge prior to payment that there was a misdescription of a beneficiary”—constructive knowledge is not actionable, the court said. The defendant also did not have actual knowledge of the misdescription prior to the payment, but rather acquired actual knowledge of the misdescription roughly two weeks later when the originating bank alerted the defendant of the alleged fraud. The court further contended that under Louisiana law a beneficiary bank that uses a fully automated payment system for wire transfers is allowed “to act on the basis of the number without regard to the name if the bank does not know that the name and number refer to different persons.”
Final judgment entered in alleged misappropriated funds suit
On September 19, the U.S. District Court for the District of Southern Florida granted final judgment against an individual to resolve SEC allegations regarding her involvement in a company that allegedly fraudulently misappropriated funds from investors. As previously covered by InfoBytes, the SEC’s complaint claimed that the individual was employed by the company and was the wife of a chief executive officer who falsely represented to many Venezuelan-American investors that the company would use their funds to finance payday loans through the offer and sale of “safe and secured or guaranteed” promissory notes. The complaint noted that the defendant “received at least $1.2 million of [the company’s] investor funds for no apparent legitimate business purpose,” in violation of the federal securities laws or any regulation or order issued under such laws, as set forth in the Bankruptcy Code. According to the order, the defendant must pay $994,000 in disgorgement and $83,000 in interest.
FTC proposes rulemaking to combat impersonation fraud
On September 15, the FTC issued a notice of proposed rulemaking (NPRM) to prohibit the impersonation of government, businesses, or their officials. According to the FTC, reported losses due to impersonation fraud spiked at the beginning the Covid-19 pandemic, and more than 2.5 million scams were reported nationwide from the beginning of 2017 through the middle of 2022, with consumers reporting losses of more than $2 billion. These impersonation scams include persons posing as government officials or employees, or persons claiming that they represent well-known businesses or charities who may use “misleading domain names and URLs and ‘spoofed’ contact information’” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment, and often request that funds be paid through wire transfer, gift cards, or cryptocurrency.
The NPRM follows an advanced notice of proposed rulemaking issued last December (covered by InfoBytes here), for which the FTC received more than 160 comments from members of the public, as well as a coalition of 49 state attorneys general and many companies and industry organizations. According to the FTC, the NPRM would codify the principle that impersonation scams violate the FTC Act, allowing the Commission to seek civil penalties and recover money from those who violate the rule. Among other things, the NPRM would ban scammers from (i) using government identifiers when communicating with consumers via mail or online; (ii) spoofing government and business email and web addresses “or using lookalike email addresses or websites that rely on misspellings of a company’s name”; or (iii) falsely implying an affiliation with a government or a business by using commonly known terms. The FTC noted that the NPRM would also apply to persons who provide the “means or instrumentalities” for scammers, such as suppliers who manufacture the fake government credentials used by scammers. Additionally, non-profit organizations would be included in the definition of a business under the NPRM, so that the FTC can take action against scammers impersonating charities. Comments on the NPRM are due 60 days after publication in the Federal Register.
CFPB studying BNPL growth
On September 15, the CFPB announced plans to consider issuing interpretive guidance or regulations to ensure that buy now, pay later (BNPL) lenders follow many of the same consumer protection measures that exist for credit cards. “We will be working to ensure that borrowers have similar protections, regardless of whether they use a credit card or a Buy Now, Pay Later loan,” CFPB Director Rohit Chopra said in the announcement. The Bureau described BNPL products as a form of interest-free credit that “serves as a close substitute for credit cards” and allows consumers to split a retail transaction into smaller, interest-free installments that are repaid over time.
Recognizing that BNPL products are a rapidly growing alternative form of credit for online retail purchases, the Bureau published a report providing key insights into the industry. According to the report, the number of BNPL loans originated from 2019 to 2021 in the US grew 970 percent, from 16.8 million to 180 million. The total dollar volume of these loans grew by 1,092 percent in that period, from $2 billion in 2019 to $24.2 billion in 2021, the report said, noting that 73 percent of applicants were approved for credit in 2021, up from 69 percent in 2020. Additionally, the report found that 89 percent of consumers using BNPL loans linked their accounts to their debit cards, and that late fee policies vary by issuer.
The Bureau raised several concerns with BNPL products in the report, including (i) inconsistent standardized cost-of-credit disclosures, minimal dispute resolution rights, a forced opt-in to autopay, and occurrences where consumers are assessed multiple late fees on the same missed payment; (ii) risks related to data harvesting and monetization, as many BNPL lenders shift business models toward proprietary app usage, allowing lenders “to build a valuable digital profile of each user’s shopping preferences and behavior”; and (iii) concerns over consumers taking out several loans during a short period of time at multiple lenders. According to the Bureau, because most BNPL lenders currently do not furnish data to the major credit reporting companies, many lenders are unaware of a consumer’s current liabilities when deciding whether to originate new loans.
The Bureau noted in its announcement that while BNPL lenders are currently subject to some federal and state oversight, compliance and licensing requirements vary. In addition to exploring potential new regulatory guidance, the Bureau said it plans to identify surveillance practices that BNPL lenders should seek to avoid, and it will continue to address the development of appropriate and accurate credit reporting practices for the industry. Chopra further announced that the Bureau is inviting BNPL lenders to self-identify if they wish to be examined for any potentially problematic business practices. The Bureau is also reviewing its authorities to conduct examinations on a compulsory basis and will work with state regulators that license nonbank finance companies on examinations of BNPL firms.
11th Circuit affirms denial of title company’s cyber fraud claim
On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to wire funds to an incorrect account.” The insurance company denied coverage on the basis that the title company did not meet the policy’s requirements. The title company submitted a claim under the cybercrime endorsement of its insurance policy, which includes a deceptive transfer fraud insurance clause that grants coverage provided certain criteria are met, including that the loss resulted from intentionally misleading actions, was done by a person purporting to be an employee, customer, client or vendor, and the authenticity of the wire transfer instructions was verified according to the title company’s internal procedures. The insurance company denied coverage, claiming that: (i) the mortgage lender to whom the funds were intended was not an employee, customer, client or vendor of the title company; and (ii) that the title company failed to verify the transfer request according to its procedures. The district court granted summary judgment in favor of the insurance company, agreeing that coverage did not exist under the plain language of the policy.
On appeal, the 11th Circuit determined that the mortgage lender was not listed as an entity under the plain language of the policy. It further disagreed with the title company’s position that under Florida law, insurance coverage clauses must “be construed as broadly as possible to provide the greatest amount of coverage,” and that the deceptive transfer fraud clause should also include “persons and entities involved in the real estate transaction.” The appellate court noted that “[a]s attractive as that proposition may be, it is simply not what the clause provides,” adding that because the clause “limits coverage to misleading communications ‘sent by a person purporting to be an employee, customer, client or vendor’” it must interpret these terms according to their plain meaning and may not “alter[] the terms bargained to by parties to a contract.”
11th Circuit says one-year statutory notice period cannot be varied
On August 26, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s summary judgment in favor of a bank after determining that the plaintiff-appellants’ claim for statutory repayment is not time-barred. Plaintiffs (Venezuelan citizens residing in Venezuela) maintained personal and commercial bank accounts at a Florida branch of the bank. According to the plaintiffs, a bank employee changed the email account associated with the bank accounts to a new fraudulent email. Identity thieves were later able to bypass security measures on the account, gave correct answers to security questions, and sent documents with signatures that matched ones the bank had on file, resulting in roughly $850,000 being transferred out of one of the accounts. Plaintiffs contended they were locked out of their accounts and struggled to contact the bank for months without success. After eventually regaining access to their accounts, plaintiffs discovered the stolen money and sued for a variety of claims, including fraud, negligence, and breach of contract. They also claimed that the bank was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202. The bank argued, among other things, that the plaintiffs’ claims were time-barred because they failed to notify the bank about the alleged fraud within 30 days of receiving a bank statement. Plaintiffs responded that the Florida Statutes provide a one-year time period to notify a bank of an unauthorized wire transfer and stated that the time-period could not be modified by agreement. The district court entered summary judgment for the bank, concluding “that the one-year period was modifiable and that the parties had modified it.” The district court also determined that because the bank’s procedures were “commercially reasonable” and followed “in good faith” it was not liable to the plaintiffs to repay the wire transfers.
On appeal, the 11th Circuit held that the plaintiffs were still within their statutory one-year notification period when they notified the bank of the fraudulent wire transfers, and rejected the bank’s argument that it could shorten the notification period to 30 days. The 11th Circuit, in rejecting the bank’s argument determined that it cannot “shift the loss of an unauthorized order to the customer during the statutorily determined period,” adding that “if the one-year statutory notice period could be varied, then banks could insist that customers sign contracts that make the time to demand a refund of a fraudulent payment a day (or even less). That would impair the account holder’s right to a refund and defeat Florida’s intent that banks—not account holders— bear the risk of a fraudulent transfer for the first year following the transfer. And there’s no limiting principle in the text for how short banks could make the statutory refund period.” Pointing out that the bank was unable to identify a limiting principal at oral argument, the appellate court concluded that “if banks could modify the one-year period, there’s no principled way to draw the line as to how short of a refund period is too short.” On remand, the 11th Circuit also instructed the district court to review whether the bank’s security procedures are “commercially reasonable.”
District Court dismisses EFTA claims concerning fraudulent transactions
On August 18, the U.S. District Court for the Eastern District of Michigan dismissed a class action alleging violations of the EFTA brought against a national bank on behalf of consumers who were issued prepaid debit cards providing Covid-19 pandemic unemployment insurance payments. Two of the plaintiffs alleged they experienced fraudulent transactions on their accounts. According to the plaintiffs, the bank froze one of the defendant’s accounts but failed to credit his account for the allegedly fraudulent transaction. In response to a second plaintiff’s fraud report, the bank allegedly froze her account and informed her that she had “to contact the unemployment agency because an unauthorized person had ‘gained access to the card and was using the unemployment benefits.’” The third plaintiff alleged that the bank froze her account based on suspected fraud and was informed that she would have to contact someone else to unfreeze the account. Plaintiffs sued for violations of the EFTA and raised several breach of contract and negligence claims.
The court dismissed the EFTA claim on several grounds, including that (i) the second plaintiff’s claim is time-barred; (ii) the other two plaintiffs’ claims stem from the bank’s alleged errors related to unauthorized transactions, yet neither requested information or clarification about an electronic funds transfer; (iii) one of the plaintiffs never actually experienced fraud (the court emphasized that the EFTA does not regulate account freezes; it regulates electronic funds transfers); and (iv) one of the plaintiff’s failed to plausibly plead that he complied with the EFTA’s notification requirements that must be met before a defendant conducts an investigation. The court also determined that the breach of contract claims failed, citing, among other things, that if an account did not have an unauthorized transaction a defendant cannot breach its reimbursement duties. Nor did the other two plaintiffs provide proper notice to trigger the bank’s duty to investigate, the court wrote, adding that the negligence claims also failed because the plaintiffs failed to respond to a request asking them to show how the bank’s actions caused them injury.