InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court dismisses EFTA claims over prepaid debit card fraud
On August 11, the U.S. District Court for the District of Maryland dismissed a putative class action alleging violations of the EFTA and state privacy and consumer protection laws brought against a national bank on behalf of consumers who were issued prepaid debit cards providing pandemic unemployment benefits. The named plaintiff—a self-employed individual who did not qualify for state unemployment insurance but who was eligible to receive temporary Pandemic Unemployment Assistance (PUA) benefits—alleged that he lost nearly $15,000 when an unauthorized user fraudulently used a prepaid debit card containing PUA funds that were intended for him. The court dismissed the class claims with respect to the EFTA and Regulation E, finding that the Covid-19 pandemic was a “qualified disaster” under applicable law and regulations (i.e. PUA payments were “qualified disaster relief payments”), and that as such, the payments satisfied the CFPB’s official interpretation of Regulation E and were excluded from the definition of a “prepaid account.” The court further explained that while relevant CFPB regulations define an “account” to include a prepaid account, Regulation E excludes “any ‘account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments.’” Because the prepaid debit card in question was established through a third party and was loaded only with PUA funds, it did not meet the definition of a “prepaid account” and therefore fell outside the EFTA’s definition of a covered account. The court also disagreed with the plaintiff’s contention that PUA payments were authorized by Congress in the CARES Act due to the public health emergency rather than a disaster.
DOJ charges six with crypto fraud
On June 30, the DOJ charged six individuals in four separate cases for allegedly playing a role in several cryptocurrency-related fraud schemes. In its press release announcing the indictments, the DOJ said these schemes include “the largest known Non-Fungible Token (NFT) scheme charged to date, a fraudulent investment fund that purportedly traded on cryptocurrency exchanges, a global Ponzi scheme involving the sale of unregistered crypto securities, and a fraudulent initial coin offering.”
- Crypto NFT Scheme: The DOJ charged a Vietnamese national with one count of conspiracy to commit wire fraud and one count of conspiracy to commit international money laundering related to his involvement in an NFT project, in which the individual and his co-conspirators allegedly engaged in a “rug pull” that ended the investment project and stole roughly $2.6 million from investors. Shortly after the rug pull, the DOJ said in its announcement that the individuals allegedly “laundered investors’ funds through ‘chain-hopping,’ a form of money laundering in which one type of coin is converted to another type and funds are moved across multiple cryptocurrency blockchains.” The individuals also allegedly used decentralized cryptocurrency swap services to hide the trail of investors’ stolen funds.
- Crypto Ponzi and Unregistered Securities Scheme: The DOJ charged two Brazilian nationals and a Florida resident with one count of conspiracy to commit wire fraud and one count of conspiracy to commit securities fraud in connection with a global cryptocurrency-based Ponzi scheme that generated approximately $100 million from investors. The Brazilian nationals were also charged with conspiracy to commit international money laundering. According to the DOJ, the individuals fraudulently promoted a cryptocurrency investment platform and unregistered securities offering by misrepresenting a purported proprietary trading bot and falsely guaranteeing returns to investors. The Brazilian nationals allegedly laundered investors’ funds through a foreign-based cryptocurrency exchange and paid earlier platform investors with money obtained from later investors, the DOJ said. The SEC also filed a lawsuit against all three individuals and their company in the U.S. District Court for the Southern District of Florida.
- Crypto Initial Coin Offering Scheme: A California resident who founded a cryptocurrency investment platform was charged by the DOJ with one count of securities fraud for his role in a cryptocurrency fraud scheme involving the platform’s initial coin offering (ICO), which raised roughly $21 million from investors globally. According to the DOJ, the individual falsified information in company white papers for prospective investors, promoted fake testimonials, and fabricated purported business relationships with the Federal Reserve Board and dozens of major companies to appear legitimate.
- Crypto Commodities Scheme: The DOJ charged the owner of a cryptocurrency investment platform with one count of conspiracy to commit wire fraud, four counts of wire fraud, one count of conspiracy to commit commodities fraud, and one count of obstruction of justice. The Nevada resident allegedly raised approximately $12 million from investors by using the platform to solicit investors’ participation in an unregistered commodity pool (“a fund that combines investors’ contributions to trade on the futures and commodity markets”), told investors that he used a trading bot that “could execute over 17,000 transactions per hour on various cryptocurrency exchanges” to earn profits, and falsely represented that this trading bot would generate between 500 to 600 percent returns on the amount invested.
“Our office is committed to protecting investors from sophisticated scammers seeking to capitalize on the relative novelty of digital currency,” U.S. Attorney Juan Antonio Gonzalez for the Southern District of Florida stated. “As with any emerging technology, those who invest in cryptocurrency must beware of profit-making opportunities that appear too good to be true.”
FTC sues national retailer for allegedly facilitating money transfer fraud
On June 28, the FTC filed a complaint against a national retailer for allegedly allowing its money-transfer services to facilitate fraud. The complaint alleges the retailer knew about the role money transfer services play in scams but failed to properly secure the services offered at its stores, thus allowing money to be sent to “domestic and international fraud rings.” According to the FTC, at least 226,679 complaints totaling more than $197 million were received by several money transfer services companies about fraud-induced money transfers that were sent from or received at one of the retailer’s stores between January 1, 2013 and December 31, 2018. An investigation by the FTC purportedly revealed that the retailer’s practices allegedly harmed consumers by, among other things, (i) allowing the payout of suspicious money transfers, which allowed scammers to retrieve fraud proceeds at one of the retailer’s stores; (ii) failing to have in place a written anti-fraud policy or consumer protection program until November 2014; (iii) allowing cash pickups for large payments, often through the use of fake IDs; (iv) failing to display or provide materials warning consumers about potential frauds; (v) failing to effectively train or retrain employees; and (vi) allowing money transfers to be used for telemarketing purchases, which are prohibited under the Telemarketing Sales Rule (TSR) due to the high risk of fraud.
According to the complaint, the retailer “is well aware that telemarketing and other mass marketing frauds, such as ‘grandparent’ scams, lottery scams, and government agent impersonator scams, induce people to use [the retailer’s] money transfer services to send money to domestic and international fraud rings. Nevertheless, [the retailer] has continued processing fraud-induced money transfers at its stores—funding telemarketing and other scams—without adopting policies and practices that effectively detect and prevent these transfers.”
The complaint seeks a permanent injunction, monetary relief, civil penalties, restitution, and other relief for each violation of the FTC Act and the TSR. The FTC also requests the “rescission or reformation of contracts, the refund of money, the return of property, the payment of damages, public notification, or other relief necessary to redress injury to consumers damages.”
The retailer issued a press release following the FTC’s announcement, stating that it considers the agency’s claims to be “misguided and legally flawed,” and that the civil lawsuit “was approved by the FTC by the narrowest of margins after Chair Lina Khan refused [the retailer] the due process of hearing directly from the company.” The retailer noted that the FTC’s decision comes after DOJ declined to pursue the case in court. Among other thing, the retailer contended that because it maintains robust anti-fraud measures there is no need for injunctive relief requiring the retailer to change its practices. The retailer pointed to the U.S. Supreme Court’s ruling in AMG Capital Management LLC v. FTC, which limited the FTC’s ability to obtain monetary relief in federal court (covered by InfoBytes here), to argue that the FTC “pivoted their focus in this case after AMG to a distorted interpretation of the TSR to effectively try and hold [the retailer] strictly liable for money transfers that third-party criminals reportedly persuaded some consumers to send.” The retailer added that “[s]witching their main legal theory to the TSR is an obvious attempt to get around the Supreme Court’s ruling in AMG.”
FTC says consumers lost more than $1 billion to crypto fraud
On June 3, the FTC reported that consumers lost over $1 billion to fraud involving cryptocurrencies from January 2021 through March 2022. The FTC’s recent Consumer Protection Data Spotlight found that cryptocurrency is becoming the payment of choice for many scammers and that most reported cryptocurrency losses involved fake investment opportunities (totaling $575 million in reported losses since January 2021). The spotlight stated that nearly four out of every ten dollars reported lost to a fraud originating on social media was lost in crypto, far more than any other payment method. Following losses related to cryptocurrency schemes, the next largest losses involved romance scams ($185 million) and business and government impersonation scams ($133 million collectively).
FTC sues sales organization in business opportunity scam
On March 15, the FTC filed an administrative complaint against an independent sales organization and its owners (collectively, “respondents”) for allegedly opening merchant accounts for fictitious companies on behalf of a business opportunity scam previously sued by the FTC in 2013. According to the complaint, the scammers promoted business opportunities to consumers that falsely promised they would earn thousands of dollars. From its previous 2013 lawsuit, the FTC obtained judgments and settlements of over $7.3 million (covered by InfoBytes here). The complaint alleged that respondents violated the FTC Act and the Telemarketing Sales Rule by helping the scammers launder millions of dollars of consumers’ credit card payments from 2012 to 2013 and ignoring warning signs that the merchants were fake. The FTC claimed that the respondents, among other things, (i) opened merchant accounts based on “vague” business descriptions; (ii) ignored the fact that for most of the merchants, the principals or business owners had poor credit ratings, which should have raised questions about the financial health of the merchants; (iii) neglected to obtain merchants’ marketing materials or follow up on signs that the merchants were engaged in telemarketing; and (iv) ignored inconsistencies related to the bank accounts listed on several of the merchants’ applications. The FTC further claimed that the respondents created 43 different merchant accounts for fictitious companies on behalf of the scam and even provided advice to the organizers of the scam on how to spread out the transactions among different accounts to evade detection.
Under the terms of the proposed consent order (which is subject to public comment and final FTC approval), the respondents would be prohibited from engaging in credit card laundering, as well as any other tactics to evade fraud and risk monitoring programs. The respondents would also be banned from providing payment processing services to any merchant that is, or is likely to be, engaged in deceptive or unfair conduct, and to any merchant that is flagged as high-risk by credit-card industry monitoring programs. Furthermore, the respondents would be required to screen potential merchants and monitor the sales activity and marketing practices of current merchants engaged in certain activities that could harm consumers. The FTC noted that it is unable to obtain a monetary judgment due to the U.S. Supreme Court’s decision in AMG Capital Management v. FTC, which held that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.)
9th Circuit affirms dismissal of investors’ data breach disclosures suit
On March 2, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a class action suit for failure to state a claim, concluding that investors had failed to adequately allege that statements about the defendant company’s cybersecurity practices in the company’s 2018 Form 10-K amounted to securities fraud. The plaintiffs asserted that certain statements, including statements that the company maintained “a comprehensive security program,” “were misleading because they created the impression that [the company] implemented the data security best practices described in those statements no later than 2016, when in fact, the company did not implement those practices until later.” The plaintiffs argued that based on these statements, “a reasonable investor could have concluded that any data security improvements [the company] described would have been put in place in response to the two public hacks [the company] had experienced in the past, one in 2013 and one in 2016.” The 9th Circuit determined that the plaintiffs had failed to show that the company had misled investors into believing that it had made data security improvements specifically in response to the 2013 and 2016 data breaches and had “plead no facts supporting a reasonable inference that either of those hacks was a prominent enough milestone in company history that the average investor would be led to believe every data security improvement directly followed them.”
The plaintiffs further alleged that other statements in the 10-K were misleading because they “created the impression that it was unlikely [the company] had suffered an undetected data breach in the past, when in reality it was somewhat likely.” The appellate court rejected the plaintiffs’ argument and noted that “these statements would not give an ordinary investor reason to believe that [the company] was asserting that the risk that an undetected breach had occurred was particularly high or low, or that it had changed over time.” The 9th Circuit further agreed with the district court that the plaintiffs had failed to specifically allege that the company acted with the intent to deceive, manipulate, or defraud, or engage in “deliberate recklessness.”
State AGs urge FTC to take action on impersonation scams
On February 23, a coalition of state attorneys general sent a letter to FTC Chair Lina M. Khan, responding to the Commission’s advance notice of proposed rulemaking and urging the FTC to target “impersonation scams” to ensure consumers are protected from harm. As previously covered by InfoBytes, last December the FTC issued a request for comments on a wide range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data from the Social Security Administration reporting $2 billion in total losses between October 2020 and September 2021. The AGs commented that overall, they “believe there is a pressing need for FTC rulemaking to address the scourge of impersonation scams impacting consumers across the United States,” noting that “[a] national rule that encompasses and outlaws such commonly experienced scams discussed [within the letter] would assist attorneys general and their partners in reducing consumer harm, maximizing consumer benefits, and holding bad actors to account.” Among other things, the letter discussed state-specific consumer complaints related to business impersonation, document preparation, regulatory compliance, and lead generation scams, and warned that the FTC should explore the means and instrumentalities used in these types of fraud. One example, the AGs pointed out, is impersonators using third-party payment processing services to effectuate their scams, often times requiring certain payment methods for fictitious overdue mortgage, utility, and student loan debts. In stressing the “burgeoning need for a robust standard outlawing impersonation scams,” the AGs stated that “[w]hen a specific type of unfair or deceptive business practice becomes so prevalent, Commission rulemaking is appropriate.” They further added that these efforts are welcomed as part of their ongoing collaborative relationship with the FTC.
SEC: Taking remedial actions may help companies avoid penalties
On January 28, the SEC announced a settlement subject to court approval with a private technology company to resolve allegations that the company, through its former CEO, falsely inflated key financial metrics and doctored internal sales records. The complaint, which alleged violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, claimed that the CEO significantly inflated the value of numerous customer deals, and then masked the inflation by creating fake invoices and altering real invoices to make it seem as if customers had been billed higher amounts. The company’s board of directors conducted an internal investigation, which led to the removal of the CEO, a revised company valuation, and remedial efforts including repaying investors. The company also hired new senior management, expanded its board, and implemented processes and procedures to ensure transparency and accuracy of deal reporting and associated revenues. While the company neither admitted nor denied the allegations, it agreed to be permanently enjoined from violations of the antifraud provisions. The SEC highlighted that the lack of a penalty in the settlement is significant, and demonstrates the Commission’s position that a company may receive credit if it makes significant remedial efforts in the wake of an internal investigation. “For companies wondering what types of remedial actions and cooperation might be credited by the Commission after a company uncovers fraud, this case offers an excellent example,” stated Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “[The company’s] remediation and cooperation included not just its internal investigation and revised valuation, but also repaying harmed investors and improving its governance—all of which were factors that counseled against the imposition of a penalty in this case.”
FTC reports on social media fraud
On January 27, the FTC released a blog post regarding scam data usage on social media. Reports to the FTC showed that social media is increasingly used by scammers and “that social media was far more profitable to scammers in 2021 than any other method of reaching people.” The blog post, Social media a gold mine for scammers in 2021, reported that more than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021. Additionally, the FTC noted that investment scams and romance scams had the most reported dollars lost.
FTC proposes rule to combat impersonation fraud
On December 16, the FTC issued an advanced notice of proposed rulemaking (ANPR) seeking comments on a wide-range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data from the Social Security Administration reporting $2 billion in total losses between October 2020 and September 2021. These impersonation scams include persons posing as government officials or employees or persons claiming they represent well-known businesses or charities, and may use “misleading domain names, URLs, and ‘spoofed’ contact information’” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment and often request that funds be paid through wire transfer, gift cards, or cryptocurrency. Government impersonators also often threaten consumers with severe consequences, while business impersonators regularly use ploys claiming they have identified suspicious activity on a consumer’s account or computer.
The ANPR - the FTC’s first action under its streamlined rulemaking procedures announced earlier this year (covered by InfoBytes here) - seeks feedback, data, and arguments from the public concerning the need for rulemaking to prevent this type of fraud.” Comments on the ANPR are due within 60 days of publication in the Federal Register.