While some forms of payments fraud have existed for centuries (like forged checks), others have emerged more recently. And as banking technology and payment methods evolve, fraudsters are doing their part to keep pace, including by updating classic payment fraud schemes to take advantage of the COVID-19 pandemic. Payments fraud generally falls into two categories:
- unauthorized payments – such as unauthorized ACH debits, altered or forged checks, or transactions initiated after an account takeover; and
- scams – such as fraudulently induced payments, “bad check” scams, and revocable payment fraud.
Some of these traditional fraud schemes have been tailored to take advantage of the pandemic situation by targeting vulnerable consumers (e.g., through imposter or work-from-home scams) and state unemployment agencies, which are defrauded when criminals use consumers’ stolen personally identifiable information (PII) to fraudulently apply for unemployment insurance in the victim’s name, then transfer funds through a “money mule” account.
A variety of different laws, regulations, and payment system rules are relevant to payments fraud, and different rules apply based on the type of transaction and nature of the fraud.
Core laws applicable to payments fraud include:
- For check transactions: UCC Article 3 – Negotiable Instruments[1], and Article 4 – Bank Deposits and Collections[2];
- For consumer electronic fund transfers: the Electronic Fund Transfer Act[3] and its implementing regulation, Regulation E[4]; and
- For commercial funds transfers: UCC Article 4A – Funds Transfers.
Other laws may also have relevance, such as the various prohibitions on unfair, deceptive and abusive acts or practices (UDAAP), anti-money laundering requirements under the Bank Secrecy Act[5] (BSA), and the privacy and data security requirements for financial institutions under the Gramm-Leach-Bliley Act[6] (GLBA). Further, private sector payment system rules, such as the NACHA Operating Rules for ACH[7], may also apply, particularly with respect to the allocation of loss between financial institutions. Which laws apply, and how, may depend on characteristics of the transaction, including the payment channel, whether the payment was unauthorized or resulted from a scam, and whether it is a consumer or commercial transaction.
CHECK FRAUD
Traditional types of check fraud include check alteration (e.g. changes to the payee or amount of a check), check forgery (a forged drawer’s signature), counterfeit checks, and bad check scams (where a consumer receives a bad check, deposits it, and is asked to send some or all of the provisionally credited funds to a third party).
The UCC generally requires a paying bank to recredit its customer’s account when it pays an unauthorized check, which provides customers protection against checks that are not properly payable. In addition, transfer and presentment warranties determine the allocation of loss between the depositary bank and the paying bank.[8] Whereas, in a bad check scam, the loss is likely to fall on the consumer who deposited the bad check when the check is returned unpaid by the paying bank. In these bad check schemes, fraudsters take advantage of a victim’s lack of understanding of payment system functionality and applicable legal framework by instructing the victim to transfer funds through an irrevocable payment channel (wire transfer) or a method that is difficult to trace and recover (purchasing and mailing a prepaid card) once the depositary bank provisionally credits the funds.
WIRE TRANSFER SCAMS
Business email compromise (BEC) is a sophisticated form of payments fraud that has emerged in recent years. BEC targets businesses in which employees are tricked into sending funds to a fraudster (typically by wire transfer, but sometimes an ACH credit transfer). BEC is carried out through the compromise of legitimate email accounts and social engineering. Many large banks have taken action to try and prevent their customers from falling victim to BEC, including extensive education campaigns.
For commercial transactions, the allocation of loss that results from a BEC scam between the commercial customer and the bank is determined by Article 4A’s security procedure framework. In particular, the commercial customer (Sender) is not liable to the Sending Bank for a funds transfer that was not authorized. However, the transfer can be deemed “authorized” if the Sending Bank verified the authenticity of the instruction using a mutually agreed upon “security procedure,” the security procedure is commercially reasonable, and the bank accepted the payment order in “good faith” and in compliance with the security procedure.
COVID-19 SCAMS
Fraudsters have taken advantage of the COVID-19 pandemic to target vulnerable consumers, such as the elderly and unemployed. These scams provide a new twist on classic payment fraud schemes, and have taken various forms, including:
- those involving government impersonators;
- fraudulent cures, medical equipment or charities;
- work-from-home fraud;
- contact tracing scams; and
- scams relating to the CARES Act Economic Impact Payments.
These criminal acts may involve an “imposter scam” scenario, or utilize the “bad check” or fraudulently induced wire transfer schemes, with legal responsibility for the loss determined by existing payment laws and regulations as applicable.
Fraudsters have also targeted state unemployment agencies with scams in which a criminal submits fraudulent unemployment insurance claims using consumers’ stolen personally identifiable information (PII), and instructs payments to accounts controlled by money mules (generally by ACH), who themselves may be either witting or unwitting participants and may be lured to participate through good-Samaritan, romance, and work-from-home schemes. This type of fraud has been facilitated by recent large scale data breaches that led to widespread access to consumer PII that can be used to perpetrate payments fraud and for other illicit purposes, such as identity theft.
Notably, FinCEN has released advisories providing financial institutions guidance on potential red flags of such schemes for purposes of Suspicious Activity Reporting obligations under the Bank Secrecy Act, including where a customer receives multiple state unemployment insurance payments to their account within the same disbursement timeframe from one or multiple states, or receives an unemployment insurance payment from a different state from where the customer lives or works.[9]
POLICY CONSIDERATIONS
As banks undertake more measures to help customers avoid becoming victims of payments fraud schemes, it is important to consider whether by doing so they are altering the “delicate balance” of interests contemplated under existing loss allocation rules for fraudulent payments and, if so, how that may impact the availability and pricing of certain types of payments in the future.
[7] See https://www.nacha.org/rules/operating-rules.
[8] For example, under the UCC, the depositary bank generally bears the loss for improper endorsements and alterations, while the paying bank generally bears the loss for a forged drawer’s signature or a counterfeit check. These UCC provisions reflect the long-standing rule from Price v. Neal, 3 Burr. 1354, 97 Eng. Rep. 872 (KB. 1763).
[9] FIN-2020-A003, 2020 Advisory on Imposter Scams and Money Mule Schemes Related to Coronavirus Disease 2019 (COVID-19) (July 7, 2020), available at: https://www.fincen.gov/sites/default/files/advisory/2020-07-07/Advisory_%20Imposter_and_Money_Mule_COVID_19_508_FINAL.pdf.