Prepaid Card Compliance - Conference Materials

© 2012 Baird Holm LLP

Fraud/Identity Theft

Legal Issues

Terrence P. Maher

[email protected]


Treasury IG for Tax Administration

• There Are Billions of Dollars in Undetected Tax Refund Fraud Resulting From Identity Theft - Reference Number: 2012-42-080 - July 19, 2012

• Processes for the Direct Deposit of Tax Refunds Need Improvement to Increase Accuracy and Minimize Fraud - Reference Number: 2012-40-118 - September 25, 2012

• Further Efforts Are Needed to Ensure the Internal Revenue Service Prisoner File Is Accurate and Complete - Reference Number: 2013-40-011- December 18, 2012


Findings

• IG estimated that the IRS could issue $21 billion in potentially fraudulent tax refunds resulting from identity theft over the next five years

• In addition to returns flagged by the IRS, the IG identified approximately 1.5 million additional undetected tax returns with potentially fraudulent tax refunds totaling in excess of $5.2 billion

• Of the approximately 1.5 million tax returns the IG identified, 1.2 million (82 percent) used direct deposit to obtain tax refunds totaling approximately $4.5 billion


Findings

• IG found that the IRS was not in compliance with direct deposit regulations that require tax refunds to be deposited to an account only in the name of the individual listed on the tax return

• Deposits to debit card accounts are being used by identity thieves committing tax return filing fraud

• Investigators working the Tampa scheme identified that most of the fraudulent tax refunds were direct deposited to a debit card account


Findings

• The number of fraudulent tax returns filed by prisoners and identified by the Internal Revenue Service has increased from more than 18,000 tax returns in Calendar Year 2004 to more than 91,000 tax returns in Calendar Year 2010

• The refunds claimed on these tax returns increased from $68 million to $757 million

• Although the IRS prevented the issuance of $722 million in fraudulent tax refunds during Calendar Year 2010, it released more than $35 million

• The prisoner file supplied to the IRS is incomplete and inaccurate


Recommendations

• IG recommendation #5 – the IRS should coordinate with responsible Federal agencies and banking institutions to develop a process to ensure that tax refunds issued via direct deposit to either a bank account or a debit card account are made only to an account in the taxpayer‟s name

• IG recommendation #6 - limit the number of tax refunds issued via direct deposit to the same bank account or debit card account in an attempt to reduce the potential for fraud


Recommendations

• “Secret” recommendation #7 – Develop processes to identify and quantify direct deposits of tax refunds to accounts associated with a debit card as well as the ability to associate tax refunds deposited to a debit card to a specific tax account

• Recommendation #8 - Work with the Department of the Treasury to ensure financial institutions and debit card administration companies authenticate the identity of individuals purchasing a debit card. Furthermore, prevent the direct deposit of tax refunds to debit cards issued or administered by financial institutions and debit card administration companies that do not take reasonable steps to authenticate individuals‟ identities.

• Implementation Dates – October 15, 2013


Social Security Administration

Office of the Inspector General

• Controls over the Enrollment Process with the Direct Express® Debit Card Program (Limited Distribution)(A-15-12-21273)

• Direct Deposit Changes Initiated Through Financial Institutions and the Social Security Administration‟s Internet and Automated 800-Number Applications (Limited Distribution) (A-14-12-21271)




• Direct Express

– In May 2011, the IG began receiving multiple

allegations that Social Security benefits were being

improperly diverted to Direct Express

– Comerica subsequently alerted the IG to fraudulent

activity it detected regarding Social Security benefits

– The IG initiated five audits to evaluate controls in

place at various points in the direct deposit process

and identify vulnerabilities




• Direct Express – The IG review demonstrated that one or more individuals

successfully enrolled beneficiaries in the Direct Express program and/or changed their direct deposit information without the beneficiaries‟ knowledge

– As Treasury requires that beneficiaries receive their benefit payments through direct deposit or Direct Express, it is likely that the number of SSA beneficiaries whose payments are vulnerable to fraud will increase

– To prevent fraudulent changes to a beneficiary‟s account in the future, the IG recommend that SSA work with Treasury and Comerica to enhance the authentication process between the parties for the Direct Express card




• Direct Deposit – In October 2011, the IG began tracking allegations that indicated

individuals other than the beneficiaries or their representatives had redirected benefit payments from the beneficiaries‟ bank accounts to accounts the individuals controlled

– As of August 31, 2012, the IG had received over 19,000 reports concerning direct deposit changes to an SSA beneficiary‟s record

– These reports involved either an unauthorized change or a suspected attempt to make an unauthorized change

– Based on these allegations, the IG initiated audits to evaluate controls in the direct deposit process and identify vulnerabilities




• Direct Deposit – When the IG asked 29 beneficiaries who did not authorize the

direct deposit changes how someone might have gained access to their private information to make a change, the results were as follows:

• Thirteen beneficiaries reported they were told they had won a lottery, but they needed to provide some private information before they could receive their prize.

• Three beneficiaries said they provided their private information to someone claiming to be an official from a Government agency or someone they knew

• Two beneficiaries reported their wallets or credit cards had been lost or stolen

• Eleven beneficiaries reported they were unsure how someone might have acquired their private information.




• Direct Deposit – Of the 29 beneficiaries in the IG sample with misdirected benefit

payments, the suspicious direct deposit changes for 19 beneficiaries originated at FIs through the ENR process, for 9 beneficiaries the direct deposit change originated through SSA‟s Direct Deposit automated 800-number application with knowledge-based authentication, and for 1 beneficiary the direct deposit change originated through the Agency‟s Direct Deposit Internet application

– For the 19 beneficiaries with changes originating at FIs, the IG determined that changes for 9 beneficiaries redirected benefits to prepaid debit cards and changes for the remaining 10 beneficiaries redirected benefits to accounts it could not identify as prepaid debit cards




• Direct Deposit – The IG determined that the controls over direct deposit changes

originating through FIs or the Agency‟s Direct Deposit Internet and automated 800-number applications did not ensure all changes were authorized

– Based on beneficiary interviews, data analysis, and the IG review of systems documentation, the IG identified instances of unauthorized account changes and weaknesses in SSA and FI‟s authentication or identity verification processes

– The IG made 9 confidential recommendations, 8 of which the SSA agreed with


Financial Management Services

Regulations


Deposit of Federal Benefits to Prepaid

Cards

• Treasury FMS issued an Interim Final Rule effective January 21, 2011, to allow Federal payments to be delivered to prepaid debit card or similar card accounts meeting certain consumer protection requirements

• The NBPCA submitted comments on the IFR, but, to date, no final rule has been issued

• FMS regulations have long provided that Federal payments made by ACH had to be deposited into an account „„in the name of the recipient‟‟ – the payment recipient‟s name must appear in the account title

• With the use of pooled accounts in prepaid, it was not clear that prepaid cards could meet this requirement



Cards

• Under the IFR, a Federal payment may be deposited to an account accessed by the recipient through a prepaid card that meets the following requirements: – The account is held at an insured financial institution;

– The account is set up to meet the requirements for pass-through deposit or share insurance such that the funds accessible through the card are insured for the benefit of the recipient by the Federal Deposit Insurance Corporation or the National Credit Union Share Insurance Fund in accordance with applicable law (12 CFR part 330 or 12 CFR part 745);

– The account is not attached to a line of credit or loan agreement under which repayment from the account is triggered upon delivery of the Federal payments; and

– The issuer of the card complies with all of the requirements, and provides the holder of the card with all of the consumer protections, that apply to a payroll card account under the rules implementing the Electronic Fund Transfer Act, as amended



Cards

• No person or entity may issue a prepaid

card that receives Federal payments in

violation of the IFR, and no financial

institution may maintain an account for or

on behalf of an issuer of a prepaid card

that receives Federal payments if the

issuer violates the IFR


Erroneous/Unauthorized ENRs

• 31 C.F.R. Part 210 addresses the Federal Government's participation in the ACH system

• 31 C.F.R. Sec. 210.4(a) provides: – "(1) The agency or the RDFI that accepts the recipient‟s

authorization [for example, an ENR entry] shall verify the identity of the recipient and, in the case of a written authorization requiring the recipient‟s signature, the validity of the recipient‟s signature.

– (2) Unless authorized in writing, or similarly authenticated, by an agency, no person or entity shall initiate or transmit a debit entry to that agency, other than a reversal of a credit entry previously sent to the agency."


Erroneous/Unauthorized ENRs

• Under 31 C.F.R. Sec. 210.8(2), a financial institution that accepts an authorization in violation of § 210.4(a) is liable to the Federal Government for all credits or debits made in reliance on the authorization

• A financial institution that transmits to an agency an authorization containing an incorrect account number is liable to the Federal Government for any resulting loss, up to the amount of the payment(s) made on the basis of the incorrect number

• If an agency determines, after appropriate investigation, that a loss has occurred because the financial institution transmitted an authorization or notification of change containing an incorrect account number, the benefits paying agency may instruct the Financial Management Service to direct a Federal Reserve Bank to debit the financial institution's account for the amount of the payments made on the basis of the incorrect number

• The agency must notify the financial institution of the results of its investigation and provide the financial institution with a reasonable opportunity to respond before initiating such a debit.


Identity Theft and Tax Fraud Prevention

Act - S3432


S 3432

• The bipartisan bill is intended to reduce the incidence of fraudulent tax returns by protecting SSNs from disclosure and providing new protections for identity theft victims

• Section 8 of the bill would require the U.S. Comptroller General to conduct a study within one year that examines the role of prepaid debit cards and commercial tax preparation software in facilitating fraudulent tax returns through identity theft – The report must be submitted to the Senate Finance and the House

Ways and Means committees, together with any recommendations

– The bill does not identify the specific concerns that the Senators have with prepaid cards utilized with tax returns

• The bill also requires a study by the U.S. Treasury on information sharing barriers to deterring tax fraud through identity theft


FACTA ID Theft Red Flags Rule



• The rule requires many businesses and organizations to implement and adopt written identity theft prevention programs to detect the warning signs - or "red flags"- of identity theft in their day-to-day operations, take steps to prevent the crime of identity theft, and mitigate the damage identity theft inflicts

• The rule only applies to "financial institutions" and "creditors." – "Financial institutions" are banks, savings and loans, credit

unions, and other entities that maintain consumer transaction accounts



• A transaction account is a deposit or other

account from which the owner makes payments

or transfers

• Transaction accounts include checking

accounts, negotiable order of withdrawal

accounts, savings deposits subject to automatic

transfers, and share draft accounts

– Are GPR cards covered?



• The rule requires that the written program include four basic elements – The program must include reasonable policies and

procedures to identify "red flags" of identity theft

– The program must be designed to detect the red flags you‟ve identified

– The program must spell out appropriate actions you will take when you detect red flags

– Because identity theft is an ever-changing threat, you must address how you will re-evaluate the program periodically to reflect new risks from ID theft



• Although there are no criminal penalties for failing to comply with the rule, financial institutions and creditors may be liable for civil monetary penalties – What will the CFPB do?

• Under the FAQs, there is no private right of action for a violation of FACTA

• Other than in Alabama, courts have generally refused to impose liability on an FI to a victim of ID theft where the FI established accounts in the name of the victim through the actions of a fraudster


FinCEN CIP Rule


FinCEN

• 31 CFR

103.121 sets forth the rule regarding

customer identification programs for FIs

• The regulation defines an account as “a formal

banking relationship established to provide or

engage in services, dealings, or other financial

transactions including a deposit account, a

transaction or asset account, a credit account, or

other extension of credit”


FinCEN

• The CIP must include risk-based

procedures for verifying the identity of

each customer to the extent reasonable

and practicable

• The procedures must enable the bank to

form a reasonable belief that it knows the

true identity of each customer


FinCEN

• These procedures must be based on the bank's assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank's size, location, and customer base

• The CIP must contain procedures for verifying the identity of the customer, using information obtained, within a reasonable time after the account is opened

• At what point does establishing prepaid card accounts for fraudsters indicate that the FIs CIP is inadequate? Will regulators take action?

• Courts have held that there is no private right of action for BSA violations


Questions?

Date post:	06-May-2015
Category:	Technology
Upload:	rachel-hamilton
View:	460 times
Download:	0 times

Prepaid Card Compliance - Conference Materials

Technology