
Thursday, July 27, 2023

Payment App Fraud on Servicemembers

QUESTION 

We make loans exclusively to servicemembers. In our recent banking department audit, we were told we do not have sufficient protection to avoid fraud in our payment app. This app was launched a couple of years ago, and we did not think there was a problem. 

Until, that is, the CFPB contacted us about getting a consumer complaint about it. We found out that a group of fraudsters had copied the way our payment app looks and acts, which caused servicemembers to be lured into fraudulent transactions. 

The result of that complaint was a big update to the payment app, adding a lot of additional consumer requirements to do transactions. We constantly monitor the payment app and have updated our monitoring and testing procedures. 

We still don't know the extent to which the complaint affected our business. Being a lender to servicemembers, we want to ensure that our payment app is fully capable of ferreting out fraud. We hope you can provide some insight into how payment apps cause fraudulent transactions. 

What challenges do servicemembers face due to fraud caused by payment apps? 

How can we ensure that our digital payment app protects servicemembers from fraud? 

ANSWER 

There has been a steady increase in the use of digital payment applications ("app(s)") in the servicemember community. The Consumer Financial Protection Bureau (CFPB) has been very active in protecting servicemembers from fraudulent transactions caused by digital payment apps.[i] 

Servicemembers have unique financial risks associated with these services with respect to potential abuse from bad actors. Some servicemembers have also complained that they have incurred serious financial harm from scams and fraud when using these services, and their complaints suggest digital payment app providers often fail to provide timely and substantive resolutions. 

Payment apps allow a consumer to send money to another person without needing to write a check, swipe a physical card, or exchange cash. Depending on the provider, a payment app transfer can be initiated from a consumer's online bank account portal, prepaid account portal, or mobile app. 

The onset of the COVID-19 pandemic in the spring of 2020 led to a significant increase in the adoption and usage of payment apps (both bank and nonbank). According to an analysis of data collected in the 2019 and 2020 Federal Reserve payment study, the number of accounts with first-time payment app activity surged by almost 18% from the first quarter to the second quarter of 2020; the number of accounts with activity similarly rose at a high rate of 12.4% over the same period. 

Consumer Complaints

In 2022, of all the complaints submitted to the CFPB regarding payment apps, the most common complaints were fraud-related. Other federal agencies have reported similar growth, particularly between 2018 and 2021. Additional research using internal banking data has shown that fraud is a growing problem in this market that often leaves the consumer with little or no recourse. 

One common type of fraud is induced fraud. You may not have heard this term before, but it is a popular play used by fraudsters. "Induced fraud" occurs when a consumer is tricked into sending money to a fraudster or otherwise unwittingly facilitating a transaction, generally because the fraudster misrepresents their identity. 

Unauthorized transfers are also a growing issue seen in CFPB complaints. This type of transaction can occur when the user's payment app account is accessed without their permission, and money is transferred out. Sometimes unauthorized transfers result from a consumer being tricked into providing their login credentials or their credentials being taken fraudulently. 

Servicemembers, veterans, and their families have submitted more than 323,000 consumer complaints since the CFPB opened its doors in 2011. In 2022, they submitted more than 1,100 complaints about digital payment apps, which makes this one of the fastest-growing complaint types submitted to the CFPB. Many reported issues and complaints about digital payment apps relate to frauds and scams, suggesting it is a rapidly growing financial threat to military families. 

Financial Risks to Servicemembers

The financial risks to servicemembers and their families who use digital payment apps are considerable. Here are the top three that the CFPB has identified. 

1.   Serious financial harm from fraud and scams when using digital payment apps. 

During a permanent change of duty station, servicemembers often face the need to secure housing, a new automobile, or daycare during a short window, which usually requires them to conduct more online transactions using digital payment apps. Servicemembers' complaints concerned being scammed online using payment apps, which affected their overall financial stability; indeed, such consequences may impact servicemembers' ability to continue service or keep a security clearance. 

2.   Identity theft and unauthorized account access. 

Servicemembers' steady income may make them a target for identity thieves looking to tap into bank accounts often linked to a digital payment app. The CFPB has received complaints about servicemembers having their identities stolen, followed by unauthorized money transfers from their digital payment app accounts. 

3.   Digital payment app providers fail to provide timely and substantive resolutions to servicemember complaints. 

Complaints indicate that servicemembers and veterans who lost money due to unauthorized transfers still struggle to get their money back due to digital payment app providers failing to provide timely and substantive resolutions. 

Financial Protection for Servicemembers

Protecting servicemembers from fraudulent transactions involving payment apps takes several forms. 

·     Improve the safety and security of your networks to prevent fraud. 

As a provider of a digital payment app, you can improve the overall safety and security of this app by investing in privacy and security technology and by preventing, identifying, and limiting fraudulent activity, including detecting and removing repeat offenders from your systems. 

·     Improve responsiveness if fraud does occur. 

When fraud involves multiple entities, financial institutions and digital payment app providers should coordinate more closely to resolve fraud-related problems quickly. By helping to expedite the process, they can help reduce the time that someone must wait to access locked funds or to reclaim funds. For military families, accessing these funds can be particularly critical during a permanent change of station or deployment. 

·     Customize refund policies for fraud losses that recognize the unique experiences of military families. 

Servicemembers experiencing fraud on digital payment apps may be unable to recognize or respond to fraud quickly. Digital payment app providers should identify these challenges and take a comprehensive approach to reimbursement when all types of fraud occur.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] Office of Servicemember Affairs Annual Report, January-December 2022, Issued June 2023, Consumer Financial Protection Bureau

Thursday, July 20, 2023

Counteroffer or Adverse Action: Timing Requirements

QUESTION 

I am in the underwriting department and have a question about notifying the borrower about our decision to approve or adverse their loan. 

We provide an approval, counteroffer, or we adverse the loan. We underwriters here have a system that does not correctly differentiate the notification timing for counteroffers versus adverse action. But I believe counteroffers get additional time on notifications. 

I think this also has to do with how we define a counteroffer and adverse action. Our system works with a set of rules, and I think the rules are incorrectly defined. So, here are my questions. 

What are the notification requirements for our decision to approve, counteroffer, or adverse a loan? 

What is a “counteroffer?” 

What is “adverse action?” 

ANSWER 

Creditors are subject to specific notification requirements under the Equal Credit Opportunity Act (ECOA) in connection with credit applications, with the notice requirements varying based on the action taken by the creditor and whether the application is for consumer credit or business credit. 

Under the ECOA, there are four notification timing requirements for consumer credit. 

1.    Thirty (30) days after receiving a completed application concerning the creditor’s approval of, counteroffer to, or adverse action on the application; 

2.    Thirty (30) days after taking adverse action on an incomplete application, unless an incomplete application notice is provided under procedures specified in Regulation B, the implementing regulation of the ECOA [see section 202.9(c)]; 

3.    Thirty (30) days after taking adverse action on an existing account; or 

4.    Ninety (90) days after notifying the applicant of a counteroffer if the applicant does not expressly accept or use the credit offered.[i] 

With respect to defining a “counteroffer,” it refers to when a creditor offers to grant credit in a different amount or on other terms than the amount or terms requested by the applicant.[ii] 

You might want to know that, pursuant to the ECOA, a counteroffer need not be held open for any particular length of time.[iii] 

Defining adverse action is a bit tricky, so I will provide what it means and doesn’t mean. 

What does “adverse action” mean: 

1.    A refusal to grant credit in substantially the amount or on substantially the terms requested in an application unless the creditor makes a counteroffer and the applicant uses or expressly accepts the credit offered; 

2.    A termination of an account or an unfavorable change in the terms of an account that does not affect all or substantially all of a class of the creditor’s accounts; or 

3.    A refusal to increase the amount of credit available to an applicant who has applied for an increase.[iv] 

What “adverse action” does not include: 

1.    A change in the terms of an account expressly agreed to by an applicant; 

2.    Any action or forbearance relating to an account taken in connection with inactivity, default, or delinquency as to that account; 

3.    A refusal or failure to authorize an account transaction at the point of sale or loan, except when the refusal is a termination or an unfavorable change in the terms of an account that does not affect all or substantially all of a class of the creditor’s accounts, or when the refusal is a denial of an application for an increase in the amount of credit available under the account; 

4.    A refusal to extend credit because applicable law prohibits the creditor from extending the credit requested; or 

5.    A refusal to extend credit because the creditor does not offer the type of credit or credit plan requested.[v] 

Finally, there is the matter of determining when a notification occurs. Notification occurs when a creditor delivers or mails a notice to the applicant’s last known address or, in the case of an oral notification, when the creditor communicates the credit decision to the applicant.[vi] 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 12 CFR § 202.9(a)

[ii] 12 CFR § 202.2(c)(1)

[iii] 12 CFR, Supplement I to Part 202 – Official Staff Interpretations § 202.9(a)(1)-5

[iv] 12 CFR § 202.2(c)(1)

[v] 12 CFR § 202.2(c)(2)

[vi] 12 CFR, Supplement I to Part 202 – Official Staff Interpretations § 202.9-3

Thursday, July 13, 2023

AML Compliance: Violations Bait and Land Mines

QUESTION 

I am updating our Anti-Money Laundering Program. It was last updated three years ago. We had an AML test last year, and the report showed problems with the written program, yet we did not update it even then. This delay has happened because of staff turnover. 

My concern is what areas I should emphasize in this new update. I would like to know what kinds of issues and challenges are critical, so I can identify them in the program and provide procedures for resolving them. Since your firm is known for conducting AML tests for mortgage companies, I thought you would list important AML issues. 

What challenges do you see occurring in your AML audit tests? 

ANSWER 

If you do not review your Anti-Money Laundering Program (Program) for updates, as needed, and at least annually, you are not complying with Bank Secrecy Act (BSA) guidelines. You are violating the applicable statute if you are not conducting an Anti-Money Laundering (AML) test annually, and in no case later than eighteen months after the previous test. 

If you are not implementing AML training annually, including, when needed, for new hires, you have caused a statutory violation. 

And, if you do not have a responsible, designated, and ratified AML Officer, you have not complied with the BSA mandates. 

The Program is the written structure on which the four pillars of AML compliance rest. Those pillars are (1) ratifying the Program itself, (2) establishing an AML Officer, (3) conducting the AML test, and (4) implementing AML training. 

Lenders Compliance Group was the first compliance firm in the country to provide AML audit tests for Residential Mortgage Lenders and Originators (RMLOs), the specific term used in the BSA. RMLOs were required to develop and implement a Program and begin filing Suspicious Activity Reports (SARs) by August 13, 2012. If you want LCG to conduct an AML test or provide other AML Compliance support, please contact us. 

The test may be conducted internally, following FinCEN guidelines, or by an external auditor entirely independent of the AML Officer. If the findings report recommends that you go further by conducting an AML Risk Assessment, do it. 

In using the term RMLOs, I am referring to two types of entities that are considered loan or finance companies: the mortgage lender, the entity that is explicitly stated in the note as being the initial payee in connection with a mortgage transaction, and the mortgage originator, the party that accepts a mortgage loan application or offers or negotiates the terms of a residential mortgage loan. 

Each RMLO must adopt a policy and procedure for AML compliance in recognition of its obligations under BSA, other related money laundering regulations, the Financial Crimes Enforcement Network requirements, and federal and state licensing agencies. 

Failing to revise policies and procedures pursuant to a competent AML test may put your firm at considerable regulatory risk. The audit results must be reported to the audit committee of the RMLO's management and the BSA/AML Officer. It is the responsibility of the AML Officer to take appropriate action to correct any problems found as a result of the audit and promptly respond to the RMLO's audit committee or appropriate senior management. 

Crooks and bandits continue changing tactics, and your organization must adjust your AML program accordingly. Several "land mines" can be anticipated in BSA/AML examinations. 

We keep a record of evolving money laundering schemes. At this point, our due diligence auditors avail themselves of an extensive database that keeps us alert to the nefarious money laundering tactics the crooks have developed and, unfortunately, continue to develop. 

I will provide several actions and non-actions – what some organizations do or don't do – that trigger regulatory violations. My focus is on RMLOs. 

Violations Bait and Land Mines 

1.     314(a) searches aren't completed promptly. RMLOs should make certain that the USA PATRIOT Act contacts listed in their online profiles are current and that they certify these profiles when contacts are updated. Moreover, companies must ensure that their policies and procedures name a point of contact. 

They should also provide the following: 

 a.     steps for when the primary contact is unavailable; 

 b.     ways to ensure information confidentiality; 

 c.     how to respond to FinCEN requests; 

 d.     how to determine if and when to file a SAR; and 

 e.     the process for independent testing of 314(a) compliance. 

2.     Inadequate AML training for appropriate personnel. Board members and the AML Officer do not always receive the appropriate BSA/AML training for their roles. A related failure is not educating staff on illicit financial activities, which is needed to keep members safe and the organization compliant. We believe financial institutions should train new staff as soon as possible. 

To prevent staff-related issues, AML functions and responsibilities should encompass adequate resources, a sufficient level of aggregate AML expertise, and an appropriate allocation of time to AML tasks. 

3.     An AML Officer must be designated to own the system and ensure that processes are followed and updated, reports are filed, training is robust, and the entire system is running effectively. The board should grant the AML Officer the duties and authority to implement AML processes and policies. 

4.     AML training should include examples of money laundering and suspicious activity monitoring relevant to each operational area. This training also should provide officials with a sufficient understanding of the institution's risk profile and BSA/AML regulatory requirements. 

Additionally, companies must document all training, including the following: 

 a.     testing materials; 

 b.     attendance records; 

 c.     employees that fail to participate; and 

 d.     corrective actions taken concerning employees who fail to attend training. 

5.     A lack of independent testing. Avoid utilizing in-house staff that does not satisfy the "qualified" and "independent" criteria for independent testing. If staff is not qualified and independent, the work product is worthless and will likely be rejected by regulators. Not using an external resource to conduct the independent review causes delays in the required testing. 

6.     No written and approved Program. BSA/AML compliance programs must be in writing, approved by the board, and documented in board meeting minutes. It should be comprehensive. Off-the-shelf AML policies are notoriously defective. 

Additionally, the Program must set forth requirements for internal controls, independent testing, a designated AML Officer, training for appropriate personnel, member due diligence, and customer identification data. AML policies and procedures should be documented, comprehensive, consistent with best practices, approved by stakeholders, and regularly updated. 

7.     Stay alert to sanctions issued by the Office of Foreign Assets Control (OFAC). To be compliant with OFAC-governed sanctions regulations, your firm must ensure it is not engaging in trade or transaction activities that violate the rules behind OFAC's country-based sanctions programs or engaging in trade or transaction activities with sanctions targets named on OFAC's list of Specially Designated Nationals and Blocked Persons. 

The linkage to AML compliance requires an organization's policies and procedures to address aspects of OFAC compliance and controls, including customer onboarding, screening, and even specialized training. 

Customer Identification Program (CIP) requirements should be applied to all customers opening a new account as that term is defined in the Bank Secrecy Act and implementing regulations. The CIP must include procedures for making and maintaining a record of all information obtained to verify a customer's identity. At a minimum, the record must include all the identifying information gathered by the firm about a customer. 

8.     Noncompliant SARs. SARs are not filed within 30 or 60 days and are not complete or accurate, particularly the SAR narratives. A related failure is not promptly detecting, escalating, investigating, and filing SARs. Include appropriate risk-based procedures for conducting ongoing customer due diligence, including (i) understanding the nature and purpose of customer relationships to develop a customer risk profile and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. 

9.     Know Your Customer (KYC) practices do not clearly define and align with customer attributes and risks (i.e., customer identification programs, customer due diligence, enhanced due diligence, and special circumstances due diligence). 

10.  Certain loan products pose a higher risk of criminal activity than others and attract money laundering criminality. You must document processes for monitoring your high-risk products and services for potential money-laundering activity. A "best practice" is to ensure that the AML Officer and compliance department are part of product plans at your institution.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, July 6, 2023

Appraiser Selection and Independence

QUESTION 

We had a problem recently with one of our appraisers. Long story short, he had a criminal background that we did not know about. We found out about it when he got caught falsifying his evaluations by getting bribed by a loan officer. 

Both the appraiser and the loan officer were fired. As the one and only compliance manager in our company, it is up to me to revise our appraiser independence policy. I need to know how to select appraisers and how to manage our appraiser list. 

What criteria should I use to select appraisers? 

How do I manage the appraiser list? 

ANSWER 

Don't be too hard on yourself. You might have a decent appraiser independence policy; however, people who are set on committing crimes will tend to ignore your standards and do whatever they can to defeat your protective systems. 

This is why it is not sufficient just to have a good appraiser independence policy. You must monitor it and conduct risk assessments. We offer the AIR Tune-up to give you the feedback you need about Appraiser Independence Requirements. Contact us and we'll send you information about it. 

An institution's collateral valuation program should establish criteria to select, evaluate, and monitor the performance of appraisers and persons who perform evaluations. 

The criteria should ensure that: 

·     The person selected possesses the requisite education, expertise, and experience to complete the assignment competently; 

·     The institution periodically reviews the work performed by appraisers and persons providing evaluation services; 

·     The person selected is capable of rendering an unbiased opinion; and 

·     The person selected is independent and has no direct, indirect, or prospective interest, financial or otherwise, in the property or the transaction. 

The appraiser selected to perform an appraisal must hold the appropriate state certification or license at the time of the assignment. 

Importantly, persons who perform evaluations should possess the appropriate appraisal or collateral valuation education, expertise, and experience relevant to the type of property being valued. Such persons may include appraisers, real estate lending professionals, agricultural extension agents, or foresters.[i] 

An institution or its agent must directly select and engage appraisers. The only exception to this requirement is that the Agencies' appraisal regulations allow an institution to use an appraisal prepared for another financial services institution, provided certain conditions are met. 

An institution or its agents also should directly select and engage persons who perform evaluations. Independence is compromised when a borrower recommends an appraiser or a person to perform an evaluation. 

Independence is also compromised when loan production staff selects a person to perform an appraisal or evaluation for a specific transaction. For certain transactions, an institution also must comply with the provisions addressing valuation independence in Regulation Z (Truth in Lending Act).[ii] 

An institution's selection process should also ensure that a qualified, competent, and independent person is selected for a valuation assignment. An institution should maintain documentation to demonstrate that the appraiser or person performing an evaluation is competent, independent, and has the relevant experience and knowledge for the market, location, and type of real property being valued. 

Furthermore, the person who selects or oversees the selection of appraisers or persons providing evaluation services should be independent from the loan production area. 

Your institution should prohibit the use of borrower-ordered or borrower-provided appraisals, as this would violate the Agencies' appraisal regulations. However, a borrower can inform an institution that a current appraisal exists, and the institution may request it directly from the other financial services institution. 

With respect to managing the approved appraiser list, if an institution establishes an approved appraiser list for selecting an appraiser for a particular assignment, it should have appropriate procedures for the development and administration of the list. 

These procedures should include a process for qualifying an appraiser for initial placement on the list and periodic monitoring of the appraiser's performance and credentials to assess whether to retain the appraiser on the list. 

There should be periodic internal reviews of the approved appraiser list to confirm that appropriate procedures and controls exist to ensure independence in the list's development, administration, and maintenance. 

For residential transactions, loan production staff can use a revolving, pre-approved appraiser list, provided the development and maintenance of the list are not under their control. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Although not required, an institution may use state certified or licensed appraisers to perform evaluations. Institutions should refer to USPAP Advisory Opinion 13 for guidance on appraisers performing evaluations of real property collateral.

[ii] See 12 CFR § 1026.42