LENDERS COMPLIANCE GROUP®

AARMR | ABA | ACAMS | ALTA | ARMCP | IAPP | IIA | MBA | MERSCORP | MISMO | NAMB


Tuesday, November 18, 2025

AI Credit Score Underwriting

QUESTION 

Thank you for your recent columns on artificial intelligence in mortgage banking. I want to know how to handle credit scores using AI. I am the SVP Operations of a large wholesale lender. We want to include AI in our underwriting. In particular, we want to use it to evaluate a borrower's creditworthiness. However, our legal department has advised us that there are huge privacy issues. 

We do not want to be dependent on the credit reporting agencies for AI information. And we do not want to outsource AI in our credit score underwriting. The AI evaluation methods we discussed with legal have been shut down due to potential privacy violations. 

What are the privacy risks in using AI to determine a borrower's credit score? 

COMPLIANCE SOLUTION 

AI Policy Program for Mortgage Banking 

A well-constructed AI Policy Program is a proactive means designed to avoid and mitigate risks associated with Artificial Intelligence (AI). AI risk management is a key component of responsible development and use of AI systems. Responsible AI practices can help align the decisions about AI system design, development, and use with intended aims and values.

RESPONSE 

The privacy challenges associated with artificial intelligence are enormous, and the risks will only become more and more difficult to mitigate. In our recently issued AI Policy Program for Mortgage Banking, we sought to provide a comprehensive policy framework for using AI in mortgage banking. Indeed, one of the policies in the Policy Program is titled "Artificial Intelligence Credit Underwriting Policy." 

If you need a policy framework for AI, please request information about our Policy Program. 

AI credit score underwriting is an uncharted legal and regulatory territory! 

You will find that most of your legal department's concerns about AI in mortgage lending involve the collection and potential misuse of vast amounts of sensitive personal data, heightened cybersecurity vulnerabilities, and a lack of transparency that can lead to a loss of consumer trust and potential regulatory non-compliance. 

Broadening this out, the privacy risk of AI in credit score underwriting stems from the extensive collection of sensitive, alternative data, the potential for unauthorized access and data breaches, and the difficulty in ensuring transparency and consumer control over how personal information is used. 

Whatever you do, you will need to be in lockstep with your legal advisors. This "territory" is dotted with legal minefields! Let's consider these risks. 

AI models require vast amounts of data, often going beyond traditional financial information to include "alternative data" such as geolocation, social media activity, online behavior, transaction histories, and even biometric data. The sheer volume and sensitive nature of this extensive data collection increase the overall risk to consumer privacy. 

Zero in on that data! It can be collected for one purpose but might be used for other, unforeseen purposes without the user's explicit consent. This lack of control over how personal data is processed raises significant privacy issues. From the legal perspective, this amounts to unauthorized use and repurposing. 

The large datasets used to train AI models are attractive targets for cyber attackers. Inadequate security measures or vulnerabilities in third-party vendor systems can lead to data breaches, exposing sensitive personal and financial information and increasing the risk of identity theft or fraud. Data security must be failsafe. 

AI algorithms can analyze seemingly innocuous data to infer highly personal attributes, such as health status, political views, or ethnic origin (a "predictive harm"). From a regulatory perspective, this risk arises from the inference of sensitive information. In other words, this capability to derive sensitive insights can lead to potential discrimination and privacy infringements. 

Complex AI algorithms can be difficult to explain, even for their developers, creating a Black Box where it is unclear exactly how a specific credit decision was reached. This opacity, its lack of transparency, deprives consumers of understanding why they were denied credit and of exercising their right to an explanation or an appeal. I have written here about the Black Box "model" or "problem". 

Do not assume that so-called "anonymized" data effectively mitigates risk. Even when data is "anonymized," AI can sometimes de-anonymize individuals by cross-referencing various data points, compromising individual privacy.

Thursday, September 11, 2025

Stablecoin Mortgage Payments

QUESTION 

I have been reading your articles about cryptocurrency and mortgage banking. Thank you for providing these articles. I have shared your website with many people, and I get the hard copy of your articles, which I use in our management meetings. 

I am a member of senior management and on the Board. We are a large lender and servicer in the northeast, with offices in almost all states. Recently, our servicing CFO asked the Board to consider accepting stablecoins for mortgage payments. Our attorneys gave us a demonstration of the various legal complexities. But I want a high-level outline, such as only you can do! 

You should know that most of the Board was not convinced that now is the time to adopt stablecoins (or any crypto) for mortgage payments. We have also been researching crypto-backed mortgages, which seems like a path some of us want to follow. I'm interested in your thoughts on allowing borrowers to make mortgage payments in stablecoin. Maybe, also, you could tell us what you think about crypto-backed mortgages. 

Should lenders accept stablecoin for mortgage payments? 

Are crypto-backed mortgages a better option? 

COMPLIANCE SOLUTION 

CMS Tune-up 

RESPONSE 

The idea of lenders accepting stablecoin for mortgage payments is emerging. Still, it is not a widespread practice and carries significant risks that have prevented adoption by most traditional financial institutions. Some Fintech companies, however, are exploring crypto-backed mortgages, which typically use stablecoins as collateral rather than for monthly payments. For traditional lenders, the risks involved generally outweigh the benefits. 

Please get in touch with me to discuss your plans. Legal risk is only one of several risk variables. We can help you develop rollout implementation strategies. The issues involved cover a wide range of variables, such as legal, regulatory, interest rate, liquidity, operational, market, compliance, reputational, strategic, and prepayment risks. Please view my response as a conversation starter. 

Here are some recent articles I have published on cryptocurrency vis-à-vis mortgage banking. 

·       GENIUS Act: Fool's Gold, 

·       GENIUS Act: Mortgage Banking Ambush, 

·       Cryptocurrency: Risks to Mortgage Banking, 

·       Cryptocurrency Dilemma, and 

·       Challenges of Cryptocurrency Compliance.  

Two types of lenders 

There are two types of lenders in crypto-related mortgage banking. These are: 

Traditional Lenders: Traditional financial institutions are highly regulated and cautious with cryptocurrencies. They typically require that any crypto used for mortgage transactions—including stablecoins—be liquidated into U.S. dollars and held in a verifiable bank account for a period of 30 to 120 days. 

Fintech Crypto Lenders: A niche market of Fintech firms that specialize in crypto-backed mortgages. These lenders offer loans secured by cryptocurrency collateral, often including major stablecoins. Borrowers pledge their crypto assets, and the lender issues the loan in fiat currency. 

Whether a lender should accept stablecoin payments depends on their risk tolerance, regulatory environment, and technological capabilities. 

·       For traditional banks, the regulatory and operational hurdles are high, and the risks often outweigh the potential benefits. Federal mortgage regulations and investor demands for stable, traditional assets reinforce their current cautious approach. 

·       For a niche Fintech lender, the calculation is different. By specializing in crypto-backed loans, they build the necessary infrastructure and accept the higher risks for a target demographic. 

For most borrowers, the most practical approach today is to convert stablecoins into cash well before applying for a mortgage through a traditional lender. As the regulatory landscape and market maturity evolve, acceptance of stablecoin mortgage payments may become more common.

Thursday, August 28, 2025

Mortgage Fraud: Basic Categories

QUESTION 

We are reviewing our branch and home office procedures for identifying mortgage fraud. As the Compliance Officer, I receive all allegations of mortgage fraud for review. However, I can't be at all the branches all the time, and I want to be able to categorize some basic areas related to mortgage fraud. 

Each branch has a Branch Manager who works with a senior underwriter to identify potential mortgage fraud. The senior underwriter conducts a second review, and the Branch Manager provides oversight. Even with the training we do, there is no standardization for a categorical approach. What I am looking for is a list of the most likely areas of mortgage fraud. We would like to distribute the list so that it can be used throughout the company. It will help us to set basic standards. 

What are some of the basic categories of mortgage fraud? 

COMPLIANCE SOLUTION 

QC Tune-up® 


Forensic Mortgage Audit®

RESPONSE 

Mortgage fraud prevention is an area in which we have extensive expertise. Indeed, we invented the Forensic Mortgage Audit®, which uses loan-level reviews to detect mortgage fraud. I've provided expert witness representation and given testimony in cases related to mortgage fraud. Our clients regularly discuss potential cases of it with us. We've written policies and procedures to prevent it. I've spoken about it at conferences and written extensively on the topic, for instance, here.

Here's my published article, with linked sections, entitled Mortgage Fraud Challenges: How to Catch a Crook. 

And I can tell you, based on my experience, crooks continue to find new ways to commit mortgage fraud all the time. To identify the means and methods of these crooks requires staying one step ahead of them – and, even then, they devise new plans to scam, deceive, rip off, con, double-deal, cheat, and skunk their way toward new contrivances of chicanery. 

For instance, request information about our Identity Theft Prevention Program – a program which, by the way, is a statutory requirement. Our policy provides an extensive list of the various nefarious methods by which thieves commit mortgage fraud. 

If you are a subscriber to our newsletters, we will be happy to provide our checklist of Common Red Flags for Mortgage Fraud. Just request it here! 

BASIC CATEGORIES

The basic features of mortgage fraud revolve around intentional deception or misrepresentation to obtain a mortgage loan or to profit from the lending process. 

If you're looking for a basic set of mortgage fraud categories, it is possible to group them into a few areas, with the proviso that this construct is a very high-level outline. The outline should not be taken as comprehensive. But if you want to offer it to the affected personnel, it might help to streamline the review process. 

I think you should still be notified that a mortgage fraud review is taking place, even if the second review clears it. Be aware of potential false positives! 

In my opinion, mortgage fraud can be categorized into fraud for housing, fraud against homeowners, and fraud for profit. Unfortunately, industry professionals are often involved in mortgage fraud activities in pursuit of profits. 

So, let's outline these categories. 

Fraud for Housing 

This illicit activity happens when a borrower provides false information to obtain or maintain ownership of a home in an illegal manner. They may misrepresent their financial standing to qualify for a loan they would not otherwise be able to get. 

Categories of Fraud For Housing 

Income and Employment Fraud 

Falsifying or inflating income, fabricating employment history, or creating forged documents like W-2s, tax returns, and bank statements to qualify for a larger loan or a better interest rate.

Monday, May 5, 2025

Common Red Flags in Money Laundering

QUESTION

I am the COO of a mid-sized lender in the Midwest. We have contacted your firm to do an Anti-Money Laundering Risk Assessment. One of the big issues we have is trying to identify the most common red flags. 

In streamlining our system AML reporting, we are using AI to determine common red flags. Unfortunately, AI is not able to provide real-world data. We need practical experience, which is why I would like you to let me know the kinds of common red flags you find in your audits. 

What are the common red flags for money laundering in mortgage banking? 

SOLUTIONS 

RESPONSE 

Since 2003, FinCEN has issued a number of analyses, reports, and advisories regarding emerging trends in mortgage fraud, money laundering, and terrorist financing activity involving residential mortgage loans. 

While FinCEN publishes a list of potential red flags, we often find that our list of activities that could trigger the filing of Suspicious Activity Reports continues to expand. At this point, we have hundreds of such findings. 

Thank you for retaining us to provide the AML Risk Assessment. 

Lenders Compliance Group was the first compliance firm in the country to provide AML audit tests to non-bank residential mortgage lenders and originators. Of course, we have also offered AML audits to banks involved in residential mortgage banking for many years. 

So, by this point, we have rock-solid indicia and identifiers that help us review for AML compliance. There are many common red flags. I am going to provide a half-dozen of them that keep turning up in our audits with the proviso that the list is not comprehensive. 

Activities considered red flags in mortgage banking include: 

(1) A loan secured by pledged assets held by a third party unrelated to the borrower. 

(2) A loan secured by deposits or other readily marketable assets, such as securities, when owned by apparently unrelated third parties. 

(3) A borrower defaults on a cash-secured loan or any loan that is secured by assets that are readily convertible into currency. 

(4) A loan made for, or paid on behalf of, a third party with no reasonable explanation. 

(5) A customer, to secure a loan, purchases a certificate of deposit using an unknown source of funds, particularly when funds are provided via currency or multiple monetary instruments. 

(6) A loan that lacks a legitimate business purpose, provides the depository institution with significant fees for assuming little or no risk, or tends to obscure the movement of funds (i.e., loans made to a borrower and immediately sold to an entity related to the borrower). 

It is important to ensure that your system solution requires the reporting of any activity that is suspected of violating a criminal statute. Additionally, the federal money laundering criminal statutes consider money laundering to be the handling of the proceeds of criminal activity, with mortgage fraud considered to be a predicate offense for the money laundering criminal statutes. Mortgage-related criminal activity is a specific predicate offense. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, June 20, 2024

Elder Theft and Elder Scams

QUESTION 

Our bank formed a group to prevent elder financial exploitation. Most of our clients are seniors and elderly, so we want to be sure our customers are protected from being exploited. They revised a number of screening procedures to catch fraud. They report directly to our Chief Compliance Officer. 

In the last year, we have seen a substantial increase in elder financial exploitation. What bothers me is that most of the crooks seem to get away with financially exploiting older people because we sometimes catch the crooks after the fraud happens. This means we are constantly revising the filters, and we are continually having to update our training. 

As a member of the group, I have been asked to contact you to help us further develop our policy and procedures involving the prevention of elder financial exploitation. In particular, we are interested in outlining the difference between Elder Theft and Elder Scams because we plan to separate the policy into those two primary parts. We have read your articles on elder financial exploitation and have heard you speak on this subject. We need some assistance in developing better filters. 

What is the difference between Elder Theft and Elder Scams? 

COMPLIANCE SOLUTIONS 

EFE TUNE-UP®

Elder Financial Exploitation - Prevention 

POLICIES AND PROCEDURES 

ANSWER 

I have published extensively on the financial abuse and scams referred to as Elder Financial Exploitation (EFE). My efforts have included numerous articles and published White Papers, lectures, and webinars, being a panelist in organizational conferences, and, of course, working with clients who needed to file a Suspicious Activity Report (SAR) or notify the FBI with respect to EFE concerns. 

Here are a few of my writings on this subject: 

Suspicious Activity and Elder Financial Abuse 

Elder Financial Abuse: Disclosure, Schemes, and “Red Flags” 

Elder Financial Exploitation 

Elder Financial Exploitation: Prevention and Filing SARs 

Elder Financial Abuse Epidemic 

Elder Financial Abuse: Prevention and Remedies (PDF) 

Elder Financial Abuse (PDF) 

The Articles section of our website has several articles that directly and indirectly relate to Elder Financial Exploitation. Use them to help build your policy and procedures document. 

My firm even provides a free checklist of Behavioral and Financial Red Flags – Elder Financial Abuse! Contact us for a copy! 

I will tell you straight out: EFE seems to keep happening relentlessly – and growing rapidly. 

My answer here is going to be in the form of a “preamble” to your policy. Consider using these preambles as a base for the further formulation of your policies and procedures relating to Elder Theft and Elder Scams. 

For many years, amid rampant fraud and abuse targeting older adults, FinCEN has urged financial institutions to detect, prevent, and report suspicious financial transactions. Every year since 2006, FinCEN has issued an advisory in support of World Elder Abuse Awareness Day[i], commemorated on June 15th. The statistics are not getting better. They are worsening. 

For instance, depository institutions filed 46,888 EFE-related BSA reports from March 2023 to May 2023, accounting for nearly 30 percent of the total EFE-related reports filed in the review period. This pace appears to be continuing, as FinCEN received an average of 15,993 EFE BSA reports per month between 15 June 2023 and 15 January 2024.[ii] You do the math! 

Before we get too far into my response, let me put down a working definition of EFE: 

Elder Financial Exploitation (EFE) is the illegal or improper use of an older adult’s funds, property, or assets. Older adults are typically considered individuals aged 60 or older. EFE consists of two primary subcategories: elder theft and elder scams. 

Elder theft consists of schemes involving the theft of an older adult’s assets, funds, or income by a trusted person. Elder scams involve the transfer of money to a stranger or imposter for a promised benefit or good that the older adult did not receive. EFE is one type of elder abuse, which includes physical, emotional, and financial abuse. Elder abuse and EFE definitions vary statutorily by state.[iii] 

Elder theft often occurs when persons known and trusted by older adults steal victim funds, while elder scams involve fraudsters with no known relationship to their victims. Indeed, some scammers are located outside the United States.[iv] Sadly, elder theft is likely to be underreported and can go undetected because the perpetrators are typically individuals whom the victim trusts.[v] 

FinCEN analysis of Bank Secrecy Act (BSA) information indicates that elder scams mostly rely on less sophisticated scam typologies. However, some scammers make their scams more complex by blending multiple scam types into one victimization and using victims both as a source of funds and to launder illicit gains.[vi] 

Scammers are often organized, with fraud rings ranging from small groups of individuals to organizations with hundreds of members. There are violent criminal organizations known to carry out fraud schemes, including EFE-related fraud. 

Unfortunately, perpetrators of EFE schemes often do not stop after first exploiting their victims. In both elder theft and elder scams, older adults are frequently re-victimized[vii] and subject to potentially further financial loss, isolation, and emotional or physical abuse long after the initial exploitation due to the significant illicit gains at stake. Scammers may also sell victims’ Personally Identifiable Information (PII) on the black market to other criminals who continue to target the victims using new and emerging scam typologies.[viii] 

ELDER THEFT 

Elder theft is so insidious because the family of the victim is often the perpetrator. Another form of elder theft is where a non-family caregiver financially abuses the relationship from a position of trust. In 2019, FinCEN analyzed SARs based on elder theft narratives.[ix] The analysis found that a family member was involved in the theft of assets from older adults in 46 percent of elder theft cases reported between 2013 and 2019. 

Who were these perpetrators? Family members, familiar associates, acquaintances such as neighbors, friends, financial services providers, business associates, or those in routine close proximity to the victims. 

Considerable studies have been undertaken by senior citizen organizations, FinCEN, DOJ, and many state governmental authorities to find a pattern to this criminality. It turns out elder theft often follows a similar methodology in which trusted persons may use deception, intimidation, and coercion against older adults in order to access, control, and misuse their finances. Criminals frequently exploit victims’ reliance on support and services and will take advantage of any cognitive and physical disabilities.[x] Environmental factors such as social isolation lead to elder theft. 

The criminal’s goal is to establish control over the victims’ accounts, assets, or identity.[xi] Here are just a few of the ways in which financial exploitation takes place. The elder may be financially abused by the exploitation of legal guardianships[xii] and power of attorney arrangements[xiii] or the use of fraudulent investments such as Ponzi schemes[xiv] to defraud older adults of their income and retirement savings. These relationships lead to repeated abuse, as the trusted person repeatedly abuses the victims by liquidating their savings and retirement accounts, stealing Social Security benefit checks and other income, transferring property and other assets, or maxing out credit cards in the name of the victims until most of their assets are stolen.[xv] 

ELDER SCAMS 

Criminals involved in elder scams defraud victims into sending payments and disclosing PII under false pretenses or for a promised benefit or good the victims will never receive. These scammers are often located outside of the United States and have no known previous relationship with the victims. 

Like Elder Theft, a pattern of criminality can be identified. Elder scams often follow a similar methodology in which scammers contact older adults under a fictitious persona via phone call, robocall, text message, email, mail, in-person communication, online dating apps and websites, or social media platforms. In order to appear legitimate and establish trust with older adults, scammers commonly impersonate government officials, law enforcement agencies, technical and customer support representatives, social media connections, or family, friends, and other trusted persons. 

There are several typical types of elder scams. To name but a few: 

·       Government Imposter Scams; 

·       Romance Scams;[xvi] 

·       Emergency or Person-in-Need Scams; 

·       Lottery and Sweepstakes Scams; 

·       Tech and Customer Support Scams. 

This set-up is a con that evokes stress in the victim. Perpetrators often create high-pressure situations by appealing to their victims’ emotions and taking advantage of their trust or by instilling fear to solicit payments and PII. This is, in effect, an Imposter Scam.[xvii] Scammers often request victims to make payments through wire transfers at money services businesses (MSBs) but are increasingly requesting payments via prepaid access cards, gift cards, money orders, tracked delivery of cash and high-valued personal items through the U.S. Postal Service, ATM deposits, cash pick-up at the victims’ houses, and convertible virtual currency (CVC).[xviii] 

Money Mules are a particularly deceitful way to trap victims into an elder scam.[xix] A money mule is a person who, wittingly or unwittingly, transfers or moves illicit funds at the direction of or on behalf of another, in this case, transfers or moves illicit funds at the direction of the scammers. The victim of an elder scam can also serve as a money mule: the scammer convinces the victim to set up a bank account or Limited Liability Corporation (LLC) in the victim’s name to receive, withdraw, deposit, or transfer multiple third-party payments from other victimized older adults to accounts controlled by the scammer under the illusion of a “business opportunity.” In some circumstances, victims of EFE acting as money mules may be prosecuted for this illegal activity and are liable for repaying the other victims. They may also be subject to damaged credit and further victimized through their stolen PII.[xx] 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] World Elder Abuse Awareness Day, Administration for Community Living, launched by the International Network for the Prevention of Elder Abuse and the World Health Organization at the United Nations.

[ii] Financial Trend Analysis, Elder Financial Exploitation: Threat Pattern & Trend Information, June 2022 to June 2023, April 2024, Financial Crimes Enforcement Network.

[iii] Memorandum on Financial Institution and Law Enforcement Efforts to Combat Elder Financial Exploitation, Consumer Financial Protection Bureau (CFPB) and FinCEN, August 30, 2017; see also, Elder Abuse and Elder Financial Exploitation Statutes, U.S. Department of Justice (DOJ).

[iv] Advisory on Elder Financial Exploitation, FinCEN Advisory, FIN-2022-A002, June 15, 2022

[v] Recovering from Elder Financial Exploitation, A Framework for Policy and Research, September 2022, Consumer Financial Protection Bureau

[vi] Phantom Hacker Scams Target Senior Citizens and Result in Victims Losing their Life Savings, Alert Number I-091223-PSA, September 29, 2023, Federal Bureau of Investigation Internet Crime Complaint Center

[vii] For additional information on re-victimization in EFE schemes, see Addressing the Challenge of Chronic Fraud Victimization, March 2021, FINRA Investor Education Foundation (FINRA Foundation), American Association of Retired Persons (AARP), and Heart+Mind Strategies.

[viii] List Brokerage Firm Pleads Guilty to Facilitating Elder Fraud Schemes, September 28, 2020, Department of Justice

[ix] Elders Face Increased Financial Threat from Domestic and Foreign Actors, December 2019, FinCEN Financial Trend Analysis

[x] Idem

[xi] Associate Deputy Attorney General Paul R. Perkins Delivers Remarks at the ABA/ABA Financial Crimes Enforcement Conference, December 9, 2020, Department of Justice

[xii] Court-Appointed Pennsylvania Guardian and Virginia Co-Conspirators Indicted for Stealing Over $1 Million from Elderly Wards, June 30, 2021, Department of Justice

[xiii] Franklin, Tennessee Couple Charged With Defrauding Elderly Widow of $1.7 Million, May 12, 2021, Department of Justice; and Former Waterloo Medicaid Provider Sentenced to More than Five Years in Federal Prison for Defrauding Elderly Victim, June 28, 2021, Department of Justice

[xiv] Arizona Man Sentenced for Multimillion-Dollar Nationwide Investment Fraud Scheme, March 15, 2021, Department of Justice

[xv] Annual Report to Congress on Department of Justice Activities to Combat Elder Fraud and Abuse, October 18, 2021, Department of Justice

[xvi] In Romance Gone Awry: A Tale of AML and Negligence, April 14, 2022, I outline litigation involving a Romance Scam. Visit https://mortgage-faqs.blogspot.com/2022/04/romance-gone-awry-tale-of-aml-and.html. See O’Rourke v. PNC Bank, 2022 Del. Super. (Del. Sup. Ct. February 15, 2022)

[xvii] The Federal Trade Commission provides extensive information about Imposter Scams. Visit its webpage How To Avoid Imposter Scams, https://consumer.ftc.gov/features/how-avoid-imposter-scams. See my articles, such as Imposter Robocalls, February 9, 2023, https://mortgage-faqs.blogspot.com/2023/02/imposter-robocalls.html and COVID-19: Imposters and Money Mules, August 6, 2020, https://mortgage-faqs.blogspot.com/2020/08/covid-19-imposters-and-money-mules.html.

[xviii] FBI Warns of a Grandparent Fraud Scheme Using Couriers, Alert Number I-072921-PSA, July 29, 2021, FBI; New Twist to Grandparent Scam: Mail Cash, December 3, 2018, Federal Trade Commission

[xix] See my article Op. cit. xvi COVID-19: Imposters and Money Mules.

[xx] The FBI maintains a website to increase public awareness of money mules. Visit Money Mules at https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/money-mules

Thursday, February 15, 2024

Money Mules: ID Theft and AML Compliance

QUESTION 

Our company is under investigation by the banking department and law enforcement for allowing "money mules" to use our financial services. They managed to use our mortgage and depository services. The crooks targeted people in nursing homes and hospice care facilities. 

The banking department is now determining if we properly implemented an Identity Theft Protection Program and Anti-Money Laundering Program. They're looking back at the procedures as well as the level of testing and training. Our CEO has told us that she expects an administrative action against us. 

We haven't updated our Identity Theft Protection Program and Red Flags Rule in years. We're reviewing it now. Well, better late than never! 

But we do the Anti-Money Laundering Program testing and training as required. The banking department is closely scrutinizing both written policies. Yesterday, we received a notice from FinCEN that they are investigating our SAR filings. 

The news fallout has been devastating. We have been in business for decades and have never had a hit to our reputation, let alone something as shocking as being an unwitting accessory to an identity theft and money-laundering scheme. There's not enough money in the world to reestablish trust! 

How do "money mules" operate? 

How do "money mules" exploit the stealing of identities? 

How do "money mules" undermine anti-money laundering procedures? 

ANSWER 

Your situation reminds me of a recent arrest in California involving money mules. The victims' money is often initially handled by "money mules," individuals who permit their addresses or bank accounts to be used or agree to receive or negotiate cashier's checks. In brief, a money mule moves money obtained illegally on behalf of another individual. Funds are transferred in person, digitally, or through mail or courier. 

I have discussed money mules previously. Here is one about how the COVID pandemic was used by criminals to bilk the public: COVID-19: Imposters and Money Mules. 

Money mules can be – but are not always! – aware they are involved in laundering money obtained illegally. The purpose of this illegal activity is to obscure the source of funds. They are a key element in the money laundering and identity theft process. 

Scheme 

With some variance and nuances here and there, the following are the steps to money mule schemes: 

Step 1: Criminal looking to launder money employs a money mule to layer illicit funds. 

Step 2: Criminal transfers the funds to the money mule in person or electronically. 

Step 3: Money mule either places[i] the money into the financial system or receives money that has already been integrated[ii] into the financial system. 

Step 4: Money mule uses a series of transfers and transactions to layer[iii] the money. 

Step 5: Money mule returns the layered funds to the criminal. 

In the case I have in mind,[iv] the FBI arrested money mules involved in scams that bilked grandparents. This is brutal, wicked, and heartless, of course, but crooks will do what crooks will do! A con is a con. A mark is a mark. As Hamlet observed, "one may smile, and smile, and be a villain!"[v] 

Two money mules were arrested and indicted for their scheme to launder at least $2 million in proceeds obtained from victims of grandparent scams who were defrauded with false claims that their relatives were in distress and urgently needed funds. 

The indictment detailed how perpetrators of grandparent scams convince victims to send money – purportedly to help relatives, frequently their grandchildren, who are typically described as being in legal trouble – "to bank accounts, business entities, and physical addresses specified by the scammers, using interstate wires and cashier's checks…for the supposed purpose of assisting the relatives in distress." 

One of the money mules is said to be a manager of money mules, and the other, thus recruited, recruited his own money mules. Federal prosecutors further assert that the manager created business entities and opened bank accounts using information stolen from identity theft victims. 

Once the money was in the accounts associated with the money mules or identity theft victims, the two money mules allegedly engaged in transactions designed to conceal the true nature of the funds, which, in this case, had been obtained via wire fraud. 

The indictment specifically alleges that the scheme laundered funds obtained from victims of grandparent scams who live in California and Pennsylvania. The bank fraud scheme alleged in the indictment involves fraudulently obtained funds held in suspense in an account set up in the name of an identity theft victim. 

The two money mules and a co-conspirator allegedly worked in concert to contact the bank and impersonate the identity theft victim to secure the issuance of a check for nearly $83,000 that was remaining in the account. 

As I noted above, money mules can be unwittingly involved in a money mule scam. That seems hard to believe. Investigators find that the trail usually ends with the money mule, who might not have realized that they are laundering money for crime gangs. Unfortunately, the process often depends on the unwitting money mule for its effectuation. The enforcement authorities have found at least three primary types of money mules: (1) unwitting, (2) witting, and (3) complicit. Here's a synopsis of each type. 

Types 

(1) Unwitting: Individuals who are unaware they are involved in criminal activity and engage in it thinking it's legal. They are often deceived into doing the activity for someone they believe to be an employer, acquaintance, perhaps a romance scammer, or somebody in a position of some trust. 

(2) Witting: Individuals who should be aware they are involved in suspicious activity but engage in it anyway. While they aren't fully aware of the extent to which they are involved in criminal activity, they typically ignore clear indicators that what they do is illegal or suspicious. 

(3) Complicit: Individuals who know they are involved in criminal activity yet still engage in it willfully. This type of money mule ranges from inexperienced individuals unaware of their involvement to experienced and adept fraudsters who run entire money mule rings. 

Identity Theft Prevention Program 

Beyond the legal ramifications of acting as a money mule,[vi] the people who serve as money mules may open themselves up to identity theft. All of their personally identifiable information ("PII") can be stolen by criminals, leading to the theft of their financial assets. Victims often wind up with drained accounts, damaged credit, and deprivation of medical treatment due to loss of cash liquidity. 

Stealing an individual's identity is a fraud committed or attempted using the identifying information of another person without authority.[vii] The "identifying information" of a victim is particularly onerous because such information means "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person."[viii] 

The Red Flags Rule ("Rule") goes back to 2007 under a section in the Fair and Accurate Credit Transaction Act (FACTA), which amended the Fair Credit Reporting Act (FCRA).[ix] The Rule was promulgated in 2010.[x] 

If you haven't reviewed your written Identity Theft Protection Program – which is statutorily required – it is a bit late now, given that the regulators are currently involved in an investigation. In compliance, it will not do to throw up your hands and declare, as you do, that it is "better late than never." Indeed, that phrase harks all the way back to Geoffrey Chaucer in the 14th century, who said, "For better than never is late; never to succeed would be too long a period."[xi] 

In compliance, virtually everything has a tail, a trace, a remnant, a vestige, some lingering scintilla of activity, a dash of evidence that cannot escape discovery at some point and in some way. Thus, "better late than never" is not functionally good enough in compliance. 

Pay attention to the second half of Chaucer's statement, "never to succeed would be too long a period." There are no viable exceptions to maintaining regulatory vigilance and, if there is a systemic or some other failure, to admitting the mistake and fixing it permanently. Regulators are sometimes sympathetic to companies that recognize and willingly fix mistakes. But be assured that most of the time, they will find out about the errors you prefer not to tell them about. To succeed in compliance, you must proactively review, monitor, test, train, and implement regulatory requirements. 

There are notorious correlations between money mules and identity theft. I have been discussing "traditional" money mules, but there are "synthetic identities" used by money mules. Synthetic identities are created using a discrete combination of PII to fabricate a person or entity. Given the availability of stolen data on the dark web, these identities are easy to create on a large scale. 

If you haven't reviewed your Identity Theft Prevention Program in some time, you are quite remiss, and, from a regulatory compliance perspective, you are not only opening yourself to regulator scrutiny but may also be recklessly endangering your customers. 

Anti-Money Laundering Program 

You asked, How do "money mules" undermine anti-money laundering procedures? In our Anti-Money Laundering test audits, we have noted weaknesses in screening for money mules. The results of our findings are provided in our Executive Summary, and we offer our work papers so that you can see how deep we have gone to evaluate your AML program. We provide recommendations to fix the weaknesses. 

Our reviews have uncovered many money mule schemes. However, catching the scams is a never-ending task because the crooks are remarkably inventive in finding ways to undercut even the best AML programs. 

There are telltale elements that might indicate a money mule has landed on your AML radar. We are always adding to our audit list as crooks invent new schemes and scams. You should do the same! These scams come up repeatedly in our AML test audits to the point that we consider them triggers for conducting an investigation to determine if a Suspicious Activity Report (SAR) should be filed with FinCEN[xii]. 

Our organization maintains a list of warning signs that a money mule may be making their way onto a client's AML radar. Our list contains elements provided by CISA[xiii], and we build on these elements continually. In our estimation, AML compliance must include, among other things, periodic testing, employee training, due diligence, transaction monitoring, Identity Theft Protection Program mandates, KYC and KYB[xiv] requirements, CIP[xv], OFAC[xvi], identity theft[xvii] "frozen credit" alerts, and historical SAR filings. 

An example of due diligence is conducting your own investigation. Money mules can contaminate PII. During an investigation, a client of ours discovered that a money mule group used fake websites and social media profiles to trick victims into providing their personal information. It then used that PII to open bank accounts, apply for mortgage loans, and set up cryptocurrency wallets. This criminal group then laundered the stolen funds through a network of money mules, who received and transferred the funds on behalf of the criminals.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Placement is where illegitimate funds are introduced to the legitimate financial system.

[ii] Integration is where layered funds (which now appear legitimate) are returned to the criminal.

[iii] Layering is where the criminal intentionally moves funds to disguise where the money actually originated.

[iv] Two Indicted in Scheme that Allegedly Laundered over $2 Million Generated by ‘Grandparent Scams’ Targeting Elderly Victims, Press Release, Department of Justice, U.S. Attorney's Office, Central District of California, December 12, 2023

[v] Hamlet, Act 1, Scene 5, Shakespeare

[vi] For instance, among other things, the charge of conspiracy to commit money laundering carries a statutory maximum penalty of 20 years in federal prison, and the charge of conspiracy to commit bank fraud carries a sentence of up to 30 years.

[vii] 16 CFR 603.2(a)

[viii] 16 CFR 603.2(b)

[ix] The Red Flags Rule was issued in 2007 under § 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 USC 1681m(e). The Red Flags Rule is published at 16 CFR 681.1. See also 72 FR, Nov. 9, 2007.

[x] The Rule was amended in 2010 by the Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457 (December 18, 2010).

[xi] Actually, the phrase is a direct translation from the Latin “potiusque sero quam nunquam” (viz., and better late than never) in Livy’s fourth book Ab Urbe Condita (History of Rome), 27 BC. The full quote in Livy is “Their insolence and recklessness must be opposed, and better late than never.” (My translation.)

[xii] Financial Crimes Enforcement Network (FinCEN), for nonbanks, see Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Residential Mortgage Lenders and Originators, Financial Crimes Enforcement Network, 77 FR 8148-8160 (February 14, 2012), as revised from time to time.

[xiii] CISA provides several publications involving money mules and other schemes. One example is Understanding and Protecting Yourself Against Money Mule Schemes, Matthew DeSantis, Chad Dougherty, Mindi McDowell, US-CERT, Cybersecurity & Infrastructure Security Agency

[xiv] Respectively, Know Your Customer (KYC) and Know Your Business (KYB)

[xv] Customer Information Program (CIP)

[xvi] Office of Foreign Assets Control (OFAC)

[xvii] FCRA Identity Theft Rules, Op. cit. ix