
Prepaid Card Compliance - Conference Materials



Prepaid Card Compliance will bring together an unparalleled faculty of regulatory and enforcement officials, compliance experts from industry leaders, and outside counsel specializing in prepaid card regulatory compliance who will provide you with best practices and targeted guidance in these most uncertain times for the industry.

Published in: Technology, Business


  1. Fraud/Identity Theft Legal Issues Terrence P. Maher © 2012 Baird Holm LLP
  2. Treasury IG for Tax Administration • There Are Billions of Dollars in Undetected Tax Refund Fraud Resulting From Identity Theft - Reference Number: 2012-42-080 - July 19, 2012 • Processes for the Direct Deposit of Tax Refunds Need Improvement to Increase Accuracy and Minimize Fraud - Reference Number: 2012-40-118 - September 25, 2012 • Further Efforts Are Needed to Ensure the Internal Revenue Service Prisoner File Is Accurate and Complete - Reference Number: 2013-40-011 - December 18, 2012
  3. Findings • IG estimated that the IRS could issue $21 billion in potentially fraudulent tax refunds resulting from identity theft over the next five years • In addition to returns flagged by the IRS, the IG identified approximately 1.5 million additional undetected tax returns with potentially fraudulent tax refunds totaling in excess of $5.2 billion • Of the approximately 1.5 million tax returns the IG identified, 1.2 million (82 percent) used direct deposit to obtain tax refunds totaling approximately $4.5 billion
  4. Findings • IG found that the IRS was not in compliance with direct deposit regulations that require tax refunds to be deposited to an account only in the name of the individual listed on the tax return • Deposits to debit card accounts are being used by identity thieves committing tax return filing fraud • Investigators working the Tampa scheme identified that most of the fraudulent tax refunds were direct deposited to a debit card account
  5. Findings • The number of fraudulent tax returns filed by prisoners and identified by the Internal Revenue Service has increased from more than 18,000 tax returns in Calendar Year 2004 to more than 91,000 tax returns in Calendar Year 2010 • The refunds claimed on these tax returns increased from $68 million to $757 million • Although the IRS prevented the issuance of $722 million in fraudulent tax refunds during Calendar Year 2010, it released more than $35 million • The prisoner file supplied to the IRS is incomplete and inaccurate
  6. Recommendations • IG recommendation #5 – the IRS should coordinate with responsible Federal agencies and banking institutions to develop a process to ensure that tax refunds issued via direct deposit to either a bank account or a debit card account are made only to an account in the taxpayer's name • IG recommendation #6 – limit the number of tax refunds issued via direct deposit to the same bank account or debit card account in an attempt to reduce the potential for fraud
  7. Recommendations • “Secret” recommendation #7 – Develop processes to identify and quantify direct deposits of tax refunds to accounts associated with a debit card as well as the ability to associate tax refunds deposited to a debit card to a specific tax account • Recommendation #8 – Work with the Department of the Treasury to ensure financial institutions and debit card administration companies authenticate the identity of individuals purchasing a debit card. Furthermore, prevent the direct deposit of tax refunds to debit cards issued or administered by financial institutions and debit card administration companies that do not take reasonable steps to authenticate individuals' identities. • Implementation Dates – October 15, 2013
  8. Social Security Administration Office of the Inspector General • Controls over the Enrollment Process with the Direct Express® Debit Card Program (Limited Distribution) (A-15-12-21273) • Direct Deposit Changes Initiated Through Financial Institutions and the Social Security Administration's Internet and Automated 800-Number Applications (Limited Distribution) (A-14-12-21271)
  9. Social Security Administration Office of the Inspector General • Direct Express – In May 2011, the IG began receiving multiple allegations that Social Security benefits were being improperly diverted to Direct Express – Comerica subsequently alerted the IG to fraudulent activity it detected regarding Social Security benefits – The IG initiated five audits to evaluate controls in place at various points in the direct deposit process and identify vulnerabilities
  10. Social Security Administration Office of the Inspector General • Direct Express – The IG review demonstrated that one or more individuals successfully enrolled beneficiaries in the Direct Express program and/or changed their direct deposit information without the beneficiaries' knowledge – As Treasury requires that beneficiaries receive their benefit payments through direct deposit or Direct Express, it is likely that the number of SSA beneficiaries whose payments are vulnerable to fraud will increase – To prevent fraudulent changes to a beneficiary's account in the future, the IG recommended that SSA work with Treasury and Comerica to enhance the authentication process between the parties for the Direct Express card
  11. Social Security Administration Office of the Inspector General • Direct Deposit – In October 2011, the IG began tracking allegations that indicated individuals other than the beneficiaries or their representatives had redirected benefit payments from the beneficiaries' bank accounts to accounts the individuals controlled – As of August 31, 2012, the IG had received over 19,000 reports concerning direct deposit changes to an SSA beneficiary's record – These reports involved either an unauthorized change or a suspected attempt to make an unauthorized change – Based on these allegations, the IG initiated audits to evaluate controls in the direct deposit process and identify vulnerabilities
  12. Social Security Administration Office of the Inspector General • Direct Deposit – When the IG asked 29 beneficiaries who did not authorize the direct deposit changes how someone might have gained access to their private information to make a change, the results were as follows: • Thirteen beneficiaries reported they were told they had won a lottery, but they needed to provide some private information before they could receive their prize • Three beneficiaries said they provided their private information to someone claiming to be an official from a Government agency or someone they knew • Two beneficiaries reported their wallets or credit cards had been lost or stolen • Eleven beneficiaries reported they were unsure how someone might have acquired their private information
  13. Social Security Administration Office of the Inspector General • Direct Deposit – Of the 29 beneficiaries in the IG sample with misdirected benefit payments, the suspicious direct deposit changes for 19 beneficiaries originated at FIs through the ENR process, for 9 beneficiaries the direct deposit change originated through SSA's Direct Deposit automated 800-number application with knowledge-based authentication, and for 1 beneficiary the direct deposit change originated through the Agency's Direct Deposit Internet application – For the 19 beneficiaries with changes originating at FIs, the IG determined that changes for 9 beneficiaries redirected benefits to prepaid debit cards and changes for the remaining 10 beneficiaries redirected benefits to accounts it could not identify as prepaid debit cards
  14. Social Security Administration Office of the Inspector General • Direct Deposit – The IG determined that the controls over direct deposit changes originating through FIs or the Agency's Direct Deposit Internet and automated 800-number applications did not ensure all changes were authorized – Based on beneficiary interviews, data analysis, and the IG review of systems documentation, the IG identified instances of unauthorized account changes and weaknesses in SSA and FI's authentication or identity verification processes – The IG made 9 confidential recommendations, 8 of which the SSA agreed with
  15. Financial Management Services Regulations
  16. Deposit of Federal Benefits to Prepaid Cards • Treasury FMS issued an Interim Final Rule effective January 21, 2011, to allow Federal payments to be delivered to prepaid debit card or similar card accounts meeting certain consumer protection requirements • The NBPCA submitted comments on the IFR, but, to date, no final rule has been issued • FMS regulations have long provided that Federal payments made by ACH had to be deposited into an account "in the name of the recipient" – the payment recipient's name must appear in the account title • With the use of pooled accounts in prepaid, it was not clear that prepaid cards could meet this requirement
  17. Deposit of Federal Benefits to Prepaid Cards • Under the IFR, a Federal payment may be deposited to an account accessed by the recipient through a prepaid card that meets the following requirements: – The account is held at an insured financial institution; – The account is set up to meet the requirements for pass-through deposit or share insurance such that the funds accessible through the card are insured for the benefit of the recipient by the Federal Deposit Insurance Corporation or the National Credit Union Share Insurance Fund in accordance with applicable law (12 CFR part 330 or 12 CFR part 745); – The account is not attached to a line of credit or loan agreement under which repayment from the account is triggered upon delivery of the Federal payments; and – The issuer of the card complies with all of the requirements, and provides the holder of the card with all of the consumer protections, that apply to a payroll card account under the rules implementing the Electronic Fund Transfer Act, as amended
  18. Deposit of Federal Benefits to Prepaid Cards • No person or entity may issue a prepaid card that receives Federal payments in violation of the IFR, and no financial institution may maintain an account for or on behalf of an issuer of a prepaid card that receives Federal payments if the issuer violates the IFR
  19. Erroneous/Unauthorized ENRs • 31 C.F.R. Part 210 addresses the Federal Government's participation in the ACH system • 31 C.F.R. Sec. 210.4(a) provides: – "(1) The agency or the RDFI that accepts the recipient's authorization [for example, an ENR entry] shall verify the identity of the recipient and, in the case of a written authorization requiring the recipient's signature, the validity of the recipient's signature. – (2) Unless authorized in writing, or similarly authenticated, by an agency, no person or entity shall initiate or transmit a debit entry to that agency, other than a reversal of a credit entry previously sent to the agency."
  20. Erroneous/Unauthorized ENRs • Under 31 C.F.R. Sec. 210.8(2), a financial institution that accepts an authorization in violation of § 210.4(a) is liable to the Federal Government for all credits or debits made in reliance on the authorization • A financial institution that transmits to an agency an authorization containing an incorrect account number is liable to the Federal Government for any resulting loss, up to the amount of the payment(s) made on the basis of the incorrect number • If an agency determines, after appropriate investigation, that a loss has occurred because the financial institution transmitted an authorization or notification of change containing an incorrect account number, the benefits paying agency may instruct the Financial Management Service to direct a Federal Reserve Bank to debit the financial institution's account for the amount of the payments made on the basis of the incorrect number • The agency must notify the financial institution of the results of its investigation and provide the financial institution with a reasonable opportunity to respond before initiating such a debit.
  21. Identity Theft and Tax Fraud Prevention Act - S 3432
  22. S 3432 • The bipartisan bill is intended to reduce the incidence of fraudulent tax returns by protecting SSNs from disclosure and providing new protections for identity theft victims • Section 8 of the bill would require the U.S. Comptroller General to conduct a study within one year that examines the role of prepaid debit cards and commercial tax preparation software in facilitating fraudulent tax returns through identity theft – The report must be submitted to the Senate Finance and the House Ways and Means committees, together with any recommendations – The bill does not identify the specific concerns that the Senators have with prepaid cards utilized with tax returns • The bill also requires a study by the U.S. Treasury on information sharing barriers to deterring tax fraud through identity theft
  23. FACTA ID Theft Red Flags Rule
  24. FACTA ID Theft Red Flags Rule • The rule requires many businesses and organizations to implement and adopt written identity theft prevention programs to detect the warning signs - or "red flags" - of identity theft in their day-to-day operations, take steps to prevent the crime of identity theft, and mitigate the damage identity theft inflicts • The rule only applies to "financial institutions" and "creditors." – "Financial institutions" are banks, savings and loans, credit unions, and other entities that maintain consumer transaction accounts
  25. FACTA ID Theft Red Flags Rule • A transaction account is a deposit or other account from which the owner makes payments or transfers • Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts – Are GPR cards covered?
  26. FACTA ID Theft Red Flags Rule • The rule requires that the written program include four basic elements – The program must include reasonable policies and procedures to identify "red flags" of identity theft – The program must be designed to detect the red flags you've identified – The program must spell out appropriate actions you will take when you detect red flags – Because identity theft is an ever-changing threat, you must address how you will re-evaluate the program periodically to reflect new risks from ID theft
  27. FACTA ID Theft Red Flags Rule • Although there are no criminal penalties for failing to comply with the rule, financial institutions and creditors may be liable for civil monetary penalties – What will the CFPB do? • Under the FAQs, there is no private right of action for a violation of FACTA • Other than in Alabama, courts have generally refused to impose liability on an FI to a victim of ID theft where the FI established accounts in the name of the victim through the actions of a fraudster
  28. FinCEN CIP Rule
  29. FinCEN • 31 CFR 103.121 sets forth the rule regarding customer identification programs for FIs • The regulation defines an account as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit”
  30. FinCEN • The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable • The procedures must enable the bank to form a reasonable belief that it knows the true identity of each customer
  31. FinCEN • These procedures must be based on the bank's assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank's size, location, and customer base • The CIP must contain procedures for verifying the identity of the customer, using information obtained, within a reasonable time after the account is opened • At what point does establishing prepaid card accounts for fraudsters indicate that the FI's CIP is inadequate? Will regulators take action? • Courts have held that there is no private right of action for BSA violations
  32. Questions?