CSBS takes OCC to court over nonbank charter plan
T he controversy over the U.S. Office of the Comptroller of the Currency's proposal to create a new charter for nonbanks is drawing heat from bank regulators. On April 26, 2017, the Conference of State Bank Supervisors filed a complaint in the United States District Court for the District of Columbia against the OCC. The CSBS wants to stop the OCC from moving forward with what it believes is an unlawful attempt to create a national nonbank charter that will harm markets, innovation and consumers.
The CSBS is the national organization of bank regulators from all 50 states, American Samoa, District of Columbia, Guam, Puerto Rico and U.S. Virgin Islands. “The OCC’s action is an unprecedented, unlawful expansion of the chartering authority given to it by Congress for national banks," said John W. Ryan, CSBS President and Chief Executive Officer. "If Congress had intended it to be used for another purpose, it would have explicitly authorized the OCC to do so."
According to the CSBS, the complaint asserts that "by creating a national bank charter for nonbank companies, the OCC has gone far beyond the limited authority granted to it by Congress under the National Bank Act and other federal banking laws. Those laws authorize the OCC to only charter institutions that engage in the 'business of banking,' which under the National Bank Act requires an institution, at minimum, to receive deposits. Yet the OCC is attempting to create a new special purpose charter for nonbank companies that do not take deposits, without express statutory authorization. The OCC does not have the authority to create a special purpose charter for nonbanks without specific congressional approval."
Ryan further noted that if the OCC is allowed to proceed with the creation of a special purpose nonbank charter it will "set a dangerous precedent that any federal agency can act beyond the legal limits of its authority. We are confident that we will prevail on the merits. … The OCC’s proposed action ignores Congress, seeks to preempt state consumer protection laws, harms markets and innovation, and puts taxpayers at risk of inevitable fintech failures. This is a dangerous combination and one the court should decisively halt. To protect consumers and taxpayers, to promote innovation, and to ensure fair and open competition, CSBS was forced to take legal action against the OCC charter.”
CSBS on the job
Additionally, Ryan pointed out that state regulators already supervise a vibrant financial services marketplace that includes nonbanks and banks. State regulators supervise roughly three-quarters of all U.S. banks and a variety of non-depository financial services. CSBS, on behalf of state regulators, also operates the Nationwide Multistate Licensing System to license and register non-depository financial service providers in the mortgage, money services businesses, consumer finance and debt industries.
"Tens of thousands of mortgage, money transmission, debt collection and consumer finance companies – not to mention over 75 percent of this nation's banks ‒ already operate under the state system,” Ryan said. “That regulatory structure has produced a robust platform for innovation. Moving forward, state regulators will continue to streamline regulation and automate licensing across state lines, ensuring the system will work even better for state-licensed companies and consumers while protecting taxpayers.”
The CSBS complaint, with exhibits, is available at https://bankcsbs.files.wordpress.com/2017/04/csbs-occ-complaint-final.pdf .
One hacker down, law enforcement ramps up
Tuesday, April 25, 2017
T he April 21, 2017, sentencing of a Russian hacker to 27 years in prison reflects an escalating global fight against cybercrime. The U.S. Secret Service Electronic Crimes Task Force initially investigated the case, receiving assistance from the CCIPS Cyber Crime Lab and the Office of International Affairs and U.S. Attorney's Office for the District of Guam. Combined efforts of government agencies and law enforcement led to the arrest and trial of 32-year-old Roman Valeryevich Seleznev, authorities stated.
Seleznev, operating under the alias Track2, had infected POS systems with malware to steal and resell credit card data on dark websites. When taken into custody in the Maldives in April 2014, he reportedly had more than 1.7 million stolen credit card accounts stored in his laptop, mostly from small merchants in the western area of Washington State. The breaches affected approximately 3,700 financial institutions and more than 500 small merchants, representing more than $169 million in combined losses, according to sources familiar with the investigation.
Crime has no borders
Judge Richard A. Jones, of the U.S. Western District of Washington State, convicted 32-year-old Seleznev on 38 counts, as follows:
- 10 counts of wire fraud
- 8 counts of intentional damage to a protected computer
- 9 counts of obtaining information from a protected computer
- 9 counts of possession of 15 or more unauthorized access devices
- 2 counts of aggravated identity theft
Seleznev may face additional charges in other U.S. jurisdictions, including racketeering and possession of illegal access devices in the District of Nevada and bank and wire fraud charges in the Northern District of Georgia.
Seattle Chief of Police Kathleen O'Toole said, "Crime has no borders. This individual is responsible for defrauding victims out of millions of dollars in Seattle alone, and we are proud to work with our federal partners to bring him to justice."
David Vergara, Head of Global Product Marketing at Vasco Data Security, said the Seleznev case reinforces the point that cybercrime comes in many shapes, sizes and channels, but is all designed to monetize stolen data, using malware as the primary transmission vehicle.
"The escalating threat of cybercrime is clearly galvanizing government agencies to increase collaboration and share talented resources," he said. "This is evident in the effort required to nab this Russian hacker that single-handedly caused $169 million in financial losses, and even drove some businesses under."
Vergara further noted that small businesses, with typically weak security, represent the path of least resistance to most hackers, who leverage disciplined coding skills, extensive networks and knowledge of their targets to maximize results.
For Seleznev, it was "a simple volume game, peeling millions of credit card numbers from point-of-sale systems at smaller restaurants, for example, with well-crafted malware," Vergara said. "Although this hacker generated tens of millions in personal gains through sophisticated POS attacks, increased focus and collaboration between government agencies ultimately won him 27 years behind bars."
Improved security, vigilance
Adam Atlas, Attorney at Law expressed a hope shared by numerous industry experts that "chip-and-PIN adoption, as well as better PCI compliance on the part of merchants, will result in this kind of criminal activity being less tempting for bad actors."
Atlas said victims of crimes should never be held responsible for crimes, but he emphasized the need for all payments industry stakeholders to understand and implement security guidelines, such as the Payment Card Industry Data Security Standard (PCI DSS).
"I think issuers also have a role to play in terms of connecting the dots between the IP addresses where cards are usually used and where they are suddenly used for criminal purposes," he added. "In short, all parts of the payment system are part of the solution to fight cybercrime."
Renewed interest in money order fraud
Monday, April 24, 2017
W hat’s old is new again, even in payments. A pair of indictments handed down this month by the Brooklyn District Attorney, in New York City, shows fraudsters are still attracted to check scams. The two indictments allege fraud involving money order transactions totaling close to a half million dollars over the course of several years.
The alleged fraudsters, nine in all, are accused of taking advantage of recent innovations, like mobile check deposit, and availability schedules that can, at times, provide customers with access to funds from deposits before deposited items are deemed fraudulent.
Face amounts altered
One indictment alleges that two Brooklyn residents undertook a rather traditional fraud. The two are accused of depositing forged and doctored money orders (issued by the U.S. Postal Service and Western Union) totaling over $375,000 at local branches of Bank of America, Citibank and TD Bank between 2013 and 2017. Some of the doctored money orders were also cashed at local check cashing establishments. The original face amounts were between $1 and $6, but were altered to reflect face values of $1,000, according to the indictment.
“These defendants allegedly carried out an elaborate scheme to systematically steal hundreds of thousands of dollar,” Acting District Attorney Eric Gonzalez said in an April 20, 2017, statement about the indictments. “Financial crimes of this scale not only hurt our banks – they undermine the public’s trust in institutions we all rely upon for our livelihoods and our economy.”
Mobile deposits multiplied
The other indictment alleges seven Brooklyn residents took advantage of mobile deposit options to deposit the same forged postal money orders into multiple bank accounts, withdraw those funds as soon as possible, and then cash the paper items at local USPS locations. The scam is alleged to have involved more than 150 money order deposits and over $100,000 in losses.
The indictment, handed down on April 13, alleges the seven defendants enticed 47 people with accounts at TD Bank, Santander and Bancorp to relinquish control of those accounts (including debit cards and PINs) for a promised sum of money. Then they allegedly purchased postal money orders for amounts ranging from $700 to $12,000 to carry out the scam, which involved depositing the same items into multiple accounts using smartphones.
“Mobile check deposit schemes are one of many fraud schemes gaining popularity in recent yearsm” said U.S. Postal Inspector in Charge Philip R. Bartlett. “These schemes present a real challenge for financial institutions and law enforcement.” Bartlett’s office led the investigation that resulted in the seven being indicted.
A 2016 report by Guardian Analytics revealed that 72 percent of mobile banking fraud involves mobile deposits. The trend is particularly concerning given the growing availability of mobile deposit, as both the number of banks offering and number of consumers using mobile deposit have been charting double-digit growth rates, the report stated.
However, a study last year by RemoteDepositCapture.com found problems with and losses from so-called “duplicate deposits” are minimal and isolated. Only 25 percent of banks and credit unions surveyed by the remote deposit capture (RDC)-centric website reported losses from duplicate deposits. What’s more, better than half of those that did incur losses (51 percent) said the losses fell within their risk tolerance levels, so they made no changes to procedures as a result.
“Most FIs see RDC as a homerun,” said John Leekley, founder and Chief Executive Officer of RemoteDepositCapture.com. “Better than 90 percent of those surveyed said the benefits of mobile RDC outweigh the costs and risks, while 52 percent indicated the benefits far outweigh the costs and risks.”
Experian study finds increased ecommerce fraud
Friday, April 21, 2017
A new study by Experian Information Solutions Inc. found a 33 percent increase in ecommerce fraud in 2016, compared with the previous year. The findings were consistent with Experian's forecasts and not surprising to security analysts.
Analyzing millions of ecommerce transactions, researchers concluded certain geographical regions were hot spots for cybercriminals. Miami, Houston, and South El Monte, Calif., earned the dubious distinction of being top-ranked cities for fraud. The states with the highest concentration of billing and shipping fraud were Delaware, Oregon and Florida, company representatives stated. They also attributed a record number of data breaches in 2016 to vulnerabilities in security infrastructures.
"There were 1,093 data breaches last year, a 40 percent increase from 2015, according to the Identity Theft Resource Center," Experian stated. "The recent Federal Trade Commission (FTC) 2016 Consumer Sentinel Network Data Book announced a jump in consumers who reported that their stolen data was used for credit card fraud, from 16 percent in 2015 to more than 32 percent in 2016. The record number of data breaches is a signal that future fraudulent activities will take place."
EMV pushes fraud online
Payment analysts anticipated the U.S. EMV (Europay, Mastercard and Visa) migration would push fraudsters to ecommerce, which was the case in other regions that previously achieved widespread EMV adoption. Experian found evidence that fraudsters who trafficked in counterfeit POS fraud have, indeed, shifted focus to digital channels. Experian expects more thieves to follow suit.
"Criminals rob banks because that's where the money is," said Monica Eaton-Cardone, Chief Operations Officer and co-founder at Chargebacks911. "It's the same thing for fraudsters, hackers and career criminals; they are all seeking the quickest possible path to someone else's money, and the widespread usage of EMV is driving them online."
Eaton-Cardone said ecommerce fraud skyrocketed by 80 to 100 percent in Australia, Canada and the United Kingdom during early-stage EMV adoption. "Predictably, the same trend lines are now taking root in the United States," she said. "What we've learned is criminals don't abandon their desire to commit crime, but they do modify their behavior. Online merchants and e-stores would be wise to modify their behavior, as well, because the threat of cyber fraud is rapidly rising."
Evolving threat landscape
Fraudsters' resourcefulness and creativity is reflected in the sophisticated ways in which packages are rerouted. They reportedly use re-shippers or shipping "mules," freight forwarders, and international ports and airports where fraudulent order can be picked up and quickly dispatched to final destinations. "From a shipping perspective, 10 states saw at least a 100 percent increase in fraudulent orders, having a significant impact on the overall population attack rate," Experian stated.
Eaton-Cardone added, "Every single link in the transactional chain has vulnerabilities that can be exploited. Merchants must relentlessly and methodically examine and strengthen each individual link in their transactional chain until it's no longer a tempting target for fraudsters and criminals to exploit.
Eaton-Cardone said payment acquirers can also play an important role because they have a vested interest in helping merchants avoid exposure to fraud. Without a magic bullet or one-size-fits-all solution, payments industry stakeholders must remain vigilant in this ongoing game of cat-and-mouse, and merchants should consider working with a third-party expert consultant when necessary, she noted.
"Fighting fraud requires a specialized knowledge of proactive tactics and preventive options," Eaton-Cardone said. "But the absolute worst thing you can do is ignore the problem because that incentivizes more attacks. Once the criminals smell blood in the water, you're in real trouble."
Current, future trends
Experian researchers warned that 2017 is perpetuating the same accelerating fraud trends, with a 56 percent increase in reported data breaches year-to-date, compared with the same period in 2016. "Our annual fraud attack rate data brings to light the increase of e-commerce attacks over the last year across the U.S.," the company's researchers stated. "This latest data is a strong indicator that other types of fraud have already occurred and can help businesses understand how to better protect themselves and their customers."
Eaton-Cardone said the U.S. chargeback issuance rate is 240 percent higher than in Japan or China, a disadvantage for American merchants. "Chargeback fraud, also called friendly fraud, costs online merchants over $40 billion annually, and the problem is growing by 20 percent each year," she said. "Friendly fraud is considerably different than criminal fraud; the same fraud filters that shield you from criminal fraud are largely ineffective at stopping chargebacks."
We're on the front lines in the war against chargeback fraud, she added, and clearly, the threat-level is rising. "If you sell a product or service online, you need to protect yourself," she stated. "This is no longer an option, but a business necessity."
Facebook Messenger bots emerge in commerce
Thursday, April 20, 2017
A year after launching the Messenger Platform, Facebook unveiled version 2.0 at the mid-April F8 Facebook Developer Conference held in San Jose, Calif. One notable difference at this year's conference was heightened activity within the financial community to integrate Messenger customer engagement and commerce initiatives. Over 1.2 billion people globally use the Messenger app each month, according to Facebook.
When the instant messaging and chat platform initially rolled out, developers gained access to Facebook's Wit.ai Bot Engine, which converts natural language into structured data for automating conversations using artificial intelligence (AI). The bot engine apparently becomes more intelligent with each interaction. For businesses, the service provides automated response tools to more efficiently interact with customers.
With version 2.0, multiple customers can now chat simultaneously with a business or revisit businesses through the built-in Discover tab. Businesses can respond to frequently asked questions using the new Smart Replies for Pages. It also produces multiple parametric QR codes to add more choices while shopping. Businesses are able to create separate personal shopping and customer service bots useful in commerce applications.
Card brand, bank support
After opening up its experimental Masterpass Chatbot API on the Mastercard Developers platform earlier this year, Mastercard then collaborated with Turkish mobile retailer Getir to develop a Masterpass-enabled bot that allows shoppers to purchase items within Messenger and receive 10-minute guaranteed delivery.
At the F8 conference, Mastercard revealed Masterpass-enabled bot service collaborations with Fresh Direct LLC, Subway IP Inc. and The Cheesecake Factory Co. LLC. Mastercard noted that the bots leverage AI technologies to enable consumers to interact with merchant brands, build orders and securely checkout via Masterpass and supported wallets without exiting the Messenger platform.
"Our bot for Messenger, deployed in more than 26,500 U.S. Subway restaurants, is the largest deployment of a Messenger bot in the restaurant industry," said Carman Wenkoff, Chief Information and Digital Officer at Subway. "We're proud to offer our guests an innovative new way to order and pay outside the restaurants."
American Express Co. released an updated version of its Amex bot for Facebook Messenger during the conference that will allow U.S. Consumer and OPEN Card Members to receive on-demand answers to account and card queries.
Wells Fargo & Co. just pilot launched a bot for Messenger that deploys AI-driven customer chat experiences. "Our goal is to deliver information 'in the moment' to help customers make better informed financial decisions," said Steve Ellis, Head of Wells Fargo's Innovation Group. "AI technology allows us to take an experience that would have required our customers to navigate through several pages on our website, and turn it into a simple conversation in a chat environment."
Western Union, MoneyGram on board
During the F8 conference, both Western Union Co. and MoneyGram unveiled new services that incorporate Messenger. Western Union developed a money transfer bot for Messenger that makes it possible for users in the United States to send money to over 200 countries and territories across 130 currencies.
According to Western Union, the entire experience occurs within the Western Union cross-border money transfer platform, which is embedded inside Messenger. "Our Messenger community in the U.S. can now connect with the rest of the world via Western Union's services – either digitally or to a physical location – when sending money," said David Marcus, Vice President of Messenger.
With the newly launched MoneyGram Sendbot service, customers can now transfer money to any of MoneyGram's 350,000 agent locations globally by texting the desired recipient on Facebook Messenger. Built into MoneyGram's service is the Messenger's intuitive thinking software, a money transfer tracking tool and a dedicated agency location finder, MoneyGram noted.
In summarizing Messenger's expanded capabilities, Marcus said. "We think of Messenger as being like the new social living room for the world, where people can hang out, share, chat, play games or buy things, while still being able to reach nearly everyone, wherever they are. We now think we are combining two tools of the past — the telephone directory (the way we used to find people) with the Yellow Pages (the way we used to find businesses)."
View prior breaking news