Criminal Activity

SEC and CFTC issue final identity theft rules to protect investors

On April 10, 2013, the Securities and Exchange Commission (the “SEC”) and the Commodity Futures Trading Commission (the “CFTC”) issued joint Identity Theft Red Flags Rules requiring broker-dealers, mutual funds, investment advisers, and certain other entities to adopt programs to detect red flags and prevent identity theft. Notably, certain state laws may also require the adoption of similar guidelines.

Additionally, entities that retain service providers must ensure that the providers conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. A financial institution may be found in violation of the Rules if it fails to exercise appropriate and effective oversight over the engagement.

Broker-dealers fall short in knowing their clients

It looks like broker-dealers are failing in their due diligence efforts on clients, as required by FINRA’s new Rule 2090. (FINRA is the largest non-governmental regulator of all securities firms doing business in the United States, and handles nearly every aspect of securities-related matters, from registering and educating industry participants, to writing and enforcing rules and the federal securities laws.)

According to several industry reports, the most violated rule this year has been a failure by broker-dealers to comply with FINRA’s know-your-customer obligations, now under Rule 2090 issued in July 2012. The rule, which is generally modeled after the former NYSE Rule 405(1), requires firms to use reasonable diligence regarding the opening and maintenance of every account in order to “know the essential facts concerning every customer.” The rule explains that “essential facts” are those required to:

  • effectively service the customer’s account;
  • act in accordance with any special handling instructions for the account;
  • understand the authority of each person acting on behalf of the customer; and
  • comply with applicable laws, regulations, and rules.

The know-your-customer requirements arise at the beginning of the relationship and do not depend on whether the broker has made a recommendation. Unlike the former NYSE Rule 405, Rule 2090 does not specifically address orders, supervision or account opening, which are areas that are explicitly covered by other rules.

In conjunction with this know-your-customer rule, FINRA has adopted transaction suitability Rule 2111, framed after the former NASD Rule 2310, which requires that a firm or associated person “have a reasonable basis to believe that a recommended transaction or investment strategy involving a security or securities is suitable for the customer, based on the information obtained through the reasonable diligence of the member or associated person to ascertain the customer’s investment profile.” According to FINRA, the measures constituting a reasonable diligence will vary depending on, among other factors, the complexity of and risks associated with the security or investment strategy and the firm’s or associated person’s familiarity with the security or investment strategy.

Rule 2111 further defines a customer’s investment profile, specifying that it includes, but is not limited to, the customer’s age, other investments, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the customer may disclose to the member or associated person in connection with such recommendation. Accordingly, a broker must attempt to obtain and analyze a broad array of customer-specific factors, and also determine quantitative suitability if the broker has actual or de facto control over a customer account.

FINRA now makes it clear that a broker must have a firm understanding of both the product and the customer, and that the lack of such an understanding itself violates the suitability rule.

Business identity theft: a crime that often goes unreported

According to the Federal Trade Commission (FTC) data from its Consumer Sentinel Network (CSN), an online database of consumer complaints available only to law enforcement, identity theft was the top consumer complaint in 2011, accounting for 17% or 287,232 complaints of the 1.8 million received; 990,242 of these cases involved fraud.

There are no reliable federal or state statistics that specifically track business identity theft, but various studies suggest that businesses do not report the crime because of the stigma attached to it. The company’s credibility and trust of its clients may never recover if they admit to being a victim.

Business identity theft comes in many forms. Posing as a look-alike or sound-alike business, and impersonating owners, officers or employees to illegally get cash, credit, and loans, is just one example. Thieves typically steal a business’ identity by gaining access to its bank accounts and credit cards, or by stealing sensitive company information, such as its tax identification number (TIN) and the owners’ personal information. Elaine Marshall, North Carolina’s Secretary of State, sees an increasing number of cases involving falsified documents. Marshall says that “the easiest targets are dissolved corporations, because whoever ran those defunct businesses usually no longer pays attention. Somebody comes 20 years later and reinstates it, and it looks like it’s a 40-year-old corporation. And if it was in good standing financially when it was dissolved, then

[the thief] will capitalize on that good standing.”

Indeed businesses have become easy targets for identity theft. Almost anyone can obtain a business’ tax identification number. A merchant’s basic financial information, including bank account numbers, may be known to hundreds of its customers and suppliers. Data access can be exploited by employees and insider theft, and fraud is often difficult to detect, especially when carried out by trusted employees. Many businesses do not review their own credit information for fraud and may be lax in shredding or disposing of documents. Although more businesses are conducting background checks on employees and suppliers, only a few ensure the integrity of their commercial shredding contractors and even fewer conduct background checks on in-house or contracted cleaning staff. And many companies are simply complacent in data security.

The Internet carries the highest perpetration of criminal theft and fraud. Since 2002, the FBI has recorded an 84% increase in the number of computer intrusion investigations. Cyber thieves use the web to obtain goods, services, and money while exploiting time-lags in discovery and investigation. They also prowl for valuable non-ID specific business data including confidential e-mails, customer and marketing data, bid and pricing sheets, and trade-secrets. In the financial services sector, the vast majority of transactions, including credit cards and debit cards, and even mortgage funding, occur online in virtual anonymity without the risks associated with in-person transactions. Because such identity theft crimes take place in cyber-space, police often must coordinate with other state, federal, or international agencies. And even when jurisdictional issues are resolved, often only high-profile offenders actually face criminal prosecution.

In this complex and dangerous environment, a proactive approach to preventing business identity theft is critical, and should include:

  • Security policies based on the highest reasonably assessed risk, including limiting the number of persons with a valid need to access sensitive information;
  • Corporate governance which advocates strong security planning;
  • System audits and tests to ensure detection of inappropriate usage and other vulnerabilities;
  • Background checks of all employees, key vendors, and contractors including document shredding entities, cleaning personnel, etc.;
  • Annual reviews of Secretary of State and other public filings;
  • Annual or more frequent reviews of Dun & Bradstreet reports, and if applicable, small business reports with Equifax, Experian and TransUnion;
  • Practice of excluding sensitive personal or business information in public filings;
  • Shredding or destroying business records as applicable;
  • Securing paper documents in locked cabinets in restricted areas;
  • Using privacy screens with smart phones, laptops, etc., when accessing sensitive information while traveling; and
  • Obtaining business insurance that covers potential business identity theft losses.

There are many online information and action resources for identity theft. The FTC provides comprehensive guidelines for prevention and recovery from identity theft, along with complaint forms. The Identity Theft Resource Center also contains excellent reference materials, including links to state and local agencies, as do the Privacy Rights Clearinghouse and the National Consumers League. 

Overview of identity theft related crime laws

Below is an overview of federal laws in connection with identity theft crimes.

  • The Identity Theft and Assumption Deterrence Act (the “ITADA”)

The ITADA, passed in 1998, makes identity theft a distinct crime from wire fraud, covers theft of data (as well as documents), and encompasses businesses and persons that seek access to personal records through banks, state and federal agencies, or insurance companies. The ITADA mandates significant fines and imprisonment even for first offenders. The federal criminal jurisdiction requires an underlying felony (such as fraud or conspiracy) and involvement of an “identification document” that: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce.

  • The Fair and Accurate Credit Transactions Act (the “FACTA”)

The FACTA was established as a national detection system to deter fraud resulting from identity theft in its early stages with or without subsequent law enforcement investigation. The FACTA, among other rights, allows victims to alert all three major credit rating agencies of suspected criminal use of their financial data or accounts affecting a credit rating. The FACTA created the rights to “free” annual credit reports, and requirements that mortgage lenders provide actual FICO credit scores (not just credit account data) if that score is used to determine interest rates for a housing loan. The FACTA also mandates that merchants show only the last five digits of credit card numbers on receipts. The FACTA further is responsible for developing a system to “red flag” suspicious requests for consumer data, and allows military personnel to “freeze” credit files when they are deployed overseas.

Under the FACTA, consumer “red flags” include fraud alerts from a reporting business that has identified a data breach, unusual patterns in credit usage, suspicious documentation, credit usage after long periods of inactivity, known mail drop addresses, and other anomalies.

The FACTA also requires employers to shred documents containing employee data; any business that supplies or facilitates consumer credit must secure or destroy consumer information. This “disposal rule” requires reasonable and appropriate destruction of all information derived from a consumer credit report, prior to its disposal. Failure to comply with destruction requirements (i.e. shredding) carries penalties of up to $2,500 per violation. There is an implied obligation within the FACTA disposal rule to conduct due diligence for hiring or contracting data disposal personnel, which includes reference checking, physical inspection of licenses or certificates, and audits.

 

  • The Fair Credit Reporting Act (the “FCRA”)

The FCRA requires consumer reporting agencies (CRAs) to adopt reasonable procedures to maintain and report consumer data with confidentiality, accuracy, relevancy, and reasonable security. CRAs must ensure “reasonable procedures to assure maximum possible accuracy of the information concerning the subject of the report.”

Victims may sue for willful or negligent failure to verify the accuracy of disputed information or correct inaccurate information resulting from a stolen identity. Consumers who report errors or fraudulent transactions are entitled to a “reasonable investigation” and an expectation that errors will be corrected and reported back promptly. The statute provides for attorney’s fees and punitive damages for willful violations. Under the FCRA, identity theft victims may authorize law enforcement agencies to obtain their credit reports and other records without obtaining a subpoena and at no personal cost. The FCRA imposes a two-year statute of limitations that begins when an inaccurate disclosure or report is filed, not when the consumer actually becomes aware of inaccuracies.

The FCRA also includes a “disposal rule” requiring any business that has access to or which utilizes consumer reporting information to dispose of this sensitive information properly.  The FCRA’s disposal rule is broader than FACTA’s in that it targets any company that complies, sells or purchases reports containing private personal or medical information. This includes employment agencies, banks, private investigators, landlords, auto dealers, insurance agents and others. The FCRA disposal rule applies to any information, in any format, and mandates that the disposal method must render the documents or information unreadable and incapable of being reconstructed.

  • The Gramm-Leach-Bliley Act (the “GLBA”)

The GLBA directs eight federal regulatory agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule to ensure that financial institutions prevent unauthorized disclosure of consumer financial information, including fraudulent access, by implementing appropriate policies, procedures and controls. Also known as the Financial Services Modernization Act of 1999, the GLBA defines financial institutions as a “business significantly engaged in providing financial services or products for personal, family, or household use.” The GLBA is relevant to traditional banks and credit unions, and also includes check-cashing and payday loan services, non-bank lenders, real estate appraisers, tax preparers, debt collectors, financial advisors, and insurance agents and brokers.

  • The Right to Financial Privacy Act (the “RFPA”)

The RFPA falls under the ambit of the FDIC and targets industrial loan companies, trust companies, savings associations, credit unions and consumer finance institutions. The RFPA creates statutory Fourth Amendment protection for personal bank records by providing that ‘no government authority

[state or federal] may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described and the customer authorizes access; there is an appropriate administrative subpoena or summons; there is a qualified search warrant; there is an appropriate judicial subpoena, or there is a written request from an authorized government authority.

The RFPA prohibits banks and other covered entities from requiring customers to release financial records as a condition of doing business, and mandates banks to provide customers with access to records of all disclosures made to third parties.

  • The Health Insurance Portability and Accountability Act (the “HIPAA”)

The HIPAA, which is administered by the U.S. Department of Health and Human Services (HHS), establishes nationwide security standards for electronic health care information. This ‘security rule’ requires all covered entities to be compliant with specific administrative, technical, and physical security standards and procedures for electronic data. HIPAA rules apply not only to doctors, clinics, hospitals, pharmacies, and laboratories, but may also apply to certain collection agencies, health insurers, and lawyers, and also to any businesses that maintain self-insured employee health care plans.

In addition to federal laws, each state has its own law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help victims from continuing identity theft.

Thirty-four states have introduced or have pending legislation regarding identity theft during the 2012 legislative session, including Louisiana which enacted its Business Identity Theft Prevention Act. For more information on state laws, visit the website of National Council of State Legislatures.

Diploma mill ordered to pay $22.7 million to 30,000 scam victims

On August 31, 2012, Belford High School, Belford University and several of their co-conspirators were ordered to pay $22.7 million to a class of more than 30,000 U.S. residents who were duped into purchasing fake high school diplomas from Belford. The defendants were also ordered to forfeit the websites used to perpetrate the scam, including www.belfordhighscool.com, www.belfordhighschool.org, www.belforduniversity.org, and www.belforduniversity.com.

The lawsuit, filed on November 5, 2009, charged that Belford High School is an Internet scam that defrauded students of their money by offering them a supposedly “valid” and “accredited” high school diploma. As affirmed by the judgment, the school is a fake and the diplomas are not valid. The lawsuit also alleged that the two accrediting agencies by which Belford claimed to be accredited – International Accreditation Agency for Online Universities and the Universal Council for Online Education Accreditation – are not legitimate accrediting agencies.

Notably, we came across Belford University in 2010 when a bachelor’s degree from the “school” was listed on an employment application by a candidate for a professional level position with one of our clients. Click here to read the 2010 blog.

 

Highlights of ACFE’s 2012 report on occupational fraud

The Association of Certified Fraud Examiners (ACFE) recently released its Report to the Nations on Occupational Fraud and Abuse – 2012 Global Fraud Study. The ACFE states that the Report is based on data from 94 countries compiled from studies of 1,388 occupational fraud cases that occurred between January 2010 and December 2011, and were investigated by certified fraud examiners. The ACFE conducts global occupational fraud studies every two years. According to the Report, a typical organization loses 5% of its revenues to fraud each year, which translates to more than $3.5 trillion if applied to the estimated 2011 Gross World Product. As in its prior studies, the Report shows that the industries most commonly affected by occupational fraud are banking and financial services, government and public administration, and manufacturing. Small organizations suffered the largest median losses. The Report indicates that asset misappropriation continued to be the most frequently committed fraud, yet least costly, with a median loss of $120,000, while financial statement fraud remained the least frequent but the most costly, with a median loss of $1,000,000. Below are the Report’s findings about the fraud perpetrators:

  • Perpetrators with higher authority levels tend to cause much larger losses. The median loss among frauds committed by owner/executive was $573,000, by managers it was $180,000, and by employees, $60,000.
  • Vast majority (77%) of all frauds were committed by individuals working in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing.
  • In 81% of cases, the fraudster displayed one or more behavioral red flags that are often associated with fraudulent conduct: living beyond means (36%), financial difficulties (27%), close association with vendors or customers (19%) and excessive control issues (18%).
  • Approximately 87% of the fraudsters had never been charged or convicted of a fraud-related crime, and 84% had never been punished or terminated for fraud-related conduct.

The Report further notes that the most frequent method of detection continued to be by tip, which occurred in 43.3% of the cases, followed by management review and then by internal audit detection. For entities with fraud hotlines, the likelihood that the fraud would be found by tip was 50.1% whereas for entities without a fraud hotline, that likelihood decreased to 35%, according to the Report. Overall, the median duration of a fraud before being discovered remained consistent with the ACFE’s 2010 study, at 18 months. Nearly half of victim organizations do not recover any losses suffered from a fraud.

The Report confirms that the nature and threat of occupational fraud is universal. Though its research noted some regional differences in the methods used to commit fraud – as well as organizational approaches to preventing and detecting it – many trends and characteristics are similar regardless of where the fraud occurred. The Report recommends that management should continually assess the organization’s specific risks and establish or revise compliance and fraud prevention programs accordingly.

Identity theft again tops FTC’s top complaints list for 2011

Identity theft again tops FTC’s top complaints list for 2011

The Federal Trade Commission (FTC) on February 27, 2012 released its list of top consumer complaints received by the agency in 2011. For the twelfth year in a row, identity theft topped the list at 279,156 complaints or 15%. The breakdown for the next nine complaint categories (from a list of 30) is as follows:

Category Number Percentage
Debt collection 180,928 10
Prizes, sweepstakes, and lotteries 100,208 6
Shop-at-home and catalog sales 98,306 5
Banks and lenders 89,341 5
Internet services 81,805 5
Automobile-related 77,435 4
Imposter scams 73,281 4
Telephone and mobile services 70,024 4
Advance-fee loans and credit protection/repair 47,414 3

 
The FTC records the complaints in its Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. Other federal and state law enforcement including the U.S. Postal Inspection Service, the Department of Justice’s Internet Crime Complaint Center, and the attorneys general offices of Idaho, Michigan, Mississippi, North Carolina, Ohio, Oregon, Tennessee, and Washington also contribute to the database content, along with private-sector organizations such as U.S. and Canadian members of the Better Business Bureau, Western Union and Moneygram, and the Lawyers Committee for Civil Rights Under Law.

Federal Sentencing Guidelines: a lure to organizational compliance

About 20 years ago, the United States Sentencing Commission (USSC) enacted the Federal Sentencing Guidelines (FSGs) for organizations with the intent to govern the sentencing of companies convicted of federal crimes. The FSGs, which have been amended several times, hold that organizations can act only through agents and, under federal criminal law, generally are vicariously liable for offenses committed by their agents.

A proactive approach to prevent, detect and report illegal and unethical activities can substantially reduce fines and punishment, in some cases up to 95% according to a commentary by the USSC. The USSC specifies that the two factors that mitigate an organization’s ultimate punishment are “the existence of an effective compliance and ethics program, and self-reporting, cooperation, or acceptance of responsibility.” In contrast, the absence of solid compliance mechanisms can increase fines and punishment, as verdict determination is based on “the organization’s involvement in or tolerance of criminal activity, its prior history, violation of an order, and obstruction of justice.”

The compliance incentives provided by the FSGs and the proliferation of new regulations mandate a cultural imperative for ethical and law-abiding conduct by all companies, large and small. High-level attention, leadership and sufficient resources must be dedicated to meet the strict requirements of a compliance program defined by the USSC as “effective.” In its manual, the USSC emphasizes the necessity of strong due diligence to prevent and detect criminal conduct. Among its guidelines, a provision in Chapter 8 notes that:

“The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

Comprehensive background investigations, whether for employment purposes, evaluation of prospective clients, existing relationships and third-parties, or for other business transactions, are essential for compelling due diligence which actualizes a masterful compliance strategy. Although various committees and officials are calling for a complete review of the FSGs which the 2005 landmark case U.S. vs. Booker held as discretionary rather than mandatory, well-developed compliance programs are here to stay.

Scherzer International is on the forefront of the quick-changing regulations regime with a portfolio of background investigation products designed to facilitate purposeful risk management and compliance protocols. Visit us often at www.scherzer.com as we continuously analyze and test new elements and incorporate them into our products if they have proven value. And stay tuned for a Dodd-Frank regulations product which we will introduce within the next few months.

Department of Justice filed a record number of criminal cases in 2011

Acting Assistant Attorney General Sharis A. Pozen in a November 17, 2011 published speech reported that in the fiscal year 2011, the DOJ filed 90 criminal cases — the highest number in the past 20 years. The DOJ agreed to more than $520 million in criminal fines, which is close to the amount in 2010 (which totaled 60 cases.) In this year’s 90 cases, 27 corporations in the real estate, optical disk drives, auto parts, air cargo, and financial services industries were charged along with 82 individuals.

Pozen also disclosed that the DOJ has been conducting an international cartel investigation into price fixing and bid rigging in the auto parts industry, which already resulted in the guilty pleas of one corporation and three individuals, $200 million in fines, and three jail terms for the executives involved in the conspiracy.

In the real estate industry, Pozen said that the DOJ continues its investigations into bid rigging conspiracies at public real estate foreclosure auctions and tax lien auctions. With the help of the FBI, the DOJ agents ferreted out the ways in which the participants coordinated their bids. To date, 32 defendants have pleaded guilty to conspiracy charges, according to Pozen.

The DOJ remains focused on criminal activity in the financial services sector. Pozen noted that together with several federal and state agencies, the DOJ has been investigating a criminal conspiracy involving bid rigging in the municipal bond investments market, resulting in nine pleas of individuals this year. These investigations, which are ongoing, impelled JPMorgan Chase to enter into an agreement to resolve its role in the conspiracy, and agree to pay $228 million in restitution, penalties, and disgorgement to federal and state agencies. Earlier in the year, UBS AG also agreed to pay a total of $160 million and Bank of America previously consented to $137.3 million.

Bribing for business: Russia and China score lowest in fighting corruption

According to a survey released on November 3, 2011, by Transparency International, a non-profit, corruption watchdog, Russia and China got the lowest scores in its 2011 Bribe Payers Index, which ranked the top 28 largest economies according to the probability of companies headquartered in these countries practicing bribery. The scores were calculated from responses of 3,016 executives in 30 countries who had business dealings in those economies.

Companies based in China and Russia scored below 7 on a scale of 10, at 6.5 and 6.1, respectively. Mexico, with a 7.0 score, was third from the bottom. Companies in the Netherlands and Switzerland tied for first place with scores of 8.8, with Belgium, Germany, and Japan rounding out the top five.
The survey also ranked the business sectors in which bribery was perceived to be prevalent. Public works and construction were reported as the most pullulated along with oil and gas. Agriculture and light manufacturing were ranked as the cleanest.

The report noted that “there is no country among the 28 major economics whose companies are perceived to be wholly clean and do not engage in bribery.” And the scores, on average, have not improved significantly from the 2008 Bribe Payers Index. The average score of 22 countries increased only 0.1 points to 7.9 in the latest edition.

The survey also found that “international business leaders reported the widespread practice of companies paying bribes to public officials in order to, for example, win public tenders, avoid regulation, speed up government processes or influence policy.” However, companies are almost as likely to pay bribes to other businesses, according to the survey, which looked at business-to-business bribery for the first time. This suggests that corruption is not only a concern for the public sector, but for many businesses, and carries major reputational and financial risks.

Go to Top