The Evolution of Payment Fraud in the Age of COVID-19: Hacks, Scams and Fraud (Business Law Today, from ABA)
While some forms of payment fraud have existed for centuries (such as counterfeit checks), others have emerged more recently. And as banking technology and payment methods evolve, scammers are doing their part to keep pace by updating classic payment fraud schemes to take advantage of the COVID-19 pandemic. Payment fraud generally falls into two categories:
- unauthorized payments – such as unauthorized ACH charges, altered or counterfeit checks, or transactions initiated after an account takeover; and
- scams – such as fraudulently induced payments, bad check scams, and revocable payment scams.
Some of these traditional schemes have been tailored to take advantage of the pandemic by targeting vulnerable consumers (e.g., through impostor or work-from-home scams) and government employment agencies, which are defrauded when criminals use consumers' stolen personal information (PII) to fraudulently apply for unemployment insurance on the victim's behalf and then move the money through a “money mule” account.
Various laws, regulations and rules for payment systems are relevant to payment fraud. Different rules apply depending on the type of transaction and the type of fraud.
The core laws for payment fraud include:
- For check transactions: UCC Article 3 – Negotiable Instruments and Article 4 – Bank Deposits and Collections;
- For electronic fund transfers: the Electronic Fund Transfer Act and its implementing regulation, Regulation E; and
- For commercial funds transfers: UCC Article 4A – Funds Transfers.
Other laws may also be relevant, such as the various prohibitions on unfair, deceptive and abusive acts or practices (UDAAP), the anti-money laundering requirements under the Bank Secrecy Act (BSA), and the privacy and data security requirements for financial institutions under the Gramm-Leach-Bliley Act (GLBA). In addition, private-sector payment system rules, such as the NACHA Operating Rules for ACH, may also apply, particularly with regard to the allocation of losses among financial institutions. Which laws apply, and how, may depend on the characteristics of the transaction, including the payment channel, whether the payment was unauthorized or the result of fraud, and whether the transaction is a consumer or commercial transaction.
Check fraud
Traditional types of check fraud include check alterations (such as changes to the payee or the amount of a check), forged checks (a forged drawer's signature), counterfeit checks, and bad check fraud (when a consumer receives a bad check, deposits it and is asked to send some or all of the provisionally credited funds to a third party).
The UCC generally requires a paying bank to recredit its customer’s account when it pays an unauthorized check, which protects the customer from checks that are improperly paid. In addition, transfer and presentment warranties determine the allocation of losses between the depositary bank and the paying bank. In the case of bad check fraud, by contrast, the loss is likely to fall on the consumer who deposited the bad check if the check is returned unpaid by the paying bank. In these bad check schemes, fraudsters exploit a victim’s lack of understanding of how the payment system and its legal framework work: as soon as the depositary bank provisionally credits the funds, they instruct the victim to send money through an irrevocable payment channel (a wire transfer) or by a method that is difficult to trace and recover (buying and mailing a prepaid card).
Business Email Compromise (BEC) is a sophisticated form of payment fraud that has emerged in recent years. BEC targets companies, whose employees are tricked into sending funds to a scammer (usually via wire transfer, but sometimes via ACH transfer). BEC is carried out through the compromise of legitimate email accounts and social engineering. Many large banks have taken steps to prevent their customers from falling victim to BEC, including extensive educational campaigns.
For commercial transactions, the allocation of the loss resulting from a BEC fraud between the commercial customer and the bank is determined by the security procedure provisions of Article 4A. In particular, the commercial customer (sender) is not liable to the sending bank for an unauthorized transfer. The transfer can, however, be regarded as “approved” if the sending bank has verified the authenticity of the instruction using a mutually agreed “security procedure”, the security procedure is commercially reasonable and the bank has “accepted” the payment order in “good faith” and in compliance with the security procedure.
Fraudsters have used the COVID-19 pandemic to target vulnerable consumers such as the elderly and the unemployed. These scams offer a new twist on classic payment fraud schemes and have taken several forms, including:
- government impersonator scams;
- fraudulent cures, medical devices, or charities;
- work-from-home scams;
- contact tracing scams; and
- CARES Act Economic Impact Payment scams.
These schemes may involve a “scam” scenario or use the “bad check” or fraudulently induced funds transfer schemes, with legal responsibility for the loss determined by the applicable payment laws and regulations.
Fraudsters have also attacked government employment agencies with schemes in which a criminal files fraudulent unemployment insurance claims using consumers' stolen personal information (PII) and directs the payments (generally ACH) to accounts controlled by money mules, who are either witting or unwitting participants and may be enticed to participate through Good Samaritan, romance and work-from-home schemes. This type of fraud has been facilitated by recent major data breaches that resulted in widespread access to consumers’ personal information, which can be used to commit payment fraud and for other illegal purposes such as identity theft.
In particular, FinCEN has published an advisory that gives financial institutions guidance on potential red flags of such schemes for the purposes of reporting suspicious activity under the Bank Secrecy Act, including cases where a customer receives multiple state unemployment insurance payments to their account within the same payout period, receives payments from multiple states, or receives unemployment insurance from a state other than the one in which the customer lives or works.
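The three red flags listed above can be expressed as a simple screening rule over incoming credits. The sketch below is an added example, not code from FinCEN or the article; the record layout, flag names, the seven-day payout period and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

PERIOD_DAYS = 7  # assumption: weekly payout period; set to the paying agency's schedule

# Constructed sample data (not real): ACH credits already identified as state
# unemployment insurance payments, plus the states where each customer lives or works.
CREDITS = [
    ("A-100", "WA", date(2020, 6, 1)), ("A-100", "WA", date(2020, 6, 8)),
    ("A-100", "WA", date(2020, 6, 15)),
    ("A-200", "TX", date(2020, 6, 1)), ("A-200", "TX", date(2020, 6, 3)),
    ("A-300", "OH", date(2020, 6, 2)), ("A-300", "KY", date(2020, 6, 20)),
    ("A-400", "NV", date(2020, 6, 5)), ("A-400", "AZ", date(2020, 6, 6)),
    ("A-400", "NV", date(2020, 6, 7)),
]
HOME_STATES = {"A-100": {"WA"}, "A-200": {"TX"}, "A-300": {"OH", "KY"}, "A-400": {"FL"}}


def ui_red_flags(credits, home_states, period_days=PERIOD_DAYS):
    """Return {account: sorted list of red-flag names} for flagged accounts only."""
    by_account = defaultdict(list)
    for account, state, settled in credits:
        by_account[account].append((settled, state))

    flagged = {}
    for account, items in by_account.items():
        items.sort()
        flags = set()
        # Two consecutive credits closer together than one payout period.
        if any((b[0] - a[0]).days < period_days for a, b in zip(items, items[1:])):
            flags.add("multiple_payments_in_period")
        states = {state for _, state in items}
        # Payments from more than one state.
        if len(states) > 1:
            flags.add("multiple_states")
        # A paying state outside the states where the customer lives or works.
        if states - home_states.get(account, set()):
            flags.add("state_mismatch")
        if flags:
            flagged[account] = sorted(flags)
    return flagged


if __name__ == "__main__":
    for account, flags in sorted(ui_red_flags(CREDITS, HOME_STATES).items()):
        print(account, ", ".join(flags))
```

A hit is a prompt for review under the institution's suspicious activity process, not a determination of fraud: the constructed account A-300 lives and works in two different states and still trips the multiple-states flag.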
As banks take more steps to help customers avoid falling victim to payment fraud schemes, it is important to consider whether and how to change the “delicate balance of interests” provided for in the existing loss allocation rules for fraudulent payments, and if so, how this may affect the availability and pricing of certain payment types in the future.
 UCC §§ 3-101 et seq.
 UCC §§ 4-101 et seq.
 15 USC §§ 1693 et seq.
 12 CFR Part 1005
 31 USC §§ 5311 et seq.
 15 USC §§ 6801 et seq.
 See https://www.nacha.org/rules/operating-rules.
 For example, under the UCC, the depositary bank generally bears the loss for unauthorized endorsements and alterations, while the paying bank generally bears the loss for a forged drawer's signature or a counterfeit check. These UCC rules reflect the longstanding rule of Price v. Neal, 3 Burr. 1354, 97 Eng. Rep. 872 (K.B. 1763).
 FIN-2020-A003, Advisory on Imposter Scams and Money Mule Schemes Related to Coronavirus Disease 2019 (COVID-19) (July 7, 2020), available at: https://www.fincen.gov/sites/default/files/advisory/2020-07-07/Advisory_%20Imposter_and_Money_Mule_COVID_19_508_FINAL.pdf.