There will be no shortage of ways to try to scare yourself through the first half of this week — scary movies, scary costumes, scary receipts for all of the other scary stuff you picked up. And there is the fact that chocolate will be getting more expensive this year, as candy makers are haunted by the specter of higher shipping costs.
But for payments and commerce pros, there are two surefire ways to always elicit screams: stories about the two scariest things in the business.
Fraudsters and fines.
And lucky for you, we have both for the Halloween edition of the data dive.
Faster Payments Hit By Faster Fraud
In the getting-off-to-a-bumpy-start file, Hong Kong’s Faster Payment (FPS) system has only been up and running for a few weeks, but allegations are already rolling in that fraudsters have jumped on board. Reports indicate that the new system has been used to make fraudulent transactions ranging from $1,280 to $12,750.
Complaints that have now been referred to law enforcement include allegations that fraudsters stole a woman’s personal ID and bank account number and used them to initiate a real-time payment using FPS’s Autopay service. Other allegations include claims that fraudsters have stolen personal information to set up an eWallet accounts and activate electronic direct debit authorizations by leveraging a feature of the faster payments system that allows users to link bank accounts to eWallets.
In response, the Hong Kong Monetary Authority (HKMA) said it has suspended the Autopay service under FPS. The HKMA stressed, however, that these instances of fraud are not related to a security shortfall within FPS itself. The HKMA further added that bank account holders are not typically held liable for any fraudulent transfers if they did not authorize a transaction.
When Hong Kong’s FPS went live in September, HSBC Hong Kong CEO Diana Cesar said the system supports faster transactions that can be made “anytime, anywhere, and contributes to the efficiency of businesses by making real-time settlements possible.”
She added that the system brings “unprecedented convenience and security to our daily fund transfers among friends and family, as well as the day-to-day operations of businesses.”
It seems, unfortunately, it has also inadvertently made things a bit more convenient for fraudsters, and perhaps will need a few bolts to tighten the system.
Wells Fargo And Capital One Face Fines
Some big names in banking took on some pretty substantial fines this week.
Capital One was tapped by the Office of the Comptroller of the Currency (OCC) for $100 million due to shortcomings in the company’s compliance with the Bank Secrecy Act and anti-money laundering programs.
“The deficiencies, cited in the OCC’s 2015 order against the bank, included weaknesses in its compliance program and related controls; deficiencies in its risk assessment, remote deposit capture and correspondent banking processes; and failing to file suspicious activity reports. In assessing this civil money penalty, the agency found that the bank failed to achieve timely compliance with the OCC’s 2015 order, as required,” the regulator explained in a press release.
Capital One has reportedly already paid the fine to the U.S. Treasury.
Capital One joins a list of notable names in banking hit with fines over violations of the Bank Secrecy Act.
In February, U.S. Bank was served with a $185 million civil penalty after joint determinations of the Financial Crimes Enforcement Network (FinCEN), the OCC and the U.S. Department of Justice (DOJ) that the bank was in violation of the legislation.
In 2017, the OCC warned that banks were at a high risk of non-compliance, with Bank Secrecy Act and Anti-Money Laundering act, particularly, in the face of new technologies that support open access to financial services data. Banks, according to the OCC, may be facing additional money-laundering risk.
“Moreover,” the report continued, “ongoing changes in payment technologies and criminal typologies increase the challenges for banks to maintain effective systems to keep pace with these changes.”
Capital One was not the only bank that found itself on the wrong side of a regulatory ruling.
The New York attorney general announced that Wells Fargo & Company has agreed to pay a $65 million fine in connection with its “cross-sell” business model.
“The misconduct at Wells Fargo was widespread across the bank and at every level of management — impacting both customers and investors who were misled,” Attorney General Barbara D. Underwood said in a press release. “State securities laws are vital to protecting the hard-earned savings of working families and Main Street investors from financial fraud, and my office will continue to do what’s necessary to protect the public and the integrity of our markets.”
Wells Fargo faced additional scrutiny for the years it spent lauding the effectiveness of its cross-selling methodology in both increasing revenues and recruiting and retaining customers. The AG report noted that to support those claims, Wells Fargo falsely reported inflated cross-selling metrics to its investors.
“Driven by strict and unrealistic sales goals, employees in Wells Fargo’s Community Bank division engaged in fraudulent sales practices, including the opening of millions of fake deposit and credit card accounts without customers’ knowledge. Through a significant incentive compensation program, employees who met these targets were eligible for promotions and bonuses, while employees who did not meet the sales targets faced relentless pressure and even termination,” according to the release.
The AG report also notes the Wells Fargo Board of Directors received reports detailing the misconduct as early as 2011, but failed to report it to investors.
The attorney general’s office added that the settlement has no impact on its other investigation into Wells Fargo related to its practice of opening unauthorized accounts and enrolling consumers in services without their knowledge or consent.
Fraudsters Face Some Jail Time
Sometimes the news is not only scary for law-abiding folks — on occasion the law catches up to fraudsters and injects a bit of fright into them.
Case in point, two hackers were indicted in Florida this month on charges of extortion and hacking in connect to a data breach at learning platform Lynda in 2016. One alleged hacker lived in Florida, while the other was a Canadian citizen.
According to reports the two hackers were able to gain access to thousands of users' accounts, at which point they emailed Lynda’s parent company LinkedIn, as well as HackerOne, the cybersecurity program the company uses. After a representative of LinkedIn replied to their email, the hackers allegedly said, “keep in mind, we expect a big payment, as this was hard work for us.”
And it seems Canadian Vasile Mereacre and Floridian Brandon Glover were not riding in their first rodeo when they went after Lynda. The hack was nearly identical to one that hit Uber a few months before the Lynda hack in 2016. That hack saw the names, email addresses and phone numbers of 50 million Uber riders around the world compromised, as well as the information of about seven million drivers worldwide.
In that case, not many details had emerged until Uber’s chief information security officer opted to try to conceal the hack and pay the hackers — though he did later note in a Senate Commerce Committee hearing that the two hackers in its breach were from Canada and Florida.
The two were released on a bond, in the Florida case — on condition that they are not permitted to use the internet. The case is now being heard in a California court where they will face charges in connection with the Uber case in November.
So what did we learn this week? Fraudsters are always around, sowing fear in their wake and trick-or-treating in systems that don’t want them. Always best to on the lookout, even if they don’t make a bumping sound in the night,.
Happy Halloween, and don’t eat too much candy. But if you do, make it chocolate.