Insights into ACH Fraud - Punishment of First Bank of Delaware
On Monday the FDIC announced severe punishments of First Bank of Delaware. The punishments were so severe that it's almost as if the bank has failed, but technically, it wasn't a bank failure. According to the FDIC press release:
The Delaware Office of State Bank Commissioner terminated First Bank of Delaware’s charter and the FDIC terminated its deposit insurance.
In addition to the charter and deposit insurance termination, the bank will have fines to pay. The Justice Department has details of the fines in its press release:
Under a settlement reached with First Bank of Delaware, the bank will pay a civil money penalty of $15 million to the United States Treasury. The bank also will maintain an account with $500,000 to pay consumer claims arising from the alleged conduct.
Customers of First Bank of Delaware don't have to worry since another bank, Bryn Mawr Trust Company, assumed deposit liabilities from the First Bank. Bryn Mawr Trust Company has some information on its website for First Bank customers. There's no mention about rates on existing CDs.
First Bank of Delaware was a small bank so there are not many bank customers who will be directly affected by this. However, there may be many people who were indirectly affected by First Bank due to what was going on at the bank. The Justice Department's press release has some details about how fraudulent merchants use banks with weak internal controls:
The Department of Justice alleges that from 2009 to 2011, First Bank of Delaware violated the Financial Institutions Reform, Recovery and Enforcement Act (“FIRREA”) by originating withdrawal transactions on behalf of fraudulent merchants and causing money to be taken from the bank accounts of consumer victims. The government alleges that the bank knew – or turned a blind eye to the fact – that consumer authorization for the withdrawals had been obtained by fraud.
“We are committed to protecting consumers from unscrupulous merchants who use Internet and telemarketing schemes to defraud them. Such merchants need payment processors and banks to help them obtain the victim consumers’ money. This settlement should serve as notice to the banking community that when banks allow themselves to be used to perpetrate these frauds, we will target our enforcement efforts accordingly to hold the banks accountable,” stated United States Attorney Memeger.
“To make money, First Bank of Delaware entered into risky lines of business and chose to disregard its Bank Secrecy Act responsibilities,” said FinCEN Director Jennifer Shasky Calvery. “As a result of its failure to implement systems and controls to identify and report suspicious activities, as required by the BSA, financial predators were able to victimize consumers.”
Banks are a critical key in many consumer fraud schemes. After a fraudster obtains bank account information from a consumer, the fraudster still needs to gain access to the banking system in order to take the consumer’s money. Fraudulent merchants have a difficult time opening their own bank accounts because of laws designed to prevent criminals from accessing the banking system. To overcome this obstacle, fraudulent merchants often obtain indirect access to the banking system through a third-party payment processor that can more easily establish a relationship with a bank.
The Department of Justice alleges that First Bank of Delaware established direct relationships with several fraudulent merchants and third-party payment processors working in cahoots with a large number of additional fraudulent merchants. On behalf of the processors and fraudulent merchants, First Bank of Delaware originated hundreds of thousands of debit transactions against consumers’ bank accounts. The payment processors named in the Complaint include Automated Electronic Checking, Inc., Check Site, Inc., Check 21.com, LLC, and Landmark Clearing, Inc.
First Bank of Delaware originated many of the debit transactions using “remotely-created checks” – a transaction instrument widely-known in the banking industry and by the consumer protection and law enforcement community to be favored by fraudulent merchants. At the time of the conduct alleged, First Bank of Delaware and the rest of the banking industry were well-aware of the consumer fraud risks posed by third-party processors and remotely-created checks.
This type of fraud may also explain why many banks have restrictive limits on their ACH transfer service. Several internet banks limit how much money can be transferred using their ACH system. For example, Incredible Bank only "allows a maximum of $10,000 ACH transferred out per day and a maximum of $50,000 ACH in per day." As I explained in this 2009 blog post, a bank that initiates an ACH credit to another bank cannot have that ACH credit recalled. On the other hand, if another bank initiates an ACH debit, the rules allow the bank that received the ACH debit to reverse the transaction.
The issue of reversing ACH transactions is important to note for two reasons. First, if you spot a fraudulent ACH debit from your account, your bank should be able to reverse the debit based on the rules I mentioned above. Second, these types of ACH reversals appear to have been one of the indicators that First Bank failed to monitor. A PDF document from the Financial Crimes Enforcement Network (that was linked to by the FDIC press release) describes this:
First Bank's Remotely Created Check ("RCC") service was created as a major component of its E-Payments business line. First Bank served as the depository institution for five RCC third-party payment processors. From the earliest activity in the RCC service, potential BSA/AML compliance risks were evident, including much higher transaction rates than originally anticipated as the program experienced rapid growth, as well as high rates of unauthorized returns. Merchants utilizing the RCC service were responsible for total return rates of over 60% which vastly exceeded any reasonably expected rate for such activity.
Everyone who banks online knows how easy it is to move money with ACH transfers. It appears it's this money transfer system that scammers were able to abuse. As the Justice Department describes, the scammers "need payment processors and banks to help them obtain the victim consumers’ money."
I've seen some readers who have described cases in which banks have closed their accounts with no apparent reasons and with no explanation. Some of these account closures may have been due to suspected fraud. As in this case with First Bank of Delaware shows, banks are required to monitor accounts for any suspicious activity. I wouldn't be surprised if there are some false positives.