Technology, Insurance And Fraud Prevention

SecureMyTransaction from Alliant National is reshaping fraud prevention in real estate. Listen in as Alliant National Risk Management and Data Privacy Officer Tom Weyant, and Jerome Magana with Select Specialty Insurance, discuss how cutting-edge technologies and business insurance coverages work together to help you safeguard transactions, protect clients, and preserve your business.

Tom Weyant,Vice President Risk Management & Data Privacy Officer for Alliant National

VP, Risk Management and Data Privacy Officer
CQA, CFE
American Society for Quality (ASQ®) Member
Association of Certified Fraud Examiners (ACFE®) Member
d: 303.682.9800 x530 | c: 720.534.6235
e: tweyant@alliantnational.com

Jerome Magana
c: 281.989.3426
e: Jerome@selectspecialtyinsurance.com
www.SSIS1.com

FBI agents on a football field working together as a team to fight cyber criminals.

BEC Fraud Nears $3B Mark In 2023 In Latest IC3 Report

Calling cybersecurity “the ultimate team sport,” the FBI’s Internet Crime Complaint Center (IC3) emphasized its ongoing commitment to working with local law enforcement and private industry to combat evolving cyber threats in the U.S. in its recent 2023 Internet Crime Report.

The report, released in March, highlighted investment fraud and business email compromise (BEC) fraud as the two most expensive fraud types in 2023, with investment fraud increasing from $3.31 billion in 2022 to $4.57 billion in 2023 — a 38% increase, and BEC logging 21,489 complaints amounting to $2.9 billion in reported losses.

“Today’s cyber landscape is threatened by a multitude of malicious actors who have the tools to conduct large-scale fraud schemes, hold our money and data for ransom, and endanger our national security,” the FBI noted in its executive summary. “The FBI continues to combat this evolving cyber threat. Our strategy focuses on building strong partnerships with the private sector; removing threats from U.S. networks; pulling back the cloak of anonymity many of these actors hide behind; and hitting cybercriminals where it hurts: their wallets, including their virtual wallets.”

IC3’s Recovery Asset Team (RAT), established in 2018 to facilitate the freezing of funds involved in cybercrime, was able to initiate the Financial Fraud Kill Chain (FFKC) on 3,008 incidents in 2023, with potential losses of $758.05 million. A monetary hold was placed on $538.39 million, representing a success rate of 71%.

In its report, the FBI emphasized the importance and value of victims reporting cyber incidents to IC3.

“Your reporting is critical for our efforts to pursue adversaries, share intelligence with our partners, and protect your fellow citizens,” the FBI noted. “Cybersecurity is the ultimate team sport, and we are in this fight together.”

For professionals involved in real estate transactions, RAT is a significant ally, as the organization has developed the deep insight and resources needed to identify, track and convict cyber criminals.

By creating a strong liaison between law enforcement and financial institutions, RAT is able to assist in the identification of potentially fraudulent accounts, stay at the forefront of emerging trends, and foster a symbiotic relationship where information is shared.

New concerns emerge

The IC3 report noted increasing concern for situations where fraudsters prompt victims to send wires directly to third-party payment processors. Funds are quickly dispersed in such cases, making it more difficult to recover the money.

The FBI is also seeing an increase in fraudsters using custodial accounts at financial institutions or cryptocurrency platforms, where the funds are quickly swallowed up.

“With these increased tactics of funds going directly to cryptocurrency platforms and third-party payment processors or through a custodial account held at a financial institution, it emphasizes the importance of leveraging two-factor or multi-factor authentication as an additional security layer,” the agency noted. “Procedures should be put in place to verify payments and purchase requests outside of email communication and can include direct phone calls but to a known verified number and not relying on information or phone numbers included in the email communication.”

Other best practices include:

  • Carefully examining the email address and URL
  • Reviewing the wording and spelling in the correspondence
  • Refraining from clicking on links requesting you update or verify account information
  • Refusing requests to supply login credentials or personal information via email
  • Training employees on the red flags of fraud
  • Providing staff with ongoing training on how to handle suspected fraud

Wire fraud guidance

As in past years, the FBI reminded real estate professionals involved in wiring funds to put in place strict verification measures should a wire change be requested during the course of a transaction.

In addition, the FBI emphasized the critical need for title agents who are victims of wire fraud to act quickly when the fraud is detected, advising they contact the originating financial institution to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity.

They also encouraged victims to file a detailed complaint with www.ic3.gov providing as much data as possible to broaden the organization’s ability to track cybercriminals.

Ransomware on the rise

Ransomware incidents were also on the rise in 2023, with 2,825 complaints reported and losses up 74% from $34.3 million to $59.6 million.

In its report, the FBI emphasized that it does not encourage paying the ransom since it will effectively embolden criminals to target more victims.

“Paying the ransom also does not guarantee that an entity’s files will be recovered,” the FBI reminded. “Regardless of whether you or your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to the IC3. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

Light Gray Divider Line

At Alliant National, we are committed to keeping you updated on the latest cybersecurity threats and providing you and your staff with information and tools to help protect your customers and your agency. SecureMyTransaction from Alliant National is an advanced fraud prevention solution built exclusively for independent title professionals. The system helps agents avoid risks posed by wire fraud, identity fraud and vacant property fraud by automating the information you need to move transactions forward with confidence. SecureMyTransaction leverages AI technology that covers and crosschecks:

  • Identification
  • ID instrument validation (US and 200 countries)
  • Bank account validation and ownership
  • Payoff and proceeds verification
  • OFAC searches (FinCEN included in the OFAC feed)
  • Alliant National Underwriting alerts

Learn more at www.securemytransaction.com or contact your agency representative to schedule a demo.

man peering over a desk with the words "who you gonna call?"

Data Breach Prep: Texas

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

TEXAS NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION  

Contact Information Pursuant to State Data Breach Notification Laws
Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151-152 (these are all sections of the Identity Theft Enforcement and Protection Act but note that Tex. Bus. & Com. Code § 521.053 is the statute pertaining to actual notification / reporting requirements).

When breach affects ≥ 250 residents, notify: * TX Attorney General whose informational webpage for data breach reporting is https://texasattorneygeneral.gov/consumer-protection/data-breach-reporting; from there, access online data breach reporting form at https://oag.my.site.com/datasecuritybreachreport/s/.  

When breach affects > 10,000 residents, notify: *Consumer Reporting Agencies (see contact information provided above)
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law. 

However, Commissioner’s Bulletin #B-0009-23 requires data breach reporting to the Texas Department of Insurance (TDI): *For all other regulated entities and individuals (besides domestic insurance companies and HMOs), send breach notices to CyberReporting@tdi.texas.gov.
dark photo of a disheveled man in a business suit standing next to washing machines that are laundering money

Beyond GTOs: FinCEN Proposes Expansion Of Industry Reporting Requirements

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) on Feb. 7 to expand its efforts on a permanent basis to combat and deter money laundering through the residential real estate sector.

According to the FinCEN announcement, the proposed rule would require professionals involved in real estate closings and settlements to report information to FinCEN about non-financed transfers of residential real estate to legal entities and trusts.

“Illicit actors are exploiting the U.S. residential real estate market to launder and hide the proceeds of serious crimes with anonymity, while law-abiding Americans bear the cost of inflated housing prices,” said FinCEN Director Andrea Gacki. “Today marks an important step toward not only curbing abuse of the U.S. residential real estate sector but safeguarding our economic and national security.”

Expansion of GTO efforts

Since 2016, FinCEN has issued multiple Geographic Targeting Orders (GTOs) requiring title insurance companies to file reports on all-cash purchases having specific dollar thresholds in designated geographic areas. These GTOs last for six months at a time. The most recent GTO was issued in October 2023 and expanded the list of affected venues.

According to FinCEN’s proposed rule, expanded reporting requirements would apply on a permanent basis across the entire country, without limit to specific geographic locations or a dollar threshold. The agency will accept comments on the new proposed rule for a 60-day period following its publication in the Federal Register, scheduled for Feb. 16. According to the American Land Title Association’s (ALTA) blog of Feb. 8, FinCEN has proposed that the final rule become effective one year after it is issued.

“We are still reviewing the proposed rule and will work to ensure that FinCEN considers the information they are collecting under the new Beneficial Ownership rule, among other things, so as not to be unnecessarily duplicative and also provide clarity regarding the obligations of all real estate parties under the rule,” said Diane Tomb, ALTA’s chief executive officer. “We also appreciate, and intend to continue, the ongoing dialogue with FinCEN to craft a tailored approach limiting the transactions that must be reported to those of the greatest concern and providing avenues to help reduce the compliance burden on title and settlement companies.”

Proposed reporting structure

The proposed rule would require reporting on transfers of single-family houses, townhouses, condominiums, and cooperatives, as well as buildings designed for occupancy by one to four families. Going a step beyond the GTOs, it would also require reporting on transfers of vacant or unimproved land that is zoned, or for which a permit has been issued, for occupancy by one to four families.  Furthermore, both purchasing entities and transferee trusts are reportable unless a specific exception is applicable.

ALTA’s Feb. 8 blog summarizes reportable information under the proposed rule to include (but is not limited to) the following:

  • Name, address and taxpayer identification number (TIN) for the transferee and transferor.
  • Beneficial owner information for the transferee and anyone signing the transfer documents. (names, date of birth, addresses and TINs for those individuals).
  • Name, DOB, address and TIN for all transferors on title or the beneficial owners if the seller is an entity.
  • Address and legal description of the property.
  • information about the payments made by or on behalf of the transferee.
  • Information about any hard money or other lender not subject to anti-money laundering rules. That participated in the deal.
  • Individuals representing the transferee entity or transferee trust.
  • The business filing the report.

For a more detailed summary of requirements and exceptions under the proposed rule, please see the  Fact Sheet published by FinCEN. At Alliant National, we are committed to keeping you updated on legislation and regulations that affect your business. Stay tuned for more, as the comment period progresses.

foreboding cyborg

AI Safety For Small Business

The rapid rise of AI in business sometimes evokes memories of the 1984 sci-fi classic The Terminator, and particularly its description of a technology that “can’t be reasoned with,” “can’t be bargained with,” and which “will not stop, ever” until it completes its mission.

We’re obviously a long way off from cyborgs, but all signs indicate that AI’s march forward will inevitably disrupt the way people work in our industry. This disruption will come − ready or not. Fostering a culture of adaptability will be important as we position our teams to capitalize on tomorrow’s opportunities. The good news is that, with appropriate safeguards in place, people can work in parallel with AI to radically increase productivity. Let’s discuss some steps you can take to keep people, processes and data safe as you consider AI use in your business.  

AI: Amazing promise with potential pitfalls

You have likely already dipped your toe into applications like Chat GPT and Google Bard, and you’ve probably been amazed by the results. Leveraging sophisticated language models, these applications have an uncanny ability to understand user input and to generate responses that mimic human communication. End users have put these tools to work generating content, conducting research, designing graphics and even producing full application and website code.  

The ChatGPTs of the world are undoubtedly marvels of engineering, but using these programs without restraint may imperil sensitive consumer and company data. Moreover, AI models are not an exact science, with research pointing to how outputs are often marred by programmer bias and inaccurate information. Finally, relying on AI-generated code without additional review can cause problems with your website or other digital real estate. Safe to say, it is wise to proceed with caution.             

Cover your bases

So how then can you unleash AI’s power while maintaining your security posture? I wish I could say there was a silver bullet, but in reality, it requires a multi-prong security approach. Here are some areas to consider when developing a plan your business:

  • Information classification and hierarchy: A great place for title agencies to begin is to build a classification hierarchy for the data held within your corporate ecosystem. Apart from our consideration of AI, a classification system like can be deeply important for risk management and creating customized data controls. Once you have this in place, it is much easier to instruct your team regarding the types of data that can be used within an AI system and what must be kept sequestered.
  • End user education: Unless you have extensive experience with language models, it can be difficult to understand how AI applications work and how to use them safely. Seeking out resources and training can be an important step toward making the most of specific AI tools while still adhering to corporate policies and procedures.
  • Incident response: This is a standard part of your typical cybersecurity plan. Designed to encompass all actions your organization will take in the event of data breach or other security problem, it is advisable to expand your incident response plan to also include AI. That way, you will be able to execute efficiently in the event of an issue and mitigate potential negative impacts.

  • Compliance and regulations: Given the rapid rise of AI, it’s not surprising that lawmakers and regulators have lagged in their attempts to address the potential negative consequences of these new technologies. But you can bet regulation is coming.Considering the large volume of personal data title professionals deal with every day, it is enormously important to stay apprised of regulatory developments so you can respond appropriately and remain compliant.

AI will be back, but we can be ready

Easily one of the most memorable quotes from The Terminator comes when Arnold Schwarzenegger remarks in a complete deadpan, “I’ll be back.” This iconic line also describes where we currently are with the AI revolution. When ChatGPT was released on November 30, 2022, it was lauded as a revolution in the modern workforce. While some of that early hoopla has now died down, there is no doubt that the AI will come roaring back as it continues to integrate into our workflows. The only real question is whether we will be ready to deploy future iterations of this technology to maximize efficiency without sacrificing safety. By updating your security plan now, you will be better positioned to embrace AI advancements, ensuring a balance between technological progress and cybersecurity.

Let's Connect

Discover more stories and conversations on our social media networks,
or drop us a line on our contact page.


The Independent Underwriter for
the Independent AgentSM