In a November report to Congress on business email compromise (BEC) and real estate wire fraud (REWF), the FBI announced enhanced efforts to put the brakes on what has become one of the most financially damaging crimes in the United States.
According to the FBI report, BEC has been the largest dollar loss by victim crime typology reported to IC3 in the past several years, with over $2.4 billion of losses in 2021.
“For comparison, the second highest dollar loss category reported to IC3 was investment fraud, with losses of approximately $1.45 billion,” the FBI reported. “In other words, dollar losses associated with BEC were over 65% more than dollar losses associated with investment fraud.”
The FBI noted in its report that criminals have been refining their exploitation of technology, especially the internet, to carry out financial crimes, logging substantial increases in internet-enabled financial frauds such as bank account takeovers, synthetic identity related frauds, money laundering through virtual currency, and BEC.
“The FBI has pivoted its approach to address this issue through gathering intelligence, utilizing advanced investigative techniques in conjunction with traditional financial crimes investigative techniques, using proactive public and private partnerships, and education and awareness campaigns,” the agency noted in the report.
Real estate wire fraud in the crosshairs
REWF is a sub-category of BEC, in which criminal actors target individuals or companies executing large wires related to real estate transactions. As our agents are aware, the criminals pose as parties to the transaction and directly communicate with the other parties to steal funds intended to pay for the real estate.
According to IC3 complaint data, victims participating at all levels of a real estate transaction have reported such activity, including title companies, law firms, real estate agents, buyers, and sellers. The FBI has specifically focused on addressing REWF due to its prevalence in the U. S. and the effect it can have on the individual victims of the REWF schemes, who may be home buyers wiring their life savings.
In its report to Congress, the FBI updated its preventative measures to include the following recommendations:
Use secondary channels or two-factor authentication to verify requests for changes in account information.
Ensure the URL in emails is associated with the business/individual it claims to be from.
Be alert to hyperlinks that may contain misspellings of the actual domain name.
Refrain from supplying login credentials or PII of any sort via email.
Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
First published in 2017 and fully updated by Alliant National’s Compliance, Risk and Education teams, the paper provides information, tips and suggestions to help you better understand the current threat environment and create a comprehensive plan that addresses the realities we face in our industry.
Filling in the Gaps
The FBI has had considerable success in reclaiming lost funds through the IC3’s Recovery Asset Team (RAT) program, since its inception in 2018.
The RAT is designed to assist FBI field offices with the rapid recovery of funds for victims who made transfers to domestic accounts. In 2021, the RAT reported just over 1,700 incidents, with losses approaching $445 million. According to the FBI, the RAT was able to recover more than $328 million of the $445 million.
But there is more work to be done and the FBI has identified vulnerabilities which, if addressed, would bolster the ability of U.S. law enforcement to effectively address a wide range of threats, including BEC.
The first is getting access to beneficial ownership information to track funds that end up in accounts controlled by shell companies.
“The Corporate Transparency Act (CTA) provides for the creation of a national, non-public database of underlying beneficial ownership information for U.S.-registered businesses that meet specific criteria,” the FBI noted. “The data collected will be made available to U.S. law enforcement, subject to certain guardrails, offering a critical resource for identifying participants in a BEC scheme.”
On Sept. 29, the Financial Crimes Enforcement Network (FinCEN) issued the first of three rulemakings to implement the CTA, governing who must report and what information they must report to FinCEN. The final rule will take effect on January 1, 2024.
The effectiveness of this reporting requirement is as yet unknown, and there is some concern that the CTA exempts from its reporting requirements various types of entities, including trusts, which may affect efforts to identify the beneficial owners of trusts or other entities engaged in REWF.
The FBI is also recommending that UCC 4A-207 be redrafted to require banks to properly identify the name and number of the beneficiary and to determine they are in fact the same individual or entity. Currently, a bank may simply rely on the number as the identifier, without requiring a check to see if it is actually connected to the named beneficiary.
Cyber security #1 priority in 2023
As the threat from cyber criminals continues to escalate, it is imperative that our agents review their procedures for protecting client funds.
You can begin today to assess your systems and educate your staff to make sure every possible precaution has been put into place. We hope our Escrow Fraud/Social Engineering White Paper will be helpful in this work. Alliant National is committed to updating our agents to help you understand and respond to the current threat environment. Feel free to reach out to your agency representative, or any member of the Alliant National team if you have any concerns.
Forecasters Remain Cautious Given Inflation, Interest Rate Uncertainty
The real estate market has cooled over the past quarter, as buyers face mounting economic pressure from inflation, bloated housing prices, and escalating interest rates. But the question in most forecasters’ minds is what will happen in 2023 with inflation and interest rate projections in – as yet – unknowable territory.
Although experts are all over the map when it comes to predicting interest rates – projections for 2023 are currently ranging from 5% to 9% – everyone agrees that it largely depends on the Consumer Price Index and the Federal Reserve’s interest rate decisions that result from that data.
Economic predictions are often based on “the way it happened in the past,” but economic fundamentals are rarely exactly the same mix as in the past. Such is the case today, where economic fundamentals are largely stable and housing inventory remains tight – a promising recipe for a decent, albeit softer, purchase market in 2023.
Rodney Anderson, Executive Vice President, National Agency Manager with Alliant National, noted on a recent October Research webinar that while we are currently experiencing a slowdown in the market, it’s difficult to say what portion of that is seasonal and how much is interest rate-related.
“We’ve had a sellers’ market for a long time, and now, we are returning to equilibrium,” he said. “But if you look at the number of houses on the market, we are still in a sellers’ market, with a lot of regions experiencing only a 3-months’ supply, so there is continued support for prices to remain fairly stable.”
Although there remain a lot of unknowns, many economic forecasters retain a sense of cautious optimism based on what we do know, while lenders and real estate professionals are facing the reality of lower sales and originations in 2023.
Key Factors: CPI and FOMC
The Federal Reserve’s battle against inflation remains one of the key factors in the overall economic outlook for next year, as well as the outlook for the real estate markets, since with each incremental rise in the interest rates, a new segment of buyers will be priced out of the market.
The Federal Reserve has maintained a hard line with regard to inflation, and Federal Reserve Chairman Jerome Powell did not soften his tone during his Dec. 14 presentation following the December meeting of the FOMC, where he announced the Fed would be raising the interest rate another half percent.
“Price stability is the responsibility of the Federal Reserve and serves as the bedrock of our economy,” Powell said at the outset of his speech. “Without price stability, the economy does not work for anyone and without price stability we will not achieve a sustained period of strong labor market conditions that benefit all.”
In addition, Powell said he anticipated that “ongoing increases would be appropriate in order to attain a stance of market stability that is sufficiently restrictive to return inflation to 2% over time.”
One positive indicator in December was the Consumer Price Index, which showed inflation had slowed to 7.1%. While that stat was encouraging, Powell said it was not enough to deter further interest rate hikes.
“It will take substantially more evidence to provide confidence that inflation is on a sustained downward path,” he said.
With the target federal funds rate range now at 4.25-4.5% and Powell suggesting further hikes, it is now anticipated that the federal funds rate could rise to 5.5% in 2023, adding some further deterioration to the pool of potential buyers.
Federal Reserve reports stable economic activity
The Federal Reserve’s Nov. 30 release reported economic activity was flat or up slightly across most of the districts, a sign that the economy continues to hold its own despite the known headwinds of inflation, high interest rates and global issues.
Reports across sectors were uneven. Not surprisingly, lending, home sales, apartment leasing and construction all exhibited slowing trends while improving inventory in the auto industry has resulted in an increase in sales in some districts. In addition, spending was up in travel and tourism, and as well as in restaurants and hospitality. Manufacturing was also up slightly on average.
Employment numbers remain steady
Total nonfarm payroll employment increased by 263,000 in November, and the unemployment rate was unchanged at 3.7%, according to the Dec. 2 release from the U.S. Bureau of Labor Statistics. Notable job gains occurred in leisure and hospitality, health care, and government. Employment declined in retail trade and in transportation and warehousing.
Consumer confidence concerns were largely allayed by record Black Friday and Cyber Monday spending. Although inflation has taken its toll on consumers, low unemployment has kept spending steady across many sectors, including mortgage and rent payments, a factor that is keeping foreclosures contained.
Employment is also a major factor in keeping foreclosures down, and while labor demand is weakening, according to the Federal Reserve, businesses are expressing a reluctance to lay off due to hiring difficulties. Most importantly, most districts reported a fairly positive outlook, pointing to stable or slowing employment growth and at least modest further wage growth moving forward.
Real estate and lending projections
While the economy overall appears to be stable, the real estate market continues to decelerate.
According to the National Association Realtors (NAR) Nov. 30 report, pending home sales slid for the fifth consecutive month in October, falling 4.6%. Three of four U.S. regions recorded month-over-month decreases, and all four regions recorded year-over-year declines in transactions.
While there are always seasonal declines in the fall, the year-over-year number was more dramatic, with pending transactions down 37%.
“October was a difficult month for home buyers as they faced 20-year-high mortgage rates,” said NAR Chief Economist Lawrence Yun. “The West region, in particular, suffered from the combination of high interest rates and expensive home prices. Only the Midwest squeaked out a gain.”
On the upside, Yun was hopeful that the upcoming months will see buyers returning to the market if mortgage rates moderate, as they have in the past few weeks.
Taking a hard look at the numbers, Freddie Mac, in its most recent analysis, noted that home sales have fallen to a forecasted 5.4 million units at a seasonally adjusted annual rate in the third quarter of 2022 from 7 million earlier this year. The GSE forecasts that home sales activity will bottom at around 5 million units at the end of 2023.
“We expect house prices to decline modestly, but the downside risks are elevated,” Freddie Mac noted. “As the labor market cools off, housing demand will remain weak in 2023, potentially resulting in declines in prices next year. However, home price forecast uncertainty is wide due to interest rate volatility and the potential of a recession on the horizon.”
Freddie Mac predictions include:
Overall originations are expected to hit $2.6 trillion in 2022 and slow to $1.9 trillion in 2023
Mortgage originations will end the year at $1.9 trillion and slow to $1.6 trillion
Refinance originations slowed to $747 billion and will deteriorate to $310 billion in 2023
The Wild Card: Consumer confidence
Data can certainly tell us a lot, but at the end of the day, consumer experience and assessments can impact the long-range reality, and consumer confidence is decreasing, according to the Conference Board Consumer Confidence Index.
While not dramatic, the index backtracked to 100.2 from 102.2 in October. In addition, consumers assessment of the current conditions decreased to 137.4 from 138.7 last month, and consumers’ short-term outlook declined to 75.4 from 77.9.
Consumer confidence can keep the economy and the real estate market moving forward, while hubris can take us into unsustainable territory, as we learned in 2008. A little reality check may not be a bad thing as we all continue to keep tabs on the data and plan for a softer market in 2023.
The cost of fraud to title and settlement services companies far exceeds the actual face value of a fraud incident, according to the 2022 LexisNexis True Cost of Fraud Study released recently.
The 57-page report provides information on current fraud trends in the mortgage, title and settlement industries and details some of struggles companies face in addressing fraud detection, prevention and customer experience.
In terms of the cost of fraud, research indicates that for every $1 lost in an actual fraud incident, the cost to a title company is $4.19 or four times that of the face amount of the loss. The number rises to $5.34 for originators.
According to the research, the additional cost is related to the labor required for fraud detection, plus the expense of investigation, reporting and recovery following an incident.
For title companies, the biggest cost is labor, with the actual breakout of related costs as follows:
35% attributed to labor costs
21% for detection, investigation and recovery
18% related to fines and legal fees
13% covering fees during application and processing
13% accounting for the face amount of the actual fraud
The actual cost is extraordinary, given that title companies reported a staggering 77% increase in fraud over the past three years. The growth in fraud is attributed in part to COVID, as a substantial portion of both mortgage and settlement services transactions moved to online and mobile-only transactions.
According to the LexisNexis report, although fraud originates largely in online and mobile-only transactions, it often the moves to the call center or phone-based point of interaction, which further adds to the risk, with the growth of remote workers handling these transactions.
For title companies working in the online and mobile transaction world, identity verification is the number one challenge.
“The challenge involves assessing digital identity attributes such as email and phone number,” the report states. “That is contributing to challenges with identifying malicious bots and the ability to determine the source of the transaction. Synthetic identities are a key driver of identity verification challenges, particularly among organizations that do not use fraud solutions that assess digital identities and behaviors.”
LexisNexis noted that the mobile channel especially is contributing to the high volumes in recent years.
“This channel brings device-related risks that are unique from online browser transactions (SIM card swapping, malware, SMS phishing). This allows fraudsters to gain entry through anonymous remote transactions at the very start of the mortgage process.”
Title companies walk a bit of a tightrope, determined to invest in strong fraud prevention, while striving to create a positive customer experience. Customers reportedly get frustrated with the passwords, qualifying questions and multiple identifiers it takes to get through the transaction and have been known to give up and drop out of online and mobile device-related processes out of frustration.
Balancing these two necessities of doing business has been challenging, but title companies that put forth the effort can dramatically reduce their exposure to fraud.
To help our agents assess their efforts, Alliant National released a white paper this year, titled Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tips. The white paper provides agents with useful information, risk factors to consider, and practical action steps that will help you partner with consumers, real estate agents and lenders to defend against the fraudsters.
In addition, the LexisNexis report identifies four recommendations agents should consider, including remaining vigilant to increased fraud, increasing the use of technology, creating multi-layered solutions, and integrating cybersecurity and digital customer experience with your fraud processes.
Here are a few highlights from their list of recommendations:
Accelerated movement to online/mobile transactions will continue to grow; therefore, title/settlement companies should continue to buildout and enhance the digital customer experience while protecting against fraud.
Best practice fraud detection and prevention includes a multi-layered solutions approach, and the integration of fraud prevention with cybersecurity operations and the digital customer experience.
Layering in supportive capabilities such as Social Media intelligence and AI/ML further strengthens fraud prevention.
While fraud prevention in the current environment is challenging, the report concludes that “firms which use a multi-layered solutions approach that is integrated with cybersecurity and digital customer experience operations can lower their cost and volume of successful fraud while improving identity verification and fraud detection effectiveness.”
Every wire fraud defense expert says the number one factor in recovering diverted funds is time. Every minute counts when fraud has been detected, and hesitations or delays can impede efforts to track down and restore lost funds.
That’s why a Wire Fraud Response Plan is imperative for every title agent.
Before you create your plan, or if you are undergoing a review of your current plan, we encourage you to download Alliant National’s recently updated Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tipswhite paper. This 23-page guide provides an in-depth review of the current schemes and offers a wealth of tools and resources for building a strong defense against fraudsters.
Here are some things to consider when creating your response plan.
Elements of a Wire Fraud Response Plan
The first step in preventing wire fraud is to maintain policies and procedures for verification of wire instructions for the protection of everyone involved in the real estate transaction.
But should the unthinkable happen, remember that the most successful response strategies are those established well in advance and communicated to staff members and your bank.
Like a well-trained sports team, every member of your team must know their role and be prepared to leap into action.
General protocols
Establish a close relationship with your bank representatives and continually dialogue regarding updated fraud threats.
Discuss wire retrieval scenarios and establish emergency contacts in the bank’s fraud department, whom you can call at a moment’s notice day or night.
Download and fill in the Wire Fraud Contacts form in our Escrow Fraud/Social Engineeringwhite paper and provide it to staff members charged with addressing suspected fraud.
Action steps
Notify management the moment suspicion arises that a wire may have been misdirected.
If funds have been transferred to the receiving bank and cannot be recalled, ask your bank (the sending bank) to formally request that the receiving bank freeze the funds.
Agents may also attempt to directly contact the receiving bank to ask that the funds be frozen.
Contact local police in your jurisdiction and the jurisdiction of the receiving bank.
Report the fraud immediately to your local FBI office.
File a complaint with the FBI’s Internet Crime Complaint Center (IC3).
Contact the underwriter involved in the transaction. Alliant National is available to help you evaluate the situation.
Contact your corporate attorney to let him or her know about the events taking place.
Depending on the nature of the fraud, contact the appropriate insurance provider (Cyber-Liability, Escrow Security Bond or Errors & Omissions).
Putting all of these resources in motion immediately can be extremely useful, as anyone of these professionals or organizations may have information that could assist you in recovering your funds.
IC3 may be one of your most important contacts. In 2018, IC3 established its Recovery Asset Team (RAT) to streamline communications with financial institutions and FBI field offices to assist freezing of funds for victims.
In 2021, RAT initiated the Financial Fraud Kill Chain (FFKC) on 1,726 Business Email Compromise (BEC) complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.
The efficiency of this organization’s work is largely dependent on the speed with which they are advised, so it’s critical that they be an important part of your Wire Fraud Response Plan.
Even the most vigilant companies may fall prey to fraud, but putting protocols in place can greatly reduce your exposure and give you a pathway to recovering lost funds.
As always, call your Alliant National underwriting team if you have any questions or concerns. We are here to help!
The Federal Trade Commission (FTC) updated a key data security rule, and the changes will place new compliance requirements on nonbank financial institutions including title, escrow and settlement agents. Among other things, the Safeguards Rule amendments finalized in October 2021 require covered institutions to beef up their information security programs (ISPs). The changes are a response to widespread data breaches and attacks that have caused significant consumer harm in recent years, the FTC said.
Before discussing the changes, it may be helpful to review the state and federal compliance framework of which the Safeguards Rule is an important element.
GLBA, state law and the Safeguards Rule
The 1999 Gramm-Leach-Bliley Act (GLBA), codified as amended at 15 U.S.C. Chapter 94: Privacy, establishes basic privacy standards for “financial institutions,” including title insurers, title agents, and settlement/escrow agents. Unique in their role as third-party vendors to lenders, real estate settlement service providers also have a separate obligation to comply with the GLBA on behalf of the obligations owed by their lenders.
As long as states afford consumers the same or greater protection as GLBA, they can enact their own privacy laws, and they have all done so to different degrees and standards. Asserting their own authority, many states have privacy laws that substantially mirror GLBA, while others have their own, distinctive laws; and still others simply point to GLBA and mandate compliance with it.
Typically, state privacy laws and the federal GLBA overlap in the following general categories of privacy protections:
Disclosure Protections consisting of a privacy notice, “Opt Out” or “Disclosure Authorization” notice, and limits on what types of disclosures of Nonpublic Personal Information (NPI) may be made by a nonaffiliated third party who receives the information from a “financial institution”;
Security Protections consisting of a written security program, including administrative, technical, and physical safeguards;
Security Breach Notification Requirements consisting of laws requiring a business to send out notice of any improper disclosure of NPI in its possession or control.
The FTC’s Safeguards Rule (16 CFR Part 314) is one of the federal regulations that implements the GLBA by requiring a written security program. The rule provides “elements” in 16 CFR 314.4 to develop, implement, and maintain the ISP, including risk assessment, management and control, oversight of service providers, evaluation and adjustment.
On Oct. 27, 2021, the FTC issued a news release announcing that the agency was updating the Safeguards Rule to provide better protection against breaches and cyberattacks; it includes a link to the publication of the final rule’s amendments in the Federal Register. The agency later posted a webpage to help businesses understand their compliance obligations under the rule.
There have been numerous newsletters and blog articles buzzing about the final rule’s new requirements. Davis Wright Tremain LLP has a particularly good blog that summarizes the key requirements of the final rule.
There is a lot to talk about, and while the amended final rule is much more prescriptive in its approach, it is also drafted to provide flexibility and clarity. In particular there are helpful suggestions and information about alternative security options for small businesses that may qualify for limited exemptions. It also makes it clear that the ISP is intended to protect information in both its digital and physical forms.
The final rule contains tons of commentary, including discussion regarding stakeholder input and the commission’s rationale behind its final decisions. Some noteworthy highlights, as abbreviated, are:
designating a single, qualified individual as responsible for overseeing, implementing, and enforcing the ISP;
base the ISP on a written risk assessment which includes specific criteria described in the amendment;
designing and implementing safeguards, including:
access controls;
system inventory (i.e. knowing where the data is kept, and how everything is connected);
encryption;
secure development practices for in-house developed applications, and security assessments for externally developed applications (reference applications involving customer information);
multi-factor authentication;
disposing of customer information which hasn’t been used for two years (unless required for a legitimate business purpose);
periodically reviewing record retention policies to minimize unnecessary retention of information;
change management procedures;
monitoring and logging user activity;
biannual vulnerability testing on information systems, and additional assessments when there is an elevated risk of new vulnerabilities (e.g. when there are material changes to operations or business arrangements, and those changes will have a material impact on the ISP);
implementing policies and procedures – which include training, updating, and verification requirements – and ensuring qualified personnel are available to enact the ISP;
overseeing service providers, requiring them by contract to implement and maintain appropriate safeguards;
evaluate and adjust the ISP due to circumstances which may have a material impact upon it;
establish a written incident response plan which addresses specific areas described in the amendment;
required regular reporting, in writing, by the qualified individual – at least annually – to the board of directors, or to a senior officer (when there is no board of directors) responsible for the ISP, concerning 1) the overall status of the ISP and its compliance with the final rule; and 2) material matters related to the ISP; and
exemptions for financial institutions which handle the information of fewer than 5,000 customers, from the requirements of (referring to sections of 16 CFR Part 314, as amended by the final rule):
314.4(b)(1) – a written risk assessment
314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
314.4(h) – a written incident response plan
314.4(i) – an annual report by the Qualified Individual
Effective dates
The FTC is phasing implementation of the final rule, with certain parts having already taken effect Jan. 10, 2022. Other rule provisions that had been scheduled to take effect Dec. 9, 2022, were delayed six months to June 9, 2023 as announced in the Federal Register’s Supplementary Information. Provisions taking effect June 9 included (referring to sections of 16 CFR Part 314, as amended by the final rule):
314.4(a) – appointment of a qualified individual
314.4(b)(1) – conducting a written risk assessment
314.4(c)(1)-(8) new elements of the ISP
314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
314.4(e) – training for personnel
314.4(f)(3) – periodic assessment of service providers
314.4(h) – a written incident response plan
314.4(i) – annual written reports from the qualified individual
This article is for informational purposes and does not contain or convey legal advice. Any opinions, or perceived opinions, are strictly those of the authors and should not be construed as legal advice or a legal opinion. Consultation with an attorney for specific advice based upon the reader’s situation is recommended.