19 minute read
Security Risk: Fraudulent Closing Transfer Instructions Stealing Mortgage Pay-Offs
SECURITY RISK:
Fraudulent Closing Transfer Instructions Stealing Mortgage Pay-Offs
By Ted Claypoole & Dominic Panakal, Womble Bond Dickinson
The past decade has seen the growth of an especially painful and pernicious type of fraud. Criminals have been inserting themselves into the middle of real estate closings, sending believable money transfer instructions to the buyer’s bank or the escrow agent, and absconding with the money. This money was supposed to pay off the remainder of the seller’s mortgage, and has the potential to affect any mortgage banker.
Court cases in this space describe a third party pretending to be a known and trusted vendor and instructing purchase payments sent to a supposedly new account, and the payer bank following that instruction without verifying the account change.1
This article will define and explain this problem, legal underpinnings of claims against the criminals, and how companies are guarding against this type of disaster. We also discuss what mortgage bankers should do to minimize their risks of taking the loss for such thefts at the end of the day.
HOW COULD THIS HAPPEN AND HOW CAN WE STOP IT?
Consumers, real estate agents, and closing lawyers are vulnerable to these attacks through automated phone calls and phishing text messages. Sophisticated versions of these attacks will trick the recipient into clicking a link or installing or downloading an infected attachment. Bad guys gather information that will make their fraudulent instructions look like they genuinely arise from the appropriate parties, such
as the lawyer handling the closing or the agent representing the buyer. Fraudulent email or other official-seeming correspondence contain wire transfer payment instructions usually regarding the down payment or closing costs.
With the money gone, all the parties scramble to avoid being left holding the bag for the error, and forced to pay for their mistakes by paying the home buyers back their missing money. The bank paying the money or the lawyer/agent who was impersonated by the fraudsters are the most likely patsies in the chain, as they dealt most closely with the wrongdoer and had the greatest opportunity to catch the fraud before money was lost.
For buyers’ bankers, a confirming phone call to the right party, not using the number on the fraudulent request, but looking up that number directly, is the best move to minimize risk for all parties and to avoid liability for the loss. At this stage, ANY change of payment data or suspicious looking payment request should be questioned with a follow-up call before payments are made. Adding this one step to the mortgage payment process can save immeasurable heartbreak and entirely measurable money losses.
WHAT LAWS ARE VIOLATED?
In 2018, cyber-crime victims across the United States lost an estimated $1.2 billion. In the last quarter of 2018, the companies most targeted received approximately 120 fraudulent emails. In fiscal year 2017, $969 million was either diverted or attempted to be diverted from real estate purchase transactions to fraudulent accounts.2
This criminal conduct falls squarely into the wire fraud statute, but the accounts receiving the payments usually belong to criminals overseas, and out of the reach of U.S. law enforcement according to Rahul Gupta.3 Federal law “prohibits, during and in relation to felony violations of certain laws (including, but not limited to, embezzlement or misapplication of bank funds; fraud or false statements; mail, bank, and wire fraud), the knowing use, transfer or possession, without lawful authority, of a means of identification, such as an individual’s social security number or date of birth, of another person with the intent to commit a crime.”4 This statute has been used in the past to prosecute fraudulent real estate transaction schemes, upholding wire fraud conviction for transferring $22,000 via wire with the intent to defraud their creditor.5
Why do they target real estate transactions?
The Gentleman Thief, Willy Sutton, claimed that he robbed backs because “that’s where the money is.” Think how much money can be skimmed by stealing the final payouts of residential house sales, at least hundreds of thousands of dollars each time. And if you convince the buyer’s bank to transfer to a safe account overseas, or you can quickly move the money to one remotely, then the risks are minimal.
Home sales involve significant amount of money that can be easily diverted. The median price of homes that have sold now exceeds $220,000.6 The market value of the commercial and industrial real estate in the United States is approximately $2.655 trillion, according to the Real Estate Investor's Deskbook § 1:5 (3d ed.). Because there are multiple parties in every real estate transaction with no definite party to always provide payment information, that data may come to the payor bank from the closing lawyer, the alleged receiving bank or mortgage company, any real estate agent in the transaction, or from the buyers themselves; fraudsters can rely on the confusing array of options to fool a payor bank. Much of the information a bad actor needs to impersonate the parties and launch this fraud can be found online.
The issue of wire fraud in real estate is metastasizing. The FBI reported that from 2015 to 2017, there was over an 1,100 percent rise in the number of crimes using business e-mails in the real estate transaction context and an almost 2,200 percent rise in the reported monetary loss.
The FBI also reported nearly $150 million in real estate fraud losses in 2018. According to the FTC, consumers reported losing $1.48 billion to fraud in 2018, which marks an increase of 38 percent over 2017. The FTC defines wire fraud is any event where an individual is tricked into sending money via wire transfer to a fraudster.
As participants in real estate transactions, lawyers and real estate brokers are vulnerable to information theft leading to impersonation. According to the Ponemon Institute’s report, 2017 State of Cybersecurity in Small and Medium Sized Businesses, 61 percent of small businesses experienced a cyberattack in 2017, up from 55 percent in 2016. That same research indicated that 43 percent of malware victims are small businesses. During the course of a recent real estate transaction, an associate of a large North American law firm wired $2.5 million of a client's money to a Hong Kong bank account.7 Cybercriminals had set up the account and induced the associate to send the funds by pretending to be employees of a legitimate mortgage company. WHAT ABOUT INSURANCE?
Victims of this type of crime may expect their insurance to assist in compensating for the stolen payment. However, the insurance industry has made adjustments as a result of the prevalence of this crime. Direct mail or email fraud is generally not covered under cyber insurance policies, even though the crucial information to impersonate a legitimate party may have been secured through hacking or phishing. A payor bank’s errors and omissions policies may cover this, although more insurance companies are requiring a set of procedures to confirm payment destinations before money is sent. If your bank does not have the right procedures, it may not be insured for the loss.
Insurance companies have reacted to this wave of crime by adjusting coverage types and caps to minimize their exposure. Bankers, buyers, brokers, and lawyers should carefully review their insurance policies to find coverage, risk allocation, and coverage limitations. WHAT IS BEING DONE ABOUT IT?
State and local governments are beginning to raise awareness of the issue of wire fraud in the real estate industry. The Utah Division of Real Estate, for example, launched a campaign to call attention to email scams that “target property transactions to force people into wiring down payments and other high dollar real estate proceeds to con artists’ accounts.” According to its website, the Colorado Division of Real Estate at the Department of Regulatory Agencies also warned Colorado consumers to “beware of a national cyber-scam currently taking place that steals money directly from home buyers and sellers.”
In July 2019, American Land Title Association, Community Mortgage Lenders of America, American Escrow Association, Real Estate Services Providers Counsel, created a group called a Coalition to Stop Real Estate Wire Fraud. The group has a stated goal of educating consumers and real estate professionals about the risks of wire fraud.
However, much of the risk of these crimes can be reduced or eliminated by a few extra incidences of careful communication between the payor bank and either its client or the client’s representative in the transaction. The bad guys profit from the complexities of the payment instruction process and lazy assumptions made by all parties. Minimizing your risks of this fraud may be as easy as a phone call. MBM
END NOTES
1 Am. Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., No. 16-12108, 2017 WL 3263356 (E.D. Mich.), appeal docketed, No. 17-2014 (6th Cir. Aug. 29, 2017) 2 TXCLE-ARED 5.I, 2018 WL 3447285. In 2016, $19 million in wire transfer frauds affected home buyers. Id. 3 Business Email Compromise (BEC): The Cyber Crime Threat Turning Dreams into Nightmares, Orange County Law., August 2019 4 18 U.S.C. § 1028A 5 United States v. Van Doren, 800 F.3d 998 (8th Cir. 2015) 6 50 No. 4 Mortgage & Real Estate Executives Report NL 2 7 30 No. 6 Tex. Emp. L. Letter 6
Moving Beyond Quality Control
QMS delivers on all of your mortgage QC and audit technology needs.
An industry standard, Quality Mortgage Services (QMS), continues to evolve as you do. Offering a robust line of quality control and audit services, delivered through the innovative MARS, Mortgage Analyst Review Software, QMS provides solutions that are designed to meet your individual needs, as well as those of the industry. QMS prides itself on being a genuine partner, with a demonstrated track record of commitment to providing an exemplary customer experience, in addition to proven workfl ow, process automation, analytical tools, reporting, and audits for QC.
QMS is THE MORTGAGE QUALITY CONTROL AND AUDIT TECHNOLOGY SOLUTIONS COMPANY, extending professional results and fl exible solutions to assist you and your team in navigating mortgage compliance. Whether you’re looking for a partner in QC, or considering outsourced processes, we are here to help.
QMS covers the full cycle of QC.
• QUALITY CONTROL AGENCY AUDITS • POST-CLOSING • PRE-FUNDING • MERS® • OTHER UNIQUE AUDITS • QC VERIFY REVERIFICATION SERVICES • REVERIFICATION BUNDLING SERVICES AND FULL FOLLOW UP • QC SOFTWARE TECHNOLOGY • INTUITIVE WEB-BASED AUDIT TECHNOLOGY SOLUTIONS
Contact us today to learn more. 615-591-2528 ext. 124 or info@qcmortgage.com
IS IT TIME TO RE-EVALUATE YOUR CMS?
BY FELECIA BOWERS, HOMEOWNERS FINANCIAL GROUP
Thirty-five years ago, I was the compliance officer (CO) for a midsized bank. At that time, COs were relegated to the deep recessed corridors of the company, had the furniture that wasn’t pretty enough for the bank lobby, and when the examiners showed up, were taken into the light so the Board could say “See, we have a CO.” I was actually housed in a basement for a while with dust bunnies the size of a small horse. The first industry melt-down occurred in the late ’80s liberating COs to a cubicle. This was followed by the next industry hiccup in the early ’90s followed by the mid-2000s. These hiccups built up and continue to reinforce to executive management that a strong and well-documented compliance management system (CMS) is something everyone needs to have in place.
Sometimes even the most seasoned compliance professional needs to, or should, take a step back and re-evaluate their institution’s CMS. When was the last time you completely re-evaluated your CMS? Have operations or sales made changes within their programs, which may include using a new vendor with whom you share customer information? Are LOs getting the Taxpayer First Act disclosure signed at the pre-qual process? A CMS program is more than answering a few questions: CMS documented in paper —check; training program—check; complaint monitoring—check; or, policies and procedures—check. Those issues are important to have in place, but what about the bigger picture? Do you have monitoring and testing in place based on an assessment of risk? Where in the heck would this be document?
When I accepted the job at my current employer, the first thing I did was start interviewing
the managers and various department personnel. This process took weeks but was well worth the effort. From the interviewee’s perspective, my questions were invasive and annoying. They don’t call me “Flea” for nothing! Talking to personnel allowed me to ascertain what they did and didn’t know about the routine they followed with each loan. Routines are good but they tend to become, well, routine. The individual loses interest in compliance flags or warnings and starts to ignore them completely. Nothing substitutes a good training program and that interview process opened my eyes to additional training opportunities.
This groundwork allowed me to develop an outline of the flow of a loan throughout the manufacturing process. Of utmost importance was identifying the automated controls that were in place vs. those that are a flag (reminder) vs. processes that rely heavily on training. I also discovered the multiple ways people had invented to arrive at the same goal: A closed loan. I then created a diagram of the flow of the loan.
The result looked something like this:
Application Process Map
In-house application, all 6 items received
Application date auto populates in E360 – going to lock down the ability to back date.
Application
Customer
If customer email received & Esign consent obtained If online application, Esign consent question built in. If not online application, E-consent alert when borrower name and email address is entered on the application. LMP must send econsent disclosure to customer.
MLO
Processing
Disclosures requested or Re-disclosures
• TILA • RESPA • ECOA • FACTA • Privacy/GLBA • HMDA • State • Esign • Fair Lending Initial disclosures alert sent. Initial disclosures due in 3 day period. Alert stays present if not physically sent to customer. 48 hour queue in Encompass if MLO doesn’t order disclosures.
YES Disclosures sent electronically thru secure delivery method
NO Once e-consent is received, date auto populates in E360.
4 day mailbox rule will apply for delivery if we have e-consent and the disclosures are not opened. Disclosures sent via snail mail Customer opens disclosures
Customer does not open documents with consent – Mailbox rule applies Encompass automatically pre-sets dates regardless of delivery mechanism December 2017
Loan Estimate Expires Alert, if applicable.
Intent to proceed NO End/LMP to1 requests file cancellation
YES
Collect Appraisal funds
Mavent Run Hard stop – Data verify for required fields to be completed before milestone handoff to Processing.
Alert – If Mavent fail, caution trigger/runs on automated basis every time upon save of the loan file @ milestone completion.
Proceed to Disclosures & Processing Processing Milestone - LMP read only access to loan data.
This simple chart spoke volumes: The type of control, such as consumer focus, risk related, regulatory, etc. Is the control automated or manual? Remember that an automated control (aka hard stop) is not good enough and will never serve as a substitute to training and knowledge. Systems can and do have hiccups and it feels great to know the sharp eye of personnel can catch a hiccup in the system because of their training. As the recipient of several CFPB exams and many more state exams, I know examiners will tell you that hard stops are good, but they cannot replace old fashioned knowledge. Testing of any hard stop in the system. Can I cause the system to hiccup and forget a step? Trust me when I state that there is a creative person within your organization who can and will find a short-cut around a process. The frequency and the documentation going out. Are we missing disclosures? If the system issued a simple flag/reminder on a loan, the mapping process allowed me to ascertain whether this needed to be a hard stop to comply with or could remain as a flag. The frequency of the control. Did the CHARM booklet go out on every loan or is it issued only when the transaction was truly an ARM loan? I compared my diagram to policies and procedures for a match in processes and activities. SURPRISE, initially there was no match. I even looked backward in time and looked at the LOS’s recent updates to ensure any “fix” they implement was functioning correctly. Sometimes they are not vetted as thoroughly as they should be.
I went on to create one of these charts for all areas of the company: Pre-qualifications/prospects, application (all six items), disclosures, set-up and processing, underwriting, brokering a loan, the cancellation queue (withdrawn & declined loans), lock Desk, on-boarding and off-boarding, closing, and post-closing.
A functioning CMS mitigates risk. It allows your organization to develop a process to manage regulatory changes quickly and efficiently with the added benefit that you know where a new box needs to be placed in the flow chart. Another benefit of the one-on-one interviews? Getting to know your personnel and sending the message that you are genuinely concerned about their job and how they are doing it. Priceless.
The Cannabis Industry is a hot topic lately. No pun intended. And see how nicely I transitioned from something stressful as the CMS program to something calming (so I’ve heard)? The marijuana business is now legal in many states and still more states have medicinal marijuana laws on the books. Unfortunately, there still exists conflicts between state and federal laws placing the banking community and independent mortgage bankers in the precarious position of trying to provide financial services to participants, employees, and the business in general. The hybrid oils and by-products of the hemp industry post additional challenges in legitimately separating them from actual cannabis. This industry is garnering significant revenue and opportunities for employees if only they could buy homes from these gains. Unfortunately, the secondary market has not embraced this income source, which includes the actual self-employed borrower and employees. The exclusion can extend to the outlier businesses catering to the industry. Points to ponder if you are opening the door for lending to employees in this area should focus on: • Making sure your investor(s) will accept a borrower whose income is derived from this industry and making sure there are no loopholes that a loan originator, underwriter, or closer could miss rendering the loan un-saleable. There are only 2-3 investors that consider buying the loan and with very strict rules, for example, W2 employee who has filed tax returns. The FNMA will consider the loan only if the person isn’t the owner that grows/sells. They will discuss specific loans with them via their underwriting help line. • The BSA/AML aspect and requirements that still exist: A limited SAR. How are you going to
cover this in your BSA/AML program under the money laundering aspect since, by default of the industry not being legal under federal law, this could be construed as money launder? Which routes you back to the first bullet point: Will the investor reject the sale of the loan? Strict policies and procedures that identify and address how to handle the potential connections to this industry, such as a borrower whose sole source of income is from selling hydroponic equipment to cannabis growers, consultants, and attorneys that cater to the industry, etc. Are you going to require verification of the entities’ licenses to do business and learn the depth of the various cannabis licenses? The California Department of Business Oversight (CA DBO) has issued cannabis lending guidance for state-chartered financial institutions. Worth the read and how you can apply certain aspects to mortgage banking. Industry groups have seminars available that may be worthwhile to invest an hour of your time.
CURRENT EVENTS AND TRIGGERS
Does anyone remember discussing current events in your social studies or civics classes? Am I that old? I miss ‘Show and Tell’ too.
The best current event was the January article from the FTC stating that in a complaint filed by the DOJ, a loan broker had to pay a $120,000 fine. It seems the loan broker responded to negative social media reviews by revealing nonpublic information about the person making the complaint. His posts would reveal their delinquent credit down to the entity the to which the payments were late, credit scores, and enough information to allow identification of the consumer. Not only did his actions violate GLBA but they violated California’s strict privacy rules. Now is a good time to restate to loan staff the need to resist the urge to reply to any negative review with any comments other than those with the utmost in professionalism. The door is open for these clients to possibly sue on their own. Seriously, remind staff to simply reply “Federal and state privacy laws prohibit us from replying in a public venue. We would be happy to discuss with you in private.” Simple and non-confrontational.
In case you missed it, the new deadline to begin using the revised URLA is November 1, 2020. An interactive URLA form (Fillable PDF) was supposed to go live on the FNMA’s website in January 2020, but I have not confirmed that. Full functional testing is scheduled to start March 2020. June 1 through August 31, 2020 have been designated as a test phase with the GSE’s accepting the MISMO V3.4 loan application submission files on a limited basis. Starting September 1, 2020, all lenders may submit the MISMO loan application files to the GSEs’ AUS production environments and begin using the redesigned URLA. Be sure to visit the FNMA’s dedicated URLA page or the FHLMC’s dedicated page on this subject, and to read current developments about the new URLA form. Also, make sure you stay in close contact with your LOS provider relative to its implementation date meeting the new requirements. November 1, 2021 will be the sunset date for the old URLA.
Did you set a flag in February to make sure the Taxpayer Relief Act permission/disclosure was in place in January? If not, now is a good time to issue a reminder.
With some areas of the country deep in snow, now is a good time to poke loan originators to knock out their 2020 continuing education requirements while sitting around that toasty fire.
The CA DBO passed SB 1235 requiring commercial loan disclosures. It’s worthy of a peek at the requirements and an opportunity to provide the CA DBO with comments on the rule. Comments can be submitted to regulations@dbo. ca.gov.
CFPB re-issued the Loan Originator Rules Compliance Guidance (November 2019 update).
MBM
