Regulatory Risk Perspectives
- FinCEN Alert about Deepfake Media Fraud Schemes
In November 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an Alert[1] regarding fraud schemes that use deepfake media created with generative artificial intelligence (GenAI) tools. The alert is very useful for Financial Institutions (“FIs”) as it includes typologies associated with these schemes and provides red flag indicators to the FIs so that they can better identify possible suspicious activities and ensure timely reporting. Possible red flag indicators include:
- Customer’s photo being inconsistent with identifying information (e.g. age).
- Multiple identity documents provided by the customer appear to be inconsistent with each other.
- Customer uses a third-party webcam plugin during a live verification check.
- Customer attempts to change communication methods during a live verification check.
- Customer declines to use multifactor authentication to verify their identity.
- A reverse-image or open-source search matches an online image of GenAI-produced faces.
- Customer’s photo or video is flagged by deepfake detection software.
- Customer’s geographic or device data is inconsistent with the customer’s identity documents.
FinCEN’s alert is based on its analysis of BSA data which indicates that criminals have increasingly used GenAI to create falsified documents, photographs, and videos to circumvent financial institutions’ customer identification programs.
As noted by FinCEN, criminals may also target FIs’ customers and employees through sophisticated, GenAI-enabled social engineering attempts in support of other scams and fraud typologies, such as business email compromise (BEC) schemes, spear phishing attacks, elder financial exploitation, romance scams, and virtual currency investment scams.
Given the rapid rise in the use of GenAI and other similar tools, ongoing evaluation of controls and processes designed to identify and avert such fraudulent activity is becoming quite challenging, and FIs have to be more cautious than ever before.
Enforcement Actions Updates
Several Enforcement Actions were issued during the last quarter of 2024 which, despite being institution-specific, provide insights into possible gaps and the severity with which they are viewed by the regulators. Some of the Enforcement Actions were:
Southeast Bank, Farragut, Tennessee – FDIC issued a Consent Order[2] related to the AML/CFT Program. Areas cited included the BSA Officer and Staffing, Training, Risk Assessment, Customer Due Diligence (“CDD”), Suspicious Activity Monitoring and Reporting, and Independent Testing.
Bank of Frankewing, Tennessee – FDIC issued a Consent Order[3] related to Loan Concentrations, Watchlists, Loan Risk Ratings, Allowance for Credit Losses (“ACL”) and the Loan Review Program.
Bank of America, N.A. – OCC issued a Consent Order[4] regarding deficiencies in the BSA Program concerning BSA Officer and Staffing, Suspicious Activity Reporting, Case Investigations, CDD, Risk Assessments, Independent Testing, Training and Sanctions Compliance. Various enhancements were mandated including enhanced Board and Management Oversight, Independent Transaction Monitoring Systems evaluation, Transaction Monitoring and Negotiable Instruments Lookbacks, validation and negotiable instrument look backs and corrective actions for related SAR filings.
The Fairfield National Bank, N.A., Fairfield, Illinois entered into a Formal Agreement with the OCC[5] for unsafe or unsound banking practices concerning Staffing and Training, Credit Risk Rating, Credit Underwriting, Credit Administration, ACL and the filing of incorrect Call Reports.
The First National Bank of Williamson, N.A., Williamson, West Virginia entered into a Formal Agreement with the OCC[6] which requires various corrective actions in Board Reporting and Staffing, Capital Planning, Strategic Planning, Interest Rate Risk Management, Current Expected Credit Losses/ACL, Audit Program, Audit Issue Tracking and Board/Audit Committee Oversight, etc.
In January 2025, OCC imposed Civil Money Penalties against 3 former Wells Fargo Executives for unsound banking practices related to the bank’s systemic and widespread sales practices misconduct[7].
In addition, FinCEN issued a Consent Order against TD Bank and assessed a record $1.3 billion penalty for violations of the Bank Secrecy Act, as detailed in our Newsletter dated October 2024[8].
CFPB Updates
The Consumer Financial Protection Bureau (CFPB) has issued various final/proposed rules, and sued entities, including large banks and service providers. Some of these include:
- CFPB Issues Final Rule on Federal Oversight of Digital Payment Apps
CFPB finalized a rule in November 2024[9] that will allow supervision of the largest nonbank companies providing digital funds transfer and payment wallet solutions through apps. The CFPB estimates that the volume of consumer payment activity processed through apps has increased to over 13 billion annually. These payment methods have become fully embedded in daily commerce and rival traditional payment methods like credit cards and debit cards for both online and in-store purchases. Some of these apps are owned by the world’s largest technology companies. The final rule will enable the CFPB to supervise these companies to ensure that applicable consumer protections are in place, including for:
- Data collection and sharing.
- Compliance with the right of consumers to dispute incorrect or fraudulent transactions.
- Addressing concerns about freezes that result in disruption and the consumers’ potential inability to make or receive payments.
- CFPB Issues Final Rule Closing Overdraft Loophole
The CFPB issued a final rule in December 2024[10] closing a loophole that exempted overdraft loans from lending laws. The final rule applies to banks and credit unions with more than $10 billion in assets. The new rule will allow large banks the following options to manage their overdraft lending program:
- Cap their overdraft fee at $5,
- Offer overdraft as a courtesy by charging a fee that covers no more than costs or losses,
- Continue to extend profit-generating overdrafts only if they comply with standard requirements governing other loans, like credit cards.
The final rule is expected to result in $5 billion annual overdraft fee savings for consumers, or $225 per household that pays overdraft fees.
- CFPB Finalizes Rule Removing Medical Bills from Credit Reports
On January 7, 2025, CFPB issued a final rule[11] that bans the inclusion of medical bills on credit reports used by lenders and prohibits lenders from using medical information in their lending decisions. This rule is expected to remove about $49 billion in medical bills from the credit reports of about 15 million Americans.
- CFPB Proposes Rule Banning Contract Clauses that Limit Fundamental Freedoms
On January 13, 2025, CFPB proposed a rule[12] that would stop financial companies from using a variety of contract clauses that limit fundamental freedoms, including waivers of substantive legal rights and fine print that suppresses speech. CFPB has also proposed codifying existing prohibitions against taking a consumer’s property without judicial due process or oversight.
- CFPB Sues Zelle and Three of the Largest Banks
In December 2024, the CFPB sued Early Warning Services, the operator of the Zelle peer-to-peer payment network, and three of the nation’s largest banks – Bank of America, JPMorgan Chase, and Wells Fargo – for failing to protect consumers from widespread fraud[13]. The CFPB alleges violations of federal law through critical failures including:
- Zelle’s limited identity verification methods allowed bad actors to quickly create accounts and target Zelle users.
- Delays in restricting and tracking criminals as they exploited multiple accounts across the network, switching banks. In addition, banks did not share information about known fraudulent transactions with other banks on the network.
- Banks ignored Red Flags and, despite receiving hundreds of thousands of fraud complaints, did not act on the information to prevent further frauds.
- Banks failed to properly investigate Zelle customer complaints and take appropriate action for certain types of fraud and errors as required by the EFT Act and Regulation E.
The CFPB’s lawsuit seeks to halt unlawful conduct, obtain redress for harmed consumers, and obtain civil money penalties.
Miscellaneous Updates
- Interagency Statement on Elder Financial Exploitation
The five Federal Financial Regulatory Agencies, FinCEN, and the State Financial Regulators issued a joint Statement in December 2024[14] providing financial institutions examples of risk management and other practices that may be useful and effective in combatting elder financial exploitation. The Statement aims at combatting the high level of exploitation of older adults, which FinCEN’s analysis of SAR data for the one-year period ending June 2023 revealed to be about $27 billion. Examples of risk management and other practices suggested in the Statement include:
- Developing policies and practices to protect account holders and the institution.
- Training employees specifically in recognizing and responding to elder financial exploitation.
- Using transaction holds and disbursement delays more effectively, consistent with applicable law.
- Establishing a trusted contact designation process for account holders.
- Filing suspicious activity reports to FinCEN in a timely manner.
- Reporting suspected elder financial exploitation to appropriate entities.
- Providing financial records to appropriate authorities consistent with applicable law.
- Engaging with elder fraud prevention and response networks.
- Increasing awareness through consumer outreach.
- Updated Version of UDAAP Booklet in Comptroller’s Handbook
In December 2024, the OCC issued “Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices” booklet version 1.1[15]. The booklet, used by examiners, contains information regarding supervision of banks’ practices related to section 5 of the Federal Trade Commission Act, and sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which prohibit unfair, deceptive, or abusive acts or practices (UDAAP). The updated booklet includes the following key updates:
- Clarity regarding sound risk management practices and guidance to examiners regarding overdraft services.
- Updates from the CFPB regarding data protection and information security.
- Updated version of UDAP and UDAAP Risk Indicators.
For further guidance or assistance contact us at: info@RGSGlobalAdvisors.com
[1] https://fincen.gov/sites/default/files/shared/FinCEN-Alert-DeepFakes-Alert508FINAL.pdf
[2] https://orders.fdic.gov/s/press-release-orders?prYear=2024&prDate=27&prMonth=12
[3] https://orders.fdic.gov/s/press-release-orders?prYear=2024&prDate=29&prMonth=11
[4] https://www.occ.gov/static/enforcement-actions/eaAA-ENF-2024-56.pdf
[5] https://www.occ.gov/static/enforcement-actions/eaAA-CE-2024-90.pdf
[6] https://www.occ.gov/static/enforcement-actions/eaAA-NE-2024-93.pdf
[7] https://occ.gov/news-issuances/news-releases/2025/nr-occ-2025-3.html
[8] https://rgsglobaladvisors.com/wp-content/uploads/2024/10/RGS-Newsletter-October-2024.pdf
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-rule-on-federal-oversight-of-popular-digital-payment-apps-to-protect-personal-data-reduce-fraud-and-stop-illegal-debanking/
[10] https://www.consumerfinance.gov/about-us/newsroom/cfpb-closes-overdraft-loophole-to-save-americans-billions-in-fees/
[11] https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-rule-to-remove-medical-bills-from-credit-reports/
[12] https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-ban-contract-clauses-that-strip-away-fundamental-freedoms/
[13] https://www.consumerfinance.gov/about-us/newsroom/cfpb-sues-jpmorgan-chase-bank-of-america-and-wells-fargo-for-allowing-fraud-to-fester-on-zelle/
[14] https://www.fdic.gov/system/files/2024-12/interagency-statement-on-elder-financial-exploitation.pd
[15] https://www.occ.treas.gov/news-issuances/bulletins/2024/bulletin-2024-33.html