My Identity Was Stolen: How Banks vs Fintechs Responded

Risks in Digital Account Opening Often Go Undetected Or Ignored

Hey all, Jason here (or is it?!)

I’m writing this intro sitting on the baggage carousel at the Mexico City airport via my rapidly depleting phone hotspot, so I’ll keep this brief.

While this week’s post addresses specific companies where my identity information was used, my intention is to use my experience to illustrate the industry-wide gaps that enable identity thieves, the crimes they perpetrate, and how much of the damage falls disproportionately on consumers, especially the most vulnerable, rather than on the financial institutions themselves.


My Identity Was Stolen: How Banks vs Fintechs Responded & What We Can Learn from It

Identity theft isn’t a particularly new problem, but in the age of massive data breaches and digital banking services, the issue has grown to be orders of magnitude worse.

While would-be identity thieves used to “dumpster dive” for documents with identity information or steal records from institutions with weak controls or security, like doctors’ offices, the digital era allows fraudsters to conduct their trade at scale.

There have been and continue to be numerous data breaches that give bad actors the raw ingredients they need to commit fraud — including the US Government’s Office of Personnel Management, in 2015 (of which I was a victim), and most notably the Equifax data breach in 2017, in which data on 148 million Americans was compromised.

Other major data breaches over the years that provide a rich data set for identity thieves include Yahoo!, LinkedIn, Facebook, Marriott/Starwood, MySpace, Adobe, eBay, Capital One, and many, many others.

There is a wide variety of fraud that can be committed once an identity thief has someone’s identity information. The most well-known are applying for loans/credit and applying for government benefits/payments (unemployment, tax refund, etc.) using a victim’s credentials.

The COVID-19 pandemic has added fuel to what was already a raging fire. A slew of quickly enacted government programs, including expanded unemployment, stimulus checks, and the small business PPP program represented large, vulnerable targets. 

Consumers shifted even more of their behavior online and to mobile. Banks and financial institutions had to adapt to serving consumers digitally — and remote workforces, which potentially reduced oversight of employees, inhibited communication among teams tasked with monitoring and preventing fraud, and opened banks themselves up to attacks.

Part of the problem is visible in the FTC’s Consumer Sentinel Network 2020 Data Book, which recorded 4.72 million fraud, identity theft, and related complaints in 2020 — a 47% increase from the year prior. Complaints about fraudulent government benefits applications, often linked to bogus bank accounts in victims’ names, jumped a shocking 2,920% in 2020.

Aren’t There Laws About This?

It’s clear that identity theft and the fraud it enables is a sizable problem. Surely there are laws and regulations that require financial institutions to protect consumers and, in the event of fraud, assist them in resolving it?

Yes and no; there is ample law and regulation relevant to the topic, but many of the requirements are designed to require information gathering and reporting to the government and are not designed to encourage fraud prevention.

Many of the regulations are vague or high-level enough that companies enjoy a wide degree of latitude in how they adhere to them in practice.

Much of the regulatory infrastructure is focused on the existence of and adherence to a “Compliance Management System” — written policies and procedures — even if, in practice, those policies and procedures fail to prevent criminal activity or harm to consumers.

The patchwork of laws and regulations governing financial institutions’ obligations includes:

Bank Secrecy Act

The Bank Secrecy Act was originally passed in 1970 and is designed to assist US government agencies in detecting and preventing money laundering. Among other things, the BSA requires covered institutions to:

  • Establish effective BSA compliance programs

  • Establish effective customer due diligence systems and monitoring programs

  • Screen against Office of Foreign Assets Control (OFAC) and other government lists

  • Establish an effective suspicious activity monitoring and reporting process (including suspicious activity that might signal criminal activity)

  • Develop risk-based anti-money laundering programs

Though it’s called the “Bank Secrecy Act,” most of its provisions apply to 20+ types of businesses, in line with the FATF’s definition of financial institutions (FIs), including depository institutions, lenders, currency exchanges, broker-dealers, money services businesses, mutual funds, trust companies, precious metal dealers, even casinos and lawyers. 

The BSA has been amended and revised by numerous subsequent laws over the years, most notably the USA PATRIOT Act.

PATRIOT Act

The PATRIOT Act, passed in the wake of 9/11, has numerous provisions designed to thwart money laundering and terrorism financing, including amending the BSA to require FIs to adopt a Customer Identification Program (CIP), the cornerstone of a Know Your Customer (KYC) process.

Section 326 requires FIs to collect users’ name, date of birth, address, and identifier (typically SSN or ITIN).

However, Section 326 doesn’t specify how an FI must go about doing this. FIs aren’t required to verify each piece of information is accurate; rather, the requirement is to have a “reasonable belief” of the true identity of the customer.

A common approach for digital account openings is to use a Consumer Reporting Agency (CRA) to verify that the supplied name, SSN, date of birth, and address all match one another.

(If you’re interested in learning more, I suggest this 700 page “Guide to US Anti-Money Laundering Requirements.”)

Fair and Accurate Credit Transactions Act (FACT Act)

Among other provisions, the FACT Act requires covered FIs to implement an Identity Theft Prevention Program, including:

  • Identifying relevant identity theft “red flags”

  • Establishing a monitoring program to detect ID theft red flags

  • Creating written policies and procedures to implement the program

  • Conducting periodic updates to the program

The FACT Act also includes a number of specific provisions around address verification, including if the address supplied to open an account doesn’t match the address on a consumer report or if a replacement debit/credit card is requested shortly following an address change.

Numerous Tools Exist to Detect & Prevent Fraud

Despite these legal and regulatory requirements, fraud remains a pervasive and growing problem.

Three out of the four elements required for CIP are public or quasi-public information: name, date of birth, and address. And while Social Security Number is non-public, it was never designed nor intended to be a secure identifier. According to the Social Security Administration:

“The SSN is the single most widely used record identifier for both government and the private sector, exerting a broad influence on the lives of most Americans. However, by itself, it is not a personal identifier because it lacks systematic assignment to every person and the means to authenticate a person's identity.”

As covered above, many if not most Americans have had their SSNs exposed via data breaches.

So what else can FIs do, not only to protect users but also themselves? There are numerous private market data vendors and fraud solutions companies can and do leverage:

  • Verifying the age and activity of current or prior bank accounts, via services like Early Warning System, ChexSystems, or data aggregators like Plaid, Finicity, MX

  • Determining the type of phone number supplied - landline, mobile, or VOIP - and if it has recently been ported, via services like Twilio

  • Checking if a phone number is known to be associated with the name and other identity information supplied

  • Email risk assessment - how “old” an email address is, or if it is known to be associated with fraud, via services like LexisNexis’ EmailAge

  • Fraud screening services that look at multiple device identifiers aka “device fingerprinting”, like Iovation (rebranded as TransUnion’s TruValidate) or ThreatMetrix

  • Knowledge-based Authentication (KBA), like IDology, which draws on credit bureau and public record information to attempt to authenticate an applicant

  • Identity document validation services, like Jumio, Onfido, Trulioo, which digitally capture and authenticate documents like driver’s licenses and passports and check against a captured photo of the user (including verifying if images were captured live)

  • Assessing the IP address used to open an account vs. known address on credit report or previously known IPs associated with an existing account

While these services are probabilistic and not deterministic of fraudulent activity, when combined and used as part of a fraud model and fraud prevention program, they can be quite effective.

But there are two problems: these services introduce “friction” into the onboarding experience, and they cost money.

These verifications could cost less than a penny per check, on the low end, for checking a phone network history or device ‘fingerprinting,’ to up to a couple dollars per check for ID verification or knowledge-based authentication.

While absolute per unit costs are low, if these services are used, the costs may be incurred whether or not an account is successfully opened, and across thousands of account opening attempts, they do add up.

The result tends to be a greater emphasis on using these screening tools to prevent fraud where a company will incur a monetary loss (like a large personal loan), and less scrutiny of low-dollar transactions and transactional accounts (cash advances, checking accounts).
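The signals listed in this section are individually weak, so a fraud model combines them. The sketch below is an added example, not code from this post or from any vendor named in it: it sums constructed likelihood ratios in log-odds form (treating the signals as independent) and only buys the costlier identity-document or KBA step-up when the cheap signals land in a grey zone. The signal names, ratios, base rate and thresholds are all assumptions.

```python
import math

# Constructed likelihood ratios: P(signal | fraud) / P(signal | legitimate).
# Illustrative assumptions only; a real program would fit these to its own outcomes.
LIKELIHOOD_RATIOS = {
    "voip_phone": 6.0,
    "recently_ported_phone": 3.0,
    "email_recently_registered": 5.0,
    "bank_account_newly_opened": 3.0,
    "device_seen_on_other_identities": 8.0,
    "ip_far_from_cra_address": 1.5,  # weak on its own
}

# Effect of the costlier step-up (ID document or KBA) on the estimate, also constructed.
STEP_UP_RATIOS = {"passed": 0.05, "failed": 20.0, "not_received": 4.0}

BASE_FRAUD_RATE = 0.01  # assumed share of applications that are fraudulent
STEP_UP_AT = 0.10       # at or above this, pay for the expensive check
DECLINE_AT = 0.60       # at or above this, decline without spending more


def fraud_probability(signals, step_up_outcome=None):
    """Add log likelihood ratios to the prior log-odds (naive independence)."""
    log_odds = math.log(BASE_FRAUD_RATE / (1 - BASE_FRAUD_RATE))
    for name in signals:
        # An unknown signal name raises KeyError instead of being silently ignored.
        log_odds += math.log(LIKELIHOOD_RATIOS[name])
    if step_up_outcome is not None:
        log_odds += math.log(STEP_UP_RATIOS[step_up_outcome])
    return 1 / (1 + math.exp(-log_odds))


def decide(signals, step_up_outcome=None):
    """Return 'approve', 'step_up' or 'decline' for one application."""
    p = fraud_probability(signals, step_up_outcome)
    if step_up_outcome is None:
        if p < STEP_UP_AT:
            return "approve"
        return "step_up" if p < DECLINE_AT else "decline"
    # The step-up has already been requested; there is nothing further to escalate to.
    return "approve" if p < STEP_UP_AT else "decline"


if __name__ == "__main__":
    # Constructed application: VOIP phone, new email address, distant IP address.
    signals = {"voip_phone", "email_recently_registered", "ip_far_from_cra_address"}
    print(round(fraud_probability(signals), 4), decide(signals))
    for outcome in ("passed", "not_received", "failed"):
        print(outcome, decide(signals, outcome))
```
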

Detecting & Fixing Fraud Falls on Consumers

Consumers have very little control over their data, but ultimately they are responsible for detecting and remediating identity theft when it occurs. While the most aggressive forms of fraud will show up as inquiries or accounts on the CRAs (Equifax, Experian, TransUnion), many other fraud attempts will not — including attempts to qualify for government benefits, steal tax refunds, and open bank accounts in consumers’ names to attempt these or other scams.

My ID Theft Journey

Thankfully, the fraudulent activity committed using my identity credentials caused little damage to me, personally.

What follows is a synopsis of what I was able to learn about the fraudulent activity and how each financial institution responded to me as a consumer.

NetCredit (Enova) and SpeedyCash (Curo)

[disclosure: I previously worked for Enova in a different business unit]

I noticed hard inquiries from both NetCredit (owned by Enova) and SpeedyCash (owned by CURO) dated January 29th.

Both attempts to apply for a loan were unsuccessful, but the unauthorized hard inquiry such an attempt leaves on a consumer’s credit record is itself problematic. While the impact on a credit score is minimal, many lenders have “hard cuts” in their credit policies, including governing the number of recent hard inquiries. Inaccurate, unauthorized inquiries could cause an applicant to receive worse pricing or be declined when they otherwise wouldn’t be.

I was able to contact SpeedyCash via phone, and the representative was able to block the account associated with my identity. However, to purge the unauthorized hard inquiry, SpeedyCash requires a written affidavit that must be signed by either law enforcement or a notary — a not insubstantial barrier to fixing the problem, and one likely to disadvantage lower income users who may not have the time or resources to navigate the process [as of time of publication, this inquiry remains on my credit report].

NetCredit was another story. When attempting to reach the company via phone, I was placed on hold; after waiting over an hour, the call was disconnected. This happened for multiple attempts. When I attempted to reach customer service via email on June 1st, I was informed I must call regarding this matter.

With no ability to reach any agent to investigate or remediate the issue, I filed a complaint with the CFPB on July 13th. The CFPB complaint was closed with explanation on July 24th following a response from the company stating in part:

“Our records show, on January 29, 2021 an application with NetCredit was created using Mr. Mikula’s personal information through a third party marketer, Leap Theory. As part of the application process NetCredit made an inquiry to Clarity Services, Inc. Since the credit inquiry was performed in conjunction with an application for credit, we had permissible purpose for the inquiry as stated by the Fair Credit Reporting Act. During the application process, Mr. Mikula also indicated their consent for NetCredit to obtain credit reports to assist in our lending decision.”

However, there is no indication of what elements the company looked at, if any, to validate that the loan request actually came from me, vs. a third party fraudulently using my information. The response further indicated a police report would be required before they would investigate the claim, something burdensome on any consumer dealing with identity fraud:

“Please be advised, that in order to investigate his claim he would need to contact his local police department and submit a copy of the police report.”

Industry experts with whom I spoke about the CFPB complaint process in general indicated my experience was fairly typical, in that, as long as a company responds, the complaint is typically closed in its favor. The thoroughness of a company’s ‘investigation’ into a complaint varies, and it’s not unusual for complaint responses to be largely boilerplate, my sources said.

It’s unclear if the attempted fraud at NetCredit and SpeedyCash is related to the following sequence of activity beginning in April.

Discover

A fraudster attempted to open a bank account in my name at Discover on April 12th, which I only learned of due to a notice of adverse action from ChexSystems, a specialty CRA, that arrived at my address of record. Upon contacting Discover, representatives on the credit card and banking side were able to confirm no accounts were successfully opened and advised me to contact the CRAs to place an identity fraud alert.

Best Egg (Marlette Funding)

This is where things get more interesting.

On July 17th, Best Egg conducted a hard inquiry as part of an application for a $4,000 personal loan. When I reached out a couple of weeks later, the customer support team reassured me that the loan had already been flagged as possible fraud and hadn’t yet been funded. 

They indicated that a bank account at Huntington Bank opened on April 12th (same day as Discover attempt) was the destination for the loan; it’s common for lenders to check how long a bank account has been open, as newly opened accounts are a fraud risk. A 90 day window is fairly common.

The rep also relayed Best Egg had seen an “influx” of suspicious applications tied to Huntington recently; when fraudsters identify a weakness in an FI’s controls, it’s common for them to exploit it aggressively until it’s detected and blocked. Lenders guard against this by using “velocity checks” to monitor for sudden spikes in usage of certain banks/routing numbers.

The rep was further able to share the location associated with the app (San Antonio, Texas) and the last 4 digits of the phone used (which I later confirmed was a VOIP number).

Best Egg confirmed the hard inquiry would be removed from my credit record, as the application was fraudulent, without requiring a police report or other legal documents.
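The account-age check and the velocity check described above can be sketched as follows. This is an added example, not Best Egg's or any lender's code: the routing numbers are placeholders, the applications are constructed, and every threshold other than the 90-day account age mentioned in the text (7-day window, 28-day baseline, 3x spike, minimum of 5) is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MIN_ACCOUNT_AGE = timedelta(days=90)  # the "90 day window" from the text


@dataclass(frozen=True)
class Application:
    app_id: str
    submitted: datetime
    routing_number: str   # bank that would receive the loan proceeds
    account_opened: date  # open date reported by an account-verification service


class VelocityMonitor:
    """Flags a routing number whose recent application count spikes over its baseline."""

    def __init__(self, window=timedelta(days=7), baseline=timedelta(days=28),
                 spike_factor=3.0, min_count=5):
        self.window, self.baseline = window, baseline
        self.spike_factor, self.min_count = spike_factor, min_count
        self._seen = defaultdict(deque)  # routing number -> timestamps, oldest first

    def observe(self, routing_number, ts):
        seen = self._seen[routing_number]
        seen.append(ts)
        while seen[0] < ts - self.window - self.baseline:
            seen.popleft()  # forget events older than window + baseline
        recent = sum(1 for t in seen if t > ts - self.window)
        # Scale the older count down to what one window's worth would look like.
        expected = (len(seen) - recent) * (self.window / self.baseline)
        # The floor of 1.0 keeps a bank with no history from tripping on tiny counts.
        return recent >= self.min_count and recent > self.spike_factor * max(expected, 1.0)


def screen(applications):
    """Return {app_id: [reasons]} for applications that trip either check."""
    monitor = VelocityMonitor()
    findings = {}
    for app in sorted(applications, key=lambda a: a.submitted):
        reasons = []
        if app.submitted.date() - app.account_opened < MIN_ACCOUNT_AGE:
            reasons.append("young_account")
        if monitor.observe(app.routing_number, app.submitted):
            reasons.append("velocity_spike")
        if reasons:
            findings[app.app_id] = reasons
    return findings


def constructed_sample():
    """Constructed data: steady traffic to one bank, a sudden burst to another."""
    start = datetime(2021, 7, 1)
    apps = [Application(f"A{i}", start + timedelta(days=4 * i), "000000001", date(2018, 3, 1))
            for i in range(9)]
    for i in range(6):
        # The first three burst accounts are weeks old; the rest were aged past 90 days.
        opened = date(2021, 7, 10) if i < 3 else date(2021, 4, 20)
        apps.append(Application(f"B{i}", start + timedelta(days=30, hours=12 * i),
                                "000000002", opened))
    return apps


if __name__ == "__main__":
    for app_id, reasons in screen(constructed_sample()).items():
        print(app_id, reasons)
```

In the constructed burst, the accounts aged past 90 days pass the age check and are caught only once the velocity threshold is reached, which is why the two checks are run together.
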

Huntington Bank

That the fraudster was able to successfully open an account at Huntington, a top 30 bank by assets, surprised me. The customer service agent there was able to quickly locate and freeze the account and provided details about the transactions that had been conducted:

  • $200 deposit from Qapital, on July 26

  • $100 deposit from Clerkie, on July 26

  • A personal check via remote deposit capture, on July 27 (unclear what amount and if this cleared)

  • $100 withdrawn to Green Dot on July 29

Clerkie

Unlike the previously mentioned companies, Clerkie lists no phone number on its website, only a generic email address: support@clerkie.io.

I reached out via this address, requesting a phone call, and did receive one within a few hours [note: I had also asked industry contacts if they had contact information for anyone at the company, and one contact reached out to Clerkie’s CEO, which may have impacted the response I received.]

The team was able to confirm that an account was opened using my information and that a $100 advance was successfully funded into the Huntington account. They also alerted me to a GO2Bank account (Green Dot) that was linked to the account, something I didn’t know at the time I spoke with them. 

They were able to provide me with the email address (recently registered), GO2Bank card information, phone number used (VOIP), and IP address associated with the account — information that was invaluable in continuing to trace and shut down the fraud.

Qapital & Lincoln Savings Bank

Qapital is a service that markets itself as “smarter mobile banking” (it’s not a bank, but that’s a different story). It offers budgeting tools, investing accounts, and accounts with debit cards via Lincoln Savings Bank (though this isn’t disclosed clearly on the website).

Like fintech peer Clerkie, Qapital has no phone number listed on its website — nor does it even have a “Contact Us” section or easily findable email address. Instead, one must drill into the legalese of its terms and conditions to find the only way to reach the company, through its support@qapital email address — and so I did.

Qapital’s response was underwhelming.

In my email, I provided no identifying information, and requested the company contact me. Instead, I received this reply:

“Hi Jason,

Thanks for reaching out! I apologize for any issues you've encountered.

We have closed this fraudulent account on our end. We highly recommend checking with your bank or a credit bureau to ensure additional accounts are not opened in your name.

I apologize again, but please let me know if you need help with anything else.

Best,
Gemma”

The response is troubling and indicative of Qapital’s inadequate fraud controls. They made no attempt to verify my identity before disabling the account — what if the account had been legitimate, and my request fraudulent (not uncommon in online harassment, stalking, or domestic violence situations)?

I requested additional information to isolate and stop any fraud attempts and clarification around the $200 transaction that Huntington Bank repeatedly confirmed had occurred; the reps from Qapital refused to assist via email or to contact me via phone and ceased responding to messages altogether.

When I reached out to Lincoln Savings Bank, which ultimately bears responsibility as the chartered bank tied to Qapital’s accounts and debit cards, the agent directed me back to Qapital’s dead end IVR, which has no option to speak to a human representative.

GO2Bank (Green Dot)

Green Dot, historically a major issuer of prepaid debit cards for brands including Walmart, as well as in its own name, has actually been a fully chartered bank since its acquisition of tiny Utah-based Bonneville Bank in 2011.

Green Dot products have a long history of enabling scams and fraud, dating to its “MoneyPak” product, which was a key vector in various scams, including advance loan fee scams, bogus IRS collection threats, and other debt collection scams.

There have also been numerous complaints over the years about Green Dot accounts opened using fraudulent identity credentials, often as part of an attempt to steal government benefits or tax refunds.

I was able to call the company and reach a representative fairly easily. The agent asked to confirm my information, and the way they responded to the address I gave suggests the address on the account didn’t match — which would make sense, as the fraudster seems to have been able to receive the physical debit card tied to the account.

If this is the case, Green Dot should have caught this address mismatch as part of its account opening procedures designed to prevent this type of fraud.

Either because I couldn’t fully validate the account — which isn’t surprising, given it was fraudulently opened — or because of company policy, the rep informed me my only option to get additional detail on the account was to complete an FTC identity theft form and mail it, along with a copy of my ID, to their PO Box.

No email or fax available. When I expressed my displeasure with this option, I was escalated to a manager, who eventually promised to connect me to “corporate,” but the call was disconnected shortly thereafter.

Again, the requirement to complete and mail complex legal documents shifts the burden squarely on to the consumer for the company’s failure to prevent fraud. Green Dot’s policy of only accepting documents via mail enhances this burden while also unnecessarily delaying consumers’ ability to access information necessary to prevent further fraud.

I was able to use the IVR system and website to confirm some details of the account and its transactions, including the use of a recently registered email address and the following transactions:

  • $0.76 fee July 12

  • Deposit Cash App Cash Out $2.66 on July 28

  • Transfer in $100 on Aug 2 (presumably from Huntington)

  • Purchase Cash App Benjamin W $12 on Aug 3

  • Purchase Cash App Benjamin W $32 on Aug 3

  • Purchase Cash App Benjamin W $48 on Aug 3

A portion of the name associated with a Cash App account typically appears as part of the transaction detail; if Green Dot had shared these details, it could assist in locating and freezing additional accounts used by the fraudster. 

While it’s unclear exactly when the Green Dot account was opened, the fraudster did move money from Huntington Bank into it and then out to Square’s P2P payment app, Cash App.

Cash App

Like Green Dot, Cash App has a history of being tied to various scams and frauds, a trend which escalated during the pandemic. Frauds and scams are made easier by the inability to dispute or reverse Cash App transactions and the near impossibility of reaching customer support.

Surprisingly, Cash App does have a phone number when you search for it. But upon being connected, you hear a recorded message telling you agents are experiencing higher than normal call volume and are unavailable, before immediately being disconnected. I tried the number a dozen times over several days and always heard the same message.

So while it’s clear that the fraudster did successfully acquire funds and move them through Huntington to Green Dot and then on to Cash App, the trail stops there, as I was unable to reach any kind of customer service agent, presumably allowing the fraudster to continue using the Cash App account unimpeded.

[Through a personal contact at Square, I was able to relay identifying information about the Green Dot account so that they could take appropriate action, but this is an avenue not open to a typical fraud victim.]

Cash App parent company Square works with multiple partners to power its Cash App service, including Lincoln Savings Bank and Sutton Bank; Square itself recently completed the process to acquire an industrial loan company bank charter and accompanying FDIC deposit insurance.

TransUnion, Equifax, Experian, ChexSystems

Although I wasn’t able to track the fraud beyond Cash App, I did want to do everything I could to prevent future fraud. The process to place alerts at the big three bureaus was surprisingly easy: I was able to do so via TransUnion’s phone system, with the alert then automatically populating to Experian and Equifax.

For ChexSystems, which is used by some banks in the account opening process, it was also fairly straightforward to place a fraud alert via its website.

Signs of Fraud Ignored, Hard to Reach Customer Service

Across some of these financial institutions, there is a common trend: obvious warning signs went undetected.

Based on the information some of the companies were willing to share, a couple warning signs were obvious:

  • the phone number used was a VOIP number (Google Voice), common for fraudsters

  • multiple email addresses used, likely recently created and with little verifiable history

  • IP address used didn’t match physical address on CRA (admittedly a weak signal)

  • Presumably, fraudster did not possess my identity documents or images of them

Companies originating loans had a greater economic incentive to screen for these warning signs and act on them — say, by requesting a user pass knowledge-based authentication or upload an identity document. The loan attempts at SpeedyCash, NetCredit, and Best Egg were all successfully blocked — the damage was limited to the hard inquiries they left behind, which can be removed.

On the transactional/bank account side, companies have much less incentive to monitor and act on attributes that can indicate fraud. Additional screening costs money and introduces “friction,” which may reduce the conversion rate of legitimate customers, raising the cost of customer acquisition.

In the case of fraudulently opened bank accounts, there’s often little cost to the FIs — the burden of detecting and fixing the fallout lands mostly on consumers. There’s unlikely to be a regulatory penalty, so long as FIs have an adequately documented compliance program, even if that program is ineffective at stopping fraud.

A second trend across several of the FIs I interacted with: poor or straight-up unreachable customer service, which was the case for Cash App, NetCredit/Enova, and Qapital. This exacerbates fraud victims’ burden while potentially allowing fraudulent activity to continue.

The victims aren’t just those like me, who’ve had their identities stolen, but also those against whom fraudulent accounts are used to perpetrate scams and crimes. Lower income individuals and the elderly suffer disproportionately from scams run through bogus accounts; money laundering that takes place through them enables predicate offenses, including human trafficking, sexual exploitation, and drug smuggling.

Beyond those who have their identity stolen, these are the victims bearing the cost of companies’ focus on growing accounts and minimizing costs, even if they may be enabling fraud in the process.

How Can This Be Fixed?

I spoke to numerous industry experts while researching this piece, and the phrase that kept coming up was that these types of fraud will continue to be a game of ‘cat and mouse,’ with fraudsters constantly testing to find and exploit new weaknesses and FIs and their vendors detecting and blocking attacks.

Financial fraud isn’t going away and, as more consumers go digital around the globe and financial services becomes increasingly interconnected internationally, it could become even more pervasive.

Some modest proposals on areas that could be improved (or at least lessons learned): 

Data Security

In many ways, the horse has already left the barn on this one. The unique identifier the US system revolves around — SSN — is completely and irrevocably compromised. Even with the Social Security Administration developing a service for SSN verification, if the data on most Americans is already compromised, it’s too late.

Government Reporting

The available data on the frequency of fraud, identity theft, and related reports paint a pretty grim picture, with nearly 5 million such complaints in 2020, including about 1.4 million identity theft complaints. In reality, this likely understates the number, as it relies on consumers to detect and report the incident.

In addition to this reporting, it should be mandatory for FIs to report suspected fraud directly and even in cases where they aren’t contacted by the consumer. While FIs may be already filing SARs in these circumstances, those are confidential and thus not available to assess the true volume of fraudulent accounts.

Reforming How Companies Respond

Presently, the burden falls nearly entirely on consumers to detect and remediate these kinds of identity theft and fraud — even in cases where companies have flagged accounts as suspicious.

Some add further legal barriers, like requiring lengthy and complicated paperwork to be submitted by mail, which is designed to limit the company’s liability while inconveniencing the victim.

This must change.

If FIs detect suspicious activity or possible fraud, they should have an affirmative duty to attempt to notify the potential victim. If a consumer confirms an account is fraud, FIs — not consumers — should be responsible for remediating it, including tracing transactions and linked accounts and contacting those institutions.

Fraud Detection Cooperation

Fraudsters use the same techniques against multiple FIs and operate through networks of accounts, as my story demonstrates. By better sharing intelligence on the vectors and characteristics of attacks and compromised accounts, FIs would be better able to defend themselves and their customers.

This does happen already, through the common use of private vendors discussed above like LexisNexis, ThreatMetrix, or Early Warning. But, obviously, these services only work if companies use them. As demonstrated in my case, some choose not to, presumably due to cost or the friction they introduce.

Some financial institutions seem unwilling to use commercially available tools to prevent fraud because they don’t see the business case for it; the only way to change that is by requiring them to bear more of the cost of the fraud they allow on their services, which may change their economic calculus.

Rethinking a Digital Identity for the 21st Century

There is no quick or easy answer on how to reform identity management and validation in the digital realm.

Historically, governments have been the party to issue most “source of truth” identity information and documents that others rely on: birth certificates, Social Security Numbers, driver’s licenses, and passports being the most common in the US.

One can imagine a scenario where state or federal governments issue a digital identifier with multi-factor authentication — a digital driver’s license of sorts — and partner with private enterprise to build an identification service around it.

Other countries have successfully done this, including India’s Aadhaar system, with over 1 billion users; however, with a centralized database, information security risks remain. India’s Aadhaar was hacked in 2018.

Blockchain to the Rescue?

Much work is being done to develop the potential for decentralized blockchain platforms to serve identity management and verification functions. In the near term, these are more likely to supplement or enable, rather than replace, government-issued and recognized identity documents, though, as recent events show, blockchains are also susceptible to hacking.

Companies’ Response

I reached out to the press or communications teams of all companies involved in these transactions, asking a general set of questions about their AML/KYC and Identity Theft Prevention programs and some specific questions about my case. Here’s how they responded:

SpeedyCash (CURO Group)

I can confirm representatives did receive my email, but they chose not to respond.

NetCredit (Enova)

I did receive an email and subsequent call from the communications team at Enova [reminder: I used to work there, and a former direct report of mine was part of the team responding to my press inquiry]. While the company didn’t share any additional information about the unsuccessful fraud attempt, they were able to remove the hard inquiry from my credit report.

BestEgg (Marlette Funding)

A BestEgg representative confirmed the company has an AML/KYC and Identity Theft Prevention Program and a designated compliance officer, and provided the additional detail that:

“Best Egg acquires data from over a dozen sources, utilizes custom models, and employs experienced Fraud Prevention personnel to verify application information and mitigate fraud.”

In my specific case, the representative confirmed that the application had been flagged as high risk and proof of address and identity had been requested (and not received). In confirmed fraud cases, it is BestEgg’s policy to remove hard inquiries (without requiring victims to provide police reports or affidavits). 

Huntington Bank

I can confirm representatives did receive my email, but they chose not to respond. [edit: I missed Huntington’s email response, which they sent prior to publication, directing me to pages 50 and 90 of their ESG report for additional information.]

Clerkie

A Clerkie representative confirmed the company has an AML/KYC and Identity Theft Prevention Program and a designated compliance officer, and provided the additional detail that:

“We run credit checks in addition to relying on a variety of other data sources (e.g., for IP checks, background checks, anti-fraud software, proprietary algorithms, credit file lock/status, etc). For instance, if a given user’s credit file had been locked or had an active fraud alert, that would have been automatically picked up by our systems and the use of that SSN would have been restricted/blocked on our platform. We don't engage in device fingerprinting (goes against our consumer privacy tenets).”

Qapital & Lincoln Savings Bank

A representative from Qapital did not confirm whether or not the company has an AML/KYC or Identity Theft Prevention Program or designated compliance officer. They did state:

“After closely investigating the issue, we found that there was no activity on the account, and no transactions took place between Qapital, Lincoln Savings Bank, or the Huntington Bank account that was linked.

We understand that technology must be private, safe, and secure. That’s why we have multiple systems in place to protect all Qapital accounts and safeguard the personal information of our users. You can read more about our security measures on our website.”

GO2Bank (Green Dot)

A representative from Green Dot confirmed the company has an AML/KYC and Identity Theft Prevention Program and a designated compliance officer, and provided the additional detail that:

“For security and privacy reasons, we don’t share specifics related to our controls or customer cases or circumstances. We have, however, increased investments and resources to focus on fraud, and are continually working to refine and enhance the way we monitor, identify trends, mitigate fraud, and support our customers throughout their experiences with us.”

Cash App (Square) 

A representative from Square confirmed that the company has an AML/KYC and Identity Theft Prevention Program and a designated compliance officer, and that Square/Cash App routinely share information with consumers on how to avoid scams on the platform.

Regarding any transactions involving a bank account or debit card, they suggested the best way to address the activity is through the financial institution associated with the account or card.

For victims of scams/fraud, they also suggested contacting Cash App support — and supplied the same phone number I tried numerous times, which offered no option to speak to a representative or to receive a call back from one.
