MBA, Trade Groups Urge FTC to Crack Down on Banking Scams

The Mortgage Bankers Association, the American Bankers Association and other banking trade associations urged the Federal Trade Commission to crack down on those who impersonate banks or government officials in scams.

The Dec. 16 letter to FTC Chair Lina Khan comes in response to a proposed FTC proposed rulemaking that that would prohibit impersonation of government, businesses and their officials, and to prohibit entities from providing the “means and instrumentalities” for another to impersonate a government or business.

The proposed rule would “codify the well-understood principle that impersonation scams violate the FTC Act, as do those who provide impersonators with the means to harm consumers.” It would allow the Commission to recover money from, or seek civil penalties against, scammers who harm consumers in violation of the rule.

While generally supportive of the proposed rule, MBA, ABA, ACA International, the American Association of Healthcare Administrative Management, Credit Union National Association and the National Association of Federally Insured Credit Unions nonetheless expressed concern that the proposed rule’s provision that imposes liability on entities that provide the “means and instrumentalities” to impersonate another person could capture banks and companies like Zelle that provide payment services.

“[We ask the FTC] to state clearly that the mere provision of a payment service that is used by a bad actor to perpetrate the unlawful impersonation of a government or business would not constitute providing the ‘means and instrumentalities’ of the unlawful impersonation,” the letter said. “The FTC previously made clear that an entity may be liable for passing on a false or misleading representation only if it has ‘knowledge or reason to expect that consumers may possibly be deceived as a result.’ When a financial institution that provides a payment service has no knowledge or reason to expect that its customer is using the payment service to unlawfully impersonate a government or business, the institution is not providing the means or instrumentalities for the impersonation.”

Specifically, the letter urges the FTC to impose liability on telephone companies (Voice Service Providers) that provide consumers with unauthenticated and falsified Caller ID information in the consumer’s Caller ID display—i.e., those Voice Service Providers that “provide the means and instrumentalities” for another entity to impersonate a government or business. The letter noted in an effort to combat illegal call spoofing, the Federal Communications Commission recently implemented a call authentication framework – known as “STIR/SHAKEN” – that requires Voice Service Providers that originate calls using IP-based technology to attest to the authenticity of the telephone number that will be displayed in the recipient’s caller ID.

“Despite the FCC’s laudable efforts, the vulnerabilities in the current system continue to allow the impersonation of businesses using the Caller ID function,” the letter said. “Therefore…we recommend that the FTC take immediate action against telecommunications companies that provide consumers with unauthenticated and falsified Caller ID information in the consumer’s Caller ID display. When the authenticity of calls cannot be adequately verified through a direct and verified relationship with the call originator, the Voice Service Provider should not display data on the consumer’s caller ID device. Only those calls that demonstrate a verified relationship between the originating Voice Service Provider and the call originator should be allowed to display any data in the caller ID device.”

The letter expresses strong support for the proposed rulemaking. “We believe existing remedies are currently insufficient to stem the ever-increasing tide of impersonation scams,” it said. “Bad actors regularly impersonate banks, credit unions, other financial service providers, healthcare companies, and other legitimate callers by illegally “spoofing” phone numbers belonging to these businesses. A method used frequently is to cause the call recipient’s caller ID to display the name of a legitimate company instead of the name of the actual caller, who is seeking to defraud the recipient. Alternatively, the bad actor may send a text message from a number that appears to belong to a legitimate business, often including links to fake websites, or send a text message from the bad actor’s own number, making it appear that it is from a legitimate business, with the intent to defraud the recipient. The goal of both call and text spoofing is to lead the recipient to believe the call or text was placed by a company with whom the recipient is doing business and to induce the consumer to divulge important information, such as account numbers or log-in credentials, to the fraudster. Bad actors also have illegally spoofed phone numbers belonging to the Consumer Financial Protection Bureau and the Centers for Disease Control and Prevention, posing as employees of the agency, all with the intent to defraud consumers.”