Federal regulators scrutinize BofA for its response to California benefits fraud

Federal regulators are investigating Bank of America for its role in administering government benefits under a California program that was plagued by fraud at the height of the COVID-19 pandemic.

The Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau have been scrutinizing BofA’s actions as the state’s exclusive provider of prepaid debit cards to unemployment, disability and pandemic-relief beneficiaries, according to sources familiar with the matter.

The Office of the Comptroller of the Currency and Consumer Financial Protection Bureau are investigating Bank of America for potential shortcomings in its fraud protection practices related to its administration of California's unemployment benefit program.

Both the OCC and CFPB investigations are in their later stages, according to sources familiar with the inquiries. The OCC has indicated that an enforcement action is possible, the sources told American Banker.

Lawsuits against the $3.2 trillion-asset bank charge that it failed to respond to tens of thousands of cardholders who reported unauthorized transactions that drained their accounts and blocked legitimate beneficiaries from accessing their accounts in its efforts to root out fraud.

The federal inquiries BofA is facing in California are an extreme example of how government contracts can create regulatory headaches for banks. The few banks that have such contracts generally have failed to properly price in the compliance and operational risks of potentially having to respond to tens of thousands of people, experts said.

Despite the public significance and billions of taxpayer dollars involved, the inquiry by regulators is confidential.

Any fines or penalties assessed against BofA would mark one of the first enforcement actions against a megabank under the Biden administration.

For BofA, a regulatory fine would further add to a messy and expensive debacle that has already prompted 14 putative class-action lawsuits, dozens of individual lawsuits, and a court-ordered review of tens of thousands of fraud claims.

Both the OCC and CFPB declined to comment.

Bill Halldin, a BofA spokesman, said that as a matter of policy the Charlotte, North Carolina, company does not comment on the existence of regulatory inquiries.

But in a regulatory filing with the Securities and Exchange Commission late Tuesday, BofA warned that its business with California's benefits program could put the bank at risk.

"The Corporation's participation in implementing government relief measures related to the pandemic and other federal and state government assistance programs, including the processing of unemployment benefits for California and certain other states, may lead to additional such judgments, orders, settlements, penalties and fines," BofA stated in its annual 10K. "Litigation and investigation costs, substantial legal liability or significant regulatory or government action against us could have material adverse effects on our business, financial condition, including liquidity, and results of operations, and/or cause significant reputational harm to us."

BofA has administered California’s jobless benefits program since 2010 under an exclusive contract with the state’s Employment Development Department. The program faced unprecedented stress after California’s unemployment rate skyrocketed to 16.4% in April 2020.

The state estimates that $20 billion of the $180 billion in benefits paid out since March 2020 went to fraudsters, members of organized crime rings and prison inmates who applied for and obtained billions in jobless benefits they were not entitled to collect.

The fraud reached a fever pitch in the early months of the pandemic amid the effort to get benefits to people who had lost their jobs. The high level of fraud ignited a frenzy of calls to both the state agency and Bank of America as tens of thousands of Californians complained that their money was stolen through unauthorized transactions.

Many California beneficiaries seeking to resolve discrepancies complained they got a runaround when they contacted customer service. Some said they couldn’t access their money, even after waiting on hold for hours. Many said they couldn’t get any response from either BofA or the Employment Development Department. Others said that when they got through to BofA, they were told to speak to the EDD, or that the department referred them to the bank.

Most of the criticism has been leveled at the EDD.

“California, like many states, made the decision at the beginning of the pandemic that it was better to pay people than it was to withhold any money,” said Haywood Talcove, a fraud expert and the CEO of LexisNexis Special Services.

Because the federal Pandemic Unemployment Assistance program did not require income or employment verification upfront, fraudsters were able to backdate claims and self-certify their eligibility, the Employment Development Department said. Moreover, EDD’s contract with BofA dates back to 2010 before chip card technology was in wide use.

An EDD spokesman said that “the vast majority of funds went into the hands of workers truly in need.”

Yet Bank of America has also drawn sharp criticism for its response.

“BofA was caught completely off-guard in trying to deal with fraud,” said David P. Weber, a forensic accounting professor at Salisbury University’s Perdue School of Business. He is a former OCC special counsel for enforcement and former supervisory counsel at the Federal Deposit Insurance Corp.

Weber reviewed thousands of relevant documents related to BofA administering the Employment Development Department program as an expert for a prior CBS Investigation into the bank’s failures. Weber said that BofA underestimated the risks of the program and skimped on technology. EDD’s prepaid debit cards used outmoded magnetic stripe technology, not EMV chip technology that provides more sophisticated authentication to protect consumers from fraud.

While the state agency has borne the brunt of the criticism in legislative inquiries, “the responsibility for protecting the consumer ultimately rests with the depository institution," Weber said. "Policies, procedures, risks and controls are the responsibility of the bank.”

The BofA spokesman, Halldin, said that over the last two years, the bank has delivered unemployment benefits to nine million Californians via prepaid cards.

“As California’s unemployment program faced tens of billions of dollars in fraud, Bank of America’s goal always was to ensure legitimate recipients could access their benefits,” Halldin said.

In its best year, BofA’s contract with EDD earned $1 million in pretax income, according to BofA. The bank’s revenue-sharing agreement with the state allowed it to earn revenue from the interchange fees paid by merchants with every swipe of a prepaid card.

BofA told state lawmakers last year that it earned $687 million in total revenues but incurred $927 million in costs over the 10-year period that ended Dec. 31, 2020, putting its total losses in the program at $240 million so far.

Still, BofA’s losses in the program have been a tiny fraction of its annual profits. In the fourth quarter, BofA posted $7 billion in net income on revenue of $22.1 billion.

Prompt response required

Regulators are looking into whether BofA responded promptly, as required by statute, to consumers who alleged errors or fraud on their accounts, according to sources familiar with the matter.

The key issue is whether BofA abided by the Electronic Fund Transfer Act. That 1978 law requires banks to complete an investigation within 45 days and provide provisional credit within 10 days of being notified by a cardholder of an error, such as an unauthorized transaction, while investigating the error. On day 45, the full credit becomes permanent if fraud is found.

That law was passed decades before modern computer technology enabled quick and easy access to deposits. As a consumer protection statute, EFTA has no exception or leniency provision for cyber-attacks or organized fraud, leaving banks vulnerable to regulatory scrutiny.

The CFPB has authority over EFTA and its implementing statute, Regulation E. The CFPB on Feb. 15 issued a compliance bulletin clarifying the obligations that banks and other financial institutions have under EFTA and Reg E.

“EFTA’s consumer protections apply to government benefit accounts and financial institutions may be held liable for violations of this requirement,” the consumer bureau said.

The first proposed class-action against BofA, filed last year on behalf of 25 jobless people, alleges the bank breached its contract with cardholders by failing to protect consumers from fraud.

Brian Danitz, a partner at the law firm Cotchett, Pitre & McCarthy in San Francisco who filed that lawsuit, alleges that BofA tried to avoid paying out millions of dollars in provisional and permanent credits following fraud complaints. Danitz alleges that BofA purposely denied cardholder claims without justification.

“BofA promises that if there is an unauthorized transaction, not only will they abide by Reg E, but they will make sure that there is zero liability for the cardholder,” Danitz said. “When the fraud started to take place during the pandemic, Bank of America summarily denied these claims to avoid abiding by Reg E. This was an intentional, cold-hearted decision based purely on the bottom line.”

BofA has denied the allegations and asked for the lawsuits to be dismissed.

BofA has also told California lawmakers that it faced a deluge of up to 40,000 fraud claims a month from late 2020 to early 2021. That’s when it began using what it called a “fraud filter” of its own design to weed out criminals.

The bank told state lawmakers in December 2020 that it had paid “hundreds of millions of dollars” in provisional credit to fraudsters who had first duped the state into qualifying for benefits, and then sought to double-dip by filing claims to receive provisional credits.

The bank’s own fraud detection program demonstrated significant flaws, however, treating many honest individuals as if they were fraudsters.

“The application of these filters will inevitably impact some legitimate claimants,” Brian Putler, BofA’s director of state government relations for the Western region, said in a letter to state lawmakers.

This attitude did not sit well with U.S. District Judge Vince Chhabria in the class-action litigation.

Last May, the judge took issue with BofA for failing to conduct adequate investigations when cardholders reported unauthorized charges and found BofA often simply froze accounts “based on a faulty screening process.”

“The harm being suffered by the class members is irreparable,” Chhabria wrote in his ruling. “Continual denial of these benefits will seriously hinder the ability of many class members to feed their families and keep a roof over their heads.”

The judge issued an unusual preliminary injunction in June that ultimately was hammered out between the plaintiffs and BofA, with the help of a magistrate judge.

The injunction required BofA to open all of the claims it had denied based on the fraud filter. BofA said it reopened 46,000 claims, ultimately reimbursing 29,000 cardholders. The amount of money that has been returned to cardholders has not been publicly disclosed.

Chhabria said he issued the injunction because of the plaintiffs’ “strong likelihood of success on their claims.”

BofA also was ordered to expand the hours for fraud and claims initiation calls to 24 hours a day, seven days a week. The judge also ordered that calls be answered within five minutes. BofA’s call center staff for the California program ballooned from roughly 300 employees at the start of the pandemic to over 6,000 in late 2020, court documents show.

“Throughout the pandemic as the fraud intensified we committed significant additional resources to help legitimate claimants get their benefits,” Halldin said.

BofA has filed a motion to dismiss the case, along with 13 others, all of which have been consolidated in one multidistrict lawsuit in federal court in San Diego. The motion to dismiss is pending.

Frozen accounts

BofA has also drawn scrutiny in connection with the freezing of accounts that ended up harming legitimate beneficiaries. Danitz said that freezing accounts blocked many legitimate cardholders from accessing their money, often for months.

In September 2020, EDD asked BofA to freeze roughly 350,000 prepaid card accounts due to suspected fraud. By January 2021, the bank told state lawmakers that 488,000 accounts had been frozen at the direction of either BofA or the state’s EDD.

Last year, a state Assembly subcommittee found that while BofA notified EDD immediately when it froze each prepaid card, it didn’t notify the affected cardholder right away. BofA said there was a brief time when cardholders were not notified, and in many cases the bank did not have the information needed to verify an applicant’s identity.

“We now provide written notice to the cardholder of a freeze,” Putler, BofA’s lobbyist, told state lawmakers last year.

EDD typically sent BofA lists of accounts to freeze, and to unfreeze. Last March, EDD gave BofA the authority to verify the identities of cardholders whose accounts had been frozen or blocked. BofA has said it sent letters to 84,000 cardholders but was only able to identify roughly 20,000 legitimate beneficiaries, court documents show.

Danitz, the plaintiffs’ lawyer, said the number of cardholders actually harmed by BofA’s conduct will be determined at trial.

“The scale of their misconduct is much greater,” Danitz said.

Halldin told American Banker that BofAhas satisfied the judge’s preliminary injunction.

Outmoded technology

Another core allegation in the putative class-action suit is that BofA used outmoded magnetic stripe technology for EDD’s prepaid debit cards rather than EMV chip technology that provides more sophisticated authentication to protect consumers from fraud.

BofA has said in court documents that the state requested magnetic stripe technology in its contract.

Danitz said that because BofA would have had to pay an additional amount for more secure technology on each card, “EDD card holders were treated as second-class citizens.”

EMV, a payment method created by Europay, Mastercard and Visa, is the most secure prepaid card technology currently available. Regular BofA customers have received debit cards with EMV chips since 2014, but California’s EDD made no such requirement for prepaid cards. BofA began using EMV chips on EDD cards in July 2021.

Without security features such as EMV chips, beneficiaries’ cards were ripe for fraud, said Weber, the former OCC official.

“BofA woefully underestimated the fraud risk by not having EMV chips, which are the industry standard for true deposit accounts,” he said.

Last year, BofA tried to get out of its contract with the California EDD, but the agency exercised its option to renew for another two years.

When the pandemic hit in 2020, BofA already ran government benefit programs in a dozen states. By March 1 of this year, however, the bank will only be serving California and New Jersey.

"We have advised [California] that we would like to exit this business as soon as possible," Bank of America told reporters last July.

Kevin Wack contributed to this story.

For reprint and licensing requests for this article, click here.
Compliance
MORE FROM AMERICAN BANKER