Comerica Bank has shut down a component of its prepaid card program for federal benefits recipients after a recent spate of fraud cases.
Fraudsters have exploited security flaws in Comerica's Cardless Benefit Access Service to drain accounts belonging to federal beneficiaries, including retirees who receive Social Security benefits and veterans who rely on disability payments to make ends meet.
The service, which Comerica says is now discontinued, was part of the Direct Express program, a partnership between the Texas bank and the U.S. government that allows users without bank accounts to access their funds through prepaid cards.
The Cardless Benefit Access Service allows consumers to withdraw funds if they have lost their card, even when they are away from their home state. But in hundreds of cases the program allegedly dispensed funds to fraudsters, who had previously gained access to cardholder data and posed as the benefits recipients.
“Direct Express didn't put up a red flag, even though they had all the information about the money being wired to Florida, when we live in Massachusetts, but they just sent the money,” said Jackie Densmore, the caregiver for her brother-in-law, Derek Densmore, a disabled Marine who receives benefits. “We were thinking it was safe because it's the U.S. Treasury."
Cardholders allege that criminals — potentially working with insiders, such as call-center employees or third-party card manufacturers — stole Direct Express card numbers, addresses and three-digit card identifiers, enabling them to make fraudulent online purchases. In some cases, criminals also called Direct Express to report cards as lost or stolen, or to have PIN numbers changed, and had payments routed to MoneyGram locations where they could pick up a check and cash it.
Several victims of fraud claim Comerica has been slow in reimbursing them their money and in some cases has even suspended their accounts pending an investigation, restricting them from accessing new benefits payments. In some instances, they say Direct Express also charged cardholders fees to reissue and activate new cards after a fraud had been committed.
“Direct Express is holding customers hostage as a result of their own incompetence,” said J.B. Simms, an author and retired private investigator, who complained to the program after discovering fraudulent charges on his Direct Express account in December 2017.
Comerica shut down the cardless service on Aug. 18 and, victims said, took more concerted steps to return cardholders' funds only after American Banker raised questions about the allegations of fraud. Some accountholders, including Simms, have been complaining to Comerica for months.
Comerica said that it believes the Direct Express fraud is limited to the cardless service, and that one employee at a Direct Express call center has been fired over the security breach. Comerica has oversight of the Direct Express program but outsources the main call center function to Conduent, a publicly traded conglomerate in Florsham Park, N.J.
“Criminals have found a way around the controls that we put in place to safeguard cardholders,” said Nora Arpin, a Comerica senior vice president and director of government electronic solutions. “We’ve taken action to shut down the Cardless Benefit Access Service and have begun an investigation.”
Arpin said “only a few hundred cardholders” were affected, or just 0.13% of Direct Express’ 4.5 million prepaid debit cardholders.
Conduent declined to comment and referred all calls to Comerica.
The federal government oversees benefits payments through the Bureau of the Fiscal Service, an arm of the Treasury Department.
“The Bureau of the Fiscal Service is working with the Treasury Office of Inspector General, Comerica and its partners to effectively address bank card fraud and other consumer concerns, and protect the more than 4.5 million Direct Express benefit recipients who rely on this program for their monthly federal benefits,” said Thomas Santaniello, a spokesman for Treasury's Bureau of the Fiscal Service.
Call centers targeted by organized fraud rings
Arpin laid the blame squarely on organized fraud rings that are known to target call centers. In the case of Direct Express, she said, the fraudsters used data acquired from prior breaches to impersonate cardholders and steal government-issued benefit payments.
“There isn’t a single aspect of the payments system — credit cards, checks, cash — that doesn’t experience fraud,’’ Arpin said. “We very much empathize with the fact that there are circumstances in which being without the money is a very difficult situation for the cardholder.”
For the defrauded cardholders, however, the loss of monthly federal benefit payments has caused untold financial havoc. Cardholders describe having panic attacks, being unable to pay their rent and spending hours trying — unsuccessfully — to get reimbursed by Direct Express.
Cardholders allege that Direct Express typically refused to reimburse them their money when they lodged an initial complaint, and that program operators claimed the bank would first have to conduct an investigation.
Under Regulation E, the bank has 45 to 90 days to investigate fraud a claim. However, consumers can get their funds restored more quickly if they submit a written statement alerting Direct Express that they were a victim of fraud. The bank then has 10 days from receiving the statement to send a provisional credit to the consumer.
‘So I can pay my bills and purchase my medicines'
One of the more harrowing stories came from Kenneth Tillman, a Marine Corps combat veteran in Aurora, Colo., who suffers from post-traumatic stress disorder.
On Aug. 1, Tillman went to a pharmacy to buy medicine but his Direct Express card was denied. When he checked the Direct Express app on his phone, it showed a zero balance.
“I went into a panic mode,” he said.
He said he initially spent two hours trying to get through to Direct Express and finally drove to his therapist’s office. They contacted the call center together.
After finding three fraudulent charges at a Walgreens store in San Francisco, Direct Express suspended Tillman's account. But a call center employee refused to issue Tillman a credit for his roughly $750 in monthly benefits, he said.
“They told me it would take 90 days to get my money if they determined it was fraud, even though the lady told us it was fraud,” Tillman said.
Later that day, Tillman was admitted to a hospital, where he was treated for a week for pneumonia, said Rita Roberts, his therapist and a founder at New Start Recovery, an Aurora, Colo., counseling center.
“He’s been sick since the moment this happened because he couldn’t handle the stress,” Roberts said.
Tillman said when he was released from the hospital, on Aug. 17, he sent a letter to Direct Express, which required a written statement in order to start an investigation and give him a credit for his funds.
He wrote in the statement: “I need my [Social Security Disability Insurance] payment to be immediately reimbursed to me so I can pay my bills and purchase my medicines.”
Paul Katynski, 59, a disabled maintenance supervisor, called Direct Express on Feb. 6 to get the balance on his account, but instead got a recorded message that his PIN did not match. He reset his PIN. A day later, $1,971 in disability benefits were drained from his account.
“I knew something was wrong when I went to get my money and there was no money,” Katynski said.
He immediately called Direct Express, which told him that he had reported the card as lost.
“I said, ‘I don’t think the card is lost, since it’s right here in my hand,’ and I had to convince Direct Express that I was me,” he said. “It was scary.”
With his rent already due — and fearing an eviction notice — Katynski asked Direct Express to send him a MoneyGram, but they would only send $1,000, or half his benefit payment, he said.
In the meantime, Direct Express shipped out a new prepaid card and gave Katynski the tracking number, he said.
A day later, he called to get a delivery update and found the card had been re-routed to an address in Miramar, Fla. Another call to Direct Express, and a 40-minute hold, and he was able to cancel the second card, averting another fraud.
Direct Express charged him $59 in fees, which relates to him receiving and activating two new cards, as well as receiving two MoneyGrams that he needed to pay his rent.
"This is a lot of money that people are stealing and it happens every day, and it's sad, and no one is doing anything about it,” Katynski said.
'Purely for the cardholder'
However, Tillman, Katynski and others say Comerica ultimately reimbursed them all of their missing funds and fees, but only after American Banker had contacted them.
Arpin defended the bank's policy to suspend beneficiaries' prepaid accounts immediately after a fraud complaint, saying it is meant to protect accounts from any further fraud.
“Card suspension is purely for the cardholder,” she said. “If we identify the fraud through our scanning systems, then we reimburse the cardholder within 10 days. When fraud is identified before the cardholder calls us, we’ll make an outbound call. If we can’t reach the cardholder, we’ll temporarily suspend their card.”
But some cardholders disputed the processes and procedures used by Direct Express, saying they got no help from the call center or Comerica, even after providing information about fraud that could have allowed law enforcement to track down the criminals.
Derek Densmore, of Bourne, Mass., the disabled Marine, was distraught after $814 in disability payments got routed to a MoneyGram at a Walmart superstore in Hollywood, Fla., said his sister-in-law, Jackie Densmore. (As his caregiver, she is the payee on his Direct Express account.)
When she called Direct Express on Aug. 3 to check the account balance, there was a recording saying the debit card had been canceled and a new one would be sent in the mail. Densmore waited until Aug. 10, but by then, her brother-in-law’s benefits had been stolen. She was shocked that Direct Express did not call her to check before sending his benefits via MoneyGram to another state.
Frustrated at not being reimbursed, she searched social media for information about Direct Express and Comerica’s operation of the program. She came across Simms, the retired investigator, who had posted his contact information on Facebook. They began talking and sharing notes.
Simms had reported improper charges on his Direct Express account in December 2017. But he had no luck getting the money reimbursed by Direct Express.
He ultimately got reimbursed $234 back from Zulily, the merchant where fraudulent charges for clothing and perfume had been made, he said.
He claims criminals who stole Social Security and disability benefits “could have been stopped if Direct Express or Comerica had a fraud unit that could communicate with customers and law enforcement.”
“The red tape you have to go through to get to these people is insane,” Densmore said. "Disabled veterans and the elderly don't stand a chance when their money is taken and they give no answers."
Cardless service met a need, but carried risks
Arpin said the Cardless Benefit Access Service, launched in August 2017, addressed a need to provide cardholders with access to their funds in an emergency if they were not in possession of their cards.
There were “unfortunate situations where somebody didn’t have their [Direct Express] card and was in a state other than where they live,” she said “One of the challenges we’ve had with the program is that cardholders are often without their cards and they were looking to get access to their money faster.”
She declined to describe the bank’s security measures to prevent fraud, citing confidentiality.
She said Comerica’s oversight of the Direct Express program includes visiting the call centers several times a year and listening monthly to recordings of calls to assess how the Conduent-run call centers are performing.
Conduent is a global provider of diversified business services that operates in 11 different industries, with offices from India to Jamaica. In July, two U.S. senators
Julie Conroy, the research director in Aite Group's retail banking practice, said organized crime rings are attacking call centers more than ever before.
“Organized crime rings will go to great lengths to infiltrate contact centers,” Conroy said. “There should be more controls over authentication, what is a genuine request and confirming that it is the actual consumer.”
Treasury's IG performing follow-up audit of Direct Express
Comerica won the government contract to oversee Direct Express in 2008 and the contract was renewed in 2014, despite some criticism by the Treasury OIG in prior audits over how the program was being run.
In June, the Treasury’s OIG issued an “engagement memo” to Treasury related to the Direct Express program. The memo informed the Bureau of the Fiscal Service of a follow-up audit to determine if program administrators had responded to 14 recommendations included in IG audits in 2014 and 2017.
"Two months ago, we notified Fiscal Service that we were going to undertake a corrective action verification study to see if the recommendations we made were followed up," said Rich Delmar, counsel to Treasury Inspector General Eric Thorson.
The recommendations included that the program assess the costs and burden of the program to the cardholders; establish a quality assurance surveillance plan to monitor and document Comerica's performance, including service-level requirements; track Comerica's revenues and expenses; and periodically assess whether the bank's compensation is "reasonable and fair."
The OIG expects to complete its audit by the spring of 2019, Delmar said.