{"took":273,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":{"value":7,"relation":"eq"},"max_score":null,"hits":[{"_index":"complaint-public-v1","_id":"4529058","_score":24.664713,"_source":{"product":"Money transfer, virtual currency, or money service","complaint_what_happened":"I wanted to report a cryptocurrency theft involving a Sim swap attack to your office that I became a victim of. On XX/XX/XXXX, I first observed loss of my cellular service around. I tried using my wife 's phone when she arrived home around to call XXXX and they told me that they could not locate my restore connection and failed to provide me any further information. I went to a local XXXX store where I was provided a new XXXX  sim card. Later that afternoon, I could not access my email and I also could not access my Coinbase investment account. I found that my Coinbase account balance was almost wiped out by a transaction to an unkown XXXX XXXX and lost originally invested XXXX $ ( of which approximately XXXX XXXX  were in the XXXX amount and rest were in various altcoins ). My bank account funds were impacted which was attached to Coinbase, however protected by XXXX due to a timely freeze on my account. \nAfter later recovering some emails from my deleted folder, I learnt that my email password was reset on XXXX XXXX at XX/XX/XXXX using my attached cell phone number. Coinbase password was reset on on XXXX XXXX which was immediately after the change of my email password. I tried to call Coinbase promptly to report and stop these transaction but they had no live agent support available and I only got a bot response on email. I had written them further emails about the unauthorized activity on the account and I have requested refund for the fraudulent activity that I have not conducted since their company claims to be FDIC insured and insured with cyber protection. I have received no response or outcome. \nThis crypto loss has taken place due to poor cybersecurity measures of Coinbase which made my account vulnerable despite 2-factor authentication in place. Coinbase has deceptively and intentionally promoted itself as the most trusted cryptocurrency platform, while failing to take reasonable and state-mandated steps to prevent cyberattacks. Coinbase is bound to maintain stringent anti-hacking programs that monitor and filter transactions for potential violations of the Bank Secrecy Act ( BSA ) and anti-money laundering ( AML ) statutes ; and implement measures designed to effectively detect, prevent and timely respond to fraud. They have eliminated providing a live agent support without notifying long time customers ( including myself ). None of the customary cybersecurity systems were in place to prevent such a crime, my assets were stolen from his account by a hacker who used an IP address and equipment, from a location never before used by me and also to an unknown Crypto key previously not verified by me, especially after a fresh password reset. A proper cyber security algorithm should have stopped this transaction by a simple lock out of the account requiring additional verification like some of the other exchanges such as XXXX, especially after a recent password reset. They self-advertise as FDIC protected and should cover for my XXXX  loss since I never authorized to buy the cryptoholdings made by the hacker and I believe my crypto losses should be covered under fraud protection insurance due to poor cybersecurity measures with Coinbase. This is not first such event. Coinbase has been previously named in lawsuits of similar nature [ XXXX XXXX XXXX XXXX XXXXXXXX  ]. There are thousands of other victims of theft loss reported on the internet including profiles like XXXX, XXXX and complaint channels such as XXXX \n\nI and my family already feel devastated by this financial loss and a security threat to our personal information resulting in possible identity theft. I would really appreciate your help to recover financial damages that we have sustained in this case due to poor cybersecurity measures of Coinbase. Given the high impact of identity theft and growing cybersecurity fraud, a disciplinary action is warranted to prevent other American households to become victims of such fraudulent activity. If a company with multibillion dollar revenue cant afford appropriate security measures on the accounts of its consumers and cant provide a live agent support, then there is definitely an intentional internal scam which this company is intentionally overlooking and may be facilitating such crimes in the name of so called scammers.","date_sent_to_company":"2021-07-09T18:13:45.000Z","issue":"Fraud or scam","sub_product":"Virtual currency","zip_code":"12533","tags":null,"has_narrative":true,"complaint_id":"4529058","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Coinbase, Inc.","date_received":"2021-07-09T18:04:07.000Z","state":"NY","company_public_response":null,"sub_issue":null},"highlight":{"complaint_what_happened":["Given the high impact of <em>identity</em> <em>theft</em> and growing <em>cybersecurity</em> <em>fraud</em>, a disciplinary action is warranted to prevent other American households to become victims of such fraudulent activity."],"issue":["<em>Fraud</em> or scam"]},"sort":[24.664713,"4529058"]},{"_index":"complaint-public-v1","_id":"15932435","_score":13.260429,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I request that the CFPB ( 1 ) open an immediate enforcement investigation into Experian, Equifax, TransUnion, and involved furnishers ; ( 2 ) compel deletion and suppression of all disputed/identity-theft data ; ( 3 ) require certified documentation ( Method of Verification ) for any item retained ; ( 4 ) order removal of all dispute comments and fraud alerts that are obstructing mortgage approvals ; ( 5 ) require a reinsertion-prevention plan compliant with FCRA 611 ( a ) ( 5 ) ( B ) ; ( 6 ) impose UDAAP remedies and civil money penalties ; and ( 7 ) require restitution and make referrals to DOJ and appropriate agencies for criminal violations where applicable. I request full corrective action within four ( 4 ) calendar days due to ongoing housing harm.\n\nFactual Background I am a documented identity-theft victim ( FTC Report # above ). Over the past year, I submitted disputes to the national CRAs for fraudulent accounts, personal-data errors ( addresses, name variation, DOB ) , and unauthorized inquiries. The CRAs responded using automated workflows ( E-OSCAR/ACDV ) , returned boilerplate outcomes, and reinserted previously deleted items without certification or notice, while also attaching or retaining dispute comments and internal fraud alerts that blocked my mortgage approval and access to VA/FHA products.\n\nThe CRAs and/or furnishers trafficked my nonpublic data to secondary/tertiary consumer reporting agencies and data brokers ( e.g., XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX  ) without my consent, magnifying harm, exposure, and denial impacts. I am a XXXX veteran ; these actions aggravate harm under federal servicemember protections.\n\nHarms Real-estate denial and mortgage obstruction due to improper dispute comments/fraud alerts and identity-theft reinsertion.\n\nFinancial suppression : inflated rates, lost approvals, reduced credit access.\n\nEmotional distress and reputational damage ( ongoing ).\n\nContinued identity-theft exposure from unauthorized sharing and weak safeguards.\n\nViolations ( Primary ) FCRA : 1681e ( b ) ( maximum possible accuracy ), 1681i ( reasonable reinvestigation ; anti-automation rubber-stamping ), 611 ( a ) ( 5 ) ( B ) ( reinsertion certification & written notice ), 1681g ( file disclosure ), 1681b ( permissible purpose ), 1681c-2 ( 605B identity-theft block ), 1681s-2 ( furnisher duties ).\n\nCFPA / Dodd-Frank Title X ( UDAAP ) : unfair, deceptive, abusive acts and practices ; CFPB enforcement authority.\n\nGLBA + FTC Safeguards Rule & Red Flags Rule : failure to protect nonpublic information ; failure to detect/respond to identity-theft patterns.\n\nECOA ( Reg B ), FHA, RESPA, ADA : discrimination and housing/credit obstruction via dispute comments, fraud alerts, and inaccurate file handling.\n\nSCRA ( servicemember protections ) and VA lending protections : aggravated harms to a veteran.\n\nCFAA ( 18 U.S.C. 1030 ), CIRCIA/Cybersecurity Enhancement : deficient controls leading to exposure/abuse of personal data.\n\n18 U.S.C. 241242, 1028 : civil-rights conspiracy and identity-theft-related misconduct ( for referral ).\n\nState privacy and UDAP ( e.g., CCPA/Cal. Civ. Code 1798 et seq. ).\n\nUCC 1-308 ( reservation of rights ) regarding any alleged consent or contracts.\n\nWhy E-OSCAR Use Here Violates the Law The bureaus appear to have routed my disputes through E-OSCAR, returning perfunctory ACDV results without substantive review. Indicators include : ( a ) form-letter denials ; ( b ) failure to address specific identity-theft evidence ; ( c ) rapid verified/updated toggles inconsistent with manual review ; ( d ) reinsertion of items previously removed, without a furnishers certification and without written notice required by FCRA 611 ( a ) ( 5 ) ( B ). Reliance on automated templates in lieu of a meaningful reinvestigation violates 1681i, and perpetuates inaccuracy in violation of 1681e ( b ). E-OSCAR may assist data exchange, but it can not substitute the bureaus statutory duties. \n\nSpecific Items in Dispute ( for deletion/suppression across all CRAs and resellers ) XXXX Account # XXXX {$440.00} Collection/Charge-off, XXXX XXXX XXXX Incorrect Address ( Current ), XXXX XXXX XXXX XXXX Incorrect Address ( Previous ), XX/XX/XXXX Incorrect DOB variation, XXXX XXXX XXXX Incorrect Name variation , all other derogatory, unverifiable, fraudulent, obsolete, reinserted, and suppressed data across Experian, Equifax, TransUnion, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, and affiliated resellers.\n\nDocuments the CFPB Should Compel ( MOV and Compliance Proof ) Identity-theft block actions under FCRA 605B ; all reasons for any refusal.\n\nReinsertion certification from each furnisher, plus written reinsertion notices sent to me ( or proof that none exist ).\n\nFull Method of Verification per item : contracts/notes, wet-ink or e-signature records, consent logs, IP addresses, device/browser fingerprints, timestamped audit trails, call/voice recordings, ACDV/CDV/AUD packets, Metro-2 fields used to verify, and screen-prints from furnisher systems.\n\nE-OSCAR audit logs showing dispute codes, timestamps, response codes, human reviewer IDs, decision matrices/algorithms used, and escalation steps.\n\nData-sharing map and access logs identifying every third party that received or accessed my data since XXXX.\n\nGLBA/Safeguards/Red Flags program documents ( policies, risk assessments, training logs, vendor management files, incident response records ).\n\nAdverse-action notices or any notices tied to fraud alerts/dispute comments that blocked mortgage underwriting.\n\nAll communications among the CRAs and furnishers regarding my disputes, identity-theft status, and reinsertion decisions.\n\nRequired CFPB Remedies and Enforcement 1. Order immediate deletion/suppression of all disputed and identity-theft items listed above across all CRAs and downstream resellers.\n\n2. Order removal of all dispute comments/fraud alerts that are obstructing mortgage approvals unless explicitly requested by me.\n\n3. Require certified MOV for any item the bureaus propose to retain ; if not produced, the item must be deleted.\n\n4. Mandate a reinsertion-prevention protocol : no item may reappear without 611 ( a ) ( 5 ) ( B ) furnisher certification and prior written notice to me.\n\n5. Impose UDAAP remedies and civil penalties ; require a compliance plan, independent audit, and senior-officer certifications.\n\n6. Restitution : require the CRAs/furnishers to compensate me for financial and housing harms.\n\n7. Referrals : where the record shows willful or reckless noncompliance, refer to DOJ and appropriate agencies for potential criminal/civil action.\n\nRelief and Compensation Sought Immediate correction of my consumer files ; permanent removal of all disputed/identity-theft items and comments.\n\nRestitution and damages for housing denial, rate inflation, credit suppression, identity-theft exposure, emotional distress, reputational harm, and veteran-specific harms.\n\nWritten confirmation of all deletions/suppressions sent to me and all parties that previously received the inaccurate data.\n\nCosts and fees associated with remediation and monitoring.\n\nFour-Day Urgency Because the unlawful reinsertion and dispute-commenting are actively blocking mortgage approval and veteran housing access, I request full corrective action within four ( 4 ) calendar days of CFPB receipt. Every day of delay compounds the harm.\n\nCertification : I declare under penalty of perjury that the facts provided are true and correct to the best of my knowledge. I authorize the CFPB to share this complaint with the named CRAs, furnishers, and regulators for investigation and enforcement. \n\nComplainant : XXXX XXXX Date : XX/XX/XXXX XXXX","date_sent_to_company":"2025-09-14T06:52:10.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"92131","tags":"Servicemember","has_narrative":true,"complaint_id":"15932435","timely":"Yes","company_response":"Closed with non-monetary relief","submitted_via":"Web","company":"EQUIFAX, INC.","date_received":"2025-09-14T06:51:45.000Z","state":"CA","company_public_response":null,"sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["Harms Real-estate denial and mortgage obstruction due to improper dispute comments/<em>fraud</em> alerts and <em>identity</em>-<em>theft</em> reinsertion.\n\nFinancial suppression : inflated rates, lost approvals, reduced credit access.\n\nEmotional distress and reputational damage ( ongoing ).\n\nContinued <em>identity</em>-<em>theft</em> exposure from unauthorized sharing and weak safeguards."]},"sort":[13.260429,"15932435"]},{"_index":"complaint-public-v1","_id":"15925580","_score":13.260429,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I request that the CFPB ( 1 ) open an immediate enforcement investigation into Experian, Equifax, TransUnion, and involved furnishers ; ( 2 ) compel deletion and suppression of all disputed/identity-theft data ; ( 3 ) require certified documentation ( Method of Verification ) for any item retained ; ( 4 ) order removal of all dispute comments and fraud alerts that are obstructing mortgage approvals ; ( 5 ) require a reinsertion-prevention plan compliant with FCRA 611 ( a ) ( 5 ) ( B ) ; ( 6 ) impose UDAAP remedies and civil money penalties ; and ( 7 ) require restitution and make referrals to DOJ and appropriate agencies for criminal violations where applicable. I request full corrective action within four ( 4 ) calendar days due to ongoing housing harm.\n\nFactual Background I am a documented identity-theft victim ( FTC Report # above ). Over the past year, I submitted disputes to the national CRAs for fraudulent accounts, personal-data errors ( addresses, name variation, DOB ) , and unauthorized inquiries. The CRAs responded using automated workflows ( E-OSCAR/ACDV ) , returned boilerplate outcomes, and reinserted previously deleted items without certification or notice, while also attaching or retaining dispute comments and internal fraud alerts that blocked my mortgage approval and access to VA/FHA products.\n\nThe CRAs and/or furnishers trafficked my nonpublic data to secondary/tertiary consumer reporting agencies and data brokers ( e.g., XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX  ) without my consent, magnifying harm, exposure, and denial impacts. I am a XXXX veteran ; these actions aggravate harm under federal servicemember protections.\n\nHarms Real-estate denial and mortgage obstruction due to improper dispute comments/fraud alerts and identity-theft reinsertion.\n\nFinancial suppression : inflated rates, lost approvals, reduced credit access.\n\nEmotional distress and reputational damage ( ongoing ).\n\nContinued identity-theft exposure from unauthorized sharing and weak safeguards.\n\nViolations ( Primary ) FCRA : 1681e ( b ) ( maximum possible accuracy ), 1681i ( reasonable reinvestigation ; anti-automation rubber-stamping ), 611 ( a ) ( 5 ) ( B ) ( reinsertion certification & written notice ), 1681g ( file disclosure ), 1681b ( permissible purpose ), 1681c-2 ( 605B identity-theft block ), 1681s-2 ( furnisher duties ).\n\nCFPA / Dodd-Frank Title X ( UDAAP ) : unfair, deceptive, abusive acts and practices ; CFPB enforcement authority.\n\nGLBA + FTC Safeguards Rule & Red Flags Rule : failure to protect nonpublic information ; failure to detect/respond to identity-theft patterns.\n\nECOA ( Reg B ), FHA, RESPA, ADA : discrimination and housing/credit obstruction via dispute comments, fraud alerts, and inaccurate file handling.\n\nSCRA ( servicemember protections ) and VA lending protections : aggravated harms to a veteran.\n\nCFAA ( 18 U.S.C. 1030 ), CIRCIA/Cybersecurity Enhancement : deficient controls leading to exposure/abuse of personal data.\n\n18 U.S.C. 241242, 1028 : civil-rights conspiracy and identity-theft-related misconduct ( for referral ).\n\nState privacy and UDAP ( e.g., CCPA/Cal. Civ. Code 1798 et seq. ).\n\nUCC 1-308 ( reservation of rights ) regarding any alleged consent or contracts.\n\nWhy E-OSCAR Use Here Violates the Law The bureaus appear to have routed my disputes through E-OSCAR, returning perfunctory ACDV results without substantive review. Indicators include : ( a ) form-letter denials ; ( b ) failure to address specific identity-theft evidence ; ( c ) rapid verified/updated toggles inconsistent with manual review ; ( d ) reinsertion of items previously removed, without a furnishers certification and without written notice required by FCRA 611 ( a ) ( 5 ) ( B ). Reliance on automated templates in lieu of a meaningful reinvestigation violates 1681i, and perpetuates inaccuracy in violation of 1681e ( b ). E-OSCAR may assist data exchange, but it can not substitute the bureaus statutory duties. \n\nSpecific Items in Dispute ( for deletion/suppression across all CRAs and resellers ) XXXX Account # XXXX {$440.00} Collection/Charge-off, XXXX XXXX XXXX Incorrect Address ( Current ), XXXX XXXX XXXX XXXX Incorrect Address ( Previous ), XX/XX/XXXX Incorrect DOB variation, XXXX XXXX XXXX Incorrect Name variation , all other derogatory, unverifiable, fraudulent, obsolete, reinserted, and suppressed data across Experian, Equifax, TransUnion, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, and affiliated resellers.\n\nDocuments the CFPB Should Compel ( MOV and Compliance Proof ) Identity-theft block actions under FCRA 605B ; all reasons for any refusal.\n\nReinsertion certification from each furnisher, plus written reinsertion notices sent to me ( or proof that none exist ).\n\nFull Method of Verification per item : contracts/notes, wet-ink or e-signature records, consent logs, IP addresses, device/browser fingerprints, timestamped audit trails, call/voice recordings, ACDV/CDV/AUD packets, Metro-2 fields used to verify, and screen-prints from furnisher systems.\n\nE-OSCAR audit logs showing dispute codes, timestamps, response codes, human reviewer IDs, decision matrices/algorithms used, and escalation steps.\n\nData-sharing map and access logs identifying every third party that received or accessed my data since XXXX.\n\nGLBA/Safeguards/Red Flags program documents ( policies, risk assessments, training logs, vendor management files, incident response records ).\n\nAdverse-action notices or any notices tied to fraud alerts/dispute comments that blocked mortgage underwriting.\n\nAll communications among the CRAs and furnishers regarding my disputes, identity-theft status, and reinsertion decisions.\n\nRequired CFPB Remedies and Enforcement 1. Order immediate deletion/suppression of all disputed and identity-theft items listed above across all CRAs and downstream resellers.\n\n2. Order removal of all dispute comments/fraud alerts that are obstructing mortgage approvals unless explicitly requested by me.\n\n3. Require certified MOV for any item the bureaus propose to retain ; if not produced, the item must be deleted.\n\n4. Mandate a reinsertion-prevention protocol : no item may reappear without 611 ( a ) ( 5 ) ( B ) furnisher certification and prior written notice to me.\n\n5. Impose UDAAP remedies and civil penalties ; require a compliance plan, independent audit, and senior-officer certifications.\n\n6. Restitution : require the CRAs/furnishers to compensate me for financial and housing harms.\n\n7. Referrals : where the record shows willful or reckless noncompliance, refer to DOJ and appropriate agencies for potential criminal/civil action.\n\nRelief and Compensation Sought Immediate correction of my consumer files ; permanent removal of all disputed/identity-theft items and comments.\n\nRestitution and damages for housing denial, rate inflation, credit suppression, identity-theft exposure, emotional distress, reputational harm, and veteran-specific harms.\n\nWritten confirmation of all deletions/suppressions sent to me and all parties that previously received the inaccurate data.\n\nCosts and fees associated with remediation and monitoring.\n\nFour-Day Urgency Because the unlawful reinsertion and dispute-commenting are actively blocking mortgage approval and veteran housing access, I request full corrective action within four ( 4 ) calendar days of CFPB receipt. Every day of delay compounds the harm.\n\nCertification : I declare under penalty of perjury that the facts provided are true and correct to the best of my knowledge. I authorize the CFPB to share this complaint with the named CRAs, furnishers, and regulators for investigation and enforcement. \n\nComplainant : XXXX XXXX Date : XX/XX/XXXX XXXX","date_sent_to_company":"2025-09-14T06:52:11.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"92131","tags":"Servicemember","has_narrative":true,"complaint_id":"15925580","timely":"Yes","company_response":"Closed with non-monetary relief","submitted_via":"Web","company":"TRANSUNION INTERMEDIATE HOLDINGS, INC.","date_received":"2025-09-14T06:41:17.000Z","state":"CA","company_public_response":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["Harms Real-estate denial and mortgage obstruction due to improper dispute comments/<em>fraud</em> alerts and <em>identity</em>-<em>theft</em> reinsertion.\n\nFinancial suppression : inflated rates, lost approvals, reduced credit access.\n\nEmotional distress and reputational damage ( ongoing ).\n\nContinued <em>identity</em>-<em>theft</em> exposure from unauthorized sharing and weak safeguards."]},"sort":[13.260429,"15925580"]},{"_index":"complaint-public-v1","_id":"15932434","_score":13.2224655,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I request that the CFPB ( 1 ) open an immediate enforcement investigation into Experian, Equifax, TransUnion, and involved furnishers ; ( 2 ) compel deletion and suppression of all disputed/identity-theft data ; ( 3 ) require certified documentation ( Method of Verification ) for any item retained ; ( 4 ) order removal of all dispute comments and fraud alerts that are obstructing mortgage approvals ; ( 5 ) require a reinsertion-prevention plan compliant with FCRA 611 ( a ) ( 5 ) ( B ) ; ( 6 ) impose UDAAP remedies and civil money penalties ; and ( 7 ) require restitution and make referrals to DOJ and appropriate agencies for criminal violations where applicable. I request full corrective action within four ( 4 ) calendar days due to ongoing housing harm.\n\nFactual Background I am a documented identity-theft victim ( FTC Report # above ). Over the past year, I submitted disputes to the national CRAs for fraudulent accounts, personal-data errors ( addresses, name variation, DOB ) , and unauthorized inquiries. The CRAs responded using automated workflows ( E-OSCAR/ACDV ) , returned boilerplate outcomes, and reinserted previously deleted items without certification or notice, while also attaching or retaining dispute comments and internal fraud alerts that blocked my mortgage approval and access to VA/FHA products.\n\nThe CRAs and/or furnishers trafficked my nonpublic data to secondary/tertiary consumer reporting agencies and data brokers ( e.g., XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX  ) without my consent, magnifying harm, exposure, and denial impacts. I am a XXXX veteran ; these actions aggravate harm under federal servicemember protections.\n\nHarms Real-estate denial and mortgage obstruction due to improper dispute comments/fraud alerts and identity-theft reinsertion.\n\nFinancial suppression : inflated rates, lost approvals, reduced credit access.\n\nEmotional distress and reputational damage ( ongoing ).\n\nContinued identity-theft exposure from unauthorized sharing and weak safeguards.\n\nViolations ( Primary ) FCRA : 1681e ( b ) ( maximum possible accuracy ), 1681i ( reasonable reinvestigation ; anti-automation rubber-stamping ), 611 ( a ) ( 5 ) ( B ) ( reinsertion certification & written notice ), 1681g ( file disclosure ), 1681b ( permissible purpose ), 1681c-2 ( 605B identity-theft block ), 1681s-2 ( furnisher duties ).\n\nCFPA / Dodd-Frank Title X ( UDAAP ) : unfair, deceptive, abusive acts and practices ; CFPB enforcement authority.\n\nGLBA + FTC Safeguards Rule & Red Flags Rule : failure to protect nonpublic information ; failure to detect/respond to identity-theft patterns.\n\nECOA ( Reg B ), FHA, RESPA, ADA : discrimination and housing/credit obstruction via dispute comments, fraud alerts, and inaccurate file handling.\n\nSCRA ( servicemember protections ) and VA lending protections : aggravated harms to a veteran.\n\nCFAA ( 18 U.S.C. 1030 ), CIRCIA/Cybersecurity Enhancement : deficient controls leading to exposure/abuse of personal data.\n\n18 U.S.C. 241242, 1028 : civil-rights conspiracy and identity-theft-related misconduct ( for referral ).\n\nState privacy and UDAP ( e.g., CCPA/Cal. Civ. Code 1798 et seq. ).\n\nUCC 1-308 ( reservation of rights ) regarding any alleged consent or contracts.\n\nWhy E-OSCAR Use Here Violates the Law The bureaus appear to have routed my disputes through E-OSCAR, returning perfunctory ACDV results without substantive review. Indicators include : ( a ) form-letter denials ; ( b ) failure to address specific identity-theft evidence ; ( c ) rapid verified/updated toggles inconsistent with manual review ; ( d ) reinsertion of items previously removed, without a furnishers certification and without written notice required by FCRA 611 ( a ) ( 5 ) ( B ). Reliance on automated templates in lieu of a meaningful reinvestigation violates 1681i, and perpetuates inaccuracy in violation of 1681e ( b ). E-OSCAR may assist data exchange, but it can not substitute the bureaus statutory duties. \n\nSpecific Items in Dispute ( for deletion/suppression across all CRAs and resellers ) XXXX Account # XXXX {$440.00} Collection/Charge-off, XXXX XXXX XXXX Incorrect Address ( Current ), XXXX XXXX XXXX XXXX Incorrect Address ( Previous ), XX/XX/XXXX Incorrect DOB variation, XXXX XXXX XXXX Incorrect Name variation , all other derogatory, unverifiable, fraudulent, obsolete, reinserted, and suppressed data across Experian, Equifax, TransUnion, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, XXXX, and affiliated resellers.\n\nDocuments the CFPB Should Compel ( MOV and Compliance Proof ) Identity-theft block actions under FCRA 605B ; all reasons for any refusal.\n\nReinsertion certification from each furnisher, plus written reinsertion notices sent to me ( or proof that none exist ).\n\nFull Method of Verification per item : contracts/notes, wet-ink or e-signature records, consent logs, IP addresses, device/browser fingerprints, timestamped audit trails, call/voice recordings, ACDV/CDV/AUD packets, Metro-2 fields used to verify, and screen-prints from furnisher systems.\n\nE-OSCAR audit logs showing dispute codes, timestamps, response codes, human reviewer IDs, decision matrices/algorithms used, and escalation steps.\n\nData-sharing map and access logs identifying every third party that received or accessed my data since XXXX.\n\nGLBA/Safeguards/Red Flags program documents ( policies, risk assessments, training logs, vendor management files, incident response records ).\n\nAdverse-action notices or any notices tied to fraud alerts/dispute comments that blocked mortgage underwriting.\n\nAll communications among the CRAs and furnishers regarding my disputes, identity-theft status, and reinsertion decisions.\n\nRequired CFPB Remedies and Enforcement 1. Order immediate deletion/suppression of all disputed and identity-theft items listed above across all CRAs and downstream resellers.\n\n2. Order removal of all dispute comments/fraud alerts that are obstructing mortgage approvals unless explicitly requested by me.\n\n3. Require certified MOV for any item the bureaus propose to retain ; if not produced, the item must be deleted.\n\n4. Mandate a reinsertion-prevention protocol : no item may reappear without 611 ( a ) ( 5 ) ( B ) furnisher certification and prior written notice to me.\n\n5. Impose UDAAP remedies and civil penalties ; require a compliance plan, independent audit, and senior-officer certifications.\n\n6. Restitution : require the CRAs/furnishers to compensate me for financial and housing harms.\n\n7. Referrals : where the record shows willful or reckless noncompliance, refer to DOJ and appropriate agencies for potential criminal/civil action.\n\nRelief and Compensation Sought Immediate correction of my consumer files ; permanent removal of all disputed/identity-theft items and comments.\n\nRestitution and damages for housing denial, rate inflation, credit suppression, identity-theft exposure, emotional distress, reputational harm, and veteran-specific harms.\n\nWritten confirmation of all deletions/suppressions sent to me and all parties that previously received the inaccurate data.\n\nCosts and fees associated with remediation and monitoring.\n\nFour-Day Urgency Because the unlawful reinsertion and dispute-commenting are actively blocking mortgage approval and veteran housing access, I request full corrective action within four ( 4 ) calendar days of CFPB receipt. Every day of delay compounds the harm.\n\nCertification : I declare under penalty of perjury that the facts provided are true and correct to the best of my knowledge. I authorize the CFPB to share this complaint with the named CRAs, furnishers, and regulators for investigation and enforcement. \n\nComplainant : XXXX XXXX Date : XX/XX/XXXX XXXX","date_sent_to_company":"2025-09-14T06:52:10.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"92131","tags":"Servicemember","has_narrative":true,"complaint_id":"15932434","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Experian Information Solutions Inc.","date_received":"2025-09-14T06:51:45.000Z","state":"CA","company_public_response":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["Harms Real-estate denial and mortgage obstruction due to improper dispute comments/<em>fraud</em> alerts and <em>identity</em>-<em>theft</em> reinsertion.\n\nFinancial suppression : inflated rates, lost approvals, reduced credit access.\n\nEmotional distress and reputational damage ( ongoing ).\n\nContinued <em>identity</em>-<em>theft</em> exposure from unauthorized sharing and weak safeguards."]},"sort":[13.2224655,"15932434"]},{"_index":"complaint-public-v1","_id":"16008137","_score":12.329053,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"CFPB Complaint Unauthorized Credit Card Account What happened : A credit card account was opened in my name with XXXX XXXX  without my knowledge, authorization, or consent. I did not apply for, sign for, or approve this account. This constitutes identity theft and unauthorized credit extension under federal law. \n\nI notified XXXX XXXX  XXXX XXXX that the account is fraudulent. I made it clear I do not wish to prosecute the individual responsible, but I will not assume liability for a debt I never incurred. \n\nDespite this, XXXX XXXX  has failed to resolve the matter promptly and ethically, leaving me exposed to potential credit harm and collection efforts. \n\n\nXXXX XXXX  Legal Issues Involved : 1. Fair Credit Billing Act ( 15 U.S.C. 1643 ) Consumers can not be held liable for unauthorized credit card charges.\n\n2. Fair Credit Reporting Act ( 15 U.S.C. 1681c-2, 1681i ) Furnishers must block fraudulent information upon notice and conduct a reasonable investigation.\n\n3. Truth in Lending Act ( 15 U.S.C. 1601 et seq. ) Unauthorized extensions of credit violate TILA protections.\n\n4. Fair Debt Collection Practices Act ( 15 U.S.C. 1692 et seq. ) Any attempt to collect on this account from me would be unlawful.\n\n5. Federal Trade Commission Act ( 15 U.S.C. 45 ) Continuing to report or collect on a fraudulent account is an unfair and deceptive practice. \n\n\n6. Gramm-Leach-Bliley Act ( 15 U.S.C. 6801 ) XXXX XXXX  has a duty to maintain safeguards preventing identity theft. \n\n\n\n\nXXXX XXXX Ethical Issues : XXXX XXXX  failed to apply proper internal safeguards against fraud in account origination. \n\nInstead of swiftly confirming I am not responsible, the bank is subjecting me to uncertainty, potential credit damage, and harassment risk. \n\nThis behavior undermines consumer trust and violates the ethical standard of fair dealing expected from a federally regulated financial institution. \n\n\n\nXXXX XXXX What I want : 1. Written confirmation from XXXX XXXX that I am not liable for this debt. \n\n\n2. Immediate deletion of all negative credit reporting associated with this fraudulent account.\n\n3. Documentation of the accounts origination records ( application, IP address, phone records, etc. ) for my review.\n\n4. Implementation of stronger safeguards to prevent future fraudulent openings in my name. \n\nA. Federal Statutes Credit & Lending ( 30 ) 1. Truth in Lending Act ( TILA ), 15 U.S.C. 1601 et seq.\n\n2. Fair Credit Billing Act ( FCBA ), 15 U.S.C. 1666.\n\n3. Equal Credit Opportunity Act ( ECOA ), 15 U.S.C. 1691.\n\n4. Fair Credit Reporting Act ( FCRA ), 15 U.S.C. 1681.\n\n5. Fair Debt Collection Practices Act ( FDCPA ), 15 U.S.C. 1692.\n\n6. Credit Repair Organizations Act, 15 U.S.C . 1679.\n\n7. Electronic Fund Transfer Act ( EFTA ), 15 U.S.C. 1693.\n\n8. Identity Theft and Assumption Deterrence Act, 18 U.S.C. 1028.\n\n9. Fair and Accurate Credit Transactions Act ( FACTA ), Pub. L. 108159.\n\n10. Credit CARD Act of 2009, 15 U.S.C. 1637.\n\n11. Gramm-Leach-Bliley Act ( GLBA ), 15 U.S.C. 6801.\n\n12. Bank Holding Company Act, 12 U.S.C. 1841.\n\n13. Dodd-Frank Wall Street Reform and Consumer Protection Act.\n\n14. Consumer Financial Protection Act, Title X of Dodd-Frank .\n\n15. Federal Reserve Regulation Z ( 12 C.F.R. Part 1026 ).\n\n16. Federal Reserve Regulation B ( 12 C.F.R. Part 1002 ).\n\n17. Federal Reserve Regulation E ( 12 C.F.R. Part 1005 ).\n\n18. Federal Reserve Regulation V ( 12 C.F.R. Part 1022 ).\n\n19. Federal Reserve Regulation AA ( Unfair/Deceptive Acts ).\n\n20. Federal Reserve Regulation P ( Privacy of Consumer Financial Information ).\n\n21. Federal Reserve Regulation X ( RESPA ).\n\n22. OCC regulations ( 12 C.F.R. 7 ).\n\n23. FDIC consumer-protection oversight.\n\n24. Federal Trade Commission Act, 15 U.S.C. 45 ( unfair/deceptive practices ).\n\n25. Bank Secrecy Act ( BSA ), 31 U.S.C. 5311.\n\n26. Right to Financial Privacy Act, 12 U.S.C. 3401.\n\n27. Privacy Act of 1974, 5 U.S.C. 552a.\n\n28. Civil Rights Act, Title VI ( discrimination in lending ).\n\n29. Servicemembers Civil Relief Act ( SCRA ).\n\n30. Bankruptcy Code protections, 11 U.S.C. 362 automatic stay. \n\nB. Federal Regulatory Bodies & Guidance ( 20 ) 31. CFPB enforcement authority.\n\n32. OCC oversight of national banks. 33. FDIC enforcement powers. 34. Federal Reserve consumer compliance supervision. 35. FTC enforcement of UDAP.\n\n36. FinCEN suspicious activity reporting.\n\n37. DOJ prosecution authority for identity theft.\n\n38. HUD enforcement of ECOA.\n\n39. SEC disclosure rules ( if tied to securities ). \n\n\n40. NCUA oversight ( for credit unions, comparisons ).\n\n\n41. Federal banking ombudsman programs.\n\n42. CFPB Advisory Opinions.\n\n43. CFPB Supervisory Highlights reports.\n\n44. CFPB Circulars on credit reporting obligations. \n\n\n45. Interagency Guidelines on Identity Theft Red Flags.\n\n46. Interagency Guidance on Fair Lending.\n\n47. FFIEC examination manuals.\n\n48. OCC Consent Orders against abusive credit practices.\n\n49. CFPB consent decrees.\n\n50. FTC enforcement actions against banks for identity theft failures.\n\nC. Credit Reporting/Identity Theft Protections ( 25 ) 51. FCRA 605 limits on negative reporting.\n\n52. FCRA 609 consumer file disclosure rights.\n\n53. FCRA 611 dispute investigation rights.\n\n54. FCRA 623 furnisher duties.\n\n55. FCRA 615 adverse action notices.\n\n56. FCRA 605B blocking fraudulent tradelines.\n\n57. FACTA 112 fraud alert rights.\n\n58. FACTA 113 credit freeze rights.\n\n59. FACTA 114 red flag guidelines.\n\n60. FACTA truncation requirements for card numbers.\n\n61. Identity Theft Affidavit ( FTC Form 14039 ).\n\n62. Right to place extended fraud alerts.\n\n63. Right to opt out of prescreened credit offers.\n\n64. Right to request all application materials from bank.\n\n65. Right to request recordings of application calls.\n\n66. Right to request IP logs for online applications.\n\n67. Right to damages under FCRA for negligent noncompliance.\n\n68. Right to punitive damages for willful violations.\n\n69. Right to attorneys fees under FCRA.\n\n70. CFPB rules on credit report accuracy.\n\n71. CFPB Bulletin on furnishers obligations.\n\n72. CFPB Bulletin on ID theft resolution.\n\n73. OCC guidance on bank fraud safeguards.\n\n74. Red Flags Rule, 16 C.F.R. 681.\n\n75. Right to sue CRA and furnisher jointly.\n\nD. Consumer Contract & Liability Theories ( 20 ) 76. Fraudulent inducement.\n\n77. Breach of fiduciary duty.\n\n78. Breach of implied covenant of good faith and fair dealing.\n\n79. Negligence in account origination.\n\n80. Negligent misrepresentation.\n\n81. Constructive fraud.\n\n82. Civil conspiracy ( if collusion suspected ).\n\n83. Agency liability ( bank responsible for employees/agents ).\n\n84. Estoppel ( bank cant claim you owe for their failure to vet ).\n\n85. Rescission of fraudulent contract.\n\n86. Unconscionability of enforcing fraudulent account.\n\n87. Void ab initio contract never existed.\n\n88. Conversion ( wrongful assumption of your credit identity ).\n\n89. Invasion of privacy.\n\n90. Breach of statutory duty.\n\n91. Violation of public policy.\n\n92. Consumer fraud statutes ( state UDAP ).\n\n93. Deceptive trade practices statutes.\n\n94. Equitable relief under unjust enrichment.\n\n95. Declaratory judgment action.\n\nE. State-Level Protections ( 20 ) 96. State UDAP ( Unfair/Deceptive Acts & Practices ) laws.\n\n97. State identity theft laws.\n\n98. State credit reporting acts ( e.g., California CCRAA ).\n\n99. State financial privacy laws.\n\n100. State fraud statutes.\n\n101. State constitutional due process rights.\n\n102. State consumer fraud acts.\n\n103. State deceptive advertising acts.\n\n104. State civil penalties for bad faith collections.\n\n105. State banking regulators enforcement authority.\n\n106. State attorney general consumer divisions.\n\n107. State data breach notification laws.\n\n108. State tort of negligent supervision.\n\n109. State tort of negligent hiring.\n\n110. State tort of negligent entrustment.\n\n111. State tort of negligent infliction of emotional distress.\n\n112. State unfair competition laws.\n\n113. State licensing requirements for debt collectors.\n\n114. State lemon laws analogies ( consumer fairness ).\n\n115. State small claims remedies.\n\nF. Litigation & Remedies ( 15 ) 116. Private right of action under FCRA.\n\n117. Private right of action under FDCPA.\n\n118. Class action potential for systemic failures.\n\n119. Treble damages under state consumer protection statutes.\n\n120. Injunctive relief in federal court.\n\n121. Declaratory judgment in state court.\n\n122. Restitution for any credit harm.\n\n123. Emotional distress damages.\n\n124. Reputational damages.\n\n125. Punitive damages.\n\n126. Attorneys fees.\n\n127. Costs of suit.\n\n128. Arbitration challenges ( unconscionability ).\n\n129. Jury trial demand.\n\n130. Equitable estoppel.\n\nG. Procedural/Compliance Failures ( 30 ) 131. Failure to verify identity under KYC ( Know Your Customer ).\n\n132. Failure to comply with Red Flags Rule.\n\n133. Failure to send adverse action notice.\n\n134. Failure to authenticate application signatures.\n\n135. Failure to detect suspicious IP/application origin.\n\n136. Failure to confirm SSN with SSA.\n\n137. Failure to match address history.\n\n138. Failure to match phone records.\n\n139. Failure to confirm prior credit file.\n\n140. Failure to use fraud detection vendors properly.\n\n141. Failure to apply OCC guidance.\n\n142. Failure to apply CFPB circulars.\n\n143. Failure to provide written dispute response in 30 days.\n\n144. Failure to block tradeline within 4 business days ( FCRA 605B ).\n\n145. Failure to provide reinvestigation documentation.\n\n146. Failure to give notice of reinvestigation results.\n\n147. Failure to send billing error acknowledgment ( FCBA ).\n\n148. Failure to maintain reasonable procedures to assure accuracy.\n\n149. Failure to honor consumers fraud affidavit.\n\n150. Failure to mitigate damages once notified.\n\nH. Federal Statutes & Acts Not Yet Mentioned ( 50 ) 151. Electronic Signatures in Global and National Commerce Act ( E-SIGN ).\n\n152. Computer Fraud and Abuse Act ( CFAA ), 18 U.S.C. 1030.\n\n153. Racketeer Influenced and Corrupt Organizations Act ( RICO ), 18 U.S.C. 1962.\n\n154. Wire Fraud statute, 18 U.S.C. 1343.\n\n155. Mail Fraud statute, 18 U.S.C. 1341.\n\n156. Bank Fraud statute, 18 U.S.C. 1344.\n\n157. False Claims Act, 31 U.S.C. 3729.\n\n158. Sarbanes-Oxley Act, 15 U.S.C. 7201.\n\n159. Foreign Corrupt Practices Act, 15 U.S.C. 78dd-1.\n\n160. USA PATRIOT Act, Title III ( anti-money laundering ).\n\n161. Right to Financial Privacy Act ( reinforcement ).\n\n162. Depository Institution Management Interlocks Act.\n\n163. Expedited Funds Availability Act.\n\n164. Payment Card Industry Data Security Standards ( PCI DSS ).\n\n165. CAN-SPAM Act ( if digital application notices were misleading ).\n\n166. Telephone Consumer Protection Act ( TCPA ).\n\n167. Childrens Online Privacy Protection Act ( COPPA, if minors identity at risk ).\n\n168. Digital Millennium Copyright Act ( misuse of digital identity parallels ).\n\n169. Magnuson-Moss Warranty Act ( consumer contract parallels ).\n\n170. Federal Arbitration Act ( limitations ).\n\n171. Real ID Act ( identity validation failures ).\n\n172. False Statements Act, 18 U.S.C. 1001.\n\n173. 12 U.S.C. 24 ( incidental powers of banks, limits ).\n\n174. 12 U.S.C. 1818 ( FDIC enforcement ).\n\n175. 12 U.S.C. 1829 ( prohibited affiliations with criminals ).\n\n176. 12 U.S.C. 1831p-1 ( safety & soundness standards ).\n\n177. 18 U.S.C. 1956 ( money laundering ).\n\n178. 18 U.S.C. 1957 ( monetary transactions with criminal proceeds ).\n\n179. Federal Criminal Identity Theft Statute, 18 U.S.C. 1028A.\n\n180. Stored Communications Act, 18 U.S.C. 2701.\n\n181. Computer Security Act of 1987.\n\n182. Cybersecurity Information Sharing Act ( CISA ).\n\n183. E-Government Act ( privacy impact assessments ).\n\n184. Digital Identity Guidelines ( NIST SP 800-63 ).\n\n185. Anti-Tying Restrictions, 12 U.S.C. 1972.\n\n186. Bank Holding Company Act Amendments of 1970.\n\n187. Garn-St. Germain Depository Institutions Act.\n\n188. Competitive Equality Banking Act.\n\n189. FDIC Improvement Act.\n\n190. Financial Institutions Reform, Recovery, and Enforcement Act ( FIRREA ).\n\n191. Community Reinvestment Act ( CRA ).\n\n192. Home Mortgage Disclosure Act ( HMDA, parallels in reporting ).\n\n193. National Bank Act.\n\n194. Federal Reserve Act.\n\n195. Securities Act of 1933 ( disclosure parallels ).\n\n196. Securities Exchange Act of 1934 ( anti-fraud provisions ).\n\n197. Investment Advisers Act of 1940 ( fiduciary parallels ).\n\n198. Investment Company Act of 1940.\n\n199. Commodity Exchange Act.\n\n200. Clayton Antitrust Act.\n\nI. Case Law & Precedents ( 30 ) 201. XXXXXXXX XXXX XXXX XXXX XXXX XXXX XXXX ( usury, banking authority ). \n\n\nXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \nJ. Administrative Codes & Banking Standards ( 40 ) 231. 12 C.F.R. Part 30 OCC safety & soundness.\n\n232. 12 C.F.R. Part 34 Real estate lending standards.\n\n233. 12 C.F.R. Part 226 TILA.\n\n234. 12 C.F.R. Part 1022 FCRA.\n\n235. 12 C.F.R. Part 1005 EFTA.\n\n236. 12 C.F.R. Part 1002 ECOA.\n\n237. 12 C.F.R. Part 1026 Regulation Z.\n\n238. 12 C.F.R. Part 1029 Prepaid accounts.\n\n239. 12 C.F.R. Part 7 Bank powers.\n\n240. 12 C.F.R. Part 21 Bank security procedures.\n\n241. 12 C.F.R. Part 30 Appendix A Internal controls.\n\n242. 12 C.F.R. Part 353 FDIC incident reporting.\n\n243. 12 C.F.R. Part 208 Fed member banks.\n\n244. 12 C.F.R. Part 225 Bank Holding Companies.\n\n245. 12 C.F.R. Part 229 Check collection rules.\n\n246. 12 C.F.R. Part 370 Recordkeeping.\n\n247. 31 C.F.R. Part 1010 BSA requirements.\n\n248. 31 C.F.R. Part 1020 Customer identification.\n\n249. 31 C.F.R. Part 1022 MSB rules.\n\n250. 31 C.F.R. Part 1023 Broker-dealer rules.\n\n251. 31 C.F.R. Part 1024 Mutual funds.\n\n252. 31 C.F.R. Part 1025 Insurance companies.\n\n253. 31 C.F.R. Part 1026 Futures commission merchants.\n\n254. 31 C.F.R. Part 1027 Dealers in precious metals.\n\n255. 31 C.F.R. Part 1029 Loan or finance companies.\n\n256. OCC Comptrollers Handbook on Consumer Compliance.\n\n257. OCC Comptrollers Handbook on Fair Lending.\n\n258. OCC Bulletin 2013-29 ( third-party risk ).\n\n259. OCC Bulletin 2020-10 ( COVID fraud risks ).\n\n260. FFIEC IT Examination Handbook.\n\n261. FFIEC Cybersecurity Assessment Tool.\n\n262. FFIEC Identity Theft Red Flags guidance.\n\n263. FFIEC Fair Lending Exam Procedures.\n\n264. FFIEC Consumer Compliance Handbook.\n\n265. NIST SP 800-30 ( risk management ).\n\n266. NIST SP 800-53 ( controls ).\n\n267. NIST Cybersecurity Framework.\n\n268. ISO 27001 ( information security ).\n\n269. ISO 22301 ( resilience ).\n\n270. Basel III banking standards.\n\nK. Remedies, Doctrines & Tort Angles ( 30 ) 271. Restatement ( Second ) of Torts 552 ( misrepresentation ).\n\n272. Restatement ( Second ) of Contracts 163 ( fraud in factum ).\n\n273. Restatement ( Third ) of Agency ( principal liability ).\n\n274. Doctrine of Unclean Hands.\n\n275. Doctrine of Laches ( delay harms consumer ).\n\n276. Doctrine of Estoppel.\n\n277. Doctrine of Ratification ( bank ratified fraud ).\n\n278. Doctrine of Novation ( fraudulent substitution ).\n\n279. Tort of Outrage 280. Prima facie tort.\n\n281. Intrusion upon seclusion.\n\n282. Public disclosure of private facts.\n\n283. False light.\n\n284. Appropriation of name/likeness.\n\n285. Negligence per se ( statute violation = negligence ).\n\n286. Strict liability ( consumer credit fraud context ).\n\n287. Fiduciary duty ( banks as trusted intermediaries ).\n\n288. Fiduciary fraud.\n\n289. Constructive notice failures.\n\n290. Breach of contract.\n\n291. Breach of implied contract.\n\n292. Failure to mitigate damages.\n\n293. Punitive damages in tort.\n\n294. Exemplary damages under statutes.\n\n295. Emotional distress damages.\n\n296. Injunction to stop reporting.\n\n297. Declaratory judgment of non-liability.\n\n298. Quiet title to credit file.\n\n299. Unjust enrichment.\n\n300. Civil theft claims.\n\nL. International & Comparative ( 30 ) 301. GDPR ( General Data Protection Regulation, EU ).\n\n302. UK Data Protection Act.\n\n303. Canadian Personal Information Protection and Electronic Documents Act ( PIPEDA ).\n\n304. Canadian Consumer Reporting Act. \n\n\nXXXX. XXXX Privacy Act. \n\n\nXXXX. XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX ( XXXX ). \n\n\nXXXX. XXXX XXXX Requirements Regulation. \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX of XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX for XXXX XXXX of Operational Risk. \n\n\nXXXX. XXXX consumer protection principles. \n\n\nXXXX. XXXX guidelines for financial consumer protection. \n\n\nXXXX. XXXX XXXX for Consumer Protection. \n\n\nXXXX. XXXX High-Level Principles on Financial Consumer Protection. \n\n\nXXXX. XXXX Recommendations ( anti-money laundering ). \n\n\nXXXX. XXXX XXXX directive. \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXXXXXX XXXX XXXX XXXX \n\n\nXXXX. XXXX consumer financial law ( CONDUSEF ). \n\n\nXXXX. XXXX XXXX ( privacy law ). \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX XXXX XXXX XXXX. \n\n\nXXXX. XXXX XXXX on XXXX of XXXX XXXX. \n\n\nXXXX. XXXX XXXX XXXX law. \n\nXXXX XXXX XXXX XXXX ( XXXX ) XXXX. Right to notice of credit denial ( ECOA ). \n\n\n332. Right to obtain free credit reports annually.\n\n333. Right to security freeze on file.\n\n334. Right to file identity theft reports.\n\n335. Right to damages under state constitutions.\n\n336. Right to enforce federal supremacy clause.\n\n337. Right to petition state AG.\n\n338. Right to petition state banking commissioner.\n\n339. Right to petition state consumer affairs.\n\n340. Right to arbitration ( if favorable ).\n\n341. Right to reject arbitration.\n\n342. Right to jury trial.\n\n343. Right to discovery of application docs.\n\n344. Right to compel production.\n\n345. Right to subpoena bank employees.\n\n346. Right to depose compliance officers.\n\n347. Right to adverse inference for spoliation.\n\n348. Right to evidentiary sanctions.\n\n349. Right to statutory penalties under FCRA.\n\n350. Right to statutory penalties under FDCPA.\n\n351. Right to statutory penalties under ECOA.\n\n352. Right to statutory penalties under TILA.\n\n353. Right to statutory penalties under EFTA.\n\n354. Right to statutory penalties under GLBA.\n\n355. Right to actual damages.\n\n356. Right to consequential damages.\n\n357. Right to treble damages.\n\n358. Right to equitable estoppel.\n\n359. Right to rescission.\n\n360. Right to reformation.\n\n361. Right to void fraudulent contracts.\n\n362. Right to equitable lien removal.\n\n363. Right to declaratory relief.\n\n364. Right to preliminary injunction.\n\n365. Right to permanent injunction.\n\n366. Right to protective orders.\n\n367. Right to confidentiality orders.\n\n368. Right to sanctions.\n\n369. Right to contempt orders.\n\n370. Right to expungement of credit tradelines.\n\n371. Right to removal of collection references.\n\n372. Right to file criminal complaint.\n\n373. Right to demand criminal referral.\n\n374. Right to restitution.\n\n375. Right to attorneys fees.\n\n376. Right to costs of suit.\n\n377. Right to punitive damages.\n\n378. Right to exemplary damages.\n\n379. Right to statutory multipliers.\n\n380. Right to appeal.\n\nN. Emerging Areas & Pressure Points ( 20 ) 381. Algorithmic bias in credit scoring.\n\n382. AI/ML risk under CFPB guidance.\n\n383. Dark patterns in digital applications.\n\n384. Cybersecurity negligence.\n\n385. Vendor liability ( third-party processors ).\n\n386. Cloud data storage failures.\n\n387. Biometric identity misuse.\n\n388. Digital wallet fraud.\n\n389. Cryptocurrency exposure in banking regs.\n\n390. Fintech partnership liability.\n\n391. Embedded finance risks.\n\n392. BNPL ( buy now pay later ) consumer protections.\n\n393. Student loan servicing parallels.\n\n394. Payday lending enforcement parallels.\n\n395. Subprime auto lending parallels.\n\n396. Mortgage servicing failures parallels.\n\n397. Data broker regulation parallels.\n\n398. Social Security Administration cross-checks.\n\n399. IRS Identity Protection PIN parallels. \n\n\n400. CFPBs UDAAP ( Unfair, Deceptive, Abusive Acts & Practices ) authority. \n\n\n1. No Contract = No Liability You never signed, consented, or authorized this account. Under contract law, no agreement means no enforceable debt.\n\n2. Truth in Lending Act ( TILA, 15 U.S.C. 1601 et seq. ) Creditors can only hold you responsible for charges you actually authorized. Unauthorized accounts = zero liability.\n\n3. Fair Credit Billing Act ( FCBA, 15 U.S.C. 1666 ) Protects you from being billed for accounts you didnt open and charges you didnt make.\n\n4. Fair Debt Collection Practices Act ( FDCPA, 15 U.S.C. 1692 ) Any attempt to collect a debt not owed is a violation. If XXXX XXXX  or its agents push this, theyre exposed. \n\n\n5. GrammLeachBliley Act ( GLBA, 15 U.S.C. 6801 ) They failed their duty to protect your non-public personal information if someone was able to open an account in your name.\n\n6. Fair Credit Reporting Act ( FCRA, 15 U.S.C. 1681 et seq. ) They can not legally furnish inaccurate information to credit bureaus. Reporting this account under your name is a statutory violation.\n\n7. FTC Red Flags Rule ( 16 C.F.R. 681.2 ) Banks must detect and respond to identity theft indicators. Failure to block an unauthorized account is a compliance failure.\n\n8. Electronic Signatures in Global and National Commerce Act ( E-SIGN, 15 U.S.C. 7001 ) Any alleged digital signature must be tied directly to you and verifiable. If not, its worthless.\n\n9. Uniform Commercial Code ( UCC 3-401 & 3-403 ) Youre not liable for instruments ( credit agreements ) you didnt sign.\n\n10. State Consumer Protection Laws Every state has deceptive practices statutes ( UDAP ). Billing you for someone elses account is per se deceptive.\n\n-- - Ethical Grounds 11. Unjust Enrichment U.S. Bank profits by forcing debt onto someone who never benefited. Immoral.\n\n12. Good Faith & Fair Dealing Implied in every contract. They breached it by trying to enforce a contract that never existed.\n\n13. Duty of Care A banks job is to safeguard, not weaponize, your identity.\n\n14. Corporate Responsibility Big banks advertise trust while pushing phantom debts. Hypocrisy.\n\n15. Restorative Justice Youve been harmed by reputational and financial risk. They owe you, not the other way around.\n\n-- - Practical / Creative Angles 16. No Benefit Received Debt law requires an exchange of value. You received nothing.\n\n17. Failure to Verify They didnt follow KYC ( Know Your Customer ) standards. Their negligence is their loss.\n\n18. Fraud Risk Allowing this account undermines the financial system. Theyd rather chase you than fix their hole.\n\n19. Reputation Risk Public exposure of wrongful billing could cost them far more than canceling a bogus debt. \n\n\n20. Precedent Courts routinely throw out phantom debt cases. XXXX XXXX  knows this. \n\n\n\nXXXX XXXX Candidate for United States House of Representatives Michigan XXXX XXXX.","date_sent_to_company":"2025-09-17T07:27:38.000Z","issue":"Credit monitoring or identity theft protection services","sub_product":"Credit reporting","zip_code":"480XX","tags":null,"has_narrative":true,"complaint_id":"16008137","timely":"Yes","company_response":"Closed with non-monetary relief","submitted_via":"Web","company":"EQUIFAX, INC.","date_received":"2025-09-17T07:27:15.000Z","state":"MI","company_public_response":null,"sub_issue":"Billing dispute for services"},"highlight":{"complaint_what_happened":["Federal Criminal <em>Identity</em> <em>Theft</em> Statute, 18 U.S.C. 1028A.\n\n180. Stored Communications Act, 18 U.S.C. 2701.\n\n181. Computer Security Act of 1987.\n\n182. <em>Cybersecurity</em> Information Sharing Act ( CISA ).\n\n183. E-Government Act ( privacy impact assessments ).\n\n184. Digital <em>Identity</em> Guidelines ( NIST SP 800-63 ).\n\n185. <em>Anti</em>-Tying Restrictions, 12 U.S.C. 1972.\n\n186. Bank Holding Company Act Amendments of 1970.\n\n187. Garn-St. Germain Depository Institutions Act.\n\n188."],"issue":["Credit monitoring or <em>identity</em> <em>theft</em> protection services"]},"sort":[12.329053,"16008137"]},{"_index":"complaint-public-v1","_id":"16008134","_score":12.303797,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"CFPB Complaint Unauthorized Credit Card Account What happened : A credit card account was opened in my name with XXXX XXXX  without my knowledge, authorization, or consent. I did not apply for, sign for, or approve this account. This constitutes identity theft and unauthorized credit extension under federal law. \n\nI notified XXXX XXXX  XXXX XXXX that the account is fraudulent. I made it clear I do not wish to prosecute the individual responsible, but I will not assume liability for a debt I never incurred. \n\nDespite this, XXXX XXXX  has failed to resolve the matter promptly and ethically, leaving me exposed to potential credit harm and collection efforts. \n\n\n-- - Legal Issues Involved : 1. Fair Credit Billing Act ( 15 U.S.C. 1643 ) Consumers can not be held liable for unauthorized credit card charges.\n\n2. Fair Credit Reporting Act ( 15 U.S.C. 1681c-2, 1681i ) Furnishers must block fraudulent information upon notice and conduct a reasonable investigation.\n\n3. Truth in Lending Act ( 15 U.S.C. 1601 et seq. ) Unauthorized extensions of credit violate TILA protections.\n\n4. Fair Debt Collection Practices Act ( 15 U.S.C. 1692 et seq. ) Any attempt to collect on this account from me would be unlawful.\n\n5. Federal Trade Commission Act ( 15 U.S.C. 45 ) Continuing to report or collect on a fraudulent account is an unfair and deceptive practice.\n\n6. Gramm-Leach-Bliley Act ( 15 U.S.C. 6801 ) U.S. Bank has a duty to maintain safeguards preventing identity theft. \n\n\n\n\n-- - Ethical Issues : XXXX XXXX  failed to apply proper internal safeguards against fraud in account origination. \n\nInstead of swiftly confirming I am not responsible, the bank is subjecting me to uncertainty, potential credit damage, and harassment risk. \n\nThis behavior undermines consumer trust and violates the ethical standard of fair dealing expected from a federally regulated financial institution. \n\n\n\n-- - What I want : 1. Written confirmation from XXXX XXXX  that I am not liable for this debt. \n\n\n2. Immediate deletion of all negative credit reporting associated with this fraudulent account.\n\n3. Documentation of the accounts origination records ( application, IP address, phone records, etc. ) for my review.\n\n4. Implementation of stronger safeguards to prevent future fraudulent openings in my name. \n\nA. Federal Statutes Credit & Lending ( 30 ) 1. Truth in Lending Act ( TILA ), 15 U.S.C. 1601 et seq.\n\n2. Fair Credit Billing Act ( FCBA ), 15 U.S.C. 1666.\n\n3. Equal Credit Opportunity Act ( ECOA ), 15 U.S.C. 1691.\n\n4. Fair Credit Reporting Act ( FCRA ), 15 U.S.C. 1681.\n\n5. Fair Debt Collection Practices Act ( FDCPA ), 15 U.S.C. 1692.\n\n6. Credit Repair Organizations Act, 15 U.S.C . 1679.\n\n7. Electronic Fund Transfer Act ( EFTA ), 15 U.S.C. 1693.\n\n8. Identity Theft and Assumption Deterrence Act, 18 U.S.C. 1028.\n\n9. Fair and Accurate Credit Transactions Act ( FACTA ), Pub. L. 108159.\n\n10. Credit CARD Act of 2009, 15 U.S.C. 1637.\n\n11. Gramm-Leach-Bliley Act ( GLBA ), 15 U.S.C. 6801.\n\n12. Bank Holding Company Act, 12 U.S.C. 1841.\n\n13. Dodd-Frank Wall Street Reform and Consumer Protection Act.\n\n14. Consumer Financial Protection Act, Title X of Dodd-Frank .\n\n15. Federal Reserve Regulation Z ( 12 C.F.R. Part 1026 ).\n\n16. Federal Reserve Regulation B ( 12 C.F.R. Part 1002 ).\n\n17. Federal Reserve Regulation E ( 12 C.F.R. Part 1005 ).\n\n18. Federal Reserve Regulation V ( 12 C.F.R. Part 1022 ).\n\n19. Federal Reserve Regulation AA ( Unfair/Deceptive Acts ).\n\n20. Federal Reserve Regulation P ( Privacy of Consumer Financial Information ).\n\n21. Federal Reserve Regulation X ( RESPA ).\n\n22. OCC regulations ( 12 C.F.R. 7 ).\n\n23. FDIC consumer-protection oversight.\n\n24. Federal Trade Commission Act, 15 U.S.C. 45 ( unfair/deceptive practices ).\n\n25. Bank Secrecy Act ( BSA ), 31 U.S.C. 5311.\n\n26. Right to Financial Privacy Act, 12 U.S.C. 3401.\n\n27. Privacy Act of 1974, 5 U.S.C. 552a.\n\n28. Civil Rights Act, Title VI ( discrimination in lending ).\n\n29. Servicemembers Civil Relief Act ( SCRA ).\n\n30. Bankruptcy Code protections, 11 U.S.C. 362 automatic stay.\n\nB. Federal Regulatory Bodies & Guidance ( 20 ) 31. CFPB enforcement authority.\n\n32. OCC oversight of national banks.\n\n33. FDIC enforcement powers.\n\n34. Federal Reserve consumer compliance supervision.\n\n35. FTC enforcement of UDAP.\n\n36. FinCEN suspicious activity reporting.\n\n37. DOJ prosecution authority for identity theft.\n\n38. HUD enforcement of ECOA.\n\n39. SEC disclosure rules ( if tied to securities ).\n\n40. NCUA oversight ( for credit unions, comparisons ).\n\n41. Federal banking ombudsman programs.\n\n42. CFPB Advisory Opinions.\n\n43. CFPB Supervisory Highlights reports.\n\n44. CFPB Circulars on credit reporting obligations.\n\n45. Interagency Guidelines on Identity Theft Red Flags.\n\n46. Interagency Guidance on Fair Lending.\n\n47. FFIEC examination manuals.\n\n48. OCC Consent Orders against abusive credit practices.\n\n49. CFPB consent decrees.\n\n50. FTC enforcement actions against banks for identity theft failures.\n\nC. Credit Reporting/Identity Theft Protections ( 25 ) 51. FCRA 605 limits on negative reporting.\n\n52. FCRA 609 consumer file disclosure rights.\n\n53. FCRA 611 dispute investigation rights.\n\n54. FCRA 623 furnisher duties.\n\n55. FCRA 615 adverse action notices.\n\n56. FCRA 605B blocking fraudulent tradelines.\n\n57. FACTA 112 fraud alert rights.\n\n58. FACTA 113 credit freeze rights.\n\n59. FACTA 114 red flag guidelines.\n\n60. FACTA truncation requirements for card numbers.\n\n61. Identity Theft Affidavit ( FTC Form 14039 ).\n\n62. Right to place extended fraud alerts.\n\n63. Right to opt out of prescreened credit offers.\n\n64. Right to request all application materials from bank.\n\n65. Right to request recordings of application calls.\n\n66. Right to request IP logs for online applications.\n\n67. Right to damages under FCRA for negligent noncompliance.\n\n68. Right to punitive damages for willful violations.\n\n69. Right to attorneys fees under FCRA.\n\n70. CFPB rules on credit report accuracy.\n\n71. CFPB Bulletin on furnishers obligations.\n\n72. CFPB Bulletin on ID theft resolution.\n\n73. OCC guidance on bank fraud safeguards.\n\n74. Red Flags Rule, 16 C.F.R. 681.\n\n75. Right to sue CRA and furnisher jointly.\n\nD. Consumer Contract & Liability Theories ( 20 ) 76. Fraudulent inducement.\n\n77. Breach of fiduciary duty.\n\n78. Breach of implied covenant of good faith and fair dealing.\n\n79. Negligence in account origination.\n\n80. Negligent misrepresentation.\n\n81. Constructive fraud.\n\n82. Civil conspiracy ( if collusion suspected ).\n\n83. Agency liability ( bank responsible for employees/agents ).\n\n84. Estoppel ( bank cant claim you owe for their failure to vet ).\n\n85. Rescission of fraudulent contract.\n\n86. Unconscionability of enforcing fraudulent account.\n\n87. Void ab initio contract never existed.\n\n88. Conversion ( wrongful assumption of your credit identity ).\n\n89. Invasion of privacy.\n\n90. Breach of statutory duty.\n\n91. Violation of public policy.\n\n92. Consumer fraud statutes ( state UDAP ).\n\n93. Deceptive trade practices statutes.\n\n94. Equitable relief under unjust enrichment.\n\n95. Declaratory judgment action.\n\nE. State-Level Protections ( 20 ) 96. State UDAP ( Unfair/Deceptive Acts & Practices ) laws.\n\n97. State identity theft laws.\n\n98. State credit reporting acts ( e.g., California CCRAA ).\n\n99. State financial privacy laws.\n\n100. State fraud statutes.\n\n101. State constitutional due process rights.\n\n102. State consumer fraud acts.\n\n103. State deceptive advertising acts.\n\n104. State civil penalties for bad faith collections.\n\n105. State banking regulators enforcement authority.\n\n106. State attorney general consumer divisions.\n\n107. State data breach notification laws.\n\n108. State tort of negligent supervision.\n\n109. State tort of negligent hiring.\n\n110. State tort of negligent entrustment.\n\n111. State tort of negligent infliction of emotional distress.\n\n112. State unfair competition laws.\n\n113. State licensing requirements for debt collectors.\n\n114. State lemon laws analogies ( consumer fairness ).\n\n115. State small claims remedies.\n\nF. Litigation & Remedies ( 15 ) 116. Private right of action under FCRA.\n\n117. Private right of action under FDCPA.\n\n118. Class action potential for systemic failures.\n\n119. Treble damages under state consumer protection statutes.\n\n120. Injunctive relief in federal court.\n\n121. Declaratory judgment in state court.\n\n122. Restitution for any credit harm.\n\n123. Emotional distress damages.\n\n124. Reputational damages.\n\n125. Punitive damages.\n\n126. Attorneys fees.\n\n127. Costs of suit.\n\n128. Arbitration challenges ( unconscionability ).\n\n129. Jury trial demand.\n\n130. Equitable estoppel.\n\nG. Procedural/Compliance Failures ( 30 ) 131. Failure to verify identity under KYC ( Know Your Customer ).\n\n132. Failure to comply with Red Flags Rule.\n\n133. Failure to send adverse action notice.\n\n134. Failure to authenticate application signatures.\n\n135. Failure to detect suspicious IP/application origin.\n\n136. Failure to confirm SSN with SSA.\n\n137. Failure to match address history.\n\n138. Failure to match phone records.\n\n139. Failure to confirm prior credit file.\n\n140. Failure to use fraud detection vendors properly.\n\n141. Failure to apply OCC guidance.\n\n142. Failure to apply CFPB circulars.\n\n143. Failure to provide written dispute response in 30 days.\n\n144. Failure to block tradeline within 4 business days ( FCRA 605B ).\n\n145. Failure to provide reinvestigation documentation.\n\n146. Failure to give notice of reinvestigation results.\n\n147. Failure to send billing error acknowledgment ( FCBA ).\n\n148. Failure to maintain reasonable procedures to assure accuracy.\n\n149. Failure to honor consumers fraud affidavit.\n\n150. Failure to mitigate damages once notified.\n\nH. Federal Statutes & Acts Not Yet Mentioned ( 50 ) 151. Electronic Signatures in Global and National Commerce Act ( E-SIGN ).\n\n152. Computer Fraud and Abuse Act ( CFAA ), 18 U.S.C. 1030.\n\n153. Racketeer Influenced and Corrupt Organizations Act ( RICO ), 18 U.S.C. 1962.\n\n154. Wire Fraud statute, 18 U.S.C. 1343.\n\n155. Mail Fraud statute, 18 U.S.C. 1341.\n\n156. Bank Fraud statute, 18 U.S.C. 1344.\n\n157. False Claims Act, 31 U.S.C. 3729.\n\n158. Sarbanes-Oxley Act, 15 U.S.C. 7201.\n\n159. Foreign Corrupt Practices Act, 15 U.S.C. 78dd-1.\n\n160. USA PATRIOT Act, Title III ( anti-money laundering ).\n\n161. Right to Financial Privacy Act ( reinforcement ).\n\n162. Depository Institution Management Interlocks Act.\n\n163. Expedited Funds Availability Act.\n\n164. Payment Card Industry Data Security Standards ( PCI DSS ).\n\n165. CAN-SPAM Act ( if digital application notices were misleading ).\n\n166. Telephone Consumer Protection Act ( TCPA ).\n\n167. Childrens Online Privacy Protection Act ( COPPA, if minors identity at risk ).\n\n168. Digital Millennium Copyright Act ( misuse of digital identity parallels ).\n\n169. Magnuson-Moss Warranty Act ( consumer contract parallels ).\n\n170. Federal Arbitration Act ( limitations ).\n\n171. Real ID Act ( identity validation failures ).\n\n172. False Statements Act, 18 U.S.C. 1001.\n\n173. 12 U.S.C. 24 ( incidental powers of banks, limits ).\n\n174. 12 U.S.C. 1818 ( FDIC enforcement ).\n\n175. 12 U.S.C. 1829 ( prohibited affiliations with criminals ).\n\n176. 12 U.S.C. 1831p-1 ( safety & soundness standards ).\n\n177. 18 U.S.C. 1956 ( money laundering ).\n\n178. 18 U.S.C. 1957 ( monetary transactions with criminal proceeds ).\n\n179. Federal Criminal Identity Theft Statute, 18 U.S.C. 1028A.\n\n180. Stored Communications Act, 18 U.S.C. 2701.\n\n181. Computer Security Act of 1987.\n\n182. Cybersecurity Information Sharing Act ( CISA ).\n\n183. E-Government Act ( privacy impact assessments ).\n\n184. Digital Identity Guidelines ( NIST SP 800-63 ).\n\n185. Anti-Tying Restrictions, 12 U.S.C. 1972.\n\n186. Bank Holding Company Act Amendments of 1970.\n\n187. Garn-St. Germain Depository Institutions Act.\n\n188. Competitive Equality Banking Act.\n\n189. FDIC Improvement Act.\n\n190. Financial Institutions Reform, Recovery, and Enforcement Act ( FIRREA ).\n\n191. Community Reinvestment Act ( CRA ).\n\n192. Home Mortgage Disclosure Act ( HMDA, parallels in reporting ).\n\n193. National Bank Act.\n\n194. Federal Reserve Act.\n\n195. Securities Act of 1933 ( disclosure parallels ).\n\n196. Securities Exchange Act of 1934 ( anti-fraud provisions ).\n\n197. Investment Advisers Act of 1940 ( fiduciary parallels ).\n\n198. Investment Company Act of 1940.\n\n199. Commodity Exchange Act.\n\n200. Clayton Antitrust Act. \nI. Case Law & Precedents ( 30 ) XXXX. XXXXXXXX XXXX XXXX XXXX XXXX XXXX XXXXXXXX ( usury, banking authority ). \n\n\nXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \n\n\nXXXX. FTC XXXX XXXX XXXX  ( hypothetical analogies ). \n\n\nXXXX. XXXXXXXX XXXX SEC ( statute of limitations ). \n\n\nXXXX. XXXXXXXX XXXX. SEC ( equitable disgorgement ). \nJ. Administrative Codes & Banking Standards ( 40 ) 231. 12 C.F.R. Part 30 OCC safety & soundness.\n\n232. 12 C.F.R. Part 34 Real estate lending standards.\n\n233. 12 C.F.R. Part 226 TILA.\n\n234. 12 C.F.R. Part 1022 FCRA.\n\n235. 12 C.F.R. Part 1005 EFTA.\n\n236. 12 C.F.R. Part 1002 ECOA.\n\n237. 12 C.F.R. Part 1026 Regulation Z.\n\n238. 12 C.F.R. Part 1029 Prepaid accounts.\n\n239. 12 C.F.R. Part 7 Bank powers.\n\n240. 12 C.F.R. Part 21 Bank security procedures.\n\n241. 12 C.F.R. Part 30 Appendix A Internal controls.\n\n242. 12 C.F.R. Part 353 FDIC incident reporting.\n\n243. 12 C.F.R. Part 208 Fed member banks.\n\n244. 12 C.F.R. Part 225 Bank Holding Companies.\n\n245. 12 C.F.R. Part 229 Check collection rules.\n\n246. 12 C.F.R. Part 370 Recordkeeping.\n\n247. 31 C.F.R. Part 1010 BSA requirements.\n\n248. 31 C.F.R. Part 1020 Customer identification.\n\n249. 31 C.F.R. Part 1022 MSB rules.\n\n250. 31 C.F.R. Part 1023 Broker-dealer rules.\n\n251. 31 C.F.R. Part 1024 Mutual funds.\n\n252. 31 C.F.R. Part 1025 Insurance companies.\n\n253. 31 C.F.R. Part 1026 Futures commission merchants.\n\n254. 31 C.F.R. Part 1027 Dealers in precious metals.\n\n255. 31 C.F.R. Part 1029 Loan or finance companies.\n\n256. OCC Comptrollers Handbook on Consumer Compliance.\n\n257. OCC Comptrollers Handbook on Fair Lending.\n\n258. OCC Bulletin 2013-29 ( third-party risk ).\n\n259. OCC Bulletin 2020-10 ( COVID fraud risks ).\n\n260. FFIEC IT Examination Handbook.\n\n261. FFIEC Cybersecurity Assessment Tool.\n\n262. FFIEC Identity Theft Red Flags guidance.\n\n263. FFIEC Fair Lending Exam Procedures.\n\n264. FFIEC Consumer Compliance Handbook.\n\n265. NIST SP 800-30 ( risk management ).\n\n266. NIST SP 800-53 ( controls ).\n\n267. NIST Cybersecurity Framework.\n\n268. ISO 27001 ( information security ).\n\n269. ISO 22301 ( resilience ).\n\n270. Basel III banking standards.\n\nK. Remedies, Doctrines & Tort Angles ( 30 ) 271. Restatement ( Second ) of Torts 552 ( misrepresentation ).\n\n272. Restatement ( Second ) of Contracts 163 ( fraud in factum ).\n\n273. Restatement ( Third ) of Agency ( principal liability ).\n\n274. Doctrine of Unclean Hands.\n\n275. Doctrine of Laches ( delay harms consumer ).\n\n276. Doctrine of Estoppel.\n\n277. Doctrine of Ratification ( bank ratified fraud ).\n\n278. Doctrine of Novation ( fraudulent substitution ).\n\n279. Tort of Outrage 280. Prima facie tort.\n\n281. Intrusion upon seclusion.\n\n282. Public disclosure of private facts.\n\n283. False light.\n\n284. Appropriation of name/likeness.\n\n285. Negligence per se ( statute violation = negligence ).\n\n286. Strict liability ( consumer credit fraud context ).\n\n287. Fiduciary duty ( banks as trusted intermediaries ).\n\n288. Fiduciary fraud.\n\n289. Constructive notice failures.\n\n290. Breach of contract.\n\n291. Breach of implied contract.\n\n292. Failure to mitigate damages.\n\n293. Punitive damages in tort.\n\n294. Exemplary damages under statutes.\n\n295. Emotional distress damages.\n\n296. Injunction to stop reporting.\n\n297. Declaratory judgment of non-liability.\n\n298. Quiet title to credit file.\n\n299. Unjust enrichment.\n\n300. Civil theft claims.\n\nL. International & Comparative ( 30 ) 301. GDPR ( General Data Protection Regulation, XXXX ). \n\n\nXXXX. XXXX XXXX XXXX XXXX. \n\n\nXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \n\nM. Miscellaneous Technical Points ( 50 ) 331. Right to notice of credit denial ( ECOA ).\n\n332. Right to obtain free credit reports annually.\n\n333. Right to security freeze on file.\n\n334. Right to file identity theft reports.\n\n335. Right to damages under state constitutions.\n\n336. Right to enforce federal supremacy clause.\n\n337. Right to petition state AG.\n\n338. Right to petition state banking commissioner.\n\n339. Right to petition state consumer affairs.\n\n340. Right to arbitration ( if favorable ).\n\n341. Right to reject arbitration.\n\n342. Right to jury trial.\n\n343. Right to discovery of application docs.\n\n344. Right to compel production.\n\n345. Right to subpoena bank employees.\n\n346. Right to depose compliance officers.\n\n347. Right to adverse inference for spoliation.\n\n348. Right to evidentiary sanctions.\n\n349. Right to statutory penalties under FCRA.\n\n350. Right to statutory penalties under FDCPA.\n\n351. Right to statutory penalties under ECOA.\n\n352. Right to statutory penalties under TILA.\n\n353. Right to statutory penalties under EFTA.\n\n354. Right to statutory penalties under GLBA.\n\n355. Right to actual damages.\n\n356. Right to consequential damages.\n\n357. Right to treble damages.\n\n358. Right to equitable estoppel.\n\n359. Right to rescission.\n\n360. Right to reformation.\n\n361. Right to void fraudulent contracts.\n\n362. Right to equitable lien removal.\n\n363. Right to declaratory relief.\n\n364. Right to preliminary injunction.\n\n365. Right to permanent injunction.\n\n366. Right to protective orders.\n\n367. Right to confidentiality orders.\n\n368. Right to sanctions.\n\n369. Right to contempt orders.\n\n370. Right to expungement of credit tradelines.\n\n371. Right to removal of collection references.\n\n372. Right to file criminal complaint.\n\n373. Right to demand criminal referral.\n\n374. Right to restitution.\n\n375. Right to attorneys fees.\n\n376. Right to costs of suit.\n\n377. Right to punitive damages.\n\n378. Right to exemplary damages.\n\n379. Right to statutory multipliers.\n\n380. Right to appeal.\n\nN. Emerging Areas & Pressure Points ( 20 ) 381. Algorithmic bias in credit scoring.\n\n382. AI/ML risk under CFPB guidance.\n\n383. Dark patterns in digital applications.\n\n384. Cybersecurity negligence.\n\n385. Vendor liability ( third-party processors ).\n\n386. Cloud data storage failures.\n\n387. Biometric identity misuse.\n\n388. Digital wallet fraud.\n\n389. Cryptocurrency exposure in banking regs.\n\n390. Fintech partnership liability.\n\n391. Embedded finance risks.\n\n392. BNPL ( buy now pay later ) consumer protections.\n\n393. Student loan servicing parallels.\n\n394. Payday lending enforcement parallels.\n\n395. Subprime auto lending parallels.\n\n396. Mortgage servicing failures parallels.\n\n397. Data broker regulation parallels.\n\n398. Social Security Administration cross-checks.\n\n399. IRS Identity Protection PIN parallels.\n\n400. CFPBs UDAAP ( Unfair, Deceptive, Abusive Acts & Practices ) authority. \n\n\n1. No Contract = No Liability You never signed, consented, or authorized this account. Under contract law, no agreement means no enforceable debt.\n\n2. Truth in Lending Act ( TILA, 15 U.S.C. 1601 et seq. ) Creditors can only hold you responsible for charges you actually authorized. Unauthorized accounts = zero liability.\n3. Fair Credit Billing Act ( FCBA, 15 U.S.C. 1666 ) Protects you from being billed for accounts you didnt open and charges you didnt make.\n\n4. Fair Debt Collection Practices Act ( FDCPA, 15 U.S.C. 1692 ) Any attempt to collect a debt not owed is a violation. If U.S. Bank or its agents push this, theyre exposed.\n\n5. GrammLeachBliley Act ( GLBA, 15 U.S.C. 6801 ) They failed their duty to protect your non-public personal information if someone was able to open an account in your name.\n\n6. Fair Credit Reporting Act ( FCRA, 15 U.S.C. 1681 et seq. ) They can not legally furnish inaccurate information to credit bureaus. Reporting this account under your name is a statutory violation.\n\n7. FTC Red Flags Rule ( 16 C.F.R. 681.2 ) Banks must detect and respond to identity theft indicators. Failure to block an unauthorized account is a compliance failure.\n\n8. Electronic Signatures in Global and National Commerce Act ( E-SIGN, 15 U.S.C. 7001 ) Any alleged digital signature must be tied directly to you and verifiable. If not, its worthless.\n\n9. Uniform Commercial Code ( UCC 3-401 & 3-403 ) Youre not liable for instruments ( credit agreements ) you didnt sign.\n\n10. State Consumer Protection Laws Every state has deceptive practices statutes ( UDAP ). Billing you for someone elses account is per se deceptive. \n\n\n\n\n-- - Ethical Grounds 11. Unjust Enrichment U.S. Bank profits by forcing debt onto someone who never benefited. Immoral.\n\n12. Good Faith & Fair Dealing Implied in every contract. They breached it by trying to enforce a contract that never existed.\n\n13. Duty of Care A banks job is to safeguard, not weaponize, your identity.\n\n14. Corporate Responsibility Big banks advertise trust while pushing phantom debts. Hypocrisy.\n\n15. Restorative Justice Youve been harmed by reputational and financial risk. They owe you, not the other way around.\n\n-- - Practical / Creative Angles 16. No Benefit Received Debt law requires an exchange of value. You received nothing.\n17. Failure to Verify They didnt follow KYC ( Know Your Customer ) standards. Their negligence is their loss.\n\n18. Fraud Risk Allowing this account undermines the financial system. Theyd rather chase you than fix their hole.\n\n19. Reputation Risk Public exposure of wrongful billing could cost them far more than canceling a bogus debt. \n\n\n20. Precedent Courts routinely throw out phantom debt cases. XXXX XXXX  knows this. \n\n\n\nXXXX XXXX Candidate for United States House of Representatives Michigan XXXX XXXX.","date_sent_to_company":"2025-09-17T07:27:38.000Z","issue":"Credit monitoring or identity theft protection services","sub_product":"Credit reporting","zip_code":"480XX","tags":null,"has_narrative":true,"complaint_id":"16008134","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Experian Information Solutions Inc.","date_received":"2025-09-17T07:27:15.000Z","state":"MI","company_public_response":null,"sub_issue":"Billing dispute for services"},"highlight":{"complaint_what_happened":["Federal Criminal <em>Identity</em> <em>Theft</em> Statute, 18 U.S.C. 1028A.\n\n180. Stored Communications Act, 18 U.S.C. 2701.\n\n181. Computer Security Act of 1987.\n\n182. <em>Cybersecurity</em> Information Sharing Act ( CISA ).\n\n183. E-Government Act ( privacy impact assessments ).\n\n184. Digital <em>Identity</em> Guidelines ( NIST SP 800-63 ).\n\n185. <em>Anti</em>-Tying Restrictions, 12 U.S.C. 1972.\n\n186. Bank Holding Company Act Amendments of 1970.\n\n187. Garn-St. Germain Depository Institutions Act.\n\n188."],"issue":["Credit monitoring or <em>identity</em> <em>theft</em> protection services"]},"sort":[12.303797,"16008134"]},{"_index":"complaint-public-v1","_id":"5572167","_score":6.327303,"_source":{"product":"Money transfer, virtual currency, or money service","complaint_what_happened":"Dear Consumer Financial Protection Bureau, I am one of hundreds of victims of theft of cryptocurrency off the exchange run by Gemini Trust Company , LLC ( d/b/aXXXX Gemini XXXX, XXXX ) ( Gemini ) that resulted from Geminis unfair, deceptive, or abusive acts or practices ( UDAAPs ), in violation of the Dodd-Frank Act, 12 U.S.C. 5531. In short, as a result of Geminis failure to adequately safeguard self-directed retirement assets on its exchange from foreseeable misconduct, hackers were able to fraudulently transfer tens of millions of dollars worth of cryptocurrency off the exchange on XX/XX/XXXX, including [ Amount ] ETH from my account. \n\nGemini lured myself and the other victims in by selling security and trust : Trust is our product, they tell the public. We bought it and were led to believe Gemini would adequately safeguard our valuable retirement assets. Gemini advertises its industry leading security, and broadcasts unequivocally that All crypto held online in our exchange wallet is insured. It was precisely statements like these that led me ( and others ) to believe my self-directed retirement funds would be safe on the Gemini exchange and therefore to select a custodian that advertised a partnership with Gemini for this very purpose. At no time, prior to the theft of assets, did Gemini provide any indication that they would not put the full force of their company resources and highly touted security program behind the protection of my assets. To the contrary, upon signing up with Gemini, they sent welcome letters, reiterating promises of their security-first mentality and an ethos of asking for permission, not forgiveness, and they promised the full Gemini experience. \n\nI, and other victims, had every reason to rely on Geminis representations in establishing trust and selecting a place to buy and store valuable retirement assets. However, based on Geminis responses to my inquiries ( and those of other victims ) to date, these representations proved to be unbelievably deceptive. Gemini now claims that all security measures to protect the tens of millions of crypto held on Geminis exchange fell on XXXX XXXX relatively small company that, among other things, takes miniscule fees compared to those taken by Gemini for buying and holding crypto, and that does not sell its product based on its own security but rather that of Gemini. Even though Gemini promised ( among other industry-leading security ) two-factor authentication ( 2FA ), protections against single point of failure, and that in any event crypto is insured against fraud, victims were not notified ( via 2FA or otherwise ) of the withdrawals that Gemini says was due 100 % to IRA Financial ( a single-point of failure ) being severely compromised, and the assets were not insured against this loss. \n\nGemini violated the Dodd-Frank Act by engaging in UDAAPs and harming the victims in several ways. This included unfair acts and practices in the form of inadequate safeguards that caused injuries not reasonably avoidable by consumers. It also included deceptive practices in the form of material misrepresentations reasonably misleading and injuring consumers. Gemini also appears to have violated both state law and possibly the Electronic Funds Transfer Act ( EFTA ), each of which violation would constitute an actionable UDAAP under Dodd-Frank Act as well as a violation of the underlying laws These violations are detailed below.\n\nI. Geminis Unfair Acts and Practices : Failure to Establish Appropriate Policies and Procedures to Prevent, Detect, or Remedy Fraudulent Activity Harming Consumers The fraud that occurred on XX/XX/XXXX was stark. Hackers were able to compromise XXXX XXXX Geminis partner in providing consumers with an option to invest their self-directed retirement funds in cryptocurrency. Amazingly, Gemini had no safeguards against a single point of failure at XXXX  XXXX, where hacked administrative accounts were able to transfer tens of millions of dollars from hundreds of different individual customer accounts under their control into one account, and then transfer from the one account off the exchange, all within dozens of minutes. In statements to victims after this egregious security failure, Gemini has said The subject transactions appeared, from Geminis perspective, to be routine, authorized, and legitimate. This statement from Gemini is incredible and highlights the extreme lack of anything close to proper safeguards.\n\nThe standard for unfairness in the Dodd-Frank Act is that an act or practice is unfair when : ( 1 ) It causes or is likely to cause substantial injury to consumers ; ( 2 ) The injury is not reasonably avoidable by consumers ; and ( 3 ) The injury is not outweighed by countervailing benefits to consumers or to competition. See 15 U.S.C. 45 ( n ) ( The standard for unfairness in the Dodd-Frank Act has the same three-part test as the FTC Act, which was first stated in the FTC Policy Statement on Unfairness ( XXXX XXXX, XXXX ), available at : http : //www.ftc.govXXXX, and later specifically included in the FTC Act. ) As an example, in In re XXXX XXXX, XXXX XXXX, the Office of the Comptroller of the Currency ( OCC ) brought an enforcement action where a bank maintained deposit account relations with telemarketers and payment processors without adequately safeguarding against fraud. In that case, the telemarketers regularly deposited large numbers of remotely created checks drawn against consumers accounts, a large proportion of which were not authorized by consumers. OCCs investigation indicated the bank failed to establish appropriate policies and procedures to prevent, detect, or remedy such activities. Under the three-part test for unfairness, ( 1 ) the consumers lost money from the fraudulent checks was a substantial injury, ( 2 ) consumers could not have avoided the injury from transactions to which they had not consented, and ( 3 ) the cost to the bank of establishing a minimum level of due diligence, monitoring, and response procedures sufficient to remedy the problem would have been far less than the amount of injury to consumers that resulted from the banks avoiding those costs. See CFPB Consumer Laws and Regulations, UDAAPs Manual v.3 at pp.4-5 ( XX/XX/XXXX ) ( discussing the analysis ). \n\nGeminis failures in the present case easily meet the three-part test for unfairness. First, the lost tens of millions of dollars worth of crypto is obviously a substantial injury. Second, there is nothing the consumers could have done to avoid this injuryin fact, not only had the victims not consented to the transfers, but we relied on notifications and two-factor authentication to make any transfers on the Gemini exchange, and yet no notice was provided by Gemini at any time as the accounts were being drained. No protections were offered by Gemini and there was nothing consumers could have done, reasonable or otherwise, to prevent this. Third, as in In re XXXXXXXX XXXX XXXXXXXX XXXX, the cost to Gemini of establishing a minimum level of due diligence, monitoring, and response procedures sufficient to remedy the problem would have been far less than the injury resulting from Geminis avoiding these costs. In other words, Geminis failures were clearly unfair under the meaning of Dodd-Frank , and in accordance with precedent, and CFPB should take action to compel Gemini to restore the victims accounts.\n\nII. Geminis Deceptive Acts and Practices : Misleading Claims and Omissions About Security and Insurance that Consumers Reasonably Relied Upon to their Detriment When I was looking for a platform I could use to invest my self-directed retirement funds in crypto, I picked XXXX  XXXX due to their advertised partnership with Gemini, which holds itself out as an industry leader in security and advertises that all crypto on its exchange is insured. Gemini got my business, and those of countless others no doubt, by promoting a reputation for safety and security. I, and other victims, reasonably relied on Geminis assurances that our assets were safe on the Gemini exchange, and we reasonably believed that, should they be somehow stolen or otherwise compromised, our assets would be protected by Geminis insurance. But all of this appears based on Geminis current position to be egregiously misleading. In other words, Geminis representations were extremely deceptive.\n\nUnder the Dodd-Frank Act, a representation, omission, act, or practice is deceptive when ( 1 ) The representation, omission, act, or practice misleads or is likely to mislead the consumer ; ( 2 ) The consumers interpretation of the representation, omission, act, or practice is reasonable under the circumstances; and ( 3 ) The misleading representation, omission, act, or practice is material. See CFPB Consumer Laws and Regulations, UDAAPs Manual v.3 at p. 5 ( XX/XX/XXXX ) ( citing FTC Policy Statement on Deception, available at http : //www.ftc.govXXXX XXXX \n\nCFPB has explained that, in addition to affirmative representations that are misleading, if material information is necessary to prevent a consumer from being misled, it may be deceptive to omit that information. Id. Examples of deceptive practices may include, among other things, offering to provide a product or service that is not in fact available ;... omitting material limitations or conditions from an offer ; or failing to provide the promised services. Id. \n\nGeminis acts and practices easily meet the test under Dodd-Frank because they lured consumers in with statements creating reasonable expectations for security and insurance, which proved to be totally false and which materially harmed the consumers who relied on these reasonable expectations. Below, I set forth some of the specific statements and representations made or omitted by Gemini, the reasonable expectations these created, and the reality of what occurred and what Gemini is saying now.\n\nA. What Gemini Said : That They Are Safe, Trusted, Leaders in Security, and that Their Protections Include 2FA, Protections Against Single-Points of Failure , and Insurance Against Fraud Geminis entire sales pitch is that they are safe and secure, and that people should trust them to safeguard their valuable assets. Gemini tells the public they are the Safest Crypto Exchange, and make the following representations, among others : Trust is our product.\n\nGeminis founders built Gemini to deliver the first trusted platform that focused on strong security controls and compliance. \nGemini has built a leading security program focused on developing innovative security solutions to help protect and secure our customers and their assets. \nAll crypto held online in our exchange wallet is insured and we use best-in-industry cold storage coverage with leading insurance providers. \n\nSee Gemini Advertising and Marketing Materials, Exhibit A. \n\nAlong the same lines, XXXX  XXXX distinguished itself in advertisements by stressing its partnership with Gemini and underscoring the safety, security, and insurance of the Gemini XXXX. XXXX  XXXX advertised about its partner and their collective products and services, among other things : Gemini is a regulated crypto exchange with over {$10.00} billion in assets. \nHow it works... XXXX  XXXX creates your crypto account on Gemini. Gemini then emails you onboarding instructions. \nGemini is a regulated trust company and offers its clients insurance against fraud. \n\nXXXX  XXXX XXXX and Marketing Materials, Exhibit B. \n\nGemini participated in this partnership and at no time qualified or corrected any statements advertised about the safety, security, and insurance that would protect customers. \n\nNotably, I recall seeing and relying on similar communications and advertisements about the safety and security of Gemini ( and XXXX  XXXX as a result of their partnership with Gemini ), and I understand some materials have since been taken down by one or both companies. I do not have access to all of these, but I believe other victims may have some of these materials that they have provided or may provide to CFBP.\n\nOne stark example of this is Geminis prior claims about insurance, which has now been heavily qualified.\n\nGeminis prior representation about insurance was : All crypto held online in our exchange wallet is insured and we use best-in-industry cold storage coverage with leading insurance providers.\n\nAs of the date of this letter, Gemini has taken this down, tacitly acknowledging its inaccuracy, and Gemini now represents to the public only that : We maintain insurance against certain types of crypto losses from our exchange wallet and from Gemini Custody. To learn more about our insurance, and what it does and does not cover, please visit our User Agreement.\n\nSee Exhibit A. \n\nIn addition to these general promises, Gemini advertises specific details of their industry leading security that protect customers. Some particularly relevant representations include those concerning two-factor authentication and protections against single points of failure : In discussing its specific security practices, Gemini states that Two-Factor Authentication ( 2FA ) is required by default, in order to access your account and make withdrawals.\n\nSimilarly, Gemini toutes its asset security, stating The multisignature digital signature scheme ( multisig ) used eliminates single points of failure and improves our resilience against the loss or compromise of any individual private key.\n\nIt bears noting here that Gemini never corrected any statements advertised by XXXX  XXXX ( or itself ) about the security that would apply to holding retirement account assets on its exchange. In addition, none of the affirmative statements made above were qualified in any way that would communicate to a potential customer of the XXXX  XXXX XXXX Gemini partnership that investing retirement funds are any less protected than investing non-retirement funds. In fact, when onboarding through Gemini after singing up with XXXX  XXXX and Gemini, Gemini communicates the oppositethey sent victims welcome letters, reiterating promises of their security-first mentality and an ethos of asking for permission, not forgiveness, and they promised the full Gemini experience. \n\nB. What Victims Reasonably Understood and Expected : That Our Crypto Was Safe and Insured and that Gemini Would Not Allow Tens of Millions to Be Withdrawn From Our Accounts Without Our Permission or Even Notification, Among other Reasonable Expectations All these statements of assurance and trust workedI and other victims believed Gemini ( and purchased their product ). I and other victims came to the expectation and belief that our crypto was safe from fraud on Geminis exchange, and that in the event anything did happen, Gemini protected our crypto with insurance so there was no appreciable risk of catastrophe. The entire point of selecting XXXX XXXX and Gemini as a place to hold valuable retirement assets was the promised security, safety, and insurance. \n\nSpecific beliefs reasonably held as a result of Geminis representations included that no crypto would be withdrawn from victims accounts without consent via 2FA, that Gemini had adequate protections in place to prevent catastrophic loss from a single-point-of failure, and that in any event our assets were protected against fraudulent withdrawals by Geminis insurance coverage. These beliefs and expectations were eminently reasonable based on the statements above.\n\nFor example, the statement that Geminis security eliminates single points of failure communicates to consumers that we can trust there are multiple layers of security protecting our assets, so that there is no risk of one compromise causing catastrophic loss.\n\nGeminis statement that 2FA is required to make withdrawals gave us the expectation that our accounts would not be able to be drained without our consent or knowledge. My expectations and beliefs on this were also reinforced along the way, including by Geminis requirement for 2FA anytime I executed any transaction on Geminis platform. \n\nThis misrepresentation is particularly egregious given Geminis direct communications to us that they founded Gemini with a security-first mentality and an ethos of asking for permission, not forgiveness. We reasonably expected that they would not allow tens of millions in retirement assets to be withdrawn from our accounts without our permission. This expectation was more than reasonable given their explicit statement that 2FA was required for withdrawals and subsequent practice of asking our permission via 2FA for any buy or trade prior. Not only did they fail to ask for our permission, now they are not even asking our forgivenessto date they have taken zero responsibility for allowing our retirement funds to be funneled off the safest crypto exchange. \n\nGeminis unqualified statement that all crypto on their exchange is insured gave us all confidence that, should anything happen, there is insurance available to cover loss. This was advertised by both Gemini and XXXX XXXX, and a material inducement for us to give them business. Given these broad, unqualified statements, it was reasonable for customers to expect that Gemini would in fact cover crypto with insurance against loss if their security practices failed to prevent the loss, as was the case here. \n\nAs to the rest of my expectations around security and insurance, at no time did I have any reason to question any of the representations and promises initially made that I relied upon in signing up with XXXX XXXX and Gemini. \n\nC. What Actually Happened and What Gemini Now Says About it On XX/XX/XXXX, XXXX  XXXX was hacked. Hackers gained control of XXXX  XXXX administrator accounts, transferred tens of millions of dollars worth of assets from hundreds of victims to one account, created a new external wallet, and transferred the assets off Gemini exchange without notifying victims or apparently raising any flags at Gemini whatsoever. In fact, Gemini told victims The subject transactions appeared, from XXXX perspective, to be routine, authorized, and legitimate. Gemini XX/XX/XXXX Response to Victim CFPB Claim, Exhibit C. As presented to Gemini, these actions satisfied all of Geminis transaction approval requirements and appeared to be authorized transactions made from XXXX  XXXX known and approved devices. Gemini XX/XX/XXXX Response to EFTA Notice, Exhibit D. Further, Gemini has stated their insurance does not cover the loss because Geminis systems were not compromised.\n\nIn other words, the expectations we reasonably held based on Geminis representations proved dramatically false : Our expectation that Gemini was a safe, secure, trustworthy place to store crypto was eviscerated by their total failure to prevent bad actors from summarily and fraudulently transferring tens of millions of dollars worth of assets off the exchange. \nOur expectation that Gemini would notify us with 2FA and ask permission to withdraw funds proved shockingly false as we heard nothing from Gemini while they allowed our funds to be drained.\n\nOur expectation that their security included multiple layers to protect against single-points of failure such as the hack of an administrator with the power to create new external wallets and transfer off assets without safeguards proved similarly false.\n\nFinally, our expectation that Gemini maintained insurance that would protect our crypto as a fail-safe in case there was a dramatic unexpected breach also proved false. \n\nD. Clear Violation of Standard under XXXX XXXX These misrepresentations easily meet the test for deceptive under the Dodd-Frank Act. First, they are likely to mislead customers. As noted, the whole point of the advertising is to garner trust in Geminis security and get customers to buy their product. Second, as explained above, believing these representations under the circumstances is reasonable. Customers had no reason to question what Gemini and XXXX  XXXX were selling until the catastrophic failures came to light. Finally, the representations were material. The entire reason I ( and others, presumably ) chose Gemini was for the advertised safety and security. \n\nIt is critical to note that, even if all of Geminis claims were technically accurate ( for example, if their 2FA applied to XXXX  XXXX and not the consumer, and if the coins were insured just not against this type of fraud ), these claims remain highly misleading and illegal under XXXX XXXX I was led to believe, as any reasonable consumer would be through these claims, that my crypto was safethat it would not be withdrawn without my own 2FA ( which was required for purchases and transfers ) ; that Geminis systems were not susceptible to single-point of failure attacks ( including, what a reasonable consumer would think constitutes single-point of failurethe hack of Geminis partner administrator ) ; and that in any event, my crypto was protected via Geminis touted insurance policy. All of these beliefs turned out to be false and inaccurate, and yet they are totally reasonable and foreseeable based on Geminis advertising, representations, communications, acts, and practices. These misrepresentations were hugely materialthe trust was the foundation of my ( and other customers ) decision to go with Gemini. In no event would any of us have considered putting our retirement assets on the Gemini exchange had we known that our assets were not in fact protected in the way Gemini led us to believe they would be. \n\nIn other words, whether or not Gemini technically provided all the security they advertised, the fact remains that it was totally inadequate to prevent massive, foreseeable fraud, and this was shocking to customers who reasonably relied on their statements to believe that Gemini would be able to prevent, or at minimum insure loss from, such massive fraud. \n\nIII. Geminis Violations of State and Federal Law In addition the the violations outlined above, violations of applicable state and federal law also constitute UDAAPs, enforceable as violations under Dodd-Frank.\n\nA few noteworthy violations of applicable New York state law include : Gemini was required to conduct risk-assessment of XXXX XXXX platform and evaluate the adequacy of XXXX XXXX cybersecurity practices and protections under 23 NYCRR 500.11 . Gemini failed to do this. This is particularly egregious since Gemini now points to the breach at XXXX  XXXX and says Gemini holds no responsibility, putting all of the weight of responsibility on a security link that they themselves did not evaluate, in contravention of state law. \n\nGemini was required to provide its telephone number for the receipt of complaints under 23 NYCRR 200.20 ( b ) ( 1 ), but had only provided XXXX XXXX with its email address. This violation resulted in delays and significant loss after XXXX  XXXX detected the ongoing theft and Gemini was unresponsive to initial email notifications, with no ability to immediately notify Gemini. \n\nGeminis false, misleading, and deceptive representations and omissions, discussed above, are violations of New York law on advertising and marketing, 23 NYCRR 200.18. Gemini claims that its unqualified advertising that all crypto held on its exchange are insured was modified by language buried in its user agreement. However, as discussed above, even if this is technically true, the unqualified advertisement was highly misleading and deceptive, and itself is false without the separate qualification. Similarly, as discussed above, Geminis advertisements and representations that 2FA was required for withdrawals was misleading, deceptive, and ultimately false. \n\nGemini was required to implement adequate anti-money laundering measures and protections under 23 NYCRR 200.15 ( b ), ( c ). Criminals were able to steal assets from hundreds of accounts, transfer those assets ( one coin at a time ) to a single, unrelated account and then remove the stolen assets to a money-laundering tornado, thereby hiding the identity/ownership of the assets. This criminal laundering scheme involved several hundred transfers that went completely undetected by Gemini, in violation of New York anti-money laundering law. \n\nSimilarly, Gemini was required to monitor its system for transactions that might signify money laundering, tax evasion, or other illegal or criminal activity. 23 NYCRR 200.15 ( e ) ( 3 ). Gemini did not monitor for such activity here, as evidenced by the fact that it permitted hundreds of illegal transfers to occur, one coin at a time, into a single, unrelated account having no connection to its customers XXXX  accounts, and then allowed all of the stolen assets to be removed from its exchange. Subsequently, Gemini stated The subject transactions appeared, from Geminis perspective, to be routine, authorized, and legitimate. \n\nCritically, Gemini was also required to maintain, as part of its anti-money laundering program, a customer identification program. 23 NYCRR 200.15 ( h ). As part of this, Gemini was required to verify the identity of any accountholder initiating a transaction with a value greater than {$3000.00}. Here, as discussed above, Gemini did not verify the identity of the hundreds of customers via 2FA or otherwise of the withdrawals of hundreds of millions of dollars worth of crypto via voluminous transactions, all over {$3000.00} in value.\n\nGemini further failed to have in place appropriate policies and procedures to block or reject specific or impermissible transactions that violate Federal or State laws, rules, or regulations in violation of 23 NYCRR 200.15 ( j ). As discussed above, Geminis failures to monitor for, flag, or notify customers of hundreds of millions of dollars worth of crypto being fraudulently transferred to one account then to a new external wallet off exchange and into the abyss was an egregious failure.\n\nGemini also violated Californias Unfair Competition Law, Cal. Bus. Prof. Code 17200 et seq., which prohibits unfair business practices, including misleading advertising, similar to the federal violations of XXXX discussed above. Geminis unfair and misleading business practices were violations of state law in California because Gemini advertised its services here in California where I and other California victims reside, and Gemini got my business and that of other California victims, who all suffered a loss as a result of these practices.\n\nGemini may also have violated the Electronic Funds Transfer Act. I provided Gemini with notice of unauthorized transfer and requested correction under Regulation E. Gemini responded that Regulation E did not apply to the unauthorized transfer from my Gemini account because the account was a retirement account. It is unclear to me whether this is accuratethe exemption from retirement accounts appears to be focused on exempting the entity complying with IRS retirement obligations, which in this case would be XXXX  XXXX. It is not clear that the exemption would apply to Gemini, who is not regulated as a custodian. Thus, it appears Gemini may also have violated the EFTA. See EFTA Correspondence, Exhibit E.\n\nIV. Conclusion and Request for Remedy Geminis promises of security, notifications, insurance, and trust succeeded in getting the business of hundreds of victims that put tens of millions of dollars of critically important retirement funds on Geminis exchange and trusted Gemini to deliver on its promises, including to ask permission not forgiveness. Yet we found out Gemini failed us dramatically by allowing thieves to fraudulently transfer our retirement savings to one account, create an external wallet, and transfer our savings off Geminis exchange, without so much as notifying us, much less performing any of the promised or required verifications. Gemini did not even flag this as unusual, but instead told victims The subject transactions appeared, from Geminis perspective, to be routine, authorized, and legitimate. And they say it was not insured after all. \n\nThis is an outrageous failure on so many levels. The violations of XXXX are stark and numerous, as set forth above. We were misled by Gemini into buying the trust they were selling. But in the end, they did not protect our assets, and they are not putting the force of their company behind their initial promises of security and insuranceinstead it appears they are putting the force of their company toward gearing up to defend claims and making all the hundreds of victims pay out of pocket to hire private attorneys to enforce their clear rights. It is reprehensible. \n\nI am asking the CFPB to enforce XXXX and require Gemini to make the victims wholespecifically to reimburse victims in-kind for all of the crypto that was allowed to be transferred fraudulently off Geminis exchange, and to reimburse victims for any attorney fees and other costs actually incurred as a result. If CFPB has the power and inclination, I also request further penalties to be issues and further compensation to victims to be paid for their non-monetary damages, including the severe mental stress and emotional turmoil it has had on their lives as theyve dealt with drained retirement accounts and an about-face from the company that promised trust and security. \n\n\nThank you for your immediate care and attention to this matter. \n\nSincerely,","date_sent_to_company":"2022-05-18T00:46:37.000Z","issue":"Fraud or scam","sub_product":"Virtual currency","zip_code":"94107","tags":null,"has_narrative":true,"complaint_id":"5572167","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Winklevoss Exchange LLC","date_received":"2022-05-18T00:20:35.000Z","state":"CA","company_public_response":null,"sub_issue":null},"highlight":{"complaint_what_happened":["Critically, Gemini was also required to maintain, as part of its <em>anti</em>-money laundering program, a customer identification program. 23 NYCRR 200.15 ( h ). As part of this, Gemini was required to verify the <em>identity</em> of any accountholder initiating a transaction with a value greater than {$3000.00}."],"issue":["<em>Fraud</em> or scam"]},"sort":[6.327303,"5572167"]}]},"aggregations":{"has_narrative":{"meta":{},"doc_count":7,"has_narrative":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":1,"key_as_string":"true","doc_count":7}]}},"product":{"doc_count":7,"product":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Credit reporting or other personal consumer reports","doc_count":5,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Credit reporting","doc_count":5}]}},{"key":"Money transfer, virtual currency, or money service","doc_count":2,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Virtual currency","doc_count":2}]}}]}},"issue":{"doc_count":7,"issue":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Problem with a company's investigation into an existing problem","doc_count":3,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Their investigation did not fix an error on your report","doc_count":3}]}},{"key":"Credit monitoring or identity theft protection services","doc_count":2,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Billing dispute for services","doc_count":2}]}},{"key":"Fraud or scam","doc_count":2,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}}]}},"timely":{"doc_count":7,"timely":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Yes","doc_count":7}]}},"company_response":{"doc_count":7,"company_response":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Closed with explanation","doc_count":4},{"key":"Closed with non-monetary relief","doc_count":3}]}},"submitted_via":{"doc_count":7,"submitted_via":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Web","doc_count":7}]}},"company":{"doc_count":7,"company":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"EQUIFAX, INC.","doc_count":2},{"key":"Experian Information Solutions Inc.","doc_count":2},{"key":"Coinbase, Inc.","doc_count":1},{"key":"TRANSUNION INTERMEDIATE HOLDINGS, INC.","doc_count":1},{"key":"Winklevoss Exchange LLC","doc_count":1}]}},"state":{"doc_count":7,"state":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"CA","doc_count":4},{"key":"MI","doc_count":2},{"key":"NY","doc_count":1}]}},"company_public_response":{"doc_count":7,"company_public_response":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","doc_count":2}]}},"tags":{"doc_count":7,"tags":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Servicemember","doc_count":3}]}}},"_meta":{"license":"CC0","last_updated":"2026-07-14T12:00:00-05:00","last_indexed":"2026-07-14T12:00:00-05:00","total_record_count":16441818,"is_data_stale":false,"has_data_issue":false,"break_points":{}}}