HSAs Have Become High-profile Fraud Targets

Health Savings Accounts (HSAs) first appeared in 2004 and their use has grown rapidly ever since. According to research firm Devenir.com, by the end of 2020 there may be as many as 30 million accounts with an estimated combined value reaching $75 billion.

That kind of money has an almost gravitational pull for bad actors intent on committing financial fraud. HSAs appear ripe for the picking. And, no surprise, that’s exactly what’s happening.

Fraudulent HSA activity has grown to the point of attracting the FBI’s attention.

An FBI Intelligence Bulletin dated June 26, 2019 predicts increased fraud targeting funds held in HSA-administering companies.

The FBI also presents evidence for a probable increase in online theft of customers’ personally identifiable information (PII) in order to steal money directly from customer accounts.

The direct attacks on customer accounts are devastating. The customer bears the loss, not the institution. And, because customers typically monitor their HSA account less carefully than they would a bank account, they may not discover the loss for months!

Four clear factors are fueling the increase in HSA fraud.

  1. HSAs have few restrictions and conditions on how and when money is withdrawn. In contrast to medical insurance or a Health Reimbursement Arrangement (HRA), money in an HSA can be taken out for any reason at any time. The lack of restrictions tends to make account holders think of their HSA differently than they would a bank or brokerage account.
  2. While HSA accounts are similar to bank accounts, non-bank entities are the intermediaries. So, bank security steps and procedures designed to detect fraudulent activity aren’t in place. There is no Bank Secrecy Act (BSA) scrutiny to verify customer identity when the account is opened, and no Suspicious Activity Reports (SARs) monitoring potentially fraudulent money movement.
  3. Some employers might be in a rush to set up the now-popular HSA benefit for their employees. They might take shortcuts with normal verification steps, which can lead to PII becoming an easier target for bad actors.
  4. Customers often view their HSA account as an employee benefit, not as a bank account. This makes them more vulnerable to sophisticated online phishing schemes. The truth is that any online inquiry about an HSA should be treated with the same degree of suspicion and skepticism as an emailed request for personal banking information.

Where do we go from here?

We’ve identified the HSA fraud problem. We have a good sense of how and why the problem is growing. We all need to be more aware of this issue, and more conscious of how it’s impacting our clients.

TASC is taking proactive steps to thwart these potential thefts. We continue to study all aspects of the problem and develop recommendations for our clients. Working together with law enforcement, we can combat this threat.
