Interpreting Updated Reg. E Guidance and Proposed U.S. Legislation on Authorized Fraud Liability
July 13th, 2023
Social engineering scams are flourishing, putting a spotlight on the way unauthorized and authorized electronic transactions are interpreted under Regulation E (Reg. E). Banks and financial institutions (FIs) in the U.S. face increasing scrutiny, particularly with their responsibility toward customers in the event of a fraud report for a digital transaction and the associated liability when there’s a financial loss. [1]
Updated guidance from the Consumer Financial Protection Bureau (CFPB) in 2021, which was also echoed by the Federal Deposit Insurance Corporation (FDIC) in March 2022, offers insights to help FIs deal with these complex liability decisions, particularly for unauthorized electronic transactions. [2]
In this post, we break down this regulatory guidance and its impact on the financial services industry. We’ll also touch on past legislation proposed in the U.S. House of Representatives to extend Reg. E liability to authorized fraud. We believe this is inspired by pending legislative efforts in other regions, such as the U.K., where authorized push payment fraud (APP fraud) is a multibillion-pound problem. [3]
Updated Regulatory Guidance for Unauthorized Fraud
Any fraud professional, especially those managing a high volume of customer reports of fraud or disputed transactions, is familiar with Reg. E. To unravel the CFPB’s recent guidance on Reg. E, it helps to have some historical context.
While we know many large banks and financial institutions have treated fraudulent payments that followed unauthorized access to a consumer’s account as account takeover, and thus not the responsibility of the consumer, this practice was not always uniform within the industry. To address this inconsistency, and on the heels of a flood of consumer complaints, the CFPB decided last year to reconsider the definition of unauthorized fraud under Reg. E, specifically on determining liability.
Updated guidance focuses on:
- What party executed the disputed or fraudulent transaction during an unauthorized fraud event: the fraudster, or the customer?
- How access to the account occurred, which in these cases is most likely fraudulently induced.
- What type of scam was used? Customers fall for any number of diverse social engineering scams that lead to a fraudster gaining access to accounts. Some popular scams include:
  - Impersonation of a trusted party (such as the customer’s bank)
  - Investment scams involving cryptocurrencies
  - Romance scams
Under the lens of Reg. E, the CFPB recognizes unauthorized fraud, or account takeover (ATO), as electronic transactions where the customer was not involved in the execution of the payment itself. A customer can claim Reg. E protection and file a dispute if a digital transaction meets certain criteria.
This is how we interpret it, though it’s not legal advice: on a claim of unauthorized fraud, an FI must either establish first-party fraud or accept financial liability under Reg. E. In other words, if the FI can’t prove that a customer is lying or intentionally provided misleading information about who logged into the account and completed the disputed transaction, then it must reimburse that customer for their losses. Consequently, NICE Actimize recommends that FIs internally align with their own compliance and legal teams to ensure unauthorized fraud claims are being correctly settled in light of this new regulatory guidance.
Updated Regulatory Guidance for Authorized Fraud
Authorized fraud has received significant industry attention lately due to an uptick in payments fraud using popular money transfer apps. This social engineering scheme happens when a customer is convinced via phone or text to send payment to the fraudster directly or via a money mule. Victims are instructed to use peer-to-peer (P2P) payment applications to execute a fraudulent transaction, which can result in devastating financial losses.
Because many banks don’t assume liability when authorized transactions are disputed by the customer, the victims of authorized fraud are lodging their complaints with the CFPB. Major financial institutions are working to create standardized refund procedures for customers scammed through P2P payment apps. Some banks are currently accepting liability for authorized fraud, whether due to growing pressure from customers, increasing media attention, concern over customer attrition, fear of further regulatory scrutiny, or a combination of these factors. This shift of responsibility to banks highlights a significant change in the payments landscape. FIs need effective onboarding and real-time transaction monitoring for fraud and scams, but they also need real-time controls for money mule activity to reduce fraud loss risk.
However, neither the CFPB nor the FDIC has offered specific counsel on financial liability for authorized fraud transactions under Reg. E. The industry at large is currently waiting for potential guidance. The wait might be short, as pending legislation in the U.S. House of Representatives may soon provide clarity on this issue. [4]
Legislative Efforts Worldwide
In addition to the recently proposed legislation in the U.S. House of Representatives, there’s rising political attention on this matter in the U.S. Senate. At this time, it’s our view that while senators are insisting that banks should accept liability for authorized fraud under Reg. E, there aren’t any concrete resources or guidance indicating agreement from the CFPB or the FDIC.
U.S. legislative efforts in this area are possibly being influenced by the U.K.’s experience with authorized fraud, especially considering the U.K. Payment Systems Regulator’s 2022 proposal to introduce legislative amendments allowing mandatory reimbursement for authorized fraud. Unsurprisingly, the title of a previously proposed (and since stalled) bill concerning authorized fraud liability in the U.S. House of Representatives (117th Congress, 2d Session) was “To amend the Electronic Fund Transfer Act [Reg. E] to treat fraudulently induced electronic fund transfers in the same manner as unauthorized electronic fund transfers, and for other purposes.”
Global Approach to Customer Liability
Though Reg. E applies solely to U.S. banks and FIs, there’s clearly some regional cross-pollination occurring regarding consumer liability. It is evident in the liability shift for fraud losses, as witnessed in the similarity of regulatory and legislative approaches not only in the U.S. and the U.K., but also in Australia and Singapore.
While it’s important to have better clarity on financial liability for losses associated with both authorized and unauthorized fraud, clarity alone is not the solution. Banks and FIs are under extreme operational and financial pressure to deal effectively with the constantly increasing scale of fraud attacks, regardless of whether the fraud event was authorized or unauthorized.
Rather than shifting the sole liability to banks and FIs, these organizations must leverage a combination of technologies, tools, and approaches. This is accomplished by using consumer-friendly and robust fraud and anti-money laundering (AML) risk controls supported by comprehensive solutions that leverage artificial intelligence and machine learning. Banks and FIs also need to change from reactive to proactive approaches in how they monitor for money mule transactions, by:
- Addressing potential fraud loss responsibility shifts for scams
- Recognizing that stopping money mule transactions in real time is an effective part of the scam kill chain
This is how FIs can protect consumers and thwart fraudsters’ access to these ill-gotten gains.
To fight the growing problem of authorized and unauthorized fraud, an effective approach can be augmented with other sophisticated tools, like behavioral biometrics and mobile data intelligence.
Go here to learn more about NICE Actimize’s fraud authentication and management solutions and resources.
[1] Consumer Finance Monitor: CFPB updates electronic fund transfers FAQs (2022)
[2], [3] Consumer Finance Monitor: FDIC Consumer Compliance Supervisory Highlights looks at unauthorized EFTs, overdraft programs, re-presentment of unpaid transactions, and fair lending (2022)