Laptop computer open and on at night

Preparing for a Liability Shift: Steps Banks Can Take as the CFPB Considers P2P Payments Fraud Regulation

Thomas Giltrow, Managing Director Risk and Compliance — Chicago

The Consumer Financial Protection Bureau (CFPB) may be on the cusp of redefining liability in peer-to-peer (P2P) transactions fraud claims. For banks, the changes would not only entail significant financial consequences but also impose a nebulous new obligation of determining whether a consumer has been deceived.

The COVID-19 pandemic ushered in new iterations of consumer interaction, including how consumers conduct financial transactions. As a result, electronic money transfers between consumers (i.e., P2P transactions) have risen to historic levels, growing by nearly 60% in dollar amount and almost doubling in quantity between 2019 and 2021.

The scale-up of electronic payments and adoption of P2P payment platforms such as PayPal,  CashApp and Zelle has rendered the transfers — which are instantaneous and often irreversible — an increasingly ripe target for bad actors, and incentivized a slate of new tactics to deceive consumers. In fact, the number of consumer complaints the CFPB received related to money transfers and identified as alleging “fraud or scam” doubled between 2019 and 2021. Half of complaints to the CFPB regarding P2P payments are fraud-related.

Today, consumers are protected from unauthorized electronic transfers under the Electronic Funds Transfer Act (EFTA), which was implemented through the CFPB’s Regulation E. Under Reg E, consumers cannot be held liable for electronic transactions they did not authorize (e.g., a hacked account). But what happens when consumers are deceived into authorizing transactions that they believe are legitimate but are actually part of a scam? Current regulations do not hold banks accountable for those losses.

Members of Congress and consumer advocates take a stand

In July, six Democratic senators, including CFPB architect and consumer advocate Elizabeth Warren, authored a letter to the CFPB urging it to act to better protect consumers against fraudulent P2P transactions. This action joins a growing echo chamber of appeals from the National Consumer Law Center, a consumer rights nonprofit organization that works on behalf of low-income individuals, and other consumer advocacy groups for the CFPB to assert its authority to amend and enforce Reg E as the prevalence and magnitude of consumer impact of fraudulent P2P transactions continue to rise.

While the CFPB has not commented publicly, recent news reports have indicated that the agency plans to issue guidance in the coming weeks that is likely to shift financial liability from the victims of P2P payments schemes to the banks facilitating them.

A potentially daunting new task for banks: verifying deceit   

Changes to Reg E may include broadening the scope of claims that are classified as errors. Specifically, the CFPB may expand the definition of “unauthorized” electronic fund transfers to cover fraudulent P2P transactions and thereby extend existing error resolution and liability protections to impacted consumers.

Such changes could have significant financial, operational and compliance implications for banks and P2P payment platforms, which up to this point do not bear any responsibility for fraud beyond investigation and coverage of “unauthorized” P2P claims. If banks become responsible for losses arising from transactions that consumers willingly authorize but claim to be fraudulent, they will carry the burden of proving whether customers were defrauded.

Notably, in certain cases, the cost of adjudicating individual claims may exceed the value of the claims themselves. That drawback could give rise to another form of fraud — consumers falsely alleging victimhood in a P2P transaction to secure automatic approval of their claims because it is less expensive for an institution to grant the claim than to ascertain its validity.

Key considerations for banks

Banks should consider the following proactive steps to prepare for revisions to Reg E and the resulting impact to their balance sheet and control environment:

  • Confirm inventory error claim intake channels: Banks should confirm their existing Reg E error claim intake channels so that they are prepared to modify intake processes, website forms and customer call scripts quickly.
  • Identify impacted policies, procedures and disclosures: Banks should identify the policies, procedures and consumer disclosures that may require revision to address these regulatory changes.
  • Conduct technology and operations impact analysis: Banks should assess the impact of and their readiness to address potential changes to technology platforms, data requirements and operational processes. Regulatory changes may require the collection of new data points, modification of system functionality and development of potentially complex new claim adjudication criteria.
  • Assess training needs: Banks should consider refreshing or reconducting their training needs assessment to identify impacted roles and responsibilities, including third parties engaged in error claim processing. New and potentially complex adjudication criteria to evaluate error claims may require dedicated training to implement updated procedures accurately and consistently.
  • Assess financial impacts: The forthcoming changes are likely to impose significant financial costs. Banks should consider projecting the potential liability to inform financial reporting as well as conducting cost-benefit analyses of investigating or reimbursing claims and implementing new or improved controls to prevent P2P fraud.

The prospect of a shift in liability may incent the broader financial services industry to invest in identification verification and authorization-related controls. In a recent example, Early Warning Services, the parent company of Zelle, revived its Authentify product, which enables consumers to use their banking log-in credentials to verify their identify. A host of third-party ID verification services similar to Authentify could be repurposed to improve identity verification in P2P transactions and help prevent fraud.

As banks await the specifics of the CFPB’s guidance, they will be wise to preemptively assess readiness for the potential changes and explore the feasibility of new or improved controls to mitigate the financial impacts.

Learn about Protiviti’s Regulatory Compliance and Risk Management services.

Add comment