Did the CFPB Just Take the First Step in Shifting Liability for Scams?

On June 4, 2021, the Consumer Financial Protection Bureau (CFPB) released a “Frequently Asked Questions” bulletin designed to guide consumers and financial institutions (FIs) on compliance with the Electronic Fund Transfer Act (EFTA) and Subpart A of Regulation E (Reg E). Among the many helpful insights in the FAQ bulletin were several questions that reveal the bureau’s interpretation of the extent to which these laws should apply to scam victims. While all FIs are sensitive to the plight of customers victimized by financial criminals, and sincerely want to restore those customers quickly and fully to the financial well-being they enjoyed before the crime, most also have to weigh the cost of refunding the loss against the benefit of retaining that customer. This analysis is substantially complicated by two important considerations:

  • The degree to which the FI has control over the security control that the criminal defeated
  • The complicity of the customer, intentional or unknowing, in the commission of the crime

Historically, most FIs only reimbursed victims of scams under circumstances in which the FI’s controls failed and when there were no indications that the customer benefited financially or otherwise from the fraud. The guidance that the bureau released in June does much to call these practices into question. Specifically, the guidance makes it clear that regardless of whether or not the customer was “fraudulently induced into sharing account access information with a third party,” the customer is entitled to claim protection under Reg E. The guidance goes on to include specific examples of the most popular forms of social engineering attacks that banks and their customers have been struggling to defeat.

The scope of the impact of this guidance is potentially enormous. It is the first and most significant signal from a U.S. regulator of a tectonic shift in the enforcement of consumer protection regulations that resembles a similar shift in the U.K. market to counter the alarming increase in authorized push payment scams that followed the adoption of the U.K.’s Faster Payment Service in 2008. Regulators in the U.K. now have a much more stringent set of requirements known as “the code” (more details can be found in an analysis in this report) that FIs must adhere to in determining whether a claim qualifies for reimbursement. In addition to “the code,” U.K. FIs must now demonstrate that they have controls in place to verify payees. While the CFPB has not issued a mandate for these kinds of controls, it’s clear that FIs must act now if they wish to avoid significant increases in net losses resulting from having to reimburse all victims of scams that don’t show obvious signs of collusion. FIs will have to consider upgrading authentication and detection controls; updating security, claims, and dispute resolution policies; modifying access to payment instruments; and elevating the understanding and awareness of customers and internal personnel of scams. With the increase of social engineering and the influx of breached personal data available to scammers, FIs cannot afford to procrastinate.
