What Impact Does Proposed U.S. Legislation on Authorized Fraud Liability Have on Banks?

Jake Emry, Fraud Prevention Subject Matter Expert, NICE Actimize

Jake Emry, Fraud Prevention Subject Matter Expert, NICE Actimize

Social engineering scams are flourishing, putting a spotlight on the way unauthorized and authorized electronic transactions are interpreted under Regulation E (Reg. E), a regulation designed to protect consumers who use electronic methods to transfer funds. Currently, financial institutions (FIs) in the U.S. are facing increased scrutiny, particularly with respect to their responsibility toward customers in the event of a financial loss due to unauthorized fraudulent digital transactions.

Updated guidance from the Consumer Financial Protection Bureau (CFPB) in 2021, which was also echoed by the Federal Deposit Insurance Corporation (FDIC) in March 2022, offers insights to help FIs deal with these complex liability decisions, particularly for unauthorized electronic transactions.

Updated Regulatory Guidance for Unauthorized Fraud

Any fraud professional, especially those managing a high volume of customer reports of fraud or disputed transactions, is familiar with Reg. E. To unravel the CFPB’s recent guidance on Reg. E, it helps to have some historical context.

In the past, when a fraudster illicitly obtained valid credentials from the customer, and then logged in to an account, unauthorized electronic transactions that followed were generally perceived by the financial services industry to be the customer’s fault. Consequently, customers took on the financial responsibility for any losses due to fraudulent transactions from the account. However, CFPB and FDIC guidance no longer agree with this biased interpretation of Reg. E.

On the heels of a flood of consumer complaints, the CFPB decided last year to reconsider the definition of unauthorized fraud under Reg. E, specifically on determining liability. Recently updated guidance focused on which party executed the disputed or fraudulent transaction during an unauthorized fraud event—the fraudster, or the customer, and how access to the account occurred, which in these cases, is most likely fraudulently induced.

The guidance also addresses what type of scam was used. Customers may fall for any number of diverse social engineering scams that lead to fraudster gaining access to accounts. Some popular scams include impersonation of a trusted party (such as the customer’s bank), investment scams involving cryptocurrencies, and romance scams.

Under the lens of Reg. E, the CFPB recognizes unauthorized fraud, or account takeover (ATO), as electronic transactions where the customer was not involved in the execution of the payment itself. A customer can claim Reg. E protections and file a dispute if a digital transaction meets these criteria. What the guidance may suggest is that on a claim of unauthorized fraud, an FI must consider first-party fraud or accept financial liability under Reg E.

In other words, if the FI can’t prove that a customer is lying or intentionally provided misleading information about who logged into the account and completed the disputed transaction, they must reimburse that customer for their losses. Consequently, in consideration of this new regulatory guidance, FIs will need to be sure that they have internally aligned with both their compliance and legal teams to ensure unauthorized fraud claims are being correctly settled.

Updated Regulatory Guidance for Authorized Fraud

Authorized fraud has received significant industry attention lately due to an uptick in P2P payments fraud. This social engineering scheme happens when a customer is convinced via phone or text to send payment to the fraudster directly or via a money mule. Victims are instructed to use the one of the peer-to-peer (P2P) payment applications to execute the fraudulent transaction, which normally results in devastating financial losses.

Because many banks don’t assume liability when authorized transactions are disputed by the customer, the victims of authorized fraud are lodging their complaints with the CFPB. Some banks are currently accepting liability for authorized fraud, either due to growing pressure from customers, increasing media attention, concern over customer attrition, fear of further regulatory scrutiny, or a combination of these factors. However, neither the CFPB nor the FDIC has offered specific counsel on financial liability for authorized fraud transactions under Reg. E. The industry at large is currently waiting for potential guidance. The wait might be short, as pending legislation in the U.S. House of Representatives may soon provide clarity into this issue.

Legislative efforts worldwide

In addition to the recently proposed legislation in the U.S. House of Representatives, there’s rising political attention on this matter in the U.S. Senate from Senator Elizabeth Warren and Senator Robert Menendez. In reviewing their collective assertions on authorized fraud,they are insisting that banks should accept liability for authorized fraud under Reg. E, although there aren’t any concrete resources or guidance indicating agreement from the CFPB or the FDIC.

U.S. legislative efforts in this area are possibly being influenced by the U.K.’s experience with authorized fraud, especially considering the U.K.’s Payment Systems Regulator proposal to introduce legislative amendments to allow mandatory reimbursement for authorized fraud in 2022. Unsurprisingly, the title of the currently proposed bill concerning authorized fraud that’s under consideration in the U.S. House of Representatives (117th Congress, 2D Session) is “to amend the Electronic Fund Transfer Act [Reg. E] to treat fraudulently induced electronic fund transfer in the same manner as unauthorized electronic fund transfer, and for other purposes.”

Global approach to customer liability

Though Reg. E solely applies to U.S. FIs, there’s clearly some regional cross-pollination occurring regarding consumer liability that’s evident in the liability shift for fraud losses, as witnessed in the similarity of regulatory and legislative approaches in the U.S. and the U.K.

While it’s important to have better clarity on financial liability for losses associated with both authorized and unauthorized fraud, it’s not the only solution. FIs are under extreme operational and financial pressures to effectively deal with the constantly increasing scale of fraud attacks, regardless of if the fraud event was authorized or unauthorized.

FIs must leverage a combination of technologies, tools, and approaches in order to deal with these challenges. This is accomplished by using consumer-friendly and robust fraud and anti-money laundering (AML) risk controls supported by comprehensive solutions that leverage artificial intelligence and machine learning.

An effective approach can be augmented with other sophisticated tools, like behavioral biometrics and mobile data intelligence, to fight the growing problem of authorized and unauthorized fraud.