Regulation E Update

    By Sheryl S. Jackson

    Impact of Potential CFPB Change

    There is no doubt that consumer behavior changed over the course of the last two years, with more people becoming comfortable with app-driven financial transactions, online banking and digital communications. Along with the convenience of innovative ways to conduct financial business, technology also provided another avenue for fraudsters to take money from credit union members.

    While Regulation E provides a basic framework that establishes the rights, liabilities and responsibilities of participants in electronic fund transfer systems, it was not designed with some of the new technologies in mind. “The regulation was passed in the 1970s to protect consumers and financial institutions as relatively new technologies like credit cards and ATMs gained prominence,” said Andrew Morris, senior counsel for research and policy for NAFCU. Although interpretations of the Regulation have been updated through FAQs to address questions related to new technologies, the speed and dynamic nature of peer-to-peer (P2P) transactions via third-party platforms poses new challenges, he said. “We are also hearing that the Consumer Financial Protection Bureau (CFPB) is working on new interpretive guidance that could place a greater burden on credit unions by requiring them to assume an even greater share of the liability associated with fraudulent transactions.”

    Existing Regulation E guidance already presents its own set of challenges in the P2P context. “Under the current CFPB interpretation of Regulation E, a depository institution can be responsible for pass-through transactions, even if another company’s platform—such as an app-based P2P service—was used by the consumer to withdraw funds from their credit union account,” said Morris. “In these pass-through situations, a consumer can choose which organization to contact in case of error or fraud.”

    This is problematic for credit unions because members may find it more difficult to receive human assistance from a large technology company, and the credit union’s commitment to relationship banking often means members rely on their credit union to untangle the error. Credit unions will do everything they can to help the member, but they might not have detailed transaction information to investigate error or fraud involving P2P services because relevant information resides with the P2P service’s platform, explained Morris. “Our advocacy efforts are focused on encouraging the CFPB to explore a hierarchal response to consumer reports of error or fraud in pass-through transactions by requiring P2P providers to respond first since they have the information necessary to investigate,” he said. “This issue needs to be resolved as soon as possible because more consumers are joining these P2P platforms and the opportunity for fraud or error increases with volume.”

    New Technology; New Challenges

    Emerging innovations in payment options, such as the FedNow Service, present new opportunities for credit unions to deliver faster payments, but also present additional challenges related to managing fraud risk. One recent survey of NAFCU members revealed that a majority of respondents expected future availability of FedNow to “accelerate adoption” of faster payments. However, the irrevocable nature of real-time settlement could mean that early engagement with the service may correspond with conservative transaction value limits, and focus—at least initially—on business use cases.

    “Real-time payments in which transactions are settled instantaneously and irrevocably create a much more difficult type of fraud to unwind and resolve,” said Morris. “Although we don’t know what the CFPB will change in current guidance, we are concerned that the guidance will be expanded to place more of the burden on credit unions as more responsibility is removed from consumers and greater liability is placed on financial institutions.”

    As the financial industry provides information to the CFPB to advocate for guidance that is fair to consumers and financial institutions and does not unintentionally set the stage for even more fraudulent activity, credit unions still face a number of challenges managing fraud risk today, said Mark Thomson, vice president of compliance for BECU. These challenges include:

    • Keeping up with the increasing number of Regulation E disputes and fraud claims that our members are submitting for our investigation and resolution with existing resources.
    • Keeping up with the fraudster’s complex use of systems, sophisticated social engineering methodologies and speed of operations, and the seemingly ever-increasing resources they have at their disposal to target our members.
    • Balancing the need for effective software and hardware tools to validate the identity of the member against the members’ desire for easy and quick sign-in to apps and systems.
    • Understanding when an investigation into disputed transactions is thorough and sufficient to conclude that the transactions are authorized.
    • Understanding what the standard of proof is for an investigation into disputed transactions and a determination that the transactions were authorized.
    • Maintaining consistency in investigations and outcomes across all members, across all products and through time.

    One of the most difficult challenges is managing the moral hazard problem in the Regulation E dispute process, said Thomson. “The moral hazard problem arises in economics when one party in a transaction takes on excessive risk because they know that any resulting negative consequences will be borne by the other party to the transaction,” he said. “In the context of Regulation E and electronic funds transfers, Regulation E’s limitations on member liability for fraudulent transactions can reduce the member’s incentive to take precautions against fraud, leaving credit unions to bear the losses.”

    Currently, Regulation E language assigns limited liability to a consumer in some cases. One example is a caller who identifies themselves as a representative of the credit union telling the member that their checking account has been hacked, and they need to go to a website provided by the caller to update access credentials. Once the fraudster has obtained log-in information via the “imitation” website, EFTs are initiated using the access credentials for the real account. In this case, the member did not authorize the EFTs and received no benefit from the transaction, Regulation E limits liability to the member.

    However, if the member agrees to deposit a check for someone, withhold some funds for their own benefit, and send another amount back to the person, the member is responsible for the full amount because the transaction was authorized by the account holder and anticipated gain from the transaction.

    “If the CFPB changes the language of Regulation E and significantly undermines the language in the definition of an unauthorized EFT in a manner that weakens the bulwark this language provides against the moral hazard problem, this will significantly degrade a credit union’s ability to manage fraud risk associated with EFTs,” said Thomson. “It may significantly increase the amount of fraud experienced by the credit union and undermine the economic viability of offering EFT and P2P payment systems.”

    Member Involvement Essential

    “We cannot address fraudulent activity alone,” said Doug Wright, chief financial officer for Mission Federal Credit Union. “Consumers must be our first line of defense by reviewing their statements and evaluating transactions and potential recipients carefully.” It’s also important for members to be aware of potential fraud, understand that credit union staff will not call for personal information including access credentials and take steps to prevent access to their accounts. “However, if CFPB changes the language to remove liability for their actions, there is little incentive to be vigilant,” he said. “P2P investigations will continue to be challenging because credit unions have no visibility into the transactions, and we do not know what steps services such as Venmo take to mitigate risk.”

    Mission Fed has taken steps to minimize fraud loss while still providing excellent member service. “We have invested in better tools, using artificial intelligence and machine learning to review transaction activity, and we’ve hired more staff,” said Wright. Over the years, Mission Fed staff involved in fraud monitoring and investigations has grown from one or two people 20 years ago to 10 to 12 people in recent years. “You must have human intervention to monitor and review flagged transactions to determine if it is suspicious. It’s part of balancing the need to provide reasonable, quality member service with the need to protect the credit union from fraud loss.” While NAFCU and other industry associations are actively advocating for reasonable updates to guidance that reflect the risks for increased fraud with new technology and minimization of consumer liability, it is important for individual credit unions to act as well, suggested Wright. “We need to educate our employees and our members to make sure our side of the story is told, and we need to take the message to the community as well,” he said. “As fraud risk increases and if CFPB guidance changes, credit unions may have to spend more money on tools and staff to monitor transactions, and we may have to tighten controls to stop some transactions. This could impact our members, which none of us want to happen.”