A showdown is coming over who is liable for P2P payments fraud

The Consumer Financial Protection Bureau is expected to issue guidance soon on banks' liabilities for fraud perpetrated on digital payments platforms like Zelle, setting up a major regulatory fight that could play out for years.  

Financial institutions claim they cannot be held liable when a consumer incorrectly sends an electronic payment to the wrong person or gets tricked by a criminal and authorizes a payment that turns out to be a scam or fraud. 

Banks and credit unions are likely to sue the bureau if it tries to assign broad liability for fraudulent payments authorized by consumers. Some expect the CFPB will need to issue a rulemaking if it tries to mandate that consumers get repaid for fraud.

Zelle app
The Consumer Financial Protection Bureau is expected to issue a guidance detailing the extent to which banks and credit unions are liable for fraud on digital payments platforms like Zelle.
Adobe Stock

"Most consumers do not know that there is a difference between sending payments from PayPal's wallet or their underlying bank account," said Aaron Klein, senior fellow at the Center on Regulation and Markets at the Brookings Institution. 

The issue is complicated because the 1970s-era law governing electronic payments — the Electronic Fund Transfer Act of 1978 — is woefully out of date. 

The law never envisioned that consumers would transfer money to criminals or someone they do not know in response to an unexpected text or phone call, Klein says, and from a public policy perspective, consumers have come to believe that instant payments and digital wallets have the same consumer protections as credit cards.

"It's important that the bureau modernizes Regulation E to deal with the realities of digital wallets existing outside of traditional banks," Klein said.

The CFPB has clear authority to interpret the EFTA and could clarify that, in certain circumstances, a payment is an "error" when a consumer is defrauded into initiating an electronic transfer to a fraudster. The bureau also could add a new category of error for fraudulently-induced payment and may also clarify that EFTA applies to all electronic payments. 

The EFTA has a list of seven categories of error, including unauthorized payments and incorrect transfers by a financial institution that require consumers be reimbursed if they notify their institution promptly. But at the time the act was passed, electronic transfers were almost exclusively executed by banks or other financial institutions, and as a result "errors" have traditionally been interpreted to have been made by financial institutions — not the consumer. 

Signage is displayed outside of branches for Bank of America, JPMorgan Chase and Capital One.
Why Zelle's owners revived an old brand to battle ID fraud

"I think there's an excellent legal argument that a customer mistake is an incorrect transfer," said Gail Hillebrand, a payments expert and former CFPB associate director for consumer education and engagement. "What's more incorrect than sending your money to the wrong person?"

Hillebrand also said that a failure by financial institutions or payment providers to act to prevent fraud can be considered an "unfair" practice that the CFPB could enforce under its general prohibition against "unfair, deceptive or abusive acts or practices," known as UDAAP. 

The CFPB has already taken some steps to apply UDAAP to payments.

In July, the CFPB fined Bank of America $100 million for botching the disbursement of unemployment benefits on prepaid cards. And earlier this month the CFPB said in a circular that a failure to prevent fraud and identity theft can constitute an "unfair" practice. 

Several Democratic lawmakers have urged CFPB Director Rohit Chopra to take steps to provide stronger protections for consumers after a spate of news stories and lawsuits against banks and payment providers.

"Determining liability based on whether a consumer or a fraudster physically initiates a transaction is antiquated," the lawmakers wrote in a letter led by Sens. Jack Reed, D-R.I., and Bob Menendez, D-N.J. "Our nation's consumer protection rules must evolve to keep pace with the growth of instant payment services like Zelle."

Zelle has become a poster child for digital payments fraud, with thousands of consumers complaining that its parent company Early Warning Services, based in Scottsdale, Arizona, refuses to investigate fraud or resolve mistakes. Early Warning is owned by Bank of America, Capital One Financial, JPMorgan Chase, PNC Financial Services Group, Truist Financial, U.S. Bancorp and Wells Fargo.

Complaints to the CFPB about Early Warning Services jumped 80% from March 2022 to June 2022, said Marcia Tal, the CEO of Tal Solutions, a New York-based artificial intelligence firm that analyzes complaint data. 

Banks on the offensive

Many of the largest banks have already gone on offense by issuing more frequent warnings to customers and added layers of confirmation to use Zelle. Some banks tell consumers outright that the money they send "may not be recoverable" and that a bank will never ask a consumer to transfer money to themselves or to anyone else. 

Some of the most pernicious fraud in electronic payments involves criminals sending out mass emails and then posing as bank representatives to those that respond, instructing them to send money to a bogus account. Some experts think the CFPB could take a narrow approach by issuing guidance that banks reimburse consumers in those instances.

Trace Fooshee, a strategic advisor at Aite-Novarica Group, said he is concerned that the CFPB may change the standard used to test whether a payment order was authorized by a consumer or not. 

"The standard that has been used has been whether the customer had authenticated properly and issued the payment order. The banks prefer this standard because it's a tangible, verifiable fact," Fooshee said. "If the CFPB changes the standard to whether or not the customer intended to issue the payment order, then the banks will have a nightmare of a time dealing with the new standard. How can they be expected to prove intent?"

Banks will have to spend more money investigating mistakes and fraudulent payments authorized by a consumer, he said. Some think banks and credit unions will be forced to increase fees and shoulder more losses, or in a worst-case scenario, they would have to withhold or curtail some peer-to-peer payments.

Credit unions  and small community banks also would suffer if they had any exposure to fraud-related losses and if they are required to conduct investigations into peer-to-peer payments. 

"Credit unions that are only tangentially connected to P2P transactions because of a linked debit or credit card may share full responsibility for investigating alleged errors despite being in an inferior position to research the cause of the error and validate the consumer's claims," Dan Berger, president and CEO of the National Association of Federally-Insured Credit Unions, said recently in a letter to the CFPB. 

Others suggest that the Federal Reserve bears some responsibility for failing to modernize the payments system that has largely been under-regulated, in part, because it has been controlled by banks for so long. The Fed has made substantial headway on its own real-time payments platform FedNow, which is expected to launch in 2023.

"It's a national disgrace that the Fed's payment system moves at the same speed as it did when we had flip phones and went to Blockbuster whereas the rest of the world has iPhone13 and streams," said Klein. 

Others suggest the CFPB needs to act precisely because the massive losses due to fraud are unsustainable. 

"The payment system is a national economic asset," said Hillebrand. "It should be safe for everyone to use no matter which rail they use. People shouldn't have to understand their plumbing in order to get safe water."

For reprint and licensing requests for this article, click here.
Regulation and compliance Digital payments
MORE FROM AMERICAN BANKER