CFPB Regulation E Update: Onus on Banks for Better Fraud Prevention

The Consumer Financial Protection Bureau (CFPB) made waves in the financial industry last month when it came out swinging after a four-year slumber under the deregulation-friendly Trump administration to publish a compliance aid that prevents banks from exploiting loopholes in Regulation E. Now that banks and other financial institutions are back on the hook for reimbursing their customers who have fallen victim to fraud, they have a bigger financial incentive than ever before to invest in fortifying one-time passwords and leveling up their biometric game to protect their bottom line. 

If you’ve ever sent money to a friend over Venmo after a shared meal, transferred funds from your savings account to your checking account in a pinch, withdrew cash from the ATM before a vacation, or paid your electric bill online at the end of the month, you’ve enjoyed the ease and convenience of authorizing an electronic fund transfer (EFT). Unfortunately, as legitimate EFTs become a daily part of our lives, unauthorized EFTs are becoming all too common. According to the Fed, an unauthorized electronic fund transfer is an EFT from a consumer’s account initiated by a person other than the consumer without authority to initiate the transfer and from which the consumer receives no benefit. In layman’s terms, an unauthorized EFT is simply when a crook gains access to a customer’s bank account or credit card information and steals every last penny. Fortunately, considering just how common they are, unauthorized EFTs don’t mean financial ruin for victims thanks to the Electronic Fund Transfer Act of 1978 and its companion policy, Regulation E.

Intending to prevent bankruptcy for consumers who risk losing everything to unauthorized EFTs and maintaining a trusted and safe digital banking system, Congress passed the Electronic Fund Transfer Act, signed into law by President Jimmy Carter in 1978. At its core, the legislation transfers the liability for unauthorized EFTs from the consumer to the financial institution. In his reporting for The American Prospect, journalist David Dayen explains: “As long as the consumer reports the unauthorized transfer within 60 days, the financial institution must investigate the matter and credit the consumer’s account if they find the transfer to be unauthorized. Depending on the circumstances, the consumer may have to take a hit of up to $500, but the limit on liability is even more stringent (no more than $50) if the consumer informs their bank within two business days. The financial institution picks up the rest of the cost.”

Since the law was passed, rates of fraud have increased astronomically. Today, teams of skilled fraudsters turn a profit by imitating bank representatives to fool vulnerable individuals, especially older folks, into handing over their banking information. In 2020, credit card fraud alone totaled an estimated $11 billion in the United States. In order to avoid costly pay-outs, financial institutions have increasingly begun denying restitution to victims of unauthorized EFTs by arguing that if a customer willingly gives out their personal information (password, pin, etc.), they are “personally negligent,” regardless of whether they were fooled into doing so under false pretenses, and therefore ineligible. In June, however, the CFPB weighed in and closed this loophole once and for all, coming down on the side of consumers. The CFPB ruled that a consumer who is fraudulently induced into providing account information has not furnished an access device under Regulation E. Electronic fund transfers (EFTs) initiated using account access information obtained through fraud or robbery fall within the Regulation E definition of unauthorized EFT.

This ruling will save millions of defrauded consumers from being held liable for bogus charges and encourage banks to invest in the next generation of fraud prevention processes and tools.

Because mobile phones are now an integral part of digital banking, banks and other financial institutions are increasingly looking to Phone-Centric Identity™ to prevent fraud, especially in the wake of the CFPB’s new regulation. Fortified 2-Factor Authentication using Prove Instant Link™, Prove Trust Score™, and Prove GaitAuth™ are best-in-class products that banks can use to dramatically cut down on social engineering fraud while improving customer experience.

To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.