Despite the absence of specific legislation mandating the use of open banking in the U.S., this practice is growing across the country. Open banking — when banks and financial institutions provide third parties with access to customers’ financial data — allows third parties to initiate payments and to offer other services that customers find convenient, like opening accounts, comparing financial products or getting customized offers.
The Consumer Financial Protection Bureau (CFPB) has openly stated its intention to use its mandate under Section 1033 of Dodd-Frank Act to further promote the use of open banking. There is yet one challenge that may have delayed the agency’s plans to enact new regulation: authorized push payments (APP) fraud. APP scams occur when individuals and businesses are tricked into sending money to an account controlled by a fraudster.
Open banking has facilitated a significant increase in the number of electronic transactions, and also the number of fraudulent activities. While banks may be in favor of sharing customers’ data with third parties — and in fact, many of them have reached agreements with third parties — they may be held responsible for the losses in case of APP scams, even when they are not a party in the transaction. The CFPB has issued guidelines to determine when a bank may be responsible.
The key element to determine who is liable for such losses is whether the electronic transfer is “authorized” or “unauthorized.” The federal law covering electronic transfers, Regulation E, only requires banks to return the funds when the transaction is “unauthorized,” and APP scams would, in principle, fall outside this category. But the CFPB issued guidance in late 2021 to clarify when an electronic fund transfer (EFT) could be considered “unauthorized.”
According to the agency, “unauthorized EFTs include transfers initiated by a person who obtained a consumer’s access device through fraud or robbery.” The agency goes further, and it includes examples. For instance, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E. This would include cases that resembles the techniques used in APP scams, like when a third-party calls the consumer and pretends to be a representative from the consumer’s financial institution and then tricks the consumer into providing their account login information, account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account.
The rest of the CFPB’s guidelines seem to reinforce the idea that APP scams may be considered an “unauthorized” EFT and banks may be held responsible under Regulation E, unless they can prove the customer’s liability.
In order to promote open banking, the CFPB may probably need to strike the right balance between encouraging banks to share customers’ financial data and limiting their responsibility in APP fraud cases. But this is not the only case where the bureau may need to look at Regulation E.
On May 19, the Federal Reserve published a final rule clarifying some aspects of the future transfers over its FedNow payment system, and it admitted that the system doesn’t have all the tools to prevent potential fraud. FedNow will provide new rails to make instant payments, but the Fed recognized that “the irrevocable, real-time nature of instant payments can pose a challenge to the industry as a whole in detecting and preventing fraud.”
The Fed would allow banks to delay certain transactions when there is a risk of fraudulent activity associated with anti-money laundering or terrorism activities, but this exemption may not be extended to APP scams. The Fed recommends instead strengthening consumer protections related to instant payments, and it suggests further examination of Regulation E as a potential tool for this.
Read More: FedNow Will Let Banks Delay Instant Payments to Prevent Fraud