CFPB’s New Guidance Takes Aim at Recent Increase in Digital Payments Fraud and Unauthorized Transactions

The adoption of electronic payments substantially accelerated during the pandemic and shows no sign of slowing down. As digital payments increased, so did the volume of errors and fraud in the payments system. TransUnion recently reported that the rate of digital fraud attempts rose nearly 150% worldwide during the first four months of 2021 as compared to the last four months of 2020. On June 4, 2021, the Consumer Financial Protection Bureau issued a Compliance Aid to answer lingering questions posed by industry and consumer advocates about the applicability of the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E (Reg E) to digital payments. Bank and non-bank participants in the payment system should take note of this new guidance, which sets forth how the Bureau will analyze providers’ handling of consumer complaints regarding unauthorized or erroneous electronic fund transfers.

As an initial matter, Compliance Aids are relatively new to the Bureau, though other federal and state agencies have used them in various formats. The Bureau’s Policy on Compliance Aids became effective on February 27, 2020. Since then, the Bureau has issued six Aids, including this one. As the Bureau explained in its Policy Statement on Compliance Aids, these documents are neither formal “rules” nor decisions binding on specific entities but are intended to provide companies with practical guidance helpful to compliance professionals or other stakeholders. What is particularly notable about this form of guidance is that the Bureau expressly states that it will not take enforcement or supervisory action against “entities that reasonably rely on Compliance Aids.”

The Bureau has been focused on EFTA compliance related to digital payments for some time. Supervisory examiners have issued findings that some financial institutions have placed burdens and barriers on consumers prior to conducting investigations of payment errors and have failed to appropriately stop automatic payments. The CFPB recently took enforcement action against a financial institution for alleged violations of Regulation E and related unfair acts or practices, requiring that institution to provide approximately $12 million in remediation and pay a $3.5 million penalty.

Key Takeaways from the Bureau’s New Guidance

The eight Frequently Asked Questions in the Compliance Aid appear simple but address the core complaint-handling and dispute-resolution functions that often pose the most challenging compliance obligations on companies. Business leaders who manage electronic fund transfer processes should take note of four key points.

• A financial institution cannot deny a customer’s attempt to limit his or her liability for an unauthorized transaction where that customer was defrauded into providing account information to an unauthorized user who transferred funds out of the account. This restriction applies even to situations where a customer is tricked into providing information necessary to initiate electronic fund transfers (such as account number and password) to a third party pretending to be from the customer’s financial institution.
• A financial institution may not consider customer’s negligence, (i.e., writing their PIN on their debit card) when determining whether an electronic fund transfer is authorized for purposes of Reg E. Specifically, the customer’s negligence cannot be used to infer “authorization” for transfers made by a third party who obtained account access through fraud or robbery.
• Financial institutions must conduct a reasonable investigation after receiving an oral or written notice of error from a customer. Companies cannot delay or avoid that investigation process by requiring burdensome documentation (i.e., police reports or forms) or by requiring customers to first resolve disputes with merchants.
• Compliance obligations under Reg E supersede requirements established by any payment networks, and a customer cannot be required to waive their rights under the EFTA or Reg E through contract or agreement.

Finally, it is important to note that the provisions of Reg E in the Compliance Aid may also be applied to prepaid accounts and digital wallets, not just to traditional bank accounts. The Bureau’s Prepaid Rule, effective April 1, 2019, extended error resolution and limitations of consumer liability for unauthorized electronic fund transfers to certain prepaid products, including digital wallets. Accordingly, the guidance in this Compliance Aid is applicable to both bank and non-bank deposit, prepaid account, and payment providers.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Elizabeth L. McKeen, an O'Melveny partner licensed to practice law in California, Pamela A. Miller, an O'Melveny partner licensed to practice law in New York, Laurel Loomis Rimon, an O'Melveny partner licensed to practice law in California and the District of Columbia, and Melissa B. Guidorizzi, an O'Melveny counsel licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.