Peer-to-Peer Payments: Monitoring for Fraud

Don’t breathe that sigh of relief just yet. Although the CFPB may have dropped its lawsuit against Zelle for its failure to follow error-resolution requirements on its Peer-to-Peer (P2P) payments platform, states are still in the mix, looking to increase liability under Regulation E. For example, the New York State Attorney General (NYAG) has brought a case against Citibank that seeks to bring wire transfers under Regulation E’s umbrella by categorizing wires as Electronic Fund Transfers (EFTs). America’s Credit Unions and the New York Credit Union Association, together with the American Bankers Association, Bank Policy Institute, and the Clearing House Association, filed an amicus brief to defend against this overreach. However, it is clear that credit unions are still in the thick of it with Regulation E and fraud.


With the increasing popularity and use of P2P services come growing concerns about fraud. Credit unions that use these services may want to pay close attention to their due diligence efforts in this space, as scrutiny has increased over the years concerning the lack of fraud protection for customers using P2P services.


Common P2P scams include impersonation scams, fake sales, phishing scams, and rental scams. These types of fraud are common tactics used by criminals because the P2P platforms themselves often do not provide purchase protection, refunds, or transaction reversals. According to a popular P2P platform’s terms of service, once a user submits a transaction, it is considered authorized and final. Although there is pressure on Congress to reform this practice, as of today, it has not.


Due to the lack of robust customer support from many P2P platforms, consumers often turn to their credit union or bank to try to get their money back by filing Regulation E claims of unauthorized EFTs. Some credit unions have denied these claims on the basis that those members voluntarily provided their login to facilitate the transfer and ultimately the fraud. Denying reimbursement to members who are victims of these types of scams could expose credit unions to allegations of violating Regulation E.


One of the main questions regarding claims of unauthorized transactions is, if you can believe it, whether the transaction was unauthorized or not. Section 1005.2(m) of Regulation E defines an unauthorized electronic fund transfer as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.” (emphasis added) The official interpretation to §1005.2(m) clarifies that “an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through robbery or fraud.”


The CFPB has issued Electronic Fund Transfers FAQs to clarify what constitutes an unauthorized EFT under Regulation E. The CFPB’s answers to questions 5 and 6 under the category, “Error Resolution: Unauthorized EFTs,” clearly indicate that consumers victimized in this type of scam, by providing fraudsters access to their P2P accounts, should be provided protection under Regulation E.


As noted above, with the CFPB’s expansive definition of unauthorized transfer and the NYAG’s lawsuit to recategorize wires as EFTs, credit unions are facing a dangerous threat. The good news is that there are ways credit unions can take control to set themselves and their customers up for better protection when it comes to P2P scams. Here are some practices that credit unions can implement to help mitigate P2P fraud risk:


1. Member Education: Remind your members how to identify common scams and the dangers of sharing personal information like login details, and explain how to verify recipient details before sending money.

2. Monitor Transactions: Set up systems to flag suspicious transactions based on unusual activity patterns; monitor for large transfers to unfamiliar recipients; and implement temporary holds on new P2P recipients to verify identity.

3. Limit New User Exposure: Set daily transaction limits, or consider utilizing a verification process before allowing large transfers via P2P.

4. Implement System Features: Use built-in security features like verification codes and account linking, or utilize interim messaging that reminds members to be alert to scam attempts before completing a transfer. Implement strong security measures, such as two-factor authentication.
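One way to express the monitoring, hold and limit practices in items 2 and 3 as rules, added here as an illustration (it is not code from America’s Credit Unions or any P2P platform). The thresholds, the class and field names, and the sample transfers are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative assumptions, not values from the article or from Regulation E.
LARGE_AMOUNT = 500.00                     # cutoff for a "large" transfer
DAILY_LIMIT = 1000.00                     # rolling 24-hour cap per member
NEW_RECIPIENT_HOLD = timedelta(hours=24)  # how long a recipient counts as "new"

@dataclass
class Transfer:
    member: str
    recipient: str
    amount: float
    when: datetime

class P2PMonitor:
    def __init__(self):
        self.first_seen = {}  # (member, recipient) -> time the pair was first used
        self.history = []     # released or held transfers, counted toward the limit

    def evaluate(self, t):
        """Return (decision, reasons); decision is 'release', 'hold' or 'block'."""
        first = self.first_seen.setdefault((t.member, t.recipient), t.when)
        is_new = t.when - first < NEW_RECIPIENT_HOLD
        reasons = ["new_recipient"] if is_new else []
        if is_new and t.amount >= LARGE_AMOUNT:
            reasons.append("large_to_unfamiliar")
        # Held transfers may still be released later, so they count toward the cap.
        window_start = t.when - timedelta(hours=24)
        spent = sum(h.amount for h in self.history
                    if h.member == t.member and h.when > window_start)
        over = spent + t.amount > DAILY_LIMIT
        if over:
            reasons.append("daily_limit")
        decision = "block" if over else ("hold" if reasons else "release")
        if decision != "block":
            self.history.append(t)
        return decision, reasons

def run_sample():
    t0 = datetime(2025, 1, 6, 9, 0)
    sample = [  # constructed transfers for one member
        Transfer("m1", "alice", 40.0, t0),
        Transfer("m1", "alice", 60.0, t0 + timedelta(days=2)),
        Transfer("m1", "bob", 800.0, t0 + timedelta(days=2, hours=1)),
        Transfer("m1", "alice", 300.0, t0 + timedelta(days=2, hours=2)),
    ]
    monitor = P2PMonitor()
    return [monitor.evaluate(t) for t in sample]

if __name__ == "__main__":
    for decision, reasons in run_sample():
        print(decision, reasons)
```

A "hold" result is the point at which the identity verification or scam-warning message from item 4 would be shown before funds move.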

Remember, the fact that the CFPB dropped its lawsuit against Zelle should not be interpreted to indicate that the problem is resolved. While it is important for credit unions to keep pace with evolving customer preferences, such as offering P2P services, it is even more important for them to ensure new technologies do not create security vulnerabilities. Exercising due diligence and implementing additional security layers, such as monitoring for fraud, will help shield credit unions and their customers from an increased risk of P2P fraud.


If you have any questions concerning this topic, please contact the America’s Credit Unions Compliance team at compliance@americascreditunions.org.
 
