Credit unions that offer online wire transfers may want to pay attention to a lawsuit that is currently playing out in federal court in New York. Back in January, the New York Attorney General’s Office (NYAG) filed a federal lawsuit against Citibank. The lawsuit alleges violations of law relating to Citibank’s offering of online and mobile wire transfers. Last week, the Consumer Financial Protection Bureau (CFPB) weighed-in on the case, filing an amicus brief in support of the NYAG’s arguments. The end result? Regulators at both the state and federal levels are now arguing a legal theory that, if supported by the courts, could result in a large increase in fraudulent transaction liability for financial institutions, including credit unions.
Wire Transfers – Which Laws Apply?
Many financial institutions offer the option to send wire transfers. Typically, wire transfers are governed by the Uniform Commercial Code (UCC), specifically article 4A (or Regulation J for transfers completed using the Fedwire service). These transactions require someone who wishes to send money (the sender) to provide a “payment order” to a financial institution (the “receiving bank”), which then sends the funds to another financial institution (the “beneficiary bank”) who then provides the funds to the intended recipient (the “beneficiary”). According to the model UCC, a sender can provide the payment order orally, in writing, or electronically.
The UCC has been adopted by U.S. states in varying formats. As such, wire transfers tend to be governed by laws and rules at the state level. This sets wires apart from credit card, debit card, and peer-to-peer payment transactions, which are governed by federal consumer protection regulations.
Fraudulent Transactions
Fraud has been on the rise in recent years, with more and more Americans falling victim to scams and social engineering methods. In fact, the losses consumers have faced from fraud have caused some, including elected officials and regulators, to push for increased coverage of fraudulent transactions under Regulation E, which governs electronic funds transfers (EFTs), such as transactions involving debit cards and peer-to-peer payments. Under Regulation E, a consumer’s liability will be limited for unauthorized EFTs, which are EFTs that are initiated by someone other than the consumer who lacks the authority to initiate them. When a consumer’s liability is limited, the credit union will end up bearing the rest of the loss.
When it comes to fraudulent wire transfers, however, the conventional wisdom in financial services has been that such transactions are not covered by Regulation E, which specifically defines EFT to exclude “[a]ny transfer of funds through Fedwire or through a similar wire transfer system that is used primarily for transfers between financial institutions or between businesses.” As discussed above, wires are subject to UCC Article 4A, which states that a credit union will not bear liability for fraudulent wire transfers so long as the credit union followed an agreed upon set of “commercially reasonable” security procedures. However, the regulators are now challenging this conventional wisdom in court.
The NYAG Lawsuit
As mentioned above, the NYAG sued Citibank in federal court earlier this year, alleging violations of law relating to Citibank’s wire transfer practices. Specifically, the NYAG’s complaint argues that Citibank violated New York state law by failing to subject electronically initiated wire transfers to the requirements of Regulation E. According to the NYAG, wire transfers that are initiated electronically – such as through online or mobile banking – should be covered by Regulation E’s provisions, including the provisions regarding unauthorized EFTs. Last week, the CFPB filed an amicus brief in the case in which the CFPB agrees with the NYAG’s analysis and arguments, thus putting the weight of a federal regulator behind the NYAG’s legal theory.
According to the regulators, a wire transfer can be broken down into several steps, like so:
- Step 1: The consumer (“sender”) provides a payment order to his financial institution (the “receiving bank);
- Step 2: The receiving bank electronically moves funds from the consumer’s account to pay itself for the payment order;
- Step 3: The financial institution sends the funds to the beneficiary bank;
- Step 4: The beneficiary bank transfers the funds into the beneficiary’s accounts.
The regulators allege that steps 2-4 above are distinct funds transfers that are subject to their own laws and regulations. For example, wires between financial institutions are excluded from Regulation E, and thus step 3 would be subject to the UCC or Regulation J. However, the regulators argue that step 2 – in which the institution takes funds from the sender’s account to fund the transfer – is actually an EFT and therefore subject to the requirements of Regulation E. Thus, the NYAG argues that a wire transaction can be broken down into distinct steps, with some of those steps receiving Regulation E protections. The CFPB’s amicus brief agrees, arguing that the legislative and regulatory history supports this approach and that, despite a long history of industry practice to the contrary, Regulation E was always meant to apply to certain steps in a wire transaction (if initiated electronically).
Let’s consider the practical implications of this argument. A credit union member unwittingly gives her log-in information to a scammer, who then logs into her online banking account and sends a wire transfer. If courts adopt the NYAG and CFPB’s view of Regulation E, then the step at which the credit union deducts funds from the member’s account would be an unauthorized EFT, meaning the member’s liability would be limited and the credit union could bear the resulting loss. This approach could result in increased in fraud losses for credit unions.
The CFPB’s amicus brief is also notable, as it shows the federal regulator with authority to amend and interpret Regulation E now embraces this interpretation of Regulation E’s applicability to wire transfers. While the agency has not indicated a broader initiative is in the works, this amicus brief could foreshadow the CFPB’s use of this theory in future rulemakings or exams.
America’s Credit Unions will keep you up-to-date on this litigation as developments occur.