
With the proliferation of tools like Zelle, Venmo, CashApp, PayPal, and ApplePay, nearly every bank has now dealt with consumer fraud perpetrated through mobile payment apps, particularly with respect to person-to-person (P2P) functionality. So, who bears the loss when a customer reports that they have been the victim of fraud perpetrated against their deposit account, debit card, or credit card linked to a P2P app? The analysis is more complicated than one might think, often leaving both banks and consumers disappointed and frustrated. Let’s walk through a few basics.

How did the fraud happen?

Mobile payment scams generally come in two flavors: (1) the consumer is tricked into authorizing a payment through the app, or (2) the fraudster gains access to the consumer’s P2P app and originates transactions without the consumer’s knowledge or involvement.

If the consumer did in fact log into the app and make the payment themselves, the loss is likely the consumer’s to bear. This type of scam is sometimes referred to as “push payment fraud” or “APP fraud” (authorized push payment fraud), wherein a scammer impersonates a known service provider (like a utility company or landlord) or otherwise invents false pretenses to induce the consumer to agree to send funds. Because the consumer initiated the transfer, this type of fraud is not considered to be “unauthorized” under applicable regulations, much to the consternation of consumers.

A situation in which the fraudster gains access to the consumer’s P2P app account could be a different story, however. Perhaps the fraudster stole the consumer’s phone or (more likely) enticed the consumer to give the fraudster login information by masquerading as the consumer’s bank or the P2P app itself. In this circumstance, the chances of the bank bearing some or all of the loss increase, as these scenarios can meet the definition of “unauthorized” under Regulation E and Regulation Z.

What payment type was used?

Debit Cards, Prepaid Cards, and Deposit Accounts

If the unauthorized transaction involved an electronic fund transfer (EFT) from a linked deposit account, debit card, or prepaid card, then the unauthorized transaction provisions of Regulation E will control. Regulation E defines an unauthorized EFT as one made by a person “without actual authority to initiate the transfer and from which the consumer receives no benefit” and includes a situation in which the fraudster obtained the consumer’s access device from the consumer through fraud or robbery.

So, do stolen payment app credentials or a pilfered smart phone constitute “access devices” under Regulation E? While industry experts and legal professionals have debated this, the answer is probably yes. Regulation E defines an access device as a “card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate [EFTs].” Many P2P apps tokenize linked cards and accounts, substituting a token for the actual card or account number so that the recipient of the funds never sees the underlying details. That does not change the analysis: the token still functions as a “means of access” to the consumer’s account, and the Regulation E definition is broad enough to include debit cards and account numbers stored in P2P apps, whatever form they take on the wire.

Credit Cards

If the unauthorized transaction was made through a credit card connected to the P2P app, then Regulation Z will govern. The definition of “unauthorized use” here differs somewhat from that in Regulation E: “the use of a credit card by a person, other than the cardholder, who does not have actual, implied, or apparent authority for such use, and from which the cardholder receives no benefit.” However, the official interpretation of the rule makes clear that, like Regulation E, unauthorized use includes “a transaction initiated by a person who has obtained the credit card from the consumer, or otherwise initiated the transaction, through fraud or robbery.” Therefore, as with EFTs, credit card transactions initiated through fraudulently obtained access to a P2P app likely constitute unauthorized use under Regulation Z.

It is important to note that while many banks include provisions in their account and online banking agreements attempting to strictly limit the bank’s liability in the event the customer makes their online banking or other payment login information available to anyone else, such provisions cannot override the regulatory limits for consumer accounts. Both Regulation E and Regulation Z prohibit banks from imposing greater liability on a consumer than the regulations allow, whether through contractual representations or waivers.

Were notification requirements followed?

In order for the liability for an unauthorized transaction to shift from the consumer to the bank, the consumer must provide sufficient notice to the bank, and the timing of that notice matters. For example, Regulation E gives the consumer a very short window, two business days after learning of the loss or theft of an access device, to report it in order to cap the consumer’s liability at $50 (or the amount of the unauthorized transfers, if less). If the consumer fails to report within that window, liability increases to up to $500. If the consumer also fails to report an unauthorized transfer within sixty days after the bank sends a periodic statement showing it, the consumer may be liable for the full amount of any further unauthorized transfers that occur after the sixty-day period, until the bank is notified.

Changes ahead?

The CFPB and Congress have raised concerns over increasing P2P app fraud and have begun to debate solutions to further protect consumers from liability (even in circumstances attributable to the consumer’s own negligence or failure to verify the identity of a payee). Some suggest requiring P2P apps themselves to share in the liability for scams perpetrated using their platforms; others say banks should do more to shut down accounts being used by fraudsters to take receipt of pilfered funds. Whatever the resolution, bankers should pay close attention to upcoming political commentary and proposed rules to ensure policies, procedures, and customer education efforts are beefed up to protect everyone involved.
