Interpreting Updated Reg. E Guidance and Proposed U.S. Legislation on Authorized Fraud Liability
July 27th, 2022
Social engineering scams are flourishing, putting a spotlight on the way unauthorized and authorized electronic transactions are interpreted under Regulation E (Reg. E). Banks and financial institutions (FIs) in the U.S. face increasing scrutiny, particularly with their responsibility toward customers in the event of a fraud report for a digital transaction and the associated liability when there’s a financial loss.
Updated guidance from the Consumer Financial Protection Bureau (CFPB) in 2021, which was also echoed by the Federal Deposit Insurance Corporation (FDIC) in March 2022, offers insights to help FIs deal with these complex liability decisions, particularly for unauthorized electronic transactions.
In this post, we break down this regulatory guidance and its impact on the financial services industry. We’ll also touch on recent legislation proposed in the U.S. House of Representatives to extend Reg. E liability to authorized fraud. We believe this is inspired by pending legislative efforts in other regions, such as in the U.K. where authorized push payment fraud (APP fraud) is a multibillion-pound problem.
Updated Regulatory Guidance for Unauthorized Fraud
Any fraud professional, especially those managing a high volume of customer reports of fraud or disputed transactions, is familiar with Reg. E. To unravel the CFPB’s recent guidance on Reg. E, it helps to have some historical context.
In the past, when a fraudster illicitly obtained valid credentials from the customer, and then logged in to an account, unauthorized electronic transactions that followed were generally perceived by the financial services industry to be the customer’s fault. Consequently, customers took on the financial responsibility for any losses due to fraudulent transactions from the account. However, CFPB and FDIC guidance no longer agree with this biased interpretation of Reg. E.
On the heels of a flood of consumer complaints, the CFPB decided last year to reconsider the definition of unauthorized fraud under Reg. E, specifically on determining liability. Updated guidance focuses on:
- What party executed the disputed or fraudulent transaction during an unauthorized fraud event—the fraudster, or the customer?
- How access to the account occurred, which in these cases, is most likely fraudulently induced.
- What type of scam was used? Customers fall for any number of diverse social engineering scams that lead to a fraudster gaining access to accounts. Some popular scams include impersonation of a trusted party (such as the customer’s bank), investment scams involving cryptocurrencies, and romance scams.
Under the lens of Reg. E, the CFPB recognizes unauthorized fraud, or account takeover (ATO), as electronic transactions where the customer was not involved in the execution of the payment itself. A customer can claim Reg. E protections and file a dispute if a digital transaction meets this criterion.
This is how we interpret it, though it’s not legal advice: on a claim of unauthorized fraud, an FI must consider first-party fraud or accept financial liability under Reg. E. In other words, if the FI can’t prove that a customer is lying or intentionally provided misleading information about who logged into the account and completed the disputed transaction, they must reimburse that customer for their losses. Consequently, NICE Actimize recommends that FIs internally align with their own compliance and legal teams to ensure unauthorized fraud claims are being correctly settled considering this new regulatory guidance.
Updated Regulatory Guidance for Authorized Fraud
Authorized fraud has received significant industry attention lately due to an uptick in Zelle™ payments fraud. This social engineering scheme happens when a customer is convinced via phone or text to send payment to the fraudster directly or via a money mule. Victims are instructed to use the Zelle™ peer-to-peer (P2P) payment application to execute the fraudulent transaction, which normally results in devastating financial losses.
Because many banks don’t assume liability when authorized transactions are disputed by the customer, the victims of authorized fraud are lodging their complaints with the CFPB. Some banks are currently accepting liability for authorized fraud, either due to growing pressure from customers, increasing media attention, concern over customer attrition, fear of further regulatory scrutiny, or a combination of these factors. However, neither the CFPB nor the FDIC has offered specific counsel on financial liability for authorized fraud transactions under Reg. E. The industry at large is currently waiting for potential guidance. The wait might be short, as pending legislation in the U.S. House of Representatives may soon provide clarity into this issue.
Legislative efforts worldwide
In addition to the recently proposed legislation in the U.S. House of Representatives, there’s rising political attention on this matter in the U.S. Senate from Senator Warren and Senator Menendez. In reviewing their collective assertions on authorized fraud, it’s our view that while they’re insisting that banks should accept liability for authorized fraud under Reg. E, there aren’t any concrete resources or guidance indicating agreement from the CFPB or the FDIC.
U.S. legislative efforts in this area are possibly being influenced by the U.K.’s experience with authorized fraud, especially considering the U.K.’s Payment Systems Regulator proposal to introduce legislative amendments to allow mandatory reimbursement for authorized fraud in 2022. Unsurprisingly, the title of the currently proposed bill concerning authorized fraud that’s under consideration in the U.S. House of Representatives (117th Congress, 2D Session) is “to amend the Electronic Fund Transfer Act [Reg. E] to treat fraudulently induced electronic fund transfer in the same manner as unauthorized electronic fund transfer, and for other purposes.”
Global approach to customer liability
Though Reg. E solely applies to U.S. banks and FIs, there’s clearly some regional cross-pollination occurring regarding consumer liability that’s evident in the liability shift for fraud losses, as witnessed in the similarity of regulatory and legislative approaches in the U.S. and the U.K.
While it’s important to have better clarity on financial liability for losses associated with both authorized and unauthorized fraud, it’s not the only solution. Banks and FIs are under extreme operational and financial pressures to effectively deal with the constantly increasing scale of fraud attacks, regardless of whether the fraud event was authorized or unauthorized.
Rather than shifting the sole liability to banks and FIs, these organizations must leverage a combination of technologies, tools, and approaches. This is accomplished by using consumer-friendly and robust fraud and anti-money laundering (AML) risk controls supported by comprehensive solutions that leverage artificial intelligence and machine learning.
An effective approach can be augmented with other sophisticated tools, like behavioral biometrics and mobile data intelligence, to fight the growing problem of authorized and unauthorized fraud.