
Should banks be held liable for unauthorized P2P fraud?

“Caveat emptor”, goes the old adage – buyer beware.

And now, in the digital age, as peer-to-peer (P2P) transactions between bank accounts gain traction and fraudsters impersonate legitimate people and businesses, the mantra has become “sender, beware”.

Ingo Money CEO Drew Edwards told Karen Webster that the shift to digital and the introduction of fast P2P rails have made all consumers increasingly comfortable with P2P, as evidenced by triple-digit percentage gains in Zelle and Venmo volumes.

It has also made fraudsters quite comfortable exploiting the instantaneous and irrevocable nature of these transactions.

And it has made consumers increasingly uncomfortable with the bank’s position on refunding their money if it ends up in the hands of a fraudster.

“There’s still some education that needs to be administered in the banking industry to remind consumers of their responsibility,” Edwards said.

A matter of trust

At the center of the debate is the growing number of consumers falling victim to scammers who trick them into sending money to a bad guy’s account. Scams cost consumers up to $6.1 billion in 2021, the Federal Trade Commission (FTC) reported, up from $3.4 billion the year before. In the first quarter of 2022, losses exceeded $1.7 billion. These scams run the gamut from romance scams to deals on highly sought-after consumer goods to sign-ups for training or educational courses that never existed.

In such cases, the regulations, in particular Reg E, are clear: if a consumer authorizes the transfer, the financial institution (FI) has no liability, meaning the bank is not obligated to refund the money to the consumer.

The P2P model as it currently exists is a “sender distrust model,” Edwards said, adding that there are prompts during and just before the end of the process that inform the sender that the transaction is irrevocable and that it is best to check and recheck the recipient’s information.

Edwards said these situations are no different from a consumer writing, signing and mailing a check to a fraudster or sending a wire transfer to a bad guy. If these funds clear the consumer’s account, the responsibility rests with the sender.

“Why should P2P be any different?” Edwards asked rhetorically. “Simply put, if the funds are sent to the wrong person but the bank has been instructed to do so – well, that’s the sender’s problem.”

Taking a different stance is akin to handing a scammer a blank checkbook, he said, especially for friendly fraud schemes, where consumers writing checks or making payments, then claiming they did not receive what was ordered and demanding refunds, would proliferate.

Where things get murky

Where things are a little less clear is when a consumer’s bank account credentials have been compromised at a third party to whom the consumer has granted access to those credentials, and the credentials are then used to commit fraud. The fraudulent use of such credentials is clearly not authorized by the consumer, but the consumer did authorize that third party to use them.

This is the use case that has recently made national headlines, and has also caught the attention of the Consumer Financial Protection Bureau (CFPB), which has revised its FAQ to include liability for unauthorized transactions that fit this definition. It clearly says that if an account holder shares credentials with a third party and that third party is compromised – and the fraudster uses those credentials to access the account holder’s account and move money – the bank is responsible.

Is it, Webster asked, an open checkbook for third parties, FinTechs, to be less rigorous about their own know your business (KYB) and fraud systems and protocols?

It’s complicated, Edwards said, adding that someone other than the consumer, including the bank, must be responsible for maintaining consumer confidence that the bank is a safe place to keep their money. This is also where the liability structure of other more proven payment methods can be instructive.

“No one would use a credit or debit card if it didn’t have a capped liability that essentially prevents cards from being passports to emptying bank accounts,” Edwards said.

On the other hand, he said FinTechs should compensate the bank for these compromised transactions. FinTechs buy insurance for this purpose, and FI agreements with data platforms that use application programming interface (API) access to bank accounts rather than screen scraping can block anything that is not expressly authorized by the end user.

“After all, open banking isn’t free for everyone,” Edwards said. “The bank has asked which third parties it is willing to provide access to open banking.”

Otherwise, open banking will die on the vine, he said. If regulators hold banks liable for the improper use of compromised consumer bank account credentials by a third party, banks will either refuse to offer instant transfers or take other steps to protect the consumer from fraud and their systems against fraudulent attacks caused by third parties with lax fraud and security protocols.

Hard to hide

Edwards said technology can help with both types of fraud. Banks can use technology to make “sender beware” prompts more robust, including alerting someone about to make a P2P transaction on a mobile phone that the recipient is not in their contacts.

Technology also makes it harder for individuals to hide where they were, what they purchased, and whether they were on recognized mobile devices. P2P transactions can be irreversible, but there is also a built-in level of security, due to the audit trail.

And authentication will be strengthened or reduced depending on the size of transactions and credentials. In the open banking world, logging in to a range of providers with the same credentials would be pointless without additional authentication prompts.

“Technology is a wonderful thing because it makes it difficult for fraudsters to hide,” Edwards said.

The most fundamental question to be answered, he said, is what is at the “foundation of the banking system in this country”: consumers who trust that their money is safe in the bank. It is a differentiator that banks, with decades of experience, have built over the years, and it is why nearly 90% of bank customers say they trust their banks.

With FinTechs, Edwards said, the lingering question is whether the third party exposes customers’ banking credentials every time they log on.

“It is the responsibility of FinTechs and financial institutions to create a safe environment for consumers to transact,” he told Webster, adding that “any FinTech that does not have proper assurance, appropriate security standards and appropriate credentials should be blocked.”


