Should Banks Be Liable for Unauthorized Push Payments Fraud?

“Caveat emptor,” goes the old saying — buyer beware.

And now, in the digital age, as peer-to-peer (P2P) transactions between bank accounts gain ground and fraudsters impersonate legitimate people and businesses, the mantra now becomes “sender beware.”

Ingo Money CEO Drew Edwards told Karen Webster that digital plus the introduction of fast P2P rails has made all consumers increasingly comfortable with P2P, as evidenced by triple-digit percentage gains in Zelle and Venmo volumes.

It’s also made fraudsters pretty comfortable, too, exploiting the instant, irrevocable nature of these transactions.

And it’s made consumers increasingly uncomfortable with the bank’s position to refund their money if it ends up in the fraudster’s hands.

“There’s still a bit of education that needs to be administered in the banking industry to keep reminding consumers of their liability,” Edwards said.

A Question of Trust

At the center of the debate is the increasing number of consumers who have fallen victim to scammers who convince consumers to send money to a bad guy’s account. Scams cost consumers as much as $6.1 billion in 2021, as reported by the Federal Trade Commission (FTC), up from $3.4 billion the previous year. Through the first quarter of 2022, the losses top $1.7 billion. These scams run the gamut from romance scams to deals on highly-sought-after consumer goods to enrollment in training or educational courses that never existed.

In such cases, the regulations, specifically Reg E, are clear: If a consumer authorizes the transfer, the financial institution (FI) has no liability — meaning the bank is not obligated to refund the money to the consumer.

The P2P model as it exists now is a “sender beware model,” Edwards said, adding that there are prompts during and just before the process is concluded that inform the sender that the transaction is irrevocable, that they’d better check and re-check the recipient’s information.

Edwards said these situations are no different than a consumer writing and signing a check that’s mailed to a fraudster or executing a wire transaction to a bad guy. If those funds clear the consumer’s account, the onus is on the sender.

“Why should P2P be any different,” Edwards asked rhetorically. “Simply put, if the funds are sent to the wrong person but the bank was told to do it — well, then, that’s the sender’s problem.”

Taking any different stand is akin to a blank checkbook for a crook, he said, especially with friendly fraud schemes — where the idea of writing checks, making payments, consumers claiming they did not get what was ordered and demanding refunds would proliferate.

Where Things Get Murky

Where things are a little less clear is when a consumer’s bank account credentials have been compromised by a third party to whom the consumer has authorized access to their credentials, and those account credentials are used to commit fraud. Use of those credentials is clearly unauthorized by the consumer, but authorized by the consumer to be used by that third party.

It’s the use case that’s made national headlines recently, and one that has also captured the attention of the Consumer Financial Protection Bureau (CFPB), which has revised its FAQs to include unauthorized liability that fits this definition. It says clearly that if an account holder shares credentials with a third party and that third party is compromised — and the fraudster uses those credentials to access the account holder’s account and move money — the bank is responsible.

Is that, Webster asked, an open checkbook for third parties, FinTechs, to be less rigorous about their own know your business (KYB) and fraud systems and protocols?

It’s complicated, said Edwards, adding that someone other than the consumer must be responsible, including the bank, to retain the trust of the consumer that the bank is a safe place to keep their money. It’s also where the liability structure of other, more time-tested payment methods can be instructive.

“No one would use a credit or debit card if there weren’t capped liabilities that essentially keep the cards from being passports to empty bank accounts,” Edwards said.

On the other hand, he said that the FinTechs should be indemnifying the bank on those compromised transactions. FinTechs carry insurance for that purpose, and FIs’ agreements with data platforms that use application programming interface (API) access to bank accounts rather than screen scraping can block anything not expressly authorized by the end user.

“After all, open banking is not a free-for-all,” said Edwards. “The bank has got to police which third parties they are willing to give access to open banking.”

Otherwise, open banking will die on the vine, he said. If regulators hold banks liable for the illegitimate use of consumer bank account credentials compromised by a third party, banks will refuse to offer instant transfers or take other measures to protect the consumer from fraud and their systems from fraud attacks caused by third parties with lax fraud and security protocols.

Hard to Hide

Edwards said technology can help with both types of fraud. Banks can use technology to make “sender beware” prompts more robust, including alerting someone about to make a P2P transaction on a mobile phone that the receiver is not in their contacts.

Technology also makes it harder for individuals to mask where they were, what they bought, and whether they were on recognized mobile devices. P2P transactions may be irreversible, but there is also a level of safety built in, due to the audit trail.

And authentication will be stepped up or down based on transaction sizes and credentials. In the open banking world, logging on to a range of providers with the same credentials would be moot without additional authentication prompts.

“Technology is a wonderful thing because it makes it hard for the fraudsters to hide,” Edwards said.

The more fundamental issue to be addressed, he said, is what is at “the foundation of the banking system in this country” — consumers trusting that their money is safe at the bank. It’s a differentiator that banks, with decades of experience, have built up over the years and why nearly 90% of bank customers say they trust their banks.

With FinTechs, Edwards said, there is the perennial question whether the third party is exposing customers’ bank credentials each time they log in.

“The onus is on the FinTechs and the financial institutions to create a safe environment for the consumers to be able to transact,” he told Webster, adding that “any FinTech that does not have proper insurance, proper security standards and proper credentials should be blocked.”