Mobile App Fraud and Regulation E
Over the past several months, more and more consumers have turned to mobile payments. Whether to send money to a family member out of work or to pay for groceries at the local market, contactless payments are on the rise. Fraudsters have also caught on to this trend and some credit unions have seen an increase in fraud claims for payments made via mobile apps. As a result, the NAFCU Compliance team has gotten some questions from credit unions on resolving these claims.
We’ve covered some issues with mobile payment apps in previous blogs. This blog post discusses the overlapping error resolution responsibilities between the credit union and the app provider and clarifies a credit union is not permitted to require members to attempt to resolve the claim with the app provider first. This blog post explains how it is up to the credit union to prove a transaction was properly authorized before it may deny a fraud claim. NAFCU has also met with the CFPB on this issue and continues to advocate for more clarity. For a general refresher on unauthorized EFTs under Regulation E, check out this article.
Today’s post covers another FAQ on mobile app fraud and Regulation E. Here’s the scenario and question at issue:
Jane adds her debit card information to a mobile payment app and that information is stored in the app. John hacks into her payment app account and uses the stored credentials to initiate transactions. Jane submits a notice of error to her credit union stating the transactions initiated by John through the app are unauthorized EFTs. As Jane provided her debit card information to the app provider and authorized the provider to initiate transactions, would all transactions made through the app be considered authorized EFTs regardless of whether Jane or John initiated an individual transfer?
NAFCU reached out to the CFPB using its regulatory inquiries system and received non-binding, informal guidance on this question. The following information is based off that discussion. While this is not an official interpretation of Regulation E, credit unions may still find this information helpful in making risk-based determinations on how to proceed with these types of claims.
The argument for the answer to be yes goes a bit like this: the investigation and resolution of these types of unauthorized transactions fall on the app provider because Jane authorized the provider to have her payment credentials and initiate transactions. As such, all transactions the app provider initiates are authorized regardless of who initiates each individual transaction. As credit unions are not required to investigate authorized transactions, it is up to Jane to resolve the claim directly with the app provider and the credit union has no Regulation E error resolution responsibilities.
The key issue with this type of argument is there is no way under the current rules to separate the relationships between the credit union, member and app provider. At the end of the day, it is the credit union’s access device (debit card) being used to facilitate transactions through a third-party. The existence of the third-party does not terminate the relationship between the credit union and its member which means both the credit union and the app provider may have some responsibilities to the member for unauthorized transactions. This is especially true if the app provider is considered a “financial institution” under Regulation E by virtue of the prepaid accounts rule. The challenge from a regulatory supervisory perspective is how to ensure all app providers correctly understand whether and to what extent they are covered under Regulation E.
Another issue with this type of argument is that Regulation E does not contemplate a blanket authorization to initiate transactions each time a member provides her payment information to a third-party. Giving a third-party access to payment credentials does not equate to giving that third-party authorization to conduct transactions the member did not actually initiate. For example, Jane gives her debit card information to her gym. The gym uses that information to collect her monthly membership fee and pay for items Jane charges to her account at the gym. If the gym charges Jane’s July membership fee twice or charges her card for items she did not purchase, those transactions are not authorized simply because Jane gave the gym her debit card information. In other words, the authorization happens at the individual transaction level, as determined by the scope of the authorization, even when multiple transactions between the parties are contemplated. As a result, the scope of Jane’s authorization to her gym could be relevant in determining which transactions are considered unauthorized.
Dealing with these types of fraud claims can be challenging as the credit union may not have access to all the information it needs to properly investigate because of the involvement of a third-party. However, section 1693g(b) of the Electronic Fund Transfers Act (EFTA) puts the burden on the credit union anyway. Credit unions may want to consider suggesting the member also reach out to the app provider (though the Regulation E error resolution timeframes still apply to the credit union if it received a notice of error from the member) and reviewing any authorization the member provided to app provider.
* * *
NAFCU will be closing at noon tomorrow and will be closed all day Friday in observance of Independence Day. We’ll be back to blogging on Monday. Have a safe and enjoyable holiday weekend!