The CFPB updated its Electronic Fund Transfers (EFTs) FAQs on December 13, 2021. It seems these updates have kind of flown under the radar as we haven’t seen much if any, discussion within our typical compliance circles. The focus of these updates was specific to person-to-person (P2P) payments.
The FAQs clarify that:
- P2P payments ARE subject to Regulation E. This includes payments initiated online, through an electronic terminal, via telephone, debit card, ACH, using a prepaid account or any other electronic method.
- P2P providers, such as PayPal, Venmo, etc., ARE financial institutions under Regulation E (similar to banks, credit unions, savings associations, etc.). When it comes to electronic funds transfer errors, the FAQs state, Any entity that is considered a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions. Generally speaking, the same requirements and restrictions of Regulation E apply to P2P providers the same as they do to banks, credit unions, and others.
- There are “narrow circumstances” where a financial institution could also be considered a service provider under §1005.14 of Regulation E. In these cases, the provider of the EFT service has the primary responsibility to resolve the error and the account-holding institution has more limited responsibilities but only in the case of ACH transactions where there is an access device but no agreement in place between the account-holding institution and P2P provider. This particular update made our heads spin a little bit and led us to contact the CFPB for further guidance. We plan to address this in more detail in the upcoming February edition of Banking on BCCand our “Regulation E: EFT Errors & Disputes” webinar on March 22nd!
Some other things of note from the updates include:
- The CFPB is seeing more and more institutions that deny disputes based on a consumer’s previous transactions with the same merchant. Here’s your warning shot: The CFPB does not like this and the FAQs indicate these institutions are being cited for not conducting a reasonable investigation.
- When someone uses stolen credentials (login information, etc.) to initiate a transfer, the transaction(s) is unauthorized, assuming the consumer receives no benefit. Some examples of access being obtained fraudulently were provided, such as someone physically stealing someone’s debit card or someone hacking into a third-party system or consumer’s phone to gain access.
It’s easy to feel defeated when it comes to Regulation E because trying to do right by your customer usually means you lose. It’s good to know; however, those P2P providers are, in fact, financial institutions and that, if they receive notice of an error, they too have error resolution responsibilities.
Published
2021/01/21