We believe that an “accepted access device” under Regulation E could include a P2P payment app that your customer has attached to their bank-issued debit card. Under Regulation E, an access device is a “card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers,” and an access device is generally “accepted” when “the consumer . . . [r]equests and receives, or signs, or uses the access device to transfer money between accounts or to obtain money, property, or services.” We believe that if your customer attaches their bank-issued debit card to a P2P payment app and uses the app to initiate debit card transactions, the app would be considered an “accepted access device” under Regulation E.
Additionally, a non-bank P2P payment app provider that allows a consumer to initiate debit card transactions is considered a “financial institution” with error resolution obligations under Regulation E. Regulation E states that any person “that issues an access device and agrees with a consumer to provide electronic fund transfer services” is a “financial institution.” Further, the CFPB has issued FAQs on Regulation E and P2P payments, which explain that a P2P payment provider may meet the definition of a financial institution. For example, a non-bank P2P provider that enters into an agreement with a consumer “for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account” is a financial institution for Regulation E purposes. The CFPB’s FAQs also explain that both the account-holding depository institution and a non-bank P2P payment provider both would have error resolution obligations if the customer notifies them of an error related to a payment made through the P2P payment app.
In some situations, an account-holding financial institution has limited error resolution responsibilities. This is the case when the non-bank P2P provider qualifies as a “service provider” — an entity that issues an access device to a bank customer without an agreement with the bank regarding such access. However, as noted by the CFPB’s FAQs, “an ACH agreement combined with another agreement to process payment transfers — such as an ACH agreement under which members specifically agree to honor each other’s debit cards,” (i.e., the debit card network rules) constitutes an agreement, meaning that the account-holding institution has full error resolution responsibilities.
For resources related to our guidance, please see:
- Regulation E, 12 CFR 1005.2(a)(1) (“‘Access device’ means a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”)
- Regulation E, 12 CFR 1005.2(a)(2) (“An access device becomes an ‘accepted access device’ when the consumer:
(i) Requests and receives, or signs, or uses (or authorizes another to use) the access device to transfer money between accounts or to obtain money, property, or services;
(ii) Requests validation of an access device issued on an unsolicited basis; or
(iii) Receives an access device in renewal of, or in substitution for, an accepted access device from either the financial institution that initially issued the device or a successor.”)
- Regulation E, 12 CFR 1005.2(i) (“‘Financial institution’ means a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services, other than a person excluded from coverage of this part by section 1029 of the Consumer Financial Protection Act of 2010, title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 1376.”)
- CFPB, Electronic Fund Transfers FAQs, Coverage: Financial Institutions, Question 2 (“Can non-bank P2P payment providers be considered financial institutions under Regulation E? Any P2P payment provider that meets the definition of a financial institution, as discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, is a financial institution under Regulation E. . . . Additionally, . . . non-account-holding providers of P2P payment or bill payment services are considered covered financial institutions under Regulation E if the provider issues an access device and agrees with a consumer to provide EFT services. . . . For example, a P2P provider may enter into an agreement with a consumer for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account. Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions.”)
- CFPB, Electronic Fund Transfers FAQs, Coverage: Financial Institutions, Question 3 (“If a non-bank P2P payment provider initiates a debit card ‘pass-through’ payment from the consumer’s account held by a depository institution to a different person’s account at another institution, is the non-bank P2P payment provider considered a financial institution under Regulation E? Generally, yes. As discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, an entity that issues an access device and agrees with a consumer to provide EFT services, is considered a financial institution under Regulation E. . . . Thus, if an entity, including a non-bank P2P payment provider, enters into an agreement with a consumer to provide EFT services and issues an access device, and initiates a debit card ‘pass-through’ payment, then that entity would be covered as a financial institution under Regulation E. Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error.”)
- CFPB, Electronic Fund Transfers FAQs, Coverage: Financial Institutions, Question 4 (“If a consumer uses a non-bank P2P payment provider to initiate a debit card ‘pass through’ payment from the consumer’s account held by a depository institution, is the depository institution considered a financial institution under Regulation E, even though the transfer was initiated through the non-bank P2P payment provider? Yes. As discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, the definition of financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide EFT services. . . . Here, because the depository institution holds the consumer’s deposit account, it is considered a financial institution under Regulation E with full error resolution obligations. . . . Electronic Fund Transfers Coverage: Financial Institutions Question 1 discusses a narrow circumstance where a non-account-holding financial institution is considered a ‘service provider’ and any account-holding financial institution has more limited error resolution responsibilities; however that provision does not apply when there is an agreement between the non-account-holding financial institution (the non-bank P2P payment provider) and the account-holding financial institution (the consumer’s depository institution). . . . An ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards – is an ‘agreement,’ and thus this section does not apply. Comment 14(a)-2. Thus, where, as here, an EFT is initiated through a non-bank P2P payment provider using a consumer’s debit card information, the P2P provider and the account-holding financial institution are parties to an agreement to honor each other’s debit cards – the debit card network rules – and the service provider provision in 12 CFR 1005.14, discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, does not apply. Accordingly the account-holding financial institution has full error resolution responsibilities.”)