If our customer attaches a debit card issued by our bank to a non-bank person-to-person (P2P) payment mobile application, and our customer temporarily loans their phone to a friend, who uses the P2P app to send themself money without permission, would the P2P app be considered the access device? Would the non-bank P2P provider be considered the “financial institution” for error resolution purposes, meaning we can refer the customer to the non-bank P2P provider if the customer notifies us of the fraudulent transaction? Would the answer to this change if the P2P app instead accessed our customer’s account directly rather than through a debit card? Would this even be considered an unauthorized electronic fund transfer (EFT) since the customer voluntarily loaned their phone to their friend? How would this answer change if the fraud was instead committed by an unknown third-party scammer who obtained our customer’s P2P app username and password?

Yes, we believe the non-bank P2P payment mobile application would be the relevant “access device” in this scenario, as Regulation E defines “access device” as a “card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”

Also, a non-bank P2P provider could be considered a “financial institution” with error resolution obligations under Regulation E, since it has issued an access device and agreed with the consumer to provide electronic fund transfer services. However, this does not mean that your financial institution would not also have error resolution obligations to the customer. The CFPB has issued FAQs on Regulation E and P2P payments, which explain that even if a non-bank P2P payment provider initiates a debit card ‘pass through’ payment, the account-holding depository institution is still considered a “financial institution” under Regulation E “with full error resolution obligations” because “the depository institution holds the consumer’s deposit account.”

We do not believe that apps accessing customer accounts directly would be treated differently than apps that use a customer’s debit card — the CFPB’s FAQs state that “Regulation E applies to any person-to-person (P2P) or mobile payment transactions that meet the definition of EFT, including debit card, ACH, prepaid account, and other electronic transfers to or from a consumer account.”

We believe that a transfer initiated by a friend who was loaned the consumer’s phone would be considered an “unauthorized” EFT. The CFPB’s FAQs state that a transfer from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider is considered an unauthorized EFT “because the EFT was initiated by a person other than the consumer without actual authority to initiate the transfer — i.e., the fraudster — and the consumer received no benefit from the transfer.” Also, the exception for situations in which a consumer grants authority to make transfers to a third party, who then exceeds that authority, would not apply. Presumably your customer did not provide the friend with authority to make transfers when loaning out the phone. Similarly, if a third-party scammer obtained the customer’s username and password, without the consumer’s permission to make transfers, those transactions would be considered unauthorized.

For resources related to our guidance, please see:

  • Regulation E, 12 CFR 1005.2(a)(1) (“‘Access device’ means a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”)
  • Regulation E, 12 CFR 1005.2(i) (“‘Financial institution’ means a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services, other than a person excluded from coverage of this part by section 1029 of the Consumer Financial Protection Act of 2010, title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 1376.”)
  • CFPB, Electronic Fund Transfers FAQs, Coverage: Financial Institutions, Question 4 (“If a consumer uses a non-bank P2P payment provider to initiate a debit card ‘pass through’ payment from the consumer’s account held by a depository institution, is the depository institution considered a financial institution under Regulation E, even though the transfer was initiated through the non-bank P2P payment provider? Yes. As discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, the definition of financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide EFT services. . . . Here, because the depository institution holds the consumer’s deposit account, it is considered a financial institution under Regulation E with full error resolution obligations.”)
  • CFPB, Electronic Fund Transfers FAQs, Coverage: Transactions, Question 1 (“What transactions are covered by the Electronic Fund Transfer Act and Regulation E? The term ‘electronic fund transfer’ or ‘EFT’ means any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer’s account. . . . Accordingly, Regulation E applies to any person-to-person (P2P) or mobile payment transactions that meet the definition of EFT, including debit card, ACH, prepaid account, and other electronic transfers to or from a consumer account.”)
  • CFPB, Electronic Fund Transfers FAQs, Error Resolution: Unauthorized EFTs, Question 3 (“Is an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider considered an unauthorized EFT? Yes. Because the EFT was initiated by a person other than the consumer without actual authority to initiate the transfer – i.e., the fraudster – and the consumer received no benefit from the transfer, the EFT is an unauthorized EFT. . . . This is true even if the consumer does not have a relationship with, or does not recognize, the non-bank P2P payment provider.”)