Last month, the CFPB updated its Electronic Fund Transfers FAQs that address compliance with the Electronic Fund Transfer Act (EFTA) and Regulation E. The FAQs provide guidance on Regulation E’s coverage and on the error resolution requirements, with the bulk of the new questions focusing on person-to-person (P2P) payment providers and P2P transfers.
While the FAQs help provide some clarity for financial institutions, they do not provide any new obligations or requirements under Regulation E. The FAQs seek to clarify existing rules and provide insight into the CFPB’s understanding of the regulation. However, it is important to note the FAQs do not represent binding rules.
With regard to coverage for P2P payment providers, the FAQs reiterate that a non-bank P2P payment provider can be a financial institution if it holds a consumer’s account. The CFPB notes an “example of an account that a non-bank P2P payment provider may directly or indirectly hold is a prepaid or mobile account whose primary function is to conduct P2P transfers.” The FAQs also note a non-account-holding provider of P2P payment or bill payment services can be a financial institution if it issues an access device. By way of example, “a P2P provider may enter into an agreement with a consumer for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account.”
With regard to coverage for P2P transfers, the FAQs note these can be electronic fund transfers (EFTs), including those via debit card, ACH, prepaid account or other electronic transfer to or from a consumer’s account. The FAQs also remind financial institutions that credit push P2P transfers and debit card pass-through transfers are EFTs.
The FAQs further advise that Regulation E requires financial institutions to investigate and resolve errors involving P2P transfers that are EFTs. The FAQs provide that an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider is considered an unauthorized EFT, even if the consumer does not have an existing relationship with the non-bank P2P payment provider. The CFPB also provides two examples of unauthorized P2P transfers:
- “A consumer shares their account access information in order to enter into a transaction with a third party, such as a merchant, lender, or employer offering direct deposit, and a fraudster obtains the consumer’s account access information by hacking into the computer system of the third party. The fraudster then uses a bank-provided P2P payment application to initiate a credit push payment out of the consumer’s deposit account.”
- “A consumer shares their debit card information with a P2P payment provider in order to use a mobile wallet. A fraudster then hacks into the consumer’s phone and uses the mobile wallet to initiate a debit card transfer out of the consumer’s deposit or prepaid account.”
Other FAQs address: transactions that are considered EFTs, entities that are considered financial institutions, what is an error for purposes of the EFTA and Regulation E, a financial institution’s error resolution obligations, and what is an unauthorized EFT. The CFPB’s previous FAQs on fraudulent inducement, consumer negligence, private network rules, and police reports remain unchanged.