Article State:

Re-Evaluate Your Fraud Policies Now

Financial institutions that have not already done so should begin work now to make their P2P fraud protection policy explicit.

Financial institutions need to have reasonable policies that are crafted to reflect care for the accountholder, while at the same time not enabling them to be careless. The institution needs to clearly define fraud vs scam in simple and plain English. Oftentimes, policies contain too much legal language that a reasonable consumer doesn’t understand, which makes the actual conversations with them at a later point much more difficult. Having clear policies upfront will help the accountholder understand what they may be held liable for, and what your institution will be responsible for under Reg E. Follow the direction and guidance from your legal team, and don’t be afraid to talk with your examiner. Since P2P fraud is not limited to any one platform, it may be beneficial to create a general or multiplatform P2P fraud protection policies, because stronger consumer protections could be on the way.

In August, there was a rumor that the CFPB would be issuing guidance on institution liability for instant payment fraud within weeks, but so far has not done so. In October of 2022, Senator Elizabeth Warren (D-Mass) criticized institutions that fail to “make their customers whole” and calling on them to honor their “zero liability” fraud policies. However, is that fair? Financial institutions have built many processes to prevent account takeover, but in many cases, the customer has provided them access to their account. If zero liability was in play, what would prevent a fraudster from talking to consumers and being active in the actual fraud together? The pendulum can swing both ways, so this must be strictly defined.

Fraud protection teams should maintain constant awareness of emerging schemes related to P2P. This knowledge should be leveraged using fraud analysis software designed to analyze payment transactions – specifically systems able to detect excessive payment attempts in short periods (minutes), able to tell whether digital payments are “in network” or “out of network,” and able to detect dollar amounts or transaction volumes falling outside accountholder norms for various timeframes. These are typically categorized as fraud and consumers are covered under Reg E.

Institutions offering P2P solutions like Zelle® or FedNow should also spend significant time working to strike the appropriate balance between the kind of activity users would like to conduct versus the institution’s risk appetite for fraud. For some institutions, this may be more conservative transaction ceilings and payment volume limits until they are better able to gauge their P2P fraud vulnerabilities. After a time of evaluation using tighter restrictions, they may decide to gradually expand what is permitted. Having a fraud committee review new products and services is always helpful.

Maximizing Awareness
“Fraud” refers to unauthorized transactions, meaning transactions that a consumer does not themself authorize and initiate. This can happen when a fraudster obtains the consumer’s account access credentials. On the other hand, “scams” refer to transactions that are authorized and initiated by a consumer, but the consumer is convinced to make the payment through deception, such as when a scammer convinces to send money for nonexistent goods. However, it’s the grey area in the middle that is causing so much confusion and angst to institutions.

This is at the heart of the confusion caused by the recent FAQs the Consumer Finance Protection Bureau (CFPB) released in June 2021 and December 2021. These were not new laws passed, but instead new interpretations of existing Reg E laws.

Most institutions are trying to be sympathetic and reasonable, but some are still confused about what is fraud and what is a scam. Losses resulting from the victim’s explicit authorization and initiation of payment, whether for merchandise or the movement of money to the fraudster, usually remain with the victim, as typically these are categorized as scams. Losses in which the victim did not initiate or authorize payment and the fraudsters conducted the transactions themselves are defined as fraud – and covered by Reg E. This is even the case when the victim divulged passwords and authentication codes to the fraudster. If the institution built all these processes to protect the consumer’s account, but the consumer helps the fraudster through them, this is at the heart of the confusion where consumers, media, and even congress are picking sides.

So as an institution how should you be thinking about this?
One of the best strategies any institution can implement to help consumers is an aggressive messaging campaign about activity that can lead to an authorized loss of funds (scams) or account takeover (fraud). The fundamental message should make it abundantly clear that the institution will never call, text, or email asking the accountholder for information that could grant access to an account, nor will it seek accountholder authorization for any kind of funds transfer. Accountholders enrolling in P2P should always receive clear, practical education. However, your messaging should blanket the entire accountholder base. You need to clearly define what is a scam and what is fraud. What is the responsibility of the consumer in both of those instances?

Successful messaging campaigns need to be far-reaching and should be renewed on a regularly recurring cycle throughout the year. Institutions reporting the best results followed a program of combined methodologies. Embedded website messages, mass emails, and pamphlets or infographics are a few ideas that have worked well. Zelle® provides an entire website of materials your institution can use. A major awareness thrust can work to reduce not just scams, but fraud in general. Helping customers understand what to look for and to always be skeptical is a good thing in this fight.

Conclusion
As P2P continues to gain popularity, consumer expectations for their institutions to offer it will continue to grow. Clear, realistic, well-considered P2P policies, and getting ahead of scams and account takeover fraud before it happens should be a priority for financial institutions. Make sure you have clear educational materials for fraud and scams and educate, educate, and educate your customers on the differences. Not only will it help your customers, but it will also help your fraud staff from having those difficult conversations with customers after they lost money. With the addition of a few simple steps and strategies, your institution can equip itself to be better positioned with your current P2P solution, or when you roll out any instant real-time payments in the future.