On June 4th, 2021 the Consumer Financial Protection Bureau (CFPB) released what appeared to be a innocuous Frequently Asked Question (FAQ) document clarifying the provisions of the Electronic Fund Transfer Act (EFTA) and specifically, the implications of Regulation E (Reg E).
It didn’t take long for industry analysts such as Trace Fooshsee of the Aite-Novarica group to recognize that this guidance signals a significant change in how many banks will have to manage social engineering fraud in the future.
The CFPB guidance is clear. Banks, as a matter of law, must offer Regulation E-compliant recourse to customers who have been duped into handing over their account access details to scammers. Although many banks already have policies that are aligned with this guidance, many others will need to re-examine their procedures if they wish to fare well during CFPB examinations.
What is Reg E?
Reg E has been around for decades. It was passed as a provision of the Electronic Funds Transfer Act (EFTA) in 1978, and has been a cornerstone of consumer fraud protection regulation ever since.
Reg E guarantees consumers the right to claim recourse for unauthorized Electronic Fund Transfers (EFT) from their bank accounts, on the condition that the transfer has not benefited said consumer, and that the unauthorized EFTs are reported to their bank in a timely manner.
Traditionally, may banks have focused their Reg E compliance efforts on unauthorized pull payments, such as those incurred when a bad actor steals a debit card, or makes a fraudulent payment request to a customer’s bank. The clarified guidance on June 4th is significant as it re-asserts Reg E’s wider provisions, overtly mentioning the need to reimburse victims of specific types of social engineering fraud.
Why is this important?
In short, the guidance makes it clear that customers who are scammed into handing over their account access details to a bad actor, can claim the Reg E protection for any unauthorized EFT that are subsequently made by that bad actor.
Previously, some banks have been reluctant to cover losses incurred by this type of fraud because they have wrongly presumed that those losses are:
- out of scope of Reg E, and that;
- any customer who has handed over their account access details to a bad actor has been, by
definition, negligent, and has therefore voided their right to protection in line with the bank’s terms and conditions of service.
The guidance however clearly refutes both points, stating specifically that:
“(W)hen a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.”
“(C)onsumer behavior that may constitute negligence (…) does not affect the consumer's liability for unauthorized transfers under Regulation E.”
What can I do about it?
There are two key things banks should do to ensure that they follow the clarified guidance.
Firstly, banks should be operationally ready to deal with an anticipated rise in Reg E claims. There are strict response times that must be adhered to, and banks should ensure that their dispute resolution systems are able to handle increased volumes of claims. Customer services teams should also be thoroughly briefed on the new requirements to ensure that customers are not denied access to their Reg E rights.
Secondly, Banks should seek to minimize their exposure to fraud by deploying technology that will prevent their consumers falling victim to social engineering scams in the first place.
Fortunately, banks are in an excellent position to take advantage of advanced customer authentication technologies (such as behavioral biometrics) that ensure that bad actors are not able to access the accounts of legitimate users.
How does this technology work?
Behavioral biometrics offers banks a unique opportunity to prevent unauthorized users gaining access to a legitimate customer's account.
Callsign’s behavioral biometrics work on the principle of positive identification.
We analyze how each individual user physically interacts with their device, tracking inputs like their typing cadence, the pressure they apply to their keypad, their mouse movements, and the angle at which they hold their mobile device.
These inputs are then used to create a unique model, which is calibrated to each individual user. This model defines the user’s ‘usual’ behavior and provides a baseline that subsequent interactions can be compared to. If, during a session, the user exhibits behavior that is outside that which is expected, the access attempt is identified as ‘unusual’, and therefore potentially fraudulent, and dealt with accordingly.
In practice, this means that even if the customer was tricked into giving their username, password, and even an SMS OTP to a bad actor, that bad actor would not be able to access the account.
Although the bad actor will have entered all the correct information, they will not have done so in a way that is consistent with the legitimate user’s behavior (i.e. the way that they type / hold their device / interact with the screen). As a result, the model will identify that it’s not the correct user conducting the session, and access to the bank account will be denied.
When Callsign’s behavioral biometrics are coupled with our advanced device identification, location analytics, and threat detection technology, a robust multifactor authentication capability can be realized. This combined approach stops even the most sophisticated attacks, without damaging user experience (see our Machine Learning Fusion whitepaper to find out how).
Why do I care?
Ultimately, the CFPB’s guidance can be interpreted as a statement of intent. This issue is on the regulator’s radar and it is clear that protecting users from those that would steal their account access information is no longer optional.
When the regulator calls and asks what robust protections banks are putting in place to ensure their customers are able to claim their Reg E rights, those banks need to ensure that they have an equally robust answer.