CFPB Updates Electronic Fund Transfers FAQs
December 16, 2021
On Dec. 13, 2021, the Consumer Financial Protection Bureau (“CFPB”) updated its FAQs compliance aid[1] on electronic fund transfers (“EFTs”).[2] The prior June 4, 2021 version highlighted certain Regulation E requirements and noted Regulation E violations it had previously identified in its Supervisory Highlights, which included (1) requiring consumers to provide notice of error within a shorter time frame than required by law,[3] (2) requiring consumers to file a police report or other documentation to initiate an error resolution investigation,[4] and (3) requiring the consumer to contact the merchant about a potential unauthorized EFT before initiating an error resolution investigation.[5]
The updated guidance emphasizes the CFPB’s expectations with respect to the interaction among the following provisions of the Electronic Fund Transfer Act (“EFTA”) and its implementing regulation, Regulation E:[6] (1) coverage of person-to-person (“P2P”) and mobile payment transactions, (2) the “service provider” provisions of Regulation E,[7] (3) error resolution procedures and consumer liability limits, and (4) unauthorized EFTs.
None of the guidance appears to be a new interpretation of the EFTA or Regulation E. Rather, the FAQs appear to emphasize the broad consumer protections Regulation E affords consumers who hold asset accounts, including checking, savings, prepaid and mobile accounts, particularly within the framework of non-bank P2P providers who operate amidst a diversity of threats from cybercriminals.
While the guidance does not establish new requirements under Regulation E, the FAQs, which consist of about twenty-four (24) sets of questions and answers, reiterate certain requirements to industry, including those we highlight below:
- Non-bank providers of EFT services may be covered “service providers” subject to certain requirements of Regulation E.[8] Generally, a person who provides EFT services to a consumer, but does not hold the consumer’s account, may be a “service provider” under Regulation E if (1) the person issues an access device that the consumer can use to access the account, and (2) no agreement exists between the access device issuer and the account-holding financial institution. Importantly, whether a “service provider” is involved may impact the error resolution responsibilities of the account-holding institution.
- Regulation E limits consumer liability for unauthorized EFTs conducted by fraudsters.[9] The CFPB affirms Regulation E protections for consumers where fraudsters first obtain account access information through hacking, phishing, tricking or fraudulently inducing the customer and then use such information to conduct unauthorized EFTs.
- Multiple institutions involved in an unauthorized EFT may be subject to the error resolution requirements of Regulation E.[10] If an unauthorized EFT occurs, all covered financial institutions involved must comply with the error resolution requirements of Regulation E, and the consumer is protected by the liability protections for unauthorized EFTs under Regulation E. The FAQs focus on such scenarios in the context of P2P payment providers where unauthorized transfers involve both account-holding financial institutions and non-bank providers, both of whom may have responsibilities under the error resolution provisions of Regulation E.
As a reminder, anyone in the payments space, including bank and non-bank providers, must carefully consider their responsibilities and consumers’ rights and protections under Regulation E.
Schulte Roth & Zabel’s lawyers are available to assist you in addressing any questions you may have regarding these developments. Please contact the Schulte Roth & Zabel lawyer with whom you usually work, or any of the following attorneys:
Donald J. Mosher – New York (+1 212.756.2187, donald.mosher@srz.com)
Kara A. Kuchar – New York (+1 212.756.2734, kara.kuchar@srz.com)
Jessica Sklute – New York (+1 212.756.2180, jessica.sklute@srz.com)
Melissa G.R. Goldstein – Washington, DC (+1 202.729.7471, melissa.goldstein@srz.com)
Adam J. Barazani – New York (+1 212.756.2519, adam.barazani@srz.com)
Jessica Romano – New York (+1 212.756.2205, jessica.romano@srz.com)
Hadas A. Jacobi – New York (+1 212.756.2055, hadas.jacobi@srz.com)
Steven T. Cummings – New York (+1 212.756.2251, steven.cummings@srz.com)
[1] “Compliance Aids” are a relatively new category of compliance resources produced by the CFPB. Compliance Aids are not “rules” under the Administrative Procedure Act, and they are not intended to make decisions that bind regulated entities. Rather, “Compliance Aids are designed to accurately summarize and illustrate the underlying rules and statutes.” 85 Fed. Reg. 4579 (Jan. 27, 2020), available here.
[2] The updated FAQs can be found here.
[3] FAQ 3 of Error Resolution.
[4] FAQ 4 of Error Resolution.
[5] FAQ 9 of Error Resolution: Unauthorized EFTs.
[6] 15 U.S.C. § 1693, et seq.; 12 C.F.R. Part 1005.
[7] 12 C.F.R. § 1005.14.
[8] FAQs 1–4 of Coverage: Financial Institutions.
[9] See, e.g., FAQs 3–6 of Error Resolution: Unauthorized EFTs.
[10] FAQ 4 of Error Resolution: Unauthorized EFTs.
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2021 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.