Weekly Fintech Focus

  • Democratic senators urge CFPB to focus on bank liability for fraud occurring on P2P payment platforms.
  • CFPB and OCC issue $225M fine to a bank for failures related to unemployment benefits payments.
  • UK financial regulators open consultation on oversight of financial institutions’ third-party service providers.

Dem Senators Urge CFPB Focus on P2P Payment Platforms

A group of Democratic U.S. senators sent a letter to the Consumer Financial Protection Bureau (CFPB) urging the agency to take a harder look at peer-to-peer (P2P) payment platforms like Zelle and to consider modernizing consumer protections for these digital payment services. The senators recommend that the CFPB “send a strong signal that the agency expects banks under its supervision to bear more responsibility for letting scammers and fraudsters onto services that they developed and that they currently market as safe platforms to send and receive money.” Further, the senators suggest that the CFPB clarify that fraudulent payments on these P2P platforms be considered an “error” under Regulation E when “a consumer is defrauded into initiating a transfer to a scammer” and that some other acts of fraud could be considered an “unauthorized electronic fund transfer.”

As noted in the letter, Regulation E currently protects consumers if they are tricked into giving account information to a fraudster, but not if they open an application to transfer funds directly to that same fraudster. So, in an instance where a consumer falls victim to a scam and sends account information to another person who uses that information for fraud, the consumer could report that to the bank and be made whole by the bank. However, if that same consumer opens their banking mobile app and initiates a Zelle transfer to that same fraudster, Regulation E protection does not apply because the consumer sent the actual funds—not merely the account information—and therefore the transfers were not “unauthorized.”

The letter follows a growing trend of consumer lawsuits related to error resolution and fraud tied to bank P2P payment platforms. Some of the signatories to the letter have been pursuing the issue of fraudulent transactions related to bank P2P payment platforms for some time.

Regulators Issue $225M Fine to Bank for Unemployment Payment Failures

The CFPB and the Office of the Comptroller of the Currency (OCC) issued fines of $100 million and $125 million, respectively, to a large bank for the bank’s failures in dispersing state unemployment benefits during the height of the COVID-19 pandemic. The orders explain that the bank implemented a faulty fraud detection program that automatically and unlawfully froze accounts with little customer recourse to unfreeze even though in many situations there was no actual fraud. The orders also require that the bank take steps to issue hundreds of millions of dollars in consumer redress.

The CFPB found that the bank engaged in unfair and abusive acts and practices that resulted in California residents not receiving unemployment benefits. These unfair and abusive acts included the bank replacing reasonable investigations of fraud with a fraud detection program that included an overly simplified fraud flagging system. The bank also retroactively applied the faulty fraud filter to deny some error notices that had previously been investigated and paid. Additionally, customers entitled to unemployment insurance benefits had an extremely difficult time unfreezing their prepaid debit cards or reporting fraudulent use of those cards. The bank had advertised 24/7 availability for customer service, but its call center was operating at a much lower level of support. Finally, the bank sent consumers to the California state unemployment department for verification to regain access to benefits, but the state regulator was not staffed for such a high volume of consumer inquiries. The CFPB asserted that the bank should have known it was redirecting consumers to an entity that could not manage their issues.

The OCC’s order involved similar allegations under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. Those allegations relate to the bank’s failure to adequately investigate and resolve consumer claims, as well as other deficiencies in the bank’s administration of the program, including operational processes, risk management, and other internal controls.

UK Financial Regulators Look to Strengthen Oversight of Third-Party Service Providers

The Bank of England launched a consultation to review the protections and guidance in place related to third-party service providers that perform certain outsourced functions for regulated financial institutions. The Prudential Regulation Authority and the Financial Conduct Authority noted that they are concerned about the risks posed by certain outsourced services, including cloud and other data-related services, should the firms providing those services fail or be disrupted. As financial institutions digitize their services or use outsourcing partners to provide more services directly to the financial institution, such as by outsourcing data services to third-party cloud service providers, those financial institutions could incur additional risk. Such risks increase when the outsourced services are critical to a financial institution’s functions. To that end, regulators are seeking solutions about how to identify critical third parties and then how to set standards regarding those third parties’ resilience.

The Bank of England’s consultation comes at the same time legislation was introduced in Parliament that would give regulators more power to oversee third-party service providers.  Additionally, the consultation and legislation have significant similarities to the European Union’s Digital Operational Resilience Act (DORA), which addresses certain third-party service providers under the purview of financial services regulation and will be implemented across the EU by the end of 2022.