When the FDIC issued a report in March 2022 clarifying that FDIC Regulation E of the Electronic Transfer Act protected victims of fraudulent activity, and that the banks and P2P payment platforms were both responsible for fraudulent electronic transfers, I started talking with banks about the potential coming liability shifts to authorized push payments (APP). At that time, the overwhelming sentiment was, “Meh … it’ll never happen.” Turns out, those early assessments weren’t quite accurate.

Since then, a flurry of draft regulations around APP liability and reimbursements has surfaced, and there’s increased scrutiny on how responsibility for fraudulent transactions should be allocated. With the FDIC’s clarification that both banks and P2P platforms share liability for fraudulent transfers under Regulation E, the landscape of financial crime prevention is evolving. This shift could have far-reaching implications for the industry, potentially exposing banks and payment providers to greater risks and requiring them to adopt more stringent fraud prevention measures.

As the conversation around APP fraud liability continues to gain momentum, it’s essential for financial institutions to be proactive in understanding and preparing for these changes. In this blog, I take inventory of prior potential regulatory APP liability shifts and the banking industry’s response to those discussions, and what the shifts could mean for financial institutions.

What Is the Potential Liability Shift in APP Fraud?

The potential liability shift in APP fraud involves holding both the sending and receiving financial institutions accountable for unauthorized transactions by fraudsters. This means that banks could be responsible for refunding customers who fall victim to APP fraud, a significant change from the current situation where liability often rests solely on the consumer.
The FDIC’s clarification of Regulation E marked a significant turning point, signaling a shift in how responsibility for fraudulent transactions is viewed. By holding both sending and receiving institutions accountable under the Electronic Transfer Act, the groundwork was laid for a broader conversation about liability in cases of APP fraud. This clarification sparked increased scrutiny from lawmakers, who began to question whether financial institutions were doing enough to protect consumers from fraudulent activity. It wasn’t long before this scrutiny led to more direct challenges.

Following the FDIC report in March 2022, Senators Warren, Menendez, and Reed sent a letter in April to one of the leading platforms calling out what the Senators believed to be widespread fraud and the lack of controls in the banks and platforms to stop it. At the next Senate Banking, Housing, and Urban Affairs Committee (BHUA) hearing in D.C., Senator Warren asked each of the five banks’ CEOs whether they would commit to refunding customers who report to their banks that they’ve been defrauded through Zelle. At that point, none of the CEOs was willing to make that commitment.

Senator Warren then followed up with a report stating, “Fraud and theft are rampant on Zelle – and are increasing,” and that banks were “not repaying the vast majority of cases where customers were fraudulently induced into making payments on Zelle.” In response, the American Bankers Association and three other financial trade organizations pushed back against Senator Warren, claiming, “The report issued today offers no constructive solutions to better prevent and crack down on fraud.”

At the time, it appeared the banks, their associations, and the platforms hoped that their pushback would quash any regulatory response to consumer payment fraud impacts. It didn’t. Instead, regulators began to signal that the receiving bank would eventually be liable for reimbursement of P2P fraud losses.
How Has Zelle Responded to APP Fraud?

Zelle, the leading P2P platform, has taken proactive steps by expanding its network operating rules to require participating financial institutions to reimburse consumers for certain qualifying imposter and APP scams. On June 30, 2023, they announced that they had expanded their “network operating rules to require all participating financial institutions to reimburse consumers for certain qualifying imposter scams.” This move, however, only addresses a portion of the fraud cases, highlighting the need for broader industry collaboration.

On July 23, the Senate Permanent Subcommittee on Investigations (PSI) released a staff report on Zelle fraud and bank failures to protect consumers. In the report, the PSI stated that Zelle’s “policy change resulted in $18.3 million in reimbursed scam claims in the six months following its implementation, amounting to approximately 15 to 20 percent of all scam disputes on the Zelle Network within that time frame.”

While Zelle’s policy change marked a significant step toward addressing APP fraud, it became clear that more comprehensive measures were needed to protect consumers on a broader scale. The limitations of Zelle’s actions, as highlighted in the Senate report, underscored the necessity for legislative intervention to close the gaps left by individual platforms.

What Is the Protecting Consumers from Payment Scams Act?

Earlier in August, the U.S. House Committee on Financial Services introduced the Protecting Consumers from Payment Scams Act, which aims to close loopholes and clarify the Electronic Fund Transfer Act (EFTA) to better protect consumers who are defrauded when they make payments. The Act is written to ensure consumer protection for bank wire transfers and electronic transfers authorized by phone.
It proposes a European-style liability shift, suggesting that losses from unauthorized fraud payments should be shared between the consumer’s financial institution and the receiving institution. Additionally, it suggests extending liability to other firms that facilitate payments, encouraging them to enhance authentication and financial fraud prevention efforts.

Getting Dizzy?

Regulators, banks, fintechs and payment platforms continue to zigzag their way through the best way to handle shifts in liability for APP fraud losses, with each side taking small steps toward a solution. For its part, the U.S. government has attempted a measured, direct response, seemingly continuing to push toward regulation in the hopes that the industry will self-regulate and take what they believe to be the industry’s fair share of the loss. And, while the industry has worked hard to implement technologies to limit losses to consumers and identify APP fraud sooner, it may not be fast enough.

As the financial industry grapples with these evolving challenges, it’s worth examining how similar liability shifts have played out in other areas, such as the transition to EMV chip technology, which offers valuable lessons for handling fraud and liability in the digital age.

The EMV Liability Shift

EMV — a global standard for credit and debit card payments that uses embedded microchips, commonly referred to as “chip cards,” to authenticate and secure transactions at the point of sale (POS) — replaced the magnetic stripe in 2015 and significantly reduced card-present fraud. However, it also led to an increase in card-not-present fraud, particularly in online transactions where a physical card is not required. Payment networks like Visa and Mastercard have implemented security measures — some leveraging machine learning — and safeguards to protect cardholders, including the adoption of biometrics and the expansion of contactless payment options.
Meanwhile, Payment Service Providers (PSPs) and the Payment Systems Regulator (PSR) play crucial roles in enforcing Anti-Money Laundering (AML) policies to prevent the creation of mule accounts and other fraudulent activities. As these systems evolved, the responsibility for fraud has been increasingly shared among payees, PSPs, card issuers, and financial institutions, guided by frameworks like the contingent reimbursement model to ensure fairness and security in the digital payment ecosystem.

Navigating the Shift in APP Fraud Liability

As the liability shift for APP fraud continues to evolve, it’s important for businesses to understand how this change impacts the broader financial ecosystem. Traditionally, eCommerce merchants have been more focused on mitigating risks associated with card-not-present transactions and managing chargebacks related to credit card fraud. However, with the introduction of the EMV chip and advancements in CRM systems, the landscape of financial crime is shifting. While these technologies have helped reduce fraud in some areas, they also highlight the need for a comprehensive approach to security that encompasses all aspects of payment processing, especially as the liability for fraud increasingly moves from consumers to the institutions facilitating these transactions.

With the government considering shared liability for fraudulent APP payments and wire transfers among sending banks, receiving banks, and other firms, steps can be taken now to reduce fraud and minimize financial losses.

For Receiving Banks

Receiving banks should focus on identifying money mules, accounts that have been taken over, and synthetic identities hiding within your portfolio. Analysis has shown that banks and fintechs of all sizes have roughly 3-4% synthetic identities within their open and active customer populations.
If you have not taken appropriate steps to stop third-party and synthetic fraud from entering your portfolio at new account opening, your percentage of fraudulent identities actively operating in your customer account population may be even higher. Additionally, if you have lax sign-in controls or do not have enough rigor around non-monetary changes to your customer accounts, you will also likely have many accounts that could have been taken over by bad actors.

The best way to identify these fraudulent accounts hiding in your portfolio is to perform Portfolio Scrubs. Portfolio Scrubs can be performed securely in a batch environment once annually, or more often, to identify and set up treatment strategies to efficiently tease out bad actors from your account base. There are several fraud companies that can provide this type of analysis for you, and I would be happy to direct you to a few of them.

For Sending Banks

Sending banks should implement an efficient platform, like DataVisor, which can be used to rapidly build predictive rules and signals, and develop Unsupervised (UML) and Supervised Machine Learning (SML) models and AI-driven strategies to discover and identify fraudulent ACH, wire, P2P, and other fraudulent transactions. This is essential to stay ahead of APP liability shifts. While DataVisor’s platform is built for even a businessperson to easily create custom models, if you don’t have an analytics team or need help in developing analytic models and strategies, DataVisor also has out-of-the-box solutions that can be used to identify these types of fraud.

Other Firms

For financial firms involved in facilitating payments, the first step is to identify which entities might fall under the new regulation. Many players participate in the APP process, even if they aren’t directly handling payment processing. These entities often connect scammers with consumers and could be impacted by the regulation.
This group includes:

- Telecom companies like AT&T, Verizon, and T-Mobile
- Email providers such as Gmail, Yahoo, and Hotmail
- Social networks like Craigslist and Facebook Marketplace, where consumers purchase items like puppies or event tickets that never materialize
- Government agencies, often impersonated by scammers to intimidate consumers into paying fabricated debts or falsely claim involvement in federal investigations

Of course, P2P providers like Zelle, Venmo, CashApp, and even the FedNow Real-Time Payment (RTP) service by the Federal Reserve are the most obvious targets. These entities shouldn’t wait to see if they fall under the definition of “discretionary” or “other firms,” as they are likely the primary focus of this regulation.

It’s Time to Act

While Zelle has led efforts to combat APP fraud, there has been no coordinated attempt to share fraud data – such as IP addresses, device information, or flagged bank accounts – across P2P providers. Establishing a real-time data-sharing program among these competitors could demonstrate to the government that the financial services industry is capable of self-regulation and is committed to fraud detection and mitigation.

The financial services industry still has an opportunity to collaborate and self-regulate, potentially avoiding stricter government enforcement. It’s crucial for banks, fintechs, and other key players to take swift action, showing regulators that they can effectively work together to reduce bank fraud and other types of fraud, and protect consumers. Regardless of whether the outcome is self-regulation or new government-imposed rules, the APP fraud liability shift is imminent, and it’s time to prepare.
About Mike Cook

Mike Cook, the expert who coined the term "synthetic fraud" and redefined credit risk scores, has earned a reputation as a trailblazer in the field. With multiple patents to his name, Mike's innovations have set new standards in detecting and combating fraud.