Payments Pros – The Payments Law Podcast

Senators Urge CFPB to Increase Consumer Protection Against Payment App Scams

Episode Summary

This episode of Payments Pros spotlights an episode from The Crypto Exchange, where Kalama Lui-Kwan joins Payments Pros hosts Keith Barnett and Carlin McCrory to discuss consumer protection under Regulation E.

Episode Notes

This episode of Payments Pros spotlights an episode from The Crypto Exchange, where Kalama Lui-Kwan joins Payments Pros hosts Keith Barnett and Carlin McCrory to discuss consumer protection under Regulation E. They delve into a July 2022 letter from Democratic senators, urging the CFPB to hold banks liable for consumer losses when the consumers provide alleged fraudsters with access to their own accounts through payment apps. Keith and Carlin examine the senators' concerns and the potential significant impact on financial institutions from any changes that the CFPB makes.

Episode Transcription

Payments Pros – The Payments Law Podcast: Senators Urge CFPB to Increase Consumer Protection Against Payment App Scams
Speakers: Keith Barnett, Carlin McCrory, and Kalama Lui-Kwan

Keith Barnett:

Welcome to another episode of Payments Pros, a Troutman Pepper podcast focusing on the highly regulated and ever evolving payment processing industry. This podcast features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. From the BSA to EFTs, FinTech Direct tech, licensure to lending, Nacha to the FTC, to the CFPB and payment processing to debt collecting, our team has you covered.

My name is Keith Barnett and I'm one of the hosts of the podcast and a partner at Troutman Pepper. Before we jump into today's episode, let me remind you to visit and subscribe to our blog, And don't forget to check out our other podcasts on We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, the Fair Credit Reporting Act, cybersecurity, hot button labor and employment law issues and more.

Make sure to subscribe to hear the latest episodes. From time to time, we share episodes from other podcasts throughout our firm that touch on issues we think will interest you, our listeners. Today, we are pleased to share with you an episode from The Crypto Exchange podcast that discusses consumer protection under Regulation E and the push from Democratic senators urging the CFPB to hold banks liable for consumer losses when the consumers provide alleged fraudsters with access to their own accounts through payment apps. We hope you enjoy the episode.

Kalama Lui-Kwan:

Welcome to another episode of The Crypto Exchange, a Troutman Pepper podcast focusing on the world of digital assets and payments. As longtime leaders in the intersecting worlds of law, business and government regulations, our lawyers can go beyond the buzzwords and headlines to make sense of the emerging legal and regulatory frameworks for operating in the digital asset and payments industries. My name is Kalama Lui-Kwan and I'm one of the hosts of the podcast and a partner at Troutman Pepper.

Before we jump into today's episode, let me remind you to visit and subscribe to our blog, And don't forget to check out our other podcast on We have episodes that focus on trends that drive enforcement activity, consumer financial services, the Fair Credit Reporting Act, cybersecurity, hot button labor and employment law issues and more. Make sure to subscribe to hear the latest episodes.

Today I'm joined by my colleagues Keith Barnett and Carlin McCrory to discuss consumer protection revisions under Reg E, as well as a recent effort by democratic senators to encourage the CFPB to strengthen payment app fraud protections. Keith and Carlin, looking forward to that discussion today. And Keith, let's start with you. On July 20th, a group of Democratic senators wrote to Director Chopra at the CFPB regarding their concerns about scams on payment apps. Could you tell us a little bit about that letter?

Keith Barnett:

Yeah, sure. Thanks, Kalama. So, these Democratic senators stated in their letter that peer-to-peer instant payment platforms are highly susceptible to fraud because payments are obtained nearly instantaneously. The letter goes on to state that under the Electronic Fund Transfer Act, a consumer is protected if they are tricked into handing over account information to a fraudster who then initiates a transfer.

Now, they are fine with that because the consumer is protected, but they also add that a consumer is not protected if they are tricked into opening an application to transfer funds directly to the fraudster. And that's what they don't like, right? The letter states that, consumers should be protected under EFTA or whatever law, actually in both circumstances, and the senators want the banks to provide that protection under EFTA. And they have an interesting argument as to why.

The senators argue that determining liability based on whether a consumer or a fraudster physically initiates a transaction is antiquated. These laws were written in the 1970s and now we're in 2022, and they want the laws to catch up with the times. It's not suited for the current system where the consumers will only need a cell phone number and a username to send a peer-to-peer payment from a mobile device to pretty much get money anywhere.

So, the letter actually poses suggested remedies, several of them, or at least two of them. First, the senators think that the CFPB should clarify that in certain circumstances a payment is an error, and I'll put that in air quotes, under EFTA when a consumer is defrauded into initiating a transfer to someone who turns out to be a scammer.

Second, the senators want the CFPB to issue guidance that a fraudulently induced transaction is an unauthorized electronic fund transfer. And I put that in air quotes as well. That it's unauthorized under the EFTA, which could also end up shifting liability to the financial institutions from the consumers.

Lastly, the letter states that there should not be any concerns about the bank being a victim because EFTA already protects banks against transfers initiated with fraudulent intent by the consumer. And just to give you a little bit more background before I close this out, this letter comes on the heels of an April letter sent by Senators Warren and Menendez saying that fraud is flourishing on peer-to-peer payment platforms. And those platforms and their bank partners have abdicated responsibility for fraudulent transactions or at least abdicated their own responsibility for it. The senators raised concerns over what they called ongoing failure by the banks and payment platforms that own the service to address the scams and provide appropriate redress to the defrauded consumers.

Carlin McCrory:

And Keith, I think that's a really interesting point, because while the banks are protected from fraud against their consumers, a lot of these times the fraudsters aren't consumers with the bank, they're not banking with that specific bank. So how are the banks expected to protect against these third-party fraudsters that are coming in and duping the consumers? It's an interesting problem and I'm not sure that there's really a remedy there.

Kalama Lui-Kwan:

It is an interesting problem. And Carlin, there are other provisions in Reg E that currently protect consumers. Could you tell us a little bit about those?

Carlin McCrory:

Yeah, sure, Kalama. Reg E sets forth the conditions in which consumers can be held liable for unauthorized transfers. And its commentary expressly states that negligence by the consumer can't be used as the basis for imposing greater liability than is permissible under the regulation. The CFPB also has explicitly stated, and I quote, "When a consumer is fraudulently induced into sharing account access information with a third party and a third party uses that information to make an EFT from the consumer's account, the transfer is an unauthorized EFT under Regulation E."

And this is exactly the point that the letter is trying to address, is that the sharing of account access information is different from the consumer actually transferring funds directly to a fraudster. Additionally, the CFPB has stated that there's a variety of situations where a consumer may hand out account access information. These would be considered unauthorized EFTs.

This could be something like a third party calling the consumer and pretending to be a representative from the financial institution and tricking the consumer into providing their account login information. And then even that texted account confirmation code, they may hand over their debit card number or any other information to initiate an unauthorized EFT.

The other situation that the CFPB mentions is a third party using phishing or other methods to gain access to a customer's computer and watch the consumer entering their account login information and EFTs stemming from these situations are deemed unauthorized EFTs under Reg E. As for damages, EFTA allows for a one-year statute of limitations on claims. For class actions, a court may award actual damages for the consumers, as well as an amount that the court determines, which should not be more than the lesser of either $500,000 or 1% of the net worth of the bank, as well as attorney's fees.

Kalama Lui-Kwan:

That's helpful. Keith, given what Carlin just shared with us, do you think the CFPB will be receptive to the letter from the senators?

Keith Barnett:

Probably, because the senators who sent the letter, they're Democrats and they are in lockstep with the leadership at the CFPB. In that same vein, or at least along those lines, these senators are all about consumer protection and sometimes at the expense of the financial institution. And in fact, on July 19th, the Wall Street Journal published an article stating that the CFPB, at least at that point in time, had been preparing to PROC banks to pay back more customers who are victims of these alleged scams.

And in the article, the Wall Street Journal states that the bureau was preparing to release that guidance in quote, "In the coming weeks." But now here we are nearly a month later and we still have not heard anything. And that doesn't mean that the CFPB is not going to act, it just means that it appears to be taking its time and hopefully thinking these things through because as Carlin mentioned, we have a situation where the tail is wagging the dog.

The senators sent this letter mainly because there's been an increase in the number of lawsuits, class action lawsuits in particular against banks and peer-to-peer payment platforms alleging Reg E violations. So, they are getting pressure from their constituents. And also, according to the Wall Street Journal article, the bank and industry groups are expected to fight any expanded interpretation of EFTA or their legal obligations.

And in the lawsuits that have been filed against the banks and payment platforms, they've argued that Reg E is not as expansive as the plaintiffs say it is. And it looks like the senators are asking the CFPB to expand that. And to dig a little bit more deeply with respect to the bank's argument, the banks are arguing that the Reg E error resolution notice does not provide that a consumer would be protected from these types of losses as Carlin mentioned.

And the Reg E notice states, "You could lose all your money in your account." And the Reg E notice goes on to stay, "To notify us immediately if you believe that an electronic fund transfer has been made without your permission." So, in these various cases, the consumers are transferring their own funds, so they are not without the consumer's permission, they are actually with the consumer's permission.

And there are defenses the banks are taking advantage of, because Reg E defines unauthorized as, "A transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit." The cases argue that EFTA does not apply to an authorized transfer intentionally made by a banking customer, even if the banking customer later comes to regret it. And of course, they'll later come to regret it through their own negligence.

And then one last point here, the CFPB needs to be careful with respect to whatever it does, and maybe that's the reason why we have not had any regulations yet, because adding a new requirement to the banks is a huge undertaking that has the potential to be very costly to banks. And these banks may push these costs back down to the consumers, the very consumers that the CFPB purports to protect.

A lot of people in the industry are saying, and I actually agree with them, that pushing the liability to the banks will likely lead consumers to abuse the liability rules because they'll say, "Oh, let's make the banks pay anyway. They have money to burn." Those are some interesting issues there.

Kalama Lui-Kwan:

Yeah. Let's focus on that last point, Keith, because I think that's something that's worth discussing. Carlin, just thinking forward, what do you think some of the unintended consequences will be flowing from these greater protections?

Carlin McCrory:

Other than what Keith already said, this really will affect the smaller financial institutions that can't afford to dish out the money for all of these unauthorized transactions. And again, the cost may be passed on to consumers just like Keith said.

Also, I know from speaking with various financial institutions that they are already reimbursing consumers for these types of claims, and it's been a large burden on them in reimbursing these consumers already. Really, enhancing the protections means that these institutions will just be losing out on more money and the costs are likely going to be passed on to customers.

Also, since a customer's negligence can't be considered, we commonly see that these individuals are being tricked over the phone to send funds to a fraudster. We've seen that in a bunch of these class action cases. And so, while the financial institutions can give training tips and tricks to its customers that the bank will never ask for this sort of information, customers are still going to end up transferring money to these fraudsters on a regular basis. And there's not much that the bank can do to prohibit this.

Kalama Lui-Kwan:

That's helpful. I wonder, Keith, following up on that, Rohit Chopra has been on an interviewing spree recently and we'll actually discuss what he's had to say on payments in a coming episode. But could you talk a little bit about what he shared with Law360 recently as it relates to these lawsuits?

Keith Barnett:

The question posed to Rohit Chopra by Law360 was, "From where you sit now, do you think banks and other platform operators are doing a good enough job of helping consumers who get scammed on these services?" Now, anyone who knows Chopra knows that ... You already know the answer to that question. It's almost an unfair leading question.

But at any event, he noted that he had seen student debt relief scams at the Department of Education and the romance scams at the FTC along with general identity theft issues. It's showing that I've seen this before just in different formats. And he noted that the Bureau is looking at the issue pretty broadly, and it is a part of what the CFPB is reviewing from its big tech payments orders that they issued a while ago, and they're trying to figure out their way going forward.

And he noted that real-time payments are becoming more prevalent in the developed world, though that necessarily means that fraud will surge. And he said that he'd like for the United States to take a more innovative or different path. He also acknowledged that some companies are actively trying to reduce fraud by asking, for example, the last four digits of the recipient's phone number.

But he really didn't show his cards at this point and didn't really call out any payment platforms by name, to his credit. But the fact that he is entertaining this is significant. And with that, you'll see the shift of the CFPB under Chopra. And by that, I'm not necessarily talking about the shift to Chopra from the Trump nominated directors beforehand. I'm actually talking about the shift from his former boss, Richard Cordray to him, because under Cordray, the CFPB initiated enforcement actions and investigations against financial services companies for alleged wrongdoing that either the financial services companies allegedly committed or their vendors committed, or their service providers or some other agents committed against consumers.

But now think about this, Chopra appears to now be considering expanding the scope of CFPB potential rulemaking and potential enforcement by holding financial institutions liable for the acts of others who are not vendors, who are not any type of third-party service providers and are not the financial institutions themselves. So, if you think about this, the financial institutions may be liable for acts performed by fraudsters when the financial institutions are not the ones who let the fraudsters in.

And in many cases, Carlin talked about negligence earlier, but it was the customer's own negligence that caused the problem. And if the financial institutions will have to pay, that's just very problematic, in my opinion.

Kalama Lui-Kwan:

Indeed, it is. Keith, Carlin, we're out of time, but thank you very much for joining us today. And thank you to our audience for listening to today's episode. Don't forget to visit our blog And please make sure to subscribe to this podcast, whether you use Apple Podcast, Google Play, Stitcher or some other platform, we'll look forward to the next episode. Thanks again.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only.This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper.If you have any questions, please contact us at