Last month, the CFPB updated its Electronic Funds Transfer FAQs, which deal with Electronic Funds Transfer Act (EFTA) and Regulation E compliance. The FAQs provide guidance on Regulation E coverage and error resolution requirements, with most of the new questions focusing on person-to-person (P2P) payment providers and P2P transfers.
While the FAQs offer clarification for financial institutions, they do not create any new obligations or requirements under Regulation E. The FAQs are intended to clarify existing rules and to provide an overview of the CFPB’s understanding of the regulation. However, it is important to note that the FAQs do not represent binding rules.
Regarding the coverage of P2P payment providers, the FAQs reiterate that a non-bank P2P payment provider can be a financial institution if it holds a consumer’s account. The CFPB notes that an “example of an account that a non-bank P2P payment provider may directly or indirectly hold is a prepaid or mobile account whose main function is to make P2P transfers”. The FAQs also state that a provider of P2P payment or bill payment services that does not hold an account can be a financial institution if it issues an access device. For example, “a P2P provider can enter into an agreement with a consumer for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account.”
Regarding the coverage of P2P transfers, the FAQs state that they can be electronic funds transfers (EFTs), including those made via debit card, ACH, prepaid account or other electronic transfer to or from a consumer’s account. The FAQs also remind financial institutions that P2P credit-push transfers and pass-through debit card transfers are EFTs.
The FAQs further state that Regulation E requires financial institutions to investigate and resolve errors involving P2P transfers that are EFTs. The FAQs provide that an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider is considered an unauthorized EFT, even if the consumer does not have an existing relationship with the non-bank P2P payment provider. The CFPB also provides two examples of unauthorized P2P transfers:
- “A consumer shares account access information in order to complete a transaction with a third party, such as a merchant, lender or employer offering direct deposit, and a fraudster obtains the consumer’s account access information by hacking into the third party’s computer system. The fraudster then uses a P2P payment application provided by the bank to initiate a credit push payment from the consumer’s deposit account.”
- “A consumer shares his debit card information with a P2P payment provider in order to use a mobile wallet. A fraudster then hacks the consumer’s phone and uses the mobile wallet to initiate a debit card transfer from the consumer’s deposit or prepaid account.”
Other FAQs cover: transactions considered to be EFTs, entities considered to be financial institutions, what constitutes an error for the purposes of EFTA and Regulation E, the error resolution obligations of a financial institution and what an unauthorized EFT is. Previous CFPB FAQs on fraudulent inducements, consumer negligence, private network rules, and police reporting remain unchanged.