Fintech Legal Report – July 2022 #2 | Perkins Coie

Weekly Fintech focus

• Democratic senators are urging the CFPB to focus on bank liability for fraud that occurs on P2P payment platforms.
• CFPB and OCC issue $225 million fine to bank for mistakes related to unemployment benefits payments.
• UK financial regulators open consultation on oversight of financial institutions’ third-party service providers.

Dem Senators urge CFPB to focus on P2P payment platforms

A group of Democratic US senators sent a letter to the Consumer Financial Protection Bureau (CFPB) urging the agency to take a closer look at peer-to-peer (P2P) payment platforms like Zelle and consider modernizing consumer protections for these digital payment services. The senators recommend that the CFPB “send a strong signal that the agency expects banks under its supervision to bear more responsibility for allowing scammers and fraudsters to access services they have developed and currently market as secure platforms for sending and receiving money.” The senators further propose that the CFPB clarify that fraudulent payments on these P2P platforms are considered an “error” under Rule E when “a consumer is defrauded into initiating a transfer to a fraudster” and that some other acts of fraud can be considered an “unauthorized electronic money transfer.”

As noted in the letter, Rule E currently protects consumers if they are tricked into providing account information to a fraudster, but not if they open an application to transfer funds directly to the same fraudster. So in a case where a consumer falls victim to a scam and sends account information to another person who uses that information for fraud, the consumer can report this to the bank and be made whole by the bank. But if the same consumer opens their mobile banking app and initiates a Zelle transfer to the same fraudster, Regulation E protections don’t apply because the consumer sent the actual funds — not just the account information — and therefore the transfers weren’t “unauthorized.” “

The letter follows a growing trend of consumer lawsuits related to troubleshooting and fraud related to banks’ P2P payment platforms. Some of the signatories to the letter have been pursuing the issue of fraudulent transactions related to banks’ P2P payment platforms for some time.

Regulators issue $225 million fine to bank for failing unemployment payments

The CFPB and the Office of the Comptroller of the Currency (OCC) issued fines of $100 million and $125 million, respectively, to a major bank for the bank’s failure to spread government unemployment benefits during the height of the COVID-19 pandemic. The orders explain that the bank implemented an error-prone fraud detection program that automatically and illegally froze accounts with little customer right to lift the freeze, even though in many situations there was no actual fraud. The orders also require the bank to take steps to issue hundreds of millions of dollars in consumer redress.

The CFPB found that the bank engaged in unfair and abusive acts and practices that resulted in California residents not receiving unemployment benefits. These unfair and abusive actions included the bank replacing reasonable fraud investigations with a fraud detection program that included an overly simplistic fraud flagging system. The bank also retroactively applied the faulty fraud filter to deny some error messages that had previously been investigated and paid for. In addition, customers entitled to unemployment benefits had an extremely difficult time unlocking prepaid debit cards or reporting fraudulent use of these cards. The bank had advertised 24/7 availability for customer service, but the call center had a much lower level of support. Ultimately, the bank referred consumers to California’s unemployment department for verification to regain access to benefits, but the state regulator was not staffed for such a large number of consumer inquiries. The CFPB argued that the bank should have known it was redirecting consumers to an entity that could not handle their problems.

The OCC’s order involved similar allegations under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. These allegations relate to the bank’s failure to adequately investigate and resolve consumer claims, as well as other deficiencies in the bank’s administration of the program, including operational processes, risk management and other internal controls.

British financial regulators want to strengthen supervision of third-party service providers

The Bank of England launched a consultation to review the safeguards and guidance in place relating to third party service providers performing certain outsourced functions for regulated financial institutions. The Prudential Regulation Authority and the Financial Conduct Authority noted that they are concerned about the risks posed by certain outsourced services, including cloud services and other data-related services, if the firms providing these services fail or are disrupted. As financial institutions digitize their services or use outsourcing partners to provide additional services directly to the financial institution, such as by outsourcing data services to third-party cloud service providers, these financial institutions may incur additional risks. Such risks increase when the outsourced services are critical to a financial institution’s functions. To that end, regulators are seeking solutions for how to identify critical third parties and then how to set standards for the resilience of those third parties.

The Bank of England’s consultation comes as legislation was introduced in Parliament that would give regulators more power to oversee third-party service providers. In addition, the consultation and legislation have significant similarities to the EU’s Digital Operational Resilience Act (DORA), which addresses certain third-party service providers under the regulation of financial services and will be implemented across the EU by the end of 2022.

[View source.]