CFPB Updates Regulation E FAQs to Address P2P Payments and Providers
Happy Friday, compliance friends! I’m coming at you today from my new office at the new house! It will take some work to get settled and make it cozy, but for now, I’m so excited to have my own space in our very own home.
Today, we’re talking about the CFPB’s Regulation E FAQs. We previously blogged about the Regulation E FAQs in June of 2021 when the bureau issued this helpful compliance aid; and on December 13, 2021, they updated it. The update encompasses additional questions and answers regarding person-to-person/peer-to-peer (P2P) payments and payment providers in relation to Regulation E. It is important to note that, while the FAQs help provide some clarity for financial institutions, they do not provide any new obligations or requirements under Regulation E. The FAQs simply seek to clarify existing rules and provide insight into the CFPB’s understanding of the regulation.
Some of the new FAQs appear to stem from the bureau’s Fall 2021 Supervisory Highlights, where the CFPB identified issues with some financial institutions’ error resolution processes for misdirected payments. These misdirected payments were a result of various “token errors” during the P2P payment process, where the consumer entered the correct identifying token information for the recipient, but there was inaccurate or outdated information in the digital payment network directory. The bureau found that “institutions violated Regulation E by failing to determine that token errors constituted “incorrect EFTs” under the regulation.
The new FAQs clarify, in the “Transactions” section, that P2P payments can be considered EFTs under Regulation E, and states that “any P2P payment that meets the definition of EFT is covered by the Electronic Fund Transfer Act (EFTA) and Regulation E.” Additionally, this section makes clear that P2P payments that use a consumer’s debit card to transfer funds, credit-push P2P payments that transfer funds out of a consumer’s deposit, prepaid or mobile account, and P2P debit card “pass-through” payments are all considered EFTs which are subject to Regulation E’s requirements.
The “Financial Institutions” section provides that a non-bank P2P payment provider can be considered a financial institution if it “directly or indirectly holds an account belonging to a consumer.” Question 2 of this section provides the “example of an account that a non-bank P2P payment provider may directly or indirectly hold is a prepaid or mobile account whose primary function is to conduct P2P transfers.” Moreover, a P2P provider that does not hold consumer accounts may be considered a financial institution “if the provider issues an access device and agrees with a consumer to provide EFT services.” The example provided in the FAQs for this scenario would be where a P2P provider enters an agreement with consumers for a mobile wallet service that may be utilized to make debit card transactions from the consumer’s external bank account to another person’s external bank account. Question 2 wraps up with the reminder that all financial institutions (including P2P providers that meet the definition) have error resolution responsibilities under the section 1005.11, with only limited exceptions.
The “Error Resolution: Unauthorized EFTs” section of the FAQs further reiterate that Regulation E requires financial institutions to investigate and resolve errors involving P2P transfers that are unauthorized EFTs. Question 3 of this section provides that an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider is considered an unauthorized EFT. This is because “the EFT was initiated by a person other than the consumer without actual authority to initiate the transfer – i.e., the fraudster – and the consumer received no benefit from the transfer.” This scenario meets the definition of an unauthorized EFT found in section 1005.2(m) of the regulation. Moreover, question 11 confirms that a depository institution will still have full error resolution obligations under Regulation E if a fraudster initiates an EFT from the consumer’s account through a non-bank P2P provider even if the consumer does not have an existing relationship with the non-bank P2P payment provider.
Question 10 explains that private network rules or other agreements that provide for “interbank finality and irrevocability” do not diminish consumer protections against liability for unauthorized EFTs under the Electronic Fund Transfer Act, and emphasizes that “no agreement between a consumer and any other person may waive any right provided by the EFTA.”
Check out the CFPB’s Electronic Fund Transfers FAQs here for all of the questions and answers regarding Regulation E’s requirements.