Compliance Blog

Over the past year, NAFCU has been hearing from credit unions about how to handle unauthorized use claims where a mobile payment app was used to facilitate the transaction. These questions range from whether the credit union is liable for the unauthorized transactions to whether the credit union may require the member to file a claim with the app provider first to whether the mobile app provider is actually the party responsible for resolving the claim. In the post-prepaid rule compliance world, the answers to these questions have become largely unclear.

Under sections 1005.6 and 1005.11 of Regulation E, the “financial institution” is responsible for resolving claims for unauthorized use, including being liable for the amounts if the investigation reveals the transaction was unauthorized. Before the prepaid rule, claims for unauthorized transactions made via a mobile payment app were more straightforward as the credit union was the only “financial institution” involved in the transaction with Regulation E error resolution responsibilities. If a member timely filed a claim that an unauthorized transaction was made using a mobile payment app, the rule required the credit union to investigate the claim and either refund the amount or provide evidence the claim was not unauthorized, depending on what the investigation revealed.

However, implementation of the prepaid rule has further complicated these already complex investigations. Under section 1005.2(b)(3), accounts that are issued on a prepaid basis, whether or not additional funds can be added after account opening, and are meant to be used at multiple unaffiliated merchants are considered “accounts” under Regulation E. Any entity that holds an “account” is considered a “financial institution.” The preamble to the 2016 final prepaid rule discusses mobile payment apps throughout and determines some of them are considered prepaid accounts; in which case, the app provider is a financial institution. Comment 1005.2(b)(3)(i)-6 provides the test for when an app is an “account” covered by Regulation E:

"Product acting as a pass-through vehicle for funds. To satisfy §1005.2(b)(3)(i)(D), a prepaid account must be issued on a prepaid basis or be capable of being loaded with funds. This means that the prepaid account must be capable of holding funds, rather than merely acting as a pass-through vehicle. For example, if a product, such as a digital wallet, is only capable of storing a consumer's payment credentials for other accounts but is incapable of having funds stored on it, such a product is not a prepaid account. However, if a product allows a consumer to transfer funds, which can be stored before the consumer designates a destination for the funds, the product satisfies §1005.2(b)(3)(i)(D)."

The result is that any mobile payment app that is capable of storing funds is an “account” and the entity holding that account is a “financial institution.” It is important to keep in mind that the language of the preamble and the rule focus on the capabilities of the payment app rather than how the consumer is actually using it. If funds can be stored in the app for any purpose or amount of time, then it falls within the definition of an account.

So, what does all this mean for your credit union? The most challenging issue this definition creates is that there are two financial institutions involved, both with equal Regulation E error resolution responsibilities for the same transaction. Filing a claim directly with the mobile payment app provider does not alleviate the credit union from its Regulation E obligations if the member also files the same claim with the credit union. If the app provider resolves the claim and refunds the unauthorized amount, credit unions may be able to debit any credit it provided for the same claim as discussed in this blog. However, the rule does not permit credit unions to refuse to investigate a claim until the member first tries to resolve it directly with the app provider. These investigations can put a strain on resources as the credit union is not always in the best position to investigate the claim. Each investigation requires the credit union to understand the complexities of the myriad payment apps, how they function and the way they process payments in order to determine whether the transaction was unauthorized. 

NAFCU is tracking the issues credit unions are facing in dealing with these types of unauthorized transaction claims. In October, we met with the CFPB to discuss some possible solutions under their various innovation policies. In order to best identify the right solution, we need your input. If your credit union has been battling this issue, please reach out to me or Andrew Morris, NAFCU Senior Counsel for Research and Policy, and tell us your challenges along with any thoughts you have on how these challenges could be resolved. Whether it’s simply an increased number of these claims or having to create new staff training tools for resolving these claims or increased costs, we want to know about it! Your input will greatly assist us in our continued discussions with the CFPB and could help ease your regulatory burden.