Social engineering scams (scams in which criminals exploit someone’s trust to obtain money or confidential information before committing a serious misdeed) are flourishing in the United States.
According to BioCatch data, these scams have risen by a significant 57% since 2021. Banking customers have generally been the targets of such scams. While some have lost their life savings in such incidents, financial institutions have suffered brand damage.
The spotlight has turned to how Regulation E (Reg. E), a rule designed to protect consumers who use ATMs and online banking, is interpreted. With social engineering scams rising so sharply, financial institutions have come under scrutiny, especially over how they respond to customers who suffer a financial loss from fraudulent digital transactions.
In 2021, the Consumer Financial Protection Bureau (CFPB) updated its guiding principles for dealing with social engineering scams, and the same rules were endorsed by the Federal Deposit Insurance Corporation (FDIC) in 2022.
This updated guidance also helps financial institutions deal with the liability fallout of social engineering scams.
Fraud professionals dealing with a high volume of customer reports related to fraud/disputed transactions are also familiar with Regulation E.
Earlier, Regulation E was given a ‘biased’ interpretation of banks’ responsibilities to customers after fraud, and that reading did not satisfy the CFPB and FDIC. Under that interpretation, if a fraudster illicitly obtained a customer’s credentials and carried out unauthorized transactions, it was treated as the customer’s fault, and the customer had to bear the financial consequences.
In 2021, the CFPB reconsidered how liability is determined under the concept of ‘unauthorized fraud’ in Reg. E. The updated guidance now covers areas such as the source of fraudulent transactions and how hackers gained access to customer accounts.
The updated Reg. E guidance also addresses social engineering scams in detail. Common crimes in this category are impersonation of a trusted party (such as the customer’s bank), crypto and other investment scams, and romance scams.
Under the amended guidance, a customer can claim Reg. E protections if any digital transaction from his or her account meets this criterion of unauthorized fraud.
The CFPB recognizes unauthorized fraud, or account takeover (ATO), as an electronic transaction in which the customer was not involved in executing the payment itself.
Once a customer complaint is lodged, the financial institution must either establish first-party fraud or accept financial liability under the amended Reg. E.
In other words, if the FI cannot prove that the customer is lying or intentionally provided misleading information about who logged into the account and completed the disputed transaction, it must reimburse the customer for the losses. Consequently, in light of this new regulatory guidance, FIs need to ensure that their fraud, compliance and legal teams are internally aligned so that unauthorized fraud claims are settled correctly.
Authorized fraud has also received industry attention recently because of an increase in P2P payments fraud (peer-to-peer payment app fraud, in which a criminal steals another person’s payment information and uses it to make unauthorized transactions or purchases).
In most P2P payment fraud cases, the customer is persuaded via phone calls or SMS messages to send money to the fraudster, either directly or through a money mule, and the transaction goes through a P2P platform.
For authorized fraud transactions, banks have recently changed their approach and accepted liability for the contested transactions because of factors such as customer pressure, media attention, fear of customer attrition, and concern about regulatory scrutiny.
With neither the CFPB nor the FDIC offering guidance on financial liability for authorized fraud transactions under Reg. E, the banking industry is waiting for another set of amended guidelines. Legislation on this matter is currently pending in the U.S. House of Representatives.
Senators Elizabeth Warren and Robert Menendez are also pressing for a rule change under which banks would have to accept liability for authorized fraud under Reg. E.
These legislative initiatives in the United States are largely influenced by similar experiences in the United Kingdom.
The UK’s Payment Systems Regulator has already published a proposal for amendments that would make reimbursement for authorized fraud mandatory.
While recent legislative reform initiatives from American and British lawmakers have finally begun to serve customers’ interests in dealing with fraud, financial institutions face pressure to cope with the growing number of fraud incidents. They must adopt customer-friendly and robust risk controls backed by artificial intelligence and machine learning, and they can also use advanced tools such as behavioral biometrics and mobile data intelligence.
While threat actors are upgrading their skills, cybersecurity tools are getting smarter too. Financial institutions need to adopt these threat detection mechanisms to protect customers’ life savings and their own brand value.