Faster Payment Fraud and the Elephant in the Room

As we move closer to the rollout of FedNow next year, the Fed has been proactively creating and distributing documentation on the various aspects of its faster payment solution. Certainly fraud is a component of faster payments that is on everyone’s mind. Zelle, which has been available in the U.S. since June of 2017, has experienced a high level of fraud and it has everyone…nervous. Is Zelle not a secure service? Is it getting regularly hacked by bad actors?  Not at all, but Zelle has one element that has drawn the attention of criminals looking to commit payment fraud and that is finality. Zelle’s push credits are irrevocable and final when presented. And as it turns out, so is every other “faster payment” solution.

The issue is not some flaw in the technology related to the faster payment solutions. The issue is whether or not a person or company gets duped into sending money to a fraudster and then uses a faster payment service to push a credit to that criminal. The fact that the other party is a bad actor and that the customer was duped into sending the money is completely unrelated to the faster payment option that was used. It would have been fraud if the customer sent cash, wrote a check or paid with Bitcoin. But they used a faster payment option and that system worked perfectly, acting on the specific instructions of the customer to move that money. The service was not hacked, and there was no override of limits or authorizations. The term being used for this is “Authorized Push Payment” (APP) fraud. The customer made a mistake in trusting the bad actor and because of that mistake, our industry is going to overreact to address the “APP Fraud” that is “inherent” in using faster payment solutions, and it looks like it could absolutely happen.

I was reading a resource from the Federal Reserve on how they will address fraud. It is an excellent piece; you can access it here. As I reviewed this piece, it became clear to me that the fraud addressed is exclusive to how financial institutions should protect their systems and customer data. There is no reference to anything related to Authorized Push Payment fraud in the fraud-at-a-glance document, but it is APP fraud that has the industry so up in arms. Unlike ACH and Card, there is no option for a customer to instruct their FI to return a faster payment credit. It is delivered and settled with finality. So is the financial institution responsible for the behavior of their customers if all our systems operate in the manner in which they were designed? Perhaps so.

In the U.K., there is a movement underway to make banks responsible for their customers’ errors regarding push credits. Regardless of court cases that found in favor of the banks, it is clear that there is an effort to make banks responsible for some or all of APP fraud losses a customer incurs, even though the bank systems all worked perfectly and the customer authorized the credits. Here in the U.S., Reg E does not cover APP fraud … today. However, there are those that consider APP fraud to be essentially the equivalent of corporate account takeover and suggest that Reg E should be modified to make the FIs liable for APP fraud. The CFPB has stated that banks should not consider customer negligence in deciding applicability of Reg E. However, taking the customer’s potential negligence out of the equation would seem to set up an environment where the customer has no incentive to scrutinize the transactions they conduct. Caveat Emptor anyone? There is an excellent article on LinkedIn that has more on APP Fraud and Reg E –

It is not my place to opine on whether or not APP Fraud should be covered by financial institutions. I will, however, opine that while our industry should undertake any and all reasonable efforts to protect our customers, we cannot absolve the customer from the responsibility of their actions. They must be aware of who they are transacting with and understand that when they see a message that says, “When you execute this push credit, payment to the recipient is final and irrevocable,” that the bank actually means it. If there is a database of bad actors and the customer is trying to execute a payment to that bad actor, is it the bank’s responsibility to deny the transaction? Or would the FI respond to the customer and advise that the recipient is on a list of known bad actors, and ask, “Do you wish to cancel this transaction?” And if the customer indicates no, then a message says, “You understand that this credit will be delivered and settled immediately with no options for a return, so you wish to continue?” and the customer says proceed, then under what circumstances should the FI be liable if the transaction turns out to be fraudulent? I’d say … none.