As part of Aite-Novarica’s Top 10 Trends in Fraud & AML, 2022: Braving the New Normal in January of this year, I predicted that regulatory pressure would increase due to a rise in scam activity. While I have yet to see much evidence of an increase in actions against financial institutions (FIs) by regulators, you don’t have to look very hard to see that consumers are beginning to show signs of distress.
While this is a troubling development in and of itself, what concerns me most is that as more consumers are targeted by fraudsters, a growing number of people are coming away from an already traumatizing event with an amplified sense of violation. This feeling may become even stronger after they discover that by initiating the fraudulent payment themselves—even if they were deceived into doing so—the treatment of the event is transformed from an unauthorized payment fraud to an authorized payment fraud.
This distinction means that the FI is not required by law to reimburse the consumer if the payment was initiated by the victim. This fact, along with the well-rationalized origin for why the policy boundaries were established, is frequently left out of contemporary narratives about the subject.
Unfamiliarity With Reg E Causes Problems
While the origins and boundaries of the policy are relatively well known among fraud professionals familiar with Reg E, it comes as a devastating realization to the victim—one that leaves them feeling profoundly wronged.
The worst part, of course, is that such a dramatic outcome, which hinges on a poorly understood nuance in policy, makes an irresistible narrative for journalists and legislators. Both of these groups, in their eagerness to be seen as taking bold action to protect consumers, run the risk of mistaking motion for progress.
Examples of this are popping up with increasing frequency and include:
- Two articles (here and here) in a prominent global newspaper that distort the nature and application of Reg E protections and the CFPB’s guidance on the matter
- A stirring letter from prominent politicians that was carefully engineered to go long on an appeal to sentiment but short on a realistic understanding of the reg
- A well-meaning but hastily assembled legislative proposal that, if passed as-is, would lead to unintended consequences and might end up harming the public more than protecting it
To be clear, the Scampocalypse is a serious problem for the financial services industry, and much needs to be done to improve the industry’s resilience. But as I said, motion is not always progress. Actions need to be taken—but it’s vital to thoughtfully analyze the nature of the actions and carefully craft and execute those actions.
Collaboration Is a Powerful Tool
All of the aforementioned narratives ignore or distort the reason the regulation distinguishes between “authorized” transactions and “unauthorized” transactions. Specifically, there is no explanation or defense of why FIs lobbied to ensure that both the FI and the consumer share some degree of agency in assuming responsibility for maintaining the security of the consumer’s funds.
If this omission persists, and public opinion continues to be guided by such an unbalanced escort, I fear it will wander into outcomes that are likely to produce unwelcome consequences. It is (and will remain) absolutely necessary to avoid laying liability for the event exclusively at the feet of any one actor in the ecosystem.
To do so would, in my estimation, only serve the criminal community. So long as FIs and their customers not only share the responsibility of securing themselves against attacks but collaborate on integrating their security countermeasures, it will be possible to keep scam attacks relatively controlled.
In partnership, FIs and their customers can overcome the criminal element. I have little doubt that it will be necessary to adjust consumer protection policies in order to ensure greater consistency in providing victims with reasonable recourse to reimbursement under specific circumstances. Perhaps the most important step will be acknowledging the need to make the terms of consumer protection coverage abundantly clear to everyone.
This will include making it clear to consumers that the risks of being victimized by scammers are real, that those risks are growing, and that consumers themselves need to step up their security game to adequately defend themselves. The FIs that communicate this successfully will find it is an opportunity to demonstrate their commitment to their customers’ financial well-being, and their customers will repay them with brand loyalty.
FIs that fail to meet this challenge may save themselves some trouble in the short run, but they run the risk of endangering the industry’s reputation in the best-case scenario and the birth of poorly thought-out legislation in the worst-case scenario. It’s time to begin having important conversations with consumers about their security, about the crucial role they play in protecting themselves, and about where the boundaries of protections stop so that their expectations can be properly adjusted.
To learn more about how fraud executives at FIs are combatting the growing number of global scams, read my recent report Scams: On the Precipice of the Scampocalypse.