CFPB’s Error Resolution Provisions and Identity Theft – Musings on a Conundrum
April 02, 2018
(Please note that while this blog discussions a question of regulatory compliance, it is not legal advice, and all questions about compliance should be referred to competent counsel.)
One of the most alarming provisions in the Consumer Financial Protection Bureau’s final prepaid rule was one that required full refunds for error resolution on open-loop prepaid cards, including those that weren’t registered. This requirement could have potentially opened up a virtual barn door for fraud of all kinds. Virtually anyone who found a used prepaid card in the trash would have been able to claim the money disappeared and reclaim whatever funds had been loaded on that card, whether they were the ones who loaded it or not.
The good news is that through the advocacy of the NBPCA, the Bureau was able to eventually understand why the industry was so concerned about this provision. In the amendments to the final rule made earlier this year, it changed this provision so that liability limits did not apply to cards that did not complete the customer identification process.
Of course, no rule covers every possibility. For example, what do providers do when they discover that a card was registered with fraudulent or stolen information in the process of an error investigation?
The card completed registration, so is the provider on the hook for refunding the disputed charge to the card under the regulation?
The logical answer seems to be no.
While the cardholder may have completed the identification process, the issuer can revoke and close the account if they discover that it was opened under false credentials. Once the account has been closed, no liability would need to be resolved, because the account itself was fraudulent.
The risk for providers in this situation is if they provide a provisional credit to the account before the investigation into the alleged fraud is completed and a fraudster subsequently cashes out the card before the deceit is discovered. Assuming the claim is made a short time after registration, a provider could take advantage of the extended provisional credit period under Reg-E, which would help.
A provider might argue that the verification process was not successfully completed as specified under the rule if a fraud was discovered. However, the Bureau has provided no guidance on this to our knowledge and there has been no court test of it.
Regardless, providers should be alert for potential frauds in regard to limited liability claims and make sure that they develop a process for identifying, investigating, and resolving suspicious claims.
Here's the relevant part of the rule.
Error resolution and limited liability. The Bureau is amending Regulation E §§ 1005.11(c)(2)(i), 1005.18(d)(1)(ii) and (e)(3), comments 18(e)-4 through 6, and appendix A-7(c) to provide that Regulation E's error resolution and limited liability requirements do not extend to prepaid accounts that have not successfully completed the financial institution's consumer identification and verification process (i.e., accounts that have not concluded the process, accounts where the process is concluded but the consumer's identity could not be verified, and accounts in programs for which there is no such process). For accounts where the consumer's identity is later verified, financial institutions are not required to resolve errors and limit liability with regard to disputed transactions that occurred prior to verification. The Bureau is also making related changes to model disclosure language. In addition, the Bureau is requiring that, for accounts in programs where there is no verification process, financial institutions either explain in their initial disclosures their error resolution process and limitations on consumers' liability for unauthorized transfers, or explain that there are no such protections, and that such institutions comply with the process (if any) that they disclose.