Can the CFPB make Zelle liable for fraud? Maybe not.
Should an administrative agency be able to claim authority Congress didn’t give it, even if it is for a good cause? That issue may have arisen as six Senate Democrats have sent a letter to CFPB Director Rohit Chopra asking the CFPB to expand bank liability for fraudulent payments made through instant payment providers like Zelle. This is motivated by an increase in consumers being tricked into sending fraudsters money via the app. While a consumer is generally protected if someone else causes an unauthorized payment, with the bank bearing the liability, it is unlikely that this applies to this new form of fraud, at least not as the regulations are currently written.
This brings us to the Senators’ letter, in which they argue that the CFPB already has authority under the Electronic Fund Transfer Act (EFTA) and Regulation E, the enabling regulation for EFTA, to apply the liability regime in EFTA to instant payments. The Senators argue that a fraudulent payment could be defined as an “unauthorized electronic fund transfer” (UEFT) or under certain circumstances an “error” as defined by EFTA and Reg. E. Such a change would make it far more likely that banks would have to reimburse customers who are duped into sending fraudsters money via Zelle and similar services. The Senators argue that the current liability regime fails to reflect the reality of how payments are done, and that is a valid concern. However, the immediate question is: Does the CFPB have this authority? And there I’m not so sure.
First, let’s talk about how the law defines “unauthorized electronic fund transfer.” 15 U.S.C. 1693a(12) defines it as:
the term “unauthorized electronic fund transfer” means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit, but the term does not include any electronic fund transfer (A) initiated by a person other than the consumer who was furnished with the card, code, or other means of access to such consumer’s account by such consumer, unless the consumer has notified the financial institution involved that transfers by such other person are no longer authorized, (B) initiated with fraudulent intent by the consumer or any person acting in concert with the consumer, or (C) which constitutes an error committed by a financial institution. (Emphasis added)
This would seem to present a problem for the CFPB expanding the definition of “unauthorized electronic fund transfer” to encompass the type of fraud that appears to predominate on platforms like Zelle. The paradigmatic UEFT is someone getting your debit card credentials (number, PIN, CVV etc.) and impersonating you to either take money from your account directly or spend your money buying something for them. Conversely, the current kind of problem involves the consumer-victim initiating the transfer of funds to the scammer under false pretenses.
In this case it seems hard to argue that the transfer was initiated by someone other than the customer. Yes, the transfer was initiated under false pretenses, but it was the consumer who pushed the button to send the money, and the clear language of the statute seems to preempt expanding the definition to include such activity.
The official interpretation of the definition of UEFT in Reg. E does seek to expand the definition to include situations where the consumer’s access device (e.g. credit card, smartphone, etc.) is obtained by the criminal via fraud or robbery and where a consumer is forced to withdraw money from an ATM under threat. However, even if those constructions of the statute are valid, neither of those cases neatly match up with what is at issue here. In fact, the interpretations’ statement that transfers made by someone who was granted access to the payments device and authority by a consumer, but who exceeded that authority (e.g. an employee exceeding their authority on a company card), would not count as a UEFT might be an argument that consumer approved transactions, even if the consumer is misled, wouldn’t count.
Expanding the definition of “error” to include fraudulent transfers initiated by the consumer might seem like a more defensible position. The EFTA’s definition (15 USC 1693f(f)) of what constitutes an “error” is fairly broad:
For the purpose of this section, an error consists of —
(1)an unauthorized electronic fund transfer;
(2)an incorrect electronic fund transfer from or to the consumer’s account;
(3)the omission from a periodic statement of an electronic fund transfer affecting the consumer’s account which should have been included;
(4)a computational error by the financial institution;
(5)the consumer’s receipt of an incorrect amount of money from an electronic terminal;
(6)a consumer’s request for additional information or clarification concerning an electronic fund transfer or any documentation required by this subchapter; or
(7)any other error described in regulations of the Bureau. (Emphasis added)
The last prong in particular would seem to provide ample authority for the CFPB to expand the definition as requested by the Senators. But, is that really the case?
There is reason to be skeptical. As my colleague Andrew Vollmer has explained in regard to the SEC’s climate proposal, courts look to the context of the statute and its language when assessing whether Congress granted an agency certain authority. Using that method, it seems unlikely that the CFPB could stretch the definition of “error” to include a case where a consumer is tricked into initiating a payment.
If you look at the other things that constitute an error under the statute you can see that they are primarily the result of someone else’s mistake or misuse. As discussed above, it seems unlikely that a consumer who initiated fraudulent payment would count as an UEFT. The second, third, fourth, and fifth items listed all involve a mistake by the financial institution where the system didn’t work correctly. In all of those cases the consumer was not the prime mover of the error.
The sixth item listed is different in that it is an information request by the consumer about a transaction that occurred on the system. However, this doesn’t appear to create an independent exception from liability. Rather, it appears to exist to allow a consumer time to examine whether a UEFT or other substantive error listed above occurred.
Now, none of this is a comment on the underlying merits of expanding EFTA liability protections to consumers, where a robust debate can certainly occur. In the Senators’ letter they argue that the current regime is “antiquated”, and that may well be true. Much has changed since the EFTA was passed. However, the law is the law, and if it needs to be expanded it should be Congress who does so. Not only would that be more appropriate than an administrative agency trying to stretch its power beyond its legitimate limit, it would also be more durable. The Supreme Court has shown itself to be willing and able to strike down agencies’ assertions of authority that are not supported by the statute, so any unilateral attempt by the CFPB to “modernize” EFTA may end up being struck down. The Senators should look inward for a remedy rather than encourage bureaucratic power-grabbing.
Whether we should change who is liable for payments fraud to reflect the brave new world of person-to-person instantaneous payments is an important question that Congress should take up. In doing so Congress can assess the cost and benefits of different options and make any necessary changes through legislation. What we should avoid however is trying to amend a law by administrative fiat, which will harm not only the market, but the rule of law.