It’s going to get much tougher for financial institutions to avoid being declared liable in cases of electronic fund transfer (EFT) social engineering scams.
Specifically, the Consumer Financial Protection Bureau (CFPB) recently released a Frequently Asked Questions “compliance aid” to provide guidance about its positions on the Electronic Fund Transfer Act (EFTA) and Regulation E. The bureau indicated that, if a third party fraudulently induces a consumer into sharing account access information which is used to initiate an EFT, then the transfer meets Regulation E’s definition of an unauthorized EFT.
In a section of considerable interest, the CFPB states that these institutions cannot take into account a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E. “For example, consumer behavior that may constitute negligence under state law,” according to the section, “such as situations where the consumer wrote the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers under Regulation E.”
The FAQs also state that, if customers sign agreements with their financial institutions to modify or waive certain protections granted by Regulation E, the institution cannot use the agreement to determine whether the EFT was unauthorized and whether liability protections apply.
The development substantially raises the stakes for the financial…