Regulation E has been in force for many decades in the U.S., but the Consumer Financial Protection Bureau’s (CFPB) June 4th Compliance Aid clarified its applicability beyond what financial institutions (FIs) had been used to. Financial institutions have long been required to reimburse their customers when unauthorized funds transfers were made from a consumer’s account. This makes a ton of sense from the consumer’s perspective. If a third party or fraudster successfully moved money out of the consumer’s account without their knowledge, and the bank was unable to detect and stop such unauthorized transfers, the bank was required to investigate the disputed transaction and then reimburse the consumer if the transaction was found to be fraudulent.

Clarifying the Definition of Unauthorized Transfers

The new guidance effectively expands the sphere of reimbursable scenarios to include situations where the victim is coerced into sharing their account login information, such as a one-time passcode (OTP), with fraudsters. This change is particularly relevant in a time of rampant social engineering and scams. I explain the details in more depth in the video below.

There is seemingly no dearth of gullible consumers who would give away information like an OTP sent by their bank. An OTP is typically delivered in the form of an SMS text when the bank assesses something unusual or high risk such as a login from a new device, adding a payee, setting up a transfer or even transferring money in real time. It is a means of ensuring that it is indeed the account holder who is trying to make the transaction. Banks instruct the consumer to not share the passcode with anybody, but fraudsters are able to coax or intimidate unsuspecting consumers into sharing their passcodes.

Anatomy of a Vishing Scam

A typical scenario goes something like this: A fraudster tries to log into the consumer’s account with stolen credentials but is confronted with a request from the bank to enter an OTP. The bank, having detected a login attempt from an unrecognized device, sends an SMS OTP to the customer to ensure that the genuine customer is attempting the login, perhaps from a new device they recently acquired. The fraudster then calls the victim, impersonating a customer service agent from the bank. The fraudster uses scare tactics such as telling the victim that a risky transaction was detected on their account and that the bank is calling to make sure everything is okay. The fraudster then asks the victim to read back the OTP which had been sent by the bank.

Senior citizens are particularly vulnerable to these tactics, but even younger customers who value convenience over privacy can fall prey to vishing attempts. Banks want to help, but historically their stance has been that they can’t reimburse customers who were responsible for giving away their credentials.

When Customers Are the Weakest Link

Do consumers share responsibility for these transactions if they are being scammed into giving away their OTPs? Well, they may, but now they’re covered!

The CFPB in its Compliance Aid mentions the various ways a third party can fraudulently obtain “a consumer’s account access information: (1) a third party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.”

The customer has become the weakest link in banks’ efforts to defend against fraud. This has the potential to significantly impact the bottom lines of banks and credit unions where Reg E is applicable. It opens up another fraud loss channel and can potentially double their losses. So long as the investigation finds that an EFT was not authorized by the consumer, even when the consumer unwittingly shared their passcode with a fraudster or was negligent in keeping their sensitive information secret, the bank has to make the customer whole. Consequently, in their own self-interest, financial institutions will need to update their dispute processes and enhance their ability to both detect fraud and differentiate between genuine fraud and collusion. Most importantly, financial institutions must find ways to stop such unauthorized money movements in the first place to avoid confronting mounting losses.

Behavioral biometrics technology is uniquely positioned to help financial institutions detect and investigate fraudulent transactions that are seemingly being made by authenticated users. When device risk assessment or traditional authentication mechanisms like an OTP cannot detect the presence of a third party fraudster, capturing and analyzing online behavior reveals the tell-tale signs of fraud, making all the difference. BioCatch goes further and provides the tools and insights to differentiate between genuine and fraudulent sessions, so that banks can make informed decisions about the disputed transactions, protecting themselves as well as their customers from becoming the weakest link.

Join us on August 25 for a live webinar where we will discuss what the expanded CFPB guidance means, its potential impact on U.S. banks, and how behavioral biometrics is already being used to detect these types of scams.