Reg E – Protecting and preventing consumers falling for social engineering scams – what does it mean for banks?
By Rob Campbell, Head of Industry and Product Marketing at Callsign
At the beginning of June 2021, the Consumer Financial Protection Bureau (CFPB) published a document clarifying the implications of Regulation E (Reg E) within the Electronic Fund Transfer Act (EFTA).
Reg E provides protection for consumers who fall victim to ‘unauthorized Electronic Fund Transfers’ (EFT), requiring banks to offer the victim compensation for any losses incurred.
‘Unauthorized EFT’ is a catch-all term, but it is commonly applied to situations where purchases have been made on a customer’s card after it has been stolen, or erroneous invoices have been charged directly to a customer’s bank account.
The June guidance clarified the Reg E provisions, specifically calling out the need for banks to protect consumers who fall victim to specific types of social engineering fraud.
The law states (and the regulator has emphasized) that banks must offer Reg E compliant resolutions to consumers who are tricked into handing over account details, passwords, PINs etc. to scammers who later use this information to access the customer’s account and make payments from it.
This is potentially a huge clarification of policy, which will have vast implications for consumers, as well as fraud experts in the financial services industry.
Before the Reg E clarification was given, many banks had been unwilling to compensate consumers who had fallen victim to this type of social engineering fraud because they believed it was either out of the scope of Reg E or that they didn’t have to provide recourse because the victim had been negligent in handing over account access details to fraudsters.
The regulation clearly states that even when a consumer is tricked into sharing account access details with a third party who then uses that information to make an EFT, the transfer is unauthorized. Furthermore, consumer behavior that may constitute negligence does not affect the consumer’s liability for unauthorized transfers under Reg E.
How can banks get ready for Reg E guidance?
There are two key things banks need to prepare for regarding the Reg E clarification. Firstly, banks will need to prepare for the potential rise in Reg E claims from consumers. The regulation stipulates specific response times that must be met by banks when settling disputes with customers. Making sure that their dispute resolution systems can meet any increase in consumer claims is critical for the bank to comply with Reg E, and it also helps protect their reputation.
Banks will also need to take time to inform and educate customer service teams on the new requirements of Reg E so that customers are aware of their rights.
Secondly, banks need to minimize their exposure to this particular type of social engineering fraud, which is becoming more common around the world.
Fortunately, that’s where technology can help.
Advanced Customer Authentication Technologies can help banks prevent social engineering
The technology to prevent unauthorized users gaining access to customers’ accounts is now readily available. Even if a customer has been duped into giving away their username and password to a fraudster, leaps in behavioral biometrics technology mean banks can still block the fraudsters’ access to the consumer’s account.
All of us are different, and the way we interact with our devices is equally different. Some of us will type quickly, holding our device close as we frantically tap at our screens or keypads, while others will keep their devices at arm’s length, gently swiping their screens in a relaxed way.
Behavioral biometrics use these differences to detect genuine users and differentiate them from bad actors. They do this by using powerful AI and Machine Learning models to analyze how individual users interact with their devices.
If, for example, a user claiming to be Jane Doe has entered Jane Doe’s password correctly, sufficiently advanced behavioral biometrics could identify that even though the password is correct, the user is not in fact Jane.
The behavioral biometrics model would identify that the user can’t be Jane as they were typing with their right hand, while Jane is left-handed. This telltale sign adds what’s known as an inherence factor (something you are) to the knowledge factor (something you know) of a password, adding a significant boost to security without having to make a big change to the underlying technology platform or user journey.
The other advantage of behavioral biometrics is that, unlike other biometrics (such as voice or facial recognition), they are extremely difficult to replicate. Sophisticated bad actors are now using recordings to dupe voice recognition software, and even deepfakes circumvent facial recognition systems. Behavioral biometrics, however, are very difficult to capture and replicate (how can you go about replicating how someone types or holds their phone?), which makes behavioral biometric authenticators particularly hard to fool.
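As an added illustration (not Callsign’s code or any specific product), the following Python sketch shows how one behavioral signal, keystroke timing, can be layered on top of a correct password so that a right secret typed by the wrong person triggers a step-up check rather than a silent login. The enrollment data, feature layout, salt and threshold are all constructed for the example.

```python
# Added example (not Callsign's product or code): a minimal keystroke-dynamics
# check that adds an inherence factor to a correct password. Feature vectors,
# thresholds and sample data are constructed for illustration.
import hmac
import hashlib
from statistics import mean, pstdev

# Constructed enrollment data: per session, hold (dwell) and between-key (flight)
# times in milliseconds while Jane types her password. Real systems collect many
# more sessions and features (swipe pressure, device orientation, etc.).
JANE_ENROLLMENT = [
    [95, 110, 88, 140, 160, 130],
    [100, 105, 92, 150, 155, 135],
    [92, 112, 85, 145, 165, 128],
    [98, 108, 90, 138, 158, 132],
]
# Placeholder salted hash of Jane's password (constructed, not a real credential).
_SALT = b"constructed-salt"
JANE_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)

def build_profile(sessions):
    """Per-feature mean and standard deviation from enrollment sessions."""
    cols = list(zip(*sessions))
    # Floor the deviation so a single very consistent feature cannot dominate.
    return [(mean(c), max(pstdev(c), 5.0)) for c in cols]

def behavior_distance(profile, timings):
    """Average absolute z-score of a login attempt against the profile."""
    return mean(abs(t - m) / s for (m, s), t in zip(profile, timings))

def password_ok(candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, JANE_PASSWORD_HASH)

def decide(candidate, timings, profile, threshold=3.0):
    """Knowledge factor first; the inherence factor decides allow vs step-up."""
    if not password_ok(candidate):
        return "deny"
    if behavior_distance(profile, timings) > threshold:
        return "challenge"  # right secret, wrong person: trigger step-up auth
    return "allow"

if __name__ == "__main__":
    profile = build_profile(JANE_ENROLLMENT)
    print(decide("correct horse", [97, 109, 89, 142, 161, 131], profile))  # allow
    print(decide("correct horse", [40, 45, 38, 60, 70, 55], profile))       # challenge
```

The second call models the scam case from the text: the password is correct, but the typing rhythm is far from Jane’s profile, so the login is routed to a step-up challenge instead of being allowed.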
Why should banks embrace behavioral biometrics now?
The sophistication of scams and the growth of social engineering are on the regulator’s radar, and protecting consumers is its top priority. There is now no room for interpretation: customers must be compensated by their bank if they fall victim to this type of fraud.
This means banks will need to demonstrate robust fraud prevention and consumer protection if they wish to limit the impact of what some commentators have described as the scamdemic.
About the author
Rob Campbell is Head of Industry and Product Marketing at Callsign.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.