Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources; listen to our Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

September 21, 2020

Personal Responsibility for Irrevocable Payment Scams

Those who have experience with parenting know that with many joys come challenges. For me, one of those challenges is teaching my children the importance of personal responsibility. Picking up after themselves, making sure their chores are finished before running out the door to play, and owning up to mistakes are just some of the personal responsibilities that they struggle with daily. And while there is a light at the end of the tunnel for this struggle, I firmly believe it is their having to experience the consequences that is getting us there. In this parent's opinion, knowing there are consequences for their actions helps children become responsible.

You might be thinking, "What does this notion of teaching personal responsibility have to do with payments?" Earlier this year, my colleague Dave Lott started the dialogue among those of us at the Risk Forum, and perhaps within some of our readers' circles, when in a post he posed the question "What is the likelihood that similar protections will be extended to consumers here (United States)?" The post was related to the extension of consumer protections in the United Kingdom to combat its growing problem of authorized push payment (APP) fraudOff-site link.

In August, a UK-based consumer advocate organization called Which?Off-site link released a research reportOff-site link based on the experiences of 150 consumers related to the Contingent Reimbursement Model (CRM) Code adopted by many financial institutions in the United Kingdom in 2019. The CRM Code has two primary goals: to reduce the occurrence of APP fraud and, for the fraud that occurs, to reduce the impact. Many of these scam payments in the United Kingdom are occurring on their faster payments rail, which was designed to make payments immediate and irrevocable. The report concluded that consumers' experiences with reimbursement for APP scams were mixed. Some consumers were reimbursed by their financial institution after authorizing payments to scammers while others were unable to receive any reimbursements.

The primary payment instrument in the United States today for large-scale corporate APP scams is wire. For consumers, person-to-person (P2P) services such as CashApp, Venmo, and Zelle are being used to scam individuals out of money. All these payments, both business and consumer, are irrevocable. Once the payments leave their accounts, neither the financial institution nor service provider has liability. But should individuals in the United States, like those in the United Kingdom, be afforded protections for these wire and P2P payments if they're scammed? And should these protections also apply to newer real-time payment schemes here in the United States?

My personal belief is that financial institutions or P2P services should not be responsible for people who fall victim to APP scams. Their responsibility should be limited to educating their customers on the rules around these payments and their finality when executed. APP scams are often the result of social engineering campaigns, and I am of the thought that, just as I expect my children to accept personal responsibility for their mistakes, it's fair for consumers to accept their responsibility for making sure they do not become the next social engineering victim. Do you think this is a reasonable approach to these scams and payments? Or should the United States banking industry and regulators move toward a model like the United Kingdom has in place?