There is an ongoing effort to make Approved Push Payment (or APP) fraud the responsibility of participating financial institutions. To quickly recap the APP fraud issue: a sending bank’s customer initiates a faster payment, say an RTP or FedNow push credit to a receiver. The transaction is completed without any error. The receiver turns out to be a bad actor and the sender does not receive goods or services to their satisfaction. There is nothing unauthorized about the transaction; therefore Reg E does not apply. What is the sending bank’s responsibility to reimburse their customer in this situation?

As stated above, current regulation does not require the sending bank to make their customer whole. And that makes sense: if the customer had paid in cash (or any other payment type, for that matter), the issue is that a buyer was defrauded. I have sympathy for this scenario, but that does not mean the sending FI has a responsibility to cover this loss. What seems to be occurring is that those who are in a position to make rules and laws are looking at the finality of an instant payment and deciding that this is a mitigating factor in assigning liability to the financial institution. What is lost in this reasoning is the fact that bank customers have to be smart about who they transact with, and the bank cannot be responsible for any bad choices a customer might make.

Note: the exception to the above is where the customer’s device has been hacked and a bad actor uses the customer’s own account to push an instant payment credit to the bad actor’s account. This is clearly an unauthorized transaction, and unauthorized debits and credits are covered by Reg E.

Recently, the Independent Community Bankers of America posted information to its members on recent comments from Comptroller of the Currency Michael Hsu on the APP fraud issue. It is clear that Hsu believes that banks should be liable for authorized transaction fraud.
In a recent speech on artificial intelligence and fraud, Hsu indicated he supports requiring banks to reimburse customers tricked into sending money to fraudulent accounts. More specifically, Hsu advocated for a new policy similar to one in the United Kingdom, where the customer’s bank and the receiving bank must reimburse defrauded customers for losses, with the reimbursement cost split 50-50 between each bank. Hsu claimed that:

This arrangement incentivizes banks to develop and implement effective fraud controls. This liability model deserves greater discussion in the United States. In cases where AI plays a role in the fraud, splitting the liability evenly among the customer’s bank, the receiving bank, and the AI platform is worth considering.

There is no question that financial institutions should make every effort to enable their customers to safely conduct transactions. Education is of paramount importance, and customer-facing applications can include the appropriate notices about the finality of instant payments (Are you sure? Are you really, really sure?).

Hsu’s remarks are only the latest salvo in the debate over who is liable for customers duped into authorizing payments to scammers. The ICBA report highlighted several other players advocating for banks being liable for APP fraud: Elizabeth Warren (D-Mass.) in 2022 issued a report calling on the CFPB to strengthen Regulation E to require banks to reimburse customers who authorized fraudulent payments. In response, ICBA said it opposes unlimited liability for P2P fraud and encouraged policymakers to focus on the fraudsters themselves. The CFPB and FTC also continue to advocate for APP fraud to be the responsibility of the financial institution.

The fact is that making APP fraud the responsibility of the sending FI, in whole or in part, will have a dampening effect on a financial institution broadly offering instant payment options.
After all, if a customer can simply claim they were defrauded and are made whole, do we not think that customers would quickly catch on that they can transact with impunity and stop exercising reasonable care about with whom they are transacting? We can look at the aforementioned UK example to see that, in fact, customers will misuse an APP fraud reimbursement requirement to recover funds that are the result of bad judgement.

ICBA’s take is that it will continue raising concerns about policymakers’ calls for expanding legal liability to reimburse consumers for authorized transactions. While it is greatly beneficial for ICBA to be advocating on behalf of thousands of community banks, you need to be an active participant in making your voice heard. Make sure someone on your staff is following the APP fraud issue and the activities of the ICBA in this regard. Make sure your congressional representatives hear from you, either individually or as a part of your state’s periodic trips to Washington, that making banks responsible for fraud completely out of the control of the bank is unreasonable and unwarranted.

There are steps we could take as an industry to remediate fraud. Chiefly, giving our customers the ability to be knowledgeable about any reported fraud for a receiver prior to pushing a credit to that receiver would be the best remediator of fraud. Sadly, none of the instant payment services will allow customers to have access to reported fraud. Therefore, it may take an industry initiative to track suspected bad receivers and make that information available to any front-end system used to initiate an instant payment. I have a write-up on exactly how this type of system could be created and implemented. If you are interested in receiving a copy of my proposed remediation of APP fraud, send me an email at dpeterson@bankers-bank.com and I’ll send you a copy.
Let’s work together to strengthen the remediation of fraud without limiting the availability of instant payment options for bank customers.

The views expressed in this blog are for informational purposes. All information shared should be independently evaluated as to its applicability or efficacy. FNBB does not endorse, recommend or promote any specific service or company that may be named or implied in any blog post.