It’s going to get much tougher for financial institutions to avoid being declared as liable in the case of electronic fund transfer (EFT) social engineering scams.
Specifically, the Consumer Financial Protection Bureau (CFPB) recently released a Frequently Asked Questions “compliance aid” to provide guidance about its positions on the Electronic Fund Transfer Act (EFTA) and Regulation E. The bureau indicated that, if a third party fraudulently induces a consumer into sharing account access information which is used to initiate an EFT, then the transfer meets Regulation E’s definition of an unauthorized EFT.
In a section of considerable interest, the CFPB states that these institutions cannot take into account a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E. “For example, consumer behavior that may constitute negligence under state law,” according to the section, “such as situations where the consumer wrote the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers under Regulation E.”
The FAQs also state that – if customers sign agreements with their financial institutions to modify or waive certain protections granted by Regulation E – the institution cannot use the agreement to determine whether the ETF was unauthorized and whether liability protections apply.
The development substantially raises the stakes for the financial industry, according to an interpretation of the guidance from Trace Fooshee, a Senior Analyst with the Aite-Novarica Group, which is an advisory firm for banks, investment firms, insurers and payment providers. “Historically, most (financial institutions) only reimbursed victims of scams under circumstances in which the FI’s controls failed and when there were no indications that the customer benefited financially or otherwise from the fraud,” Fooshee writes. “The guidance that the bureau released … does much to call these practices into question.”
What’s more, these crimes are only increasing in volume: Three-fourths of financial professionals say their organization was the target of payment scams in 2020, and 90 percent reveal that these incidents have either grown in frequency or have remained consistent with the number of schemes in 2019. (Meaning just 10 percent say they are on the decline.)
Clearly, banks must take immediate steps to significantly reduce – or outright eliminate – the potential for EFT fraud. At BehavioSec, we’ve worked closely with financial industry customers to deploy behavioral biometrics solutions to ensure accurate and frictionless user authentication, resulting in positive and secure user experiences:
— If a criminal has taken over an account by fraudulently obtaining a victim’s credentials our solutions enable security teams to detect the activity and block it. Our behavioral biometrics technology creates profiles based upon how users interact with their devices – such as how they use a touch screen, move a mouse, type on a keyboard, etc. Even if criminals take control of accounts protected with OTP codes, often through a SIM swap attack or vishing call, they won’t be able to impersonate the user’s behavior. Thus, their account takeover will be exposed before they’re able to do any harm.
— Con artists will pose as virtually anyone to separate targeted marks from their money. They often pretend to be the IRS and demand thousands of dollars in “back taxes owed.” In a “romance scam,” they’ll present themselves as a potential love interest and then ask for money.
If a fraudster has gained enough trust (even temporarily) to coax a victim into unwittingly making a large EFT payment to the fraudster, our “social engineering” feature will intervene. BehavioSec technology picks up on various traits that victims exhibit when in this situation. They may, for example, demonstrate behaviors of hesitation because they have misgivings about what they’re doing. Or they could pick their smartphone up and down while going back and forth with a criminal, who is directing the victim to set up an EFT. Our behavioral biometrics will recognize these deviations from normal interactions with devices and send alerts to security teams.
Simply stated, if financial institutions are on the hot seat with increased liability burdens for EFT scams, then they must take proactive steps to dramatically reduce the likelihood that these social engineering scams occur. This is where our technology steps in.
Again, for the user, behavioral biometrics is passive and non-intrusive. Customers do not have to do anything beyond conducting an EFT or otherwise accessing their banking accounts, our analysis of their behavior does the rest. If this level of assured and “invisible” (to the user) security sounds like something you’d like to know more about, then please contact us.