Reg E – Protecting and Preventing Consumers From Falling Into Social Engineering Scams – What Does This Mean For Banks?
By Rob Campbell, Head of Industry and Product Marketing at Callsign
In early June 2021, the Consumer Financial Protection Bureau (CFPB) published a document clarifying the implications of Regulation E (Reg E) within the Electronic Funds Transfer Act (EFTA).
Reg E offers protection to consumers who are victims of “unauthorized electronic funds transfers” (EFTs), requiring banks to offer the victim compensation for any loss suffered.
“Unauthorized EFT” is a catch-all term, but it is commonly applied to situations where purchases were made on a customer’s card after it was stolen, or incorrect invoices were debited directly from a customer’s bank account.
The June guidelines clarified the provisions of Reg E, specifically calling on banks to protect consumers who are victims of specific types of social engineering fraud.
The law states (and the regulator emphasized) that banks must offer Reg E compliant resolutions to consumers who are required to hand over account details, passwords, PINs, etc. to crooks who later use this information to access the customer’s account and make payments from there.
This is potentially a huge policy clarification, which will have far-reaching implications for consumers, as well as fraud experts in the financial services industry.
Prior to the Reg E clarification, many banks were unwilling to compensate consumers who had been victims of this type of social engineering fraud because they believed it was outside the scope of Reg E or that they did not have to provide a remedy because the victim had been negligent in passing on account access details to fraudsters.
The regulation makes it clear that even when a consumer is required to share account access details with a third party who then uses that information to perform an EFT, the transfer is unauthorized. In addition, consumer behavior which may constitute negligence does not affect the consumer’s liability for unauthorized transfers under Reg E.
How can banks prepare for Reg E directions?
There are two key things banks need to prepare for regarding the Reg E clarification. First, banks will need to prepare for the potential increase in Reg E claims from consumers. The regulation provides for specific response times that banks must respect when settling disputes with customers. Ensuring that their dispute resolution systems can cope with any increase in consumer complaints is essential for the bank to comply with Reg E, but also helps protect its reputation.
Banks will also need to take the time to brief and educate customer service teams on new Reg E requirements so that customers are aware of their rights.
Second, banks need to minimize their exposure to this particular type of social engineering fraud, which is becoming increasingly common around the world.
Fortunately, this is where technology can help.
Advanced Customer Authentication Technologies Can Help Banks Prevent Social Engineering
Technology to prevent unauthorized users from accessing customer accounts is now available. Even if a customer has been tricked into giving their username and password to a scammer, advancements in behavioral biometrics mean that banks can still block fraudsters’ access to the consumer’s account.
We’re all different. The way we interact with our devices is just as different. Some of us will type quickly, holding our device close to us as we frantically type on our screens or keyboards, while others will keep their devices at arm’s length, gently swiping their screens in a relaxed manner.
Behavioral biometrics uses these differences to detect real users and differentiate them from bad actors. To do this, it uses powerful AI and machine learning models to analyze how individual users interact with their devices.
If, for example, a user claiming to be Jane Doe entered Jane Doe’s password correctly, sufficiently advanced behavioral biometrics could identify that even if the password is correct, the user is not in fact Jane.
The behavioral biometrics model would identify that the user cannot be Jane because he was typing with his right hand, while Jane is left-handed. This telltale sign adds what’s called an inherence factor (something you are) to the knowledge factor (something you know) of a password, which dramatically boosts security without requiring big changes to the underlying technology platform or user journey.
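The check described above, as an added example (not Callsign's model or code from the article): a minimal keystroke-timing comparison in which a correct password alone is not enough when the typing rhythm deviates from the enrolled profile. The timing values, the thresholds and the mean absolute z-score metric are assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed enrollment data for "Jane": each row is one typing of the same
# password, as [dwell1, flight1, dwell2, flight2, dwell3, flight3] in ms.
JANE_ENROLLMENT = [
    [95, 140, 88, 160, 102, 130],
    [100, 150, 90, 155, 98, 135],
    [92, 145, 85, 165, 105, 128],
    [98, 138, 91, 158, 100, 132],
    [97, 148, 87, 162, 101, 134],
]
STEP_UP, BLOCK = 2.0, 6.0   # assumed score thresholds, tuned per deployment
MIN_STD_MS = 1.0            # floor so a very consistent typist cannot divide by ~0

def enroll(samples):
    """Build a per-feature (mean, std) profile from enrollment samples."""
    columns = zip(*samples)
    return [(mean(c), max(stdev(c), MIN_STD_MS)) for c in columns]

def anomaly_score(profile, attempt):
    """Mean absolute z-score of the attempt against the enrolled profile."""
    if len(attempt) != len(profile):
        raise ValueError("attempt has the wrong number of timing features")
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(attempt, profile))

def decide(password_ok, profile, attempt):
    """Combine the knowledge factor with the behavioral score."""
    if not password_ok:
        return "deny"        # wrong password: behavior is irrelevant
    score = anomaly_score(profile, attempt)
    if score > BLOCK:
        return "block"       # correct password, but not Jane's rhythm
    if score > STEP_UP:
        return "step_up"     # plausible but unusual: ask for another factor
    return "allow"

PROFILE = enroll(JANE_ENROLLMENT)
GENUINE = [96, 143, 89, 161, 100, 133]    # constructed: Jane on a normal day
SLOWER = [104, 158, 95, 170, 109, 140]    # constructed: Jane typing slowly
IMPOSTOR = [70, 220, 65, 240, 72, 210]    # constructed: someone else, right password

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("slower", SLOWER), ("impostor", IMPOSTOR)]:
        print(name, round(anomaly_score(PROFILE, attempt), 2), decide(True, PROFILE, attempt))
```

The middle outcome matters in practice: a legitimate customer who types differently one day should get a step-up challenge rather than a hard block.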
The other advantage of behavioral biometrics is that unlike other biometrics (such as voice or facial recognition), they are extremely difficult to reproduce. Sophisticated bad actors are now using recordings to fool speech recognition software, and even deepfakes to bypass facial recognition systems. However, behavioral biometrics are very difficult to capture and replicate (how can you replicate the way someone types or holds their phone?), which makes behavioral biometric authenticators particularly hard to fool.
Why should banks embrace behavioral biometrics now?
The sophistication of scams and the growth of social engineering are on the regulator’s radar, with consumer protection their top priority. There is no longer any room for interpretation: customers must be compensated by their bank if they are victims of this type of fraud.
This means that banks will need to demonstrate strong fraud prevention and consumer protection measures if they are to limit the impact of what some commentators have described as the scam.
About the Author
Rob Campbell is responsible for industry and product marketing at Callsign.
DISCLAIMER: Biometric Update Industry Information is submitted content. The opinions expressed in this article are those of the author and do not necessarily reflect those of Biometric Update.