View or download a PDF of the letter here.
December 21, 2021
Submitted to Regulations.gov
Director Rohit Chopra
Bureau of Consumer Financial Protection
1700 G Street NW
Washington, DC 20552
Re: Big Tech Payment Platforms, Docket No. CFPB-2021-0017
Dear Director Chopra,
The 65 undersigned consumer, civil rights, faith, legal services and community groups submit these comments in response to the Consumer Financial Protection Bureau’s (CFPB) inquiry into certain business practices of six large technology companies operating payments systems in the United States. In these comments, we would like to focus on consumer protections in those payment systems, and in particular the lack of protection against consumer errors and fraud. We also discuss the application of existing federal data governance laws. These comments will not address other privacy issues, but we agree with other commenters that any data collected through payment systems should be used only with consumer permission and in ways that they would expect.
Scams and errors can have a particularly harsh impact on low-income families and communities of color. Payment system providers can do far more to protect consumers, and ultimately the systems themselves will benefit if consumers have greater protection and confidence when making person-to person (p2p) payments.
The lack of protection in p2p systems plagues not only the payment systems of large technology companies but also new or proposed faster p2p payment systems that operate through banks and credit unions. Accordingly, we urge the CFPB to:
- Clarify that all payment services providers and financial institutions have an existing duty under the Electronic Fund Transfer Act (EFTA) to investigate and resolve all errors committed through p2p systems, including errors committed by consumers.
- Enact a rule to define fraud in the inducement as an error covered by the EFTA’s error resolution procedures.
- Most urgently, without waiting for an EFTA rulemaking to be complete, work with the Federal Reserve Board (FRB) to revise the proposed regulations for the soon-to-be launched FedNow payment system to require financial institutions to protect consumers in the event of consumer errors or fraud in the inducement.
- Clarify the protections when a consumer’s account is wrongfully frozen, generally applying the EFTA’s error resolution framework.
- Clarify application of existing federal data governance laws including the Gramm-Leach Bliley Act (GLBA) and possibly the Fair Credit Reporting Act (FCRA).
As consumer, small business, civil rights, community and legal service groups described at greater length in comments submitted three months ago to the FRB, the existing p2p payment systems of large technology companies and financial institutions simply are not safe for consumers to use. Scams often take the last dollar from those least able to afford it, and often target older adults, immigrants and other communities of color. These communities, already denied or stripped of wealth through discrimination over the centuries to the present day, can least afford to lose money to scams and errors. Fast p2p payment systems, if properly designed, can provide broad benefits to consumers. But those benefits will only be realized if the systems are safe to use.
The providers of these p2p systems make decisions about what safety features to install, when to protect consumers, and how to monitor and react to red flags of potentially fraudulent payments received by their customers. Unfortunately, these companies have made the decision to prioritize speed, convenience and ubiquity at the expense of safety. They must instead take responsibility for their choices and protect consumers when the systems they design and implement result in predictable errors or fraud.
Protecting consumers from errors and fraud will create greater incentives for payment system providers to prevent those problems in the first place, benefiting everyone. Getting those incentives right is the most important thing the CFPB can do, as companies that are incentivized to prevent fraud and errors will use constantly improving technology and innovations to spot potential scams and errors, aggregate reports of fraud, and freeze accounts that are being used to receive fraudulent funds before the funds are gone and before more consumers can be defrauded.
In today’s world of fintech and innovation, it is ironic that the primary response of payment system providers to fraud and errors in p2p systems is to use old-fashioned disclosures and warnings to consumers to “be careful” and not to send payments to people they do not know — even while promoting their systems for broad use. Scammers prey on consumers’ trust, and warnings are far less effective than the sophisticated systems that payment providers can design.
It is especially important to flag the responsibilities of the institution that holds the account that receives a fraudulent payment. Institutions already have the duty to know their customer and to monitor accounts to prevent illegal activity. When they fail in those responsibilities and allow their customer to use an account that enables a scam, it is appropriate for that institution to bear the costs if the funds cannot be recouped.
If fraud and error rates are low in the aggregate, the system can bear those costs and spread them. If rates are high, then the systems clearly have fundamental problems that must be addressed. But even a single instance of fraud or mistake can be devastating to a consumer. The equities strongly favor protecting consumers with the same type of strong protection they have in the credit card market.
Accordingly, we have five requests.
- The CFPB should make clear that the existing obligation under the EFTA to investigate and resolve errors applies in the case of consumer errors in p2p systems. There are no limitations in the definition of “error” that would eliminate errors committed by consumers. Indeed, the EFTA generally protects consumers even in situations when they are negligent. If a payment is made in error — whether to the wrong person or in the wrong amount — it does not matter who made the error; the recipient is not entitled to that payment, and it should be reversed. Thus, institutions should be complying with their duty to investigate and resolve errors.
- The CFPB should ensure that consumers using p2p services have protection from scammers, using the Bureau’s EFTA rulemaking authority to define additional “errors.” While payments that consumers are fraudulently induced to send fall outside of the definition of “unauthorized charge,” fraudulently induced payments can still be considered an error triggering a duty to investigate and resolve the error. A payment that was sent to an imposter or under other situations involving fraud can and should be deemed an error.
- Most urgently, the CFPB must work with the FRB to improve the proposed rules governing the FedNow system to add in protection against consumer errors and fraud. The FedNow system should not be launched unless and until consumers (and small businesses) are protected from fraud and errors. Consumer protection issues cannot be ignored in the FedNow rules and cannot wait for EFTA rules covering the entire market. We have an opportunity now for FedNow to be a model for how other p2p systems can and should operate, and the CFPB and FRB should work together to seize that opportunity.
- The CFPB should clarify the rules and protections when accounts are frozen. If a financial institution freezes an account because it spots red flags of fraudulent use or identity theft, it is not clear how long the freeze may last or what rights consumers have if they believe their account was wrongfully frozen. Our general view is that consumers should have the right to contest a frozen account as an error under the EFTA (because the freeze will prevent the correct debiting and crediting of electronic fund transfers), and that error resolution procedures should apply: Unless law enforcement requires a different result, the institution should have 10 days to resolve whether any funds in the account should be unfrozen or whether the funds should be returned to the sender (or held for distribution to victims). But the topic deserves more consideration, as we recognize that the correct result requires balancing the importance of stopping fraudulent use with the rights of consumers whose accounts are incorrectly frozen.
- With respect to data sharing issues, we urge the CFPB to make clear the application of existing federal data governance laws, including GLBA and the FCRA. A p2p payment system is most definitely a “financial institution” under GLBA since payment processing is a “financial activit[y] as described in” the Bank Holding Act. Thus, any sharing of information with third parties is subject to the privacy notice requirements of Regulation P, and the p2p company is subject to the data security requirements of the Federal Trade Commission’s Safeguards Rule. To the extent that the p2p company sells or shares information to a third party, it could be a furnisher under the FCRA, or even a consumer reporting agency if the information is not first-hand experience information and the third party uses it for credit, employment or other FCRA-covered purpose. And if consumer report information is shared internally between affiliated companies, the affiliate marketing provisions of the FCRA are implicated.8
Thank you for considering these comments.