I started teaching payment rules, compliance, and risk management in 2007. Back then I used to describe credit-push payments as warm and fuzzy. Everyone likes a credit hitting their account. For the most part, the people I was teaching worked in bank operations. Very few of their problems had to do with credit-push payments (wires and direct deposits via ACH). Curricula tended to focus on debit-pull payments, the long list of return codes that accompany them, and how Regulation E works.
It is a new year and the days of warm and fuzzy credit-push-curricula are but a memory. The shift started happening around 2013, or at least that is when the FBI coined the term “business email compromise” (BEC) as reports of the scam started piling in. BEC scams vary in tactics, but the goal is the same. A fraudster convinces a company's employee to send credit-push payments to an account where the fraudster can access the funds. Reported losses attributed to BEC scams have so far totaled more than $50 billion. It is clear to see fraudsters still like the scheme, and it is not that hard to trick one human being.
Infrequently, the victimized business can claw back the funds with their bank's help, assuming the funds are still there and the receiving bank agrees to return them. Usually, however, by the time the fraud is detected, the funds have already been moved elsewhere.
Often, there is a court case, and sometimes the bank of the victimized business takes the loss instead of the business. It all depends on the circumstances and the court's application of the Uniform Commercial Code–Article 4A, or UCC 4A for short. But those are business problems. Credit-push payments are still warm and fuzzy in the consumer space… right? Nope, that is shifting, too.
The proliferation of person-to-person payment apps and services has led to a huge increase in credit-push payment volume. What's more, instant payments have arrived in the United States, and over the next decade, these credit-push payments will account for a significant share of payments volume. Fraudsters are flocking to find one more human being to trick in a new and massive opportunity.
Keep in mind, UCC 4A doesn't apply to consumer payments, and the civil justice system isn't a good option for smaller-value consumer scams. Enter Regulation E, the consumer protection rules that define liabilities and settle disputes between consumers and banks.
But Reg E isn't bringing back any warm and fuzzies for me in this increasingly fraught credit-push environment. Reg E has always been difficult to interpret, teach, and implement. Originally written for debit-pull payments, Reg E was updated in December 2021 to include coverage for credit-push P2P payments. This consumer protection, however, is for unauthorized payments. The regulation offers no protection when the account-owning consumer is tricked into authorizing or mistakenly authorizes sending money to a criminal
These credit-push scams, called authorized push payment fraud, deserve a shift in our curriculum, mitigation techniques, and approach to consumer protection.
For another take on authorized push payment fraud, check out the post my colleague Claire Greene wrote on the topic last spring.