CFPB's prepaid card rule could open the door to rampant fraud
Card issuers are sounding the alarm about the Consumer Financial Protection Bureau's final prepaid rule, claiming the agency has opened the door to potential fraud on unregistered cards.
The CFPB has already proposed delaying the implementation of the final rule for six months until April 2018, in part due to industry concerns. The delay came after the CFPB made changes in its final rule that caught the industry off guard, including extending certain protections for error resolution and limited liability for all prepaid accounts even on unregistered cards bought at retail stores.
As a result of those changes, financial institutions would be on the hook for most fraud losses on unregistered cards, even if they have no information about the consumer. That would make it it tough to investigate whether the fraud actually occurred, card issuers say.
"Companies are going to get calls from people saying someone is using their card, even though the card does not have their name on it and the institution does not know anything about the customer," said David Beam, a partner at Mayer Brown. "It's difficult to follow error resolution procedures on someone you don't know."
Regulators have long sought to extend to prepaid cards the same consumer protections granted to credit and debit cards. But analysts said doing so opens the door to fraud that currently does not exist.
"Here's the problem: Fraudsters are always looking for new ways to break the system and they are quite sophisticated, so once they figure out that they can do it, it could be a big issue," said Ben Jackson, the director of prepaid advisory services at Mercator Advisory Group. "The problem only exists once the rule to provide this protection goes into effect, and suddenly unregistered cards might become hugely popular as fraudsters start buying them."
Madeline K. Aufseeser, CEO and co-founder of Tender Armor, a Fort Lauderdale, Fla., fraud prevention firm, said there is potential for a new fraud scheme, which could undermine the CFPB's goals of trying to help consumers.
"This type of fraud could become rampant to the point where it hurts prepaid debt card issuer profitability so much so that they could ultimately raise cardholder fees or may be forced to get out of the business," Aufseeser said.
Fraudsters could game the system by loading up on unregistered cards, purchasing big-ticket items like TVs or electronics and then notifying the issuer that the charges were unauthorized.
Under Regulation E , which implements the Electronic Fund Transfer Act, if a consumer notifies a financial institution within two business days after learning of a loss or theft, the consumer's liability is capped at $50.
If a consumer notifies the issuer after two business days, the consumer's liability is capped at $500. Anything beyond the consumer liability limits is a loss for the issuer.
A consumer only has to provide a name, a number associated with the account and a description of the fraud to trigger an investigation. The financial institution has up to 45 days to investigate. If the transaction was unauthorized, or the issuer cannot determine if it was authorized, issuers would have to credit the customer, minus the $50 consumer liability.
Quantifying how many consumers could be affected or the potential for fraud is tough, said Jackson, because the industry does not track unregistered accounts. Many cards also are unregistered only temporarily.
The biggest players in direct-to-consumer general-purpose cards are Green Dot Corp. in Pasadena, Calif., Netspend in Austin, Tex., and American Express, Jackson said.
By comparison, nearly all reloadable prepaid cards require that the consumer register so the issuer can validate their identify typically using a name, address, Social Security number and date of birth. With unregistered cards there is no way for an issuer to know if the consumer committed the fraud or if the consumer perpetuated the same fraud with another company, Jackson said.
Issuers are concerned that they have inadvertently tipped their hands by highlighting the potential for fraud on unregistered cards.
"We've been working hard with the bureau over the last five months to secure more time for the industry to comply as well as address more substantive issues appearing in the final rule such as the new limitation of liability requirements for unregistered cards," said Brad Fauss, president and CEO of the Network Branded Prepaid Card Association, which represents prepaid providers.
The CFPB's changes to the final rule caught the prepaid industry by surprise because its proposal did not extend Reg E protections to all prepaid cards.
The CFPB is accepting public comments through April 5 on its proposal earlier this month to delay the final prepaid rule. The bureau has delayed the effective date of past rules on mortgage disclosures and remittance transfers.
Kris Andreassen, a CFPB senior counsel, wrote on March 9 that if the agency determines "that any substantive changes to the prepaid accounts rule are necessary and appropriate, we will issue a separate proposal and provide the public an opportunity to comment on those changes before finalizing."