According to the Federal Reserve System, noncash payments more than doubled in the last 20 years, totaling $128.5 trillion in the U.S. in 2021.[1] For the four years 2018-2021, Automated Clearing House (ACH)[2] payments grew $27.2 billion, credit and debit card payments grew $2.3 billion and check payments grew $0.5 billion. Thus, ACH represents 91% of non-cash transaction growth. “Both ACH credit and ACH debit transfers grew more than 12 percent per year in value from 2018—faster value growth than card or check transactions,” according to the Fed.

This growth has spurred a significant increase in inquiries from our legal clients about electronic funds transfers. Inquiries fall into three groups. “Is this fintech service being pitched to me legit and how does it really work?” “I am having difficulty using this service; what am I doing wrong?” And “I got scammed; help me get my money back, now!”

Sadly, the third group predominates, evidence that marketing dwarfs risk disclosure in fintech companies’ presentation of financial innovations to prospective customers. Websites claim their companies’ products are “seamless,” “frictionless,” “virtual,” “agile,” “resilient,” or all of the above. If you sign up, you are destined to have an “awesome” experience.

In place of cliché words should be disclosures about customers’ risk of loss, whether funds are protected by FDIC insurance while in the hands of non-bank financial companies, and how to get money back if you need to reverse a transaction, including directions for how to reach not an AI-enabled robot, but a human operator with authority to take prompt corrective action rather than just record your complaint.

Another complication is the absence of a unified and internally consistent body of law governing non-cash financial transactions.

· Paper checks are governed by Article 4 of the Uniform Commercial Code (UCC), a state-level law first published in 1952 and adopted, with minor variations, in all 50 states. Its rules, since updated, are simple.[3]

· Credit card transactions, also a 1950s innovation, are covered by at least six federal statutes, including the Fair Credit Billing Act of 1974 and the Fed’s Regulation Z, which governs interest rate calculations and disclosures.

· 1970s era Regulation E sets terms for debit card transactions. It watered down the rules governing credit cards when it comes to claims for refunds.

· Wire transfers and ACH payments have long been used for transactions among big business and financial institutions. They are subject to Article 4A of the UCC, enacted in the early 1990s. Since the turn of the century, small business and consumers have been drawn to wire and ACH transactions by Internet-based money transfer services like PayPal.

Who bears the risk of loss, and the maximum amount that can be lost, varies depending on which law applies. Federal law limits to $50 losses from unauthorized credit card transactions, including those resulting from lost or stolen cards. Credit card issuers seldom highlight this benefit to customers; but it is the strongest protection available for non-cash transactions.

Debit card users can be at risk under Regulation E for the entire balance in their bank account to which the debit card is linked. Under Regulation E’s requirements, cardholders must keep track of their cards and promptly notify the issuers of the cards’ loss or theft in order to be protected against losses. The rising tide of losses in recent years has made banks less customer-friendly about refunds than they used to be.

Mostly unknown to small businesses and consumers is the UCC loss sharing regime applicable to wire and ACH funds transfers. The essential feature of these transfers is their instantaneous effect. The money is good upon receipt at the “beneficiary bank.” The UCC permits the sender’s bank, the “receiving bank,” to reverse or “recall” erroneous transactions. But the law places the burden on the receiving bank to satisfy the beneficiary bank about the bona fides of the recall request, including requiring the receiving bank to indemnify the beneficiary bank for any loss it experiences if it refunds the money and then gets sued by its customer. For that reason, immediate action to recall an erroneous or fraudulent transaction is essential. Once the beneficiary bank funds the customer’s account, rare is the case when the receiving bank and its customer recover the misdirected money.

Payment services like Venmo (owned by PayPal) describe the basics of the Article 4A risk allocation scheme in their user agreements. Venmo’s agreement though is 27,800 words long, up more than 11,000 words since the pandemic. Nobody but lawyers paid to do so read agreements that long or complicated. Because the agreements are so thoroughly rooted in banking law and regulation, lay people of average aptitude haven’t a prayer of understanding the agreements even if they read them.

The dramatic rise in scams involving electronic transfers[4] has prompted a commensurate rise in litigation. In a recent local case,[5] criminals induced a title insurance company handling the refinancing of a $7 million loan for a suburban Pittsburgh office building to send loan payoff proceeds to a “spoofed” bank account at a large local bank. The criminals set up the receiving account to look legitimate, including opening the account in the name of the lender whose loan was being paid off. Quick legal action by the title insurance company led to court orders freezing that and other accounts to which the criminals transferred the stolen money. Recovery of the money itself though will take months or years of investigation and litigation as the banks involved grind through their internal procedures according to UCC Article 4A.

The proliferation of so-called fintech companies that provide electronic financial services also raises the risk that funds in their hands are not FDIC-insured.[6] The FDIC created “pass-through” insurance to insure accounts of customers of payment services such as Venmo. Fintech companies that desire to offer pass-through FDIC deposit insurance must be approved for that purpose and must maintain sub-accounts in the name of each customer tracking funds kept with their company. Big e-payment companies like Venmo now view pass-through insurance as a necessary part of their product offering; smaller ones often do not. Because venture capital financing has recently become scarce, there is greater risk today that venture capital-funded fintech companies will go bankrupt when they run out of capital and their customers’ funds will be lost as a result.

A business and legal culture that tolerates fraud as a cost of doing business is a final impediment to safety and soundness of electronic financial services. Banks chronically understaff operations centers responsible for investigating fraud. They view investigating fraud as a cost with no business benefit to themselves. Legislators and regulators have not held the industry accountable for customers going home empty-handed most of the time.[7] The Consumer Financial Protection Bureau this spring published cautionary guidance about the prevalence of fraud and consumers’ need to take precautions. Absent enforcement action against nationally recognized financial intermediaries, the CFPB guidance is just “wind over the buffalo grass,” in the words of a Sioux proverb.

The pervasiveness of the problem came home to me recently. I received an email from the Giant Eagle grocery company, asking about my customer experience July 2 at their Wilkinsburg, PA, convenience store. I called the corporate office July 3 to say neither my wife nor I left our home across the Allegheny River from Wilkinsburg on July 2.

The customer service representative explained our home phone number associated with a loyalty program account was entered at a point-of-sale terminal at the Wilkinsburg c-store and $3.00 was downloaded and applied to a purchase that was paid for with a debit or credit card. I asked how that could happen. “Likely, it was someone mis-entering digits on the keypad,” said the operator. “Likely, it was someone fraudulently accessing my money,” said I. “How often does this happen?” I continued. “It happens with some frequency,” the operator replied evasively. “But don’t worry; we will credit your account for $3.00,” she said brightly. When I told my sister in Ann Arbor of the experience, she said her husband recently had the same thing happen to him at a coffee shop he favors. His loss was about $50 from his loyalty rewards account. The upshot: today, no amount is too small to be stolen and it’s not difficult to do.

Until we as a society take financial fraud seriously, by investing the resources needed to shut it down, we will continue to be our own worst enemies. The top-20 U.S. banks and the government (Federal Reserve, OCC, FDIC and CFPB) should take the lead by cleaning up the fraud problem at the bank-owned Zelle® payment service and using that as a template to rewrite the law to reflect market realities cited at the beginning of this blog post. Leading state financial regulatory agencies (e.g., New York, California, Texas, Pennsylvania and Illinois) and the Independent Community Bankers Association need to have input too, so K Street lobbyists do not tilt the scale completely in favor of big banks and big business. Our financial e-commerce system “needs fixed,” as they say in Pittsburgh. Done well, the fix can effectively serve us all.

[1] “The 2022 Federal Reserve Payments Study in Four Charts,” Take on Payments Blog of Federal Reserve Bank of Atlanta, June 26, 2023, available at https://www.atlantafed.org/blogs/take-on-payments

[2] The nation’s 12 Federal Reserve Banks and Electronic Payments Network (EPN) are the two national ACH operators.

[3] Under § 4-406(c), “If a bank sends or makes available a statement of account or items . . . , the customer must exercise reasonable promptness in examining the statement or the items to determine whether any payment was not authorized because of an alteration of an item or because a purported signature by or on behalf of the customer was not authorized.” In practice, this means customers have up to 30 days to identify fraudulent checking account transactions.

[4] See the earlier installment of this blog titled, “Internet Banking and Multifactor Authentication,” January 12, 2023.

[5] Fidelity National Title Insurance Co. v. JPMorgan Chase Bank NA et al., case number GD-23-007127, in the Court of Common Pleas of Allegheny County, Pennsylvania.

newsroom.

[7] Tristan et al. v. Bank of America NA et al., case number 8:22-cv-01183, in the U.S. District Court for the Central District of California.