Brandi B. Reynolds, CAMS-Audit, CCI
Ask any Compliance Officer about the intent of Regulation E and they’ll likely say “to protect consumers against losses from errors or fraud regarding their EFTs, such as debit card transactions.” Note that Regulation E applies only to consumers, not businesses. Regulation E offers consumers protections, yes, but is it possible that the Regulation E debit card dispute protections have also contributed to an increase in first-person fraud (defined as fraud committed against the financial institution by the institution’s own customer)? Perhaps.
Consumer customers know that Regulation E allows them to dispute electronic charges on their covered accounts, such as checking accounts, and that their financial institutions have to investigate those disputes. The nature and timing of that investigation is covered by Regulation E. Some customers have also figured out that some institutions will automatically refund the consumer’s disputed amount, without an investigation, if the disputed amount is under a certain dollar amount. They provide the refund because the cost to the institution of conducting and documenting the investigation far exceeds the cost of simply refunding the disputed amount and skipping the investigation (if it’s under a certain dollar amount.)
There’s also the regulatory risk to the institution that their investigation takes too long, reaches the wrong conclusion, or isn’t documented well enough. Many financial institutions have received exam findings – even consent orders – regarding Regulation E weaknesses. To avoid that risk, financial institutions just refund the money.
Artificial Intelligence Risk
Add Artificial Intelligence to the mix. Some Artificial Intelligence robots (bots) will conduct intake analysis on a consumer’s Regulation E dispute, consider the dollar amount of the disputed charges, and make a decision on the claim.
The risk is that the bot may automatically make the refund decision and schedule the refund without a human even seeing it, if it’s under a certain amount. That’s a big payday for the consumer with ill-intent. If controls aren’t built into the Artificial Intelligence solution, a consumer could theoretically submit unlimited disputes just under the dollar threshold, and cash-out handsomely without the institution’s knowing any of it until it’s too late.
Controlling the Risk
The solution for financial institutions is to implement controls to look for patterns of Regulation E dispute behavior, regardless of whether Artificial Intelligence is used or not. The controls should include:
- Reports on disputes just below the cutoff amount;
- Reports on consumers with repetitive disputes;
- A process for filing SARs on repeated dispute behavior that appears suspicious, even if under the filing threshold; and
- Written procedures for account-closure based on the abusive behavior. There is no requirement that a financial institution continue to do business with someone who is defrauding them.
No one ever wants to think that their own customers are defrauding the institution. However, human behavior is what it is. Regulation E serves a valuable purpose for well-intentioned consumers who have been harmed by fraudsters, and we don’t want a few bad apples to spoil the whole bushel. Keep the bushel, but implement controls to find the bad apples.
For more information on how CorCom can assist with your compliance needs, please contact email@example.com.