Codify — Article

California AB 2674 requires banks to use preventive measures against financial abuse and deception

Mandates semiannual frontline training, device‑optimized warnings and intervention procedures, plus a conditional liability safe harbor and new civil penalties—crucial for bank compliance teams.

The Brief

AB 2674 creates a new Division 21 in the California Financial Code focused on financial abuse and deception. The bill forces depository institutions (banks and credit unions) to maintain written procedures and to provide customer‑facing employees with up‑to‑date information and training at least once every six months; it then prescribes concrete steps institutions must take when they suspect a transaction results from deception or undue influence.

The measure matters because it does three things at once: it standardizes how front‑line bank staff should identify and respond to suspected scams, it conditions a statutory liability shield on complying with those procedures (with explicit exceptions), and it establishes fast timelines and meaningful monetary remedies that can be imposed against institutions that fail to employ the required preventive measures. That combination changes operational priorities for compliance, digital product teams, and legal departments while expanding remedies available to victims of financial abuse.

At a Glance

What It Does

The bill requires depository institutions to train customer‑interacting employees at least every six months on new patterns of financial abuse, and to maintain procedures to intervene in suspect transactions. For in‑person and non‑in‑person suspect transactions the law prescribes specific interventions (advising independent verification, encouraging a national fraud hotline, optional contact of an authorized trusted third party) and mandates a device‑optimized on‑screen warning for remote transactions.

Who It Affects

All banks and credit unions doing business in California and their customer‑interacting employees are directly covered, including staff who handle in‑branch, telephone, and electronic transactions. Compliance, digital product, and fraud operations teams must implement UX changes, investigation workflows, and recordkeeping; customers (including vulnerable adults and minors) see expanded protections and remedies.

Why It Matters

AB 2674 sets operational minimums for front‑line responses to suspected scams while offering a conditional safe harbor that shields institutions from liability only if they follow the statute. It also creates a new private right of action with statutory and treble damages, raising litigation and reputational stakes for institutions that miss or mishandle suspect transactions.

What This Bill Actually Does

The bill begins by defining core terms—'account,' 'customer,' 'customer‑interacting employee,' 'depository institution,' 'suspect transaction,' and 'trusted third party'—to limit coverage to consumer accounts and to people who actually transact on them. That framing matters because the obligations apply to any employee or contractor whose role includes communicating with customers, and the term 'suspect transaction' is intentionally broad: it covers transfers, withdrawals, or deposits where the surrounding facts appear suspicious or match known scam patterns.

On the front end, the statute requires institutions to give customer‑facing employees current information about new deception tactics and training to spot signs of abuse, no less often than once every six months. The bill forbids dismissing warning signs on the basis of a customer’s age, language capacity, or education, and it requires written procedures that guide staff on how to intervene and document their actions.

For in‑person suspect transactions, the institution must take a set of named steps: advise the customer to independently verify the request with the person for whom the transaction is being made, encourage the customer to contact a nationally recognized nonprofit fraud hotline, and optionally contact a customer‑provided trusted third party if the institution has no reason to believe that person will harm the customer.

The law also requires a disclosure in the customer’s usual language stating that the institution, if it has complied with the statute, cannot be held liable for harms from that transaction.

For remote suspect transactions that are not expedited, the institution must display a prominent, device‑optimized warning in the customer’s preferred language. The text the statute prescribes emphasizes verification, the pressure tactics scammers use, and warns that the transaction cannot be reversed; it also requires the last two sentences to appear in bold and larger type.

The bill preserves a contractual carve‑out allowing institutions to deny transactions under contract terms without giving the preventative warnings.

If a customer believes the institution failed to provide a required preventive measure, the customer has 60 calendar days from the suspect transaction to notify the institution orally or in writing with enough information to identify the account and transaction. The institution then has 30 calendar days to investigate (with a one‑time 15‑day extension if it cannot reasonably finish), and the statute defines 'document' broadly to include account records, internal call notes, audio/video records, and ATM logs.

If the bank determines it should have acted but did not, it can cure the violation by notifying the customer and refunding the suspect transaction amount plus interest within one business day of completing its investigation.

The bill creates multiple private remedies. A customer may recover $100 per day for an institution’s failure to complete the required investigation on time.

If the institution failed to follow the title or to refund the customer, the customer can sue for actual damages, statutory damages of $5,000–$10,000 per violation, attorney’s fees, injunctive and declaratory relief (including a declaration that the customer owes nothing and that any security interest is void), and any equitable relief the court deems appropriate. The statute also authorizes treble damages where the court finds the institution unreasonably concluded it did not err, and it separately mandates treble damages when the victim is a senior citizen under the Civil Code definition.

The Five Things You Need to Know

1. The bill requires banks and credit unions to provide employees who interact with customers with current information and training on financial abuse at least once every six months.

2. For non‑in‑person, non‑expedited suspect transactions the institution must show a device‑optimized warning in the customer’s preferred language with the last two sentences in bold and larger type.

3. An institution that complies with the statute’s preventive measures cannot be held liable for harms from the specific suspect transaction, except the liability shield does not apply when the customer is a minor.

4. A customer who alleges a missed preventive measure has 60 days to notify the institution; the institution then has 30 days (plus one 15‑day extension) to investigate and may cure a violation by notifying and refunding the transaction amount with interest within one business day after completing its investigation.

5. The statute creates layered remedies: $100 per day for missed investigations, statutory damages of $5,000–$10,000 per violation (plus actual damages, fees, and equitable relief), and treble damages where the court finds an unreasonable institutional conclusion or where the victim is a senior.

Section-by-Section Breakdown

Section 60000

Definitions that limit scope and trigger obligations

This section sets the vocabulary: it narrows coverage to consumer customer accounts and lines of credit, defines who counts as a 'customer‑interacting employee,' and describes what counts as 'financial abuse or deception' and a 'suspect transaction.' Practically, these definitions determine when the procedural and training duties kick in and which accounts and workforce roles face the new requirements; institutions should map these definitions onto their product and staffing catalogs to see where obligations apply.

Section 60001

Training, procedural duties, and prescribed preventive measures

Section 60001 demands semiannual information/training for customer‑facing staff and requires written procedures to intervene in suspect transactions. It prescribes a set of actions for in‑person encounters (advise independent verification, encourage a national fraud hotline, optionally contact a trusted third party, and give a liability disclosure in the customer’s usual language) and mandates a specific on‑screen warning for remote, non‑expedited transactions. The provision also contains a critical operational detail: an institution may deny a suspected transaction under contractual terms without delivering the interventions, and institutions get a conditional safe harbor from liability if they comply with the section—except for transactions involving minors.

Section 60002

Customer notice, investigation timeline, evidence list, and cure

This section creates a customer‑triggered remediation pathway. A customer has 60 days to notify the bank if they believe the institution failed to provide a required preventive measure. The institution must investigate within 30 calendar days (with a one‑time 15‑day extension if needed), using any relevant documents—explicitly including call notes, audio and video recordings, and ATM logs—to decide whether it should have intervened. If the institution concludes it should have intervened and refunds the transaction amount plus interest within one business day of finishing the investigation, the statute treats that refund as curing the violation—an administrable remedy that will shape banks’ remediation playbooks.

Section 60003

Private rights of action, damages, and enhanced remedies

Section 60003 authorizes multiple civil claims. Customers can recover $100 per day for failures to complete investigations, and, for substantive failures to follow the title or to refund, they can seek actual damages, statutory damages set by the court at a minimum of $5,000 up to $10,000 per violation, injunctive and declaratory relief (including voiding alleged security interests), attorney’s fees, and other equitable remedies. The section raises stakes further by permitting treble damages where courts find the institution unreasonably denied error, and it mandates treble damages for failures involving senior victims—factors likely to influence both settlement dynamics and institutions’ risk calculus.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Vulnerable account holders (seniors and adults at risk): They receive mandated frontline interventions, clearer warnings in their preferred language, and expanded remedies (including treble damages for seniors) when banks fail to act.
  • Families and authorized trusted contacts: Where customers have provided contact information, institutions may involve these trusted third parties to stop or slow suspect transactions, giving relatives and designated agents a formal avenue to intervene.
  • Consumer advocates and nonprofit fraud hotlines: The law directs customers toward nationally recognized nonprofit fraud hotlines and elevates their role in triage and support, likely increasing referrals and the visibility of these services.

Who Bears the Cost

  • Depository institutions (banks and credit unions): They must budget for semiannual training, update branch and digital workflows, implement device‑optimized warnings, retain and produce broader categories of records, and face heightened litigation risk from statutory and treble damages.
  • Small and regional banks with limited compliance resources: These institutions will disproportionately feel operational and technical burdens to update UX, build investigation workflows, and respond to discovery demands for internal audio/video records.
  • Customer‑interacting employees and contractors: Frontline staff gain new duties to assess and document suspected abuse, escalate appropriately, and execute prescribed scripts and disclosures—raising training demands and potential stress when balancing fraud prevention with customer service.

Key Issues

The Core Tension

The bill’s central dilemma is protecting vulnerable account holders through mandatory, documentable preventive steps while avoiding rules that incentivize overcautious denials or create large litigation exposure for good‑faith institutional judgment calls; the statute improves frontline defenses but simultaneously raises the risk that compliance costs and damages create perverse operational incentives.

The bill balances operational prescriptions with a conditional liability shield, but that balance is fragile in practice. The safe harbor pressures institutions to document every step; yet the statute simultaneously creates strong monetary incentives for plaintiffs to sue when procedures were imperfect.

That dynamic could push institutions toward defensive behavior—either excessive denials or conservative delays—because failing to follow a procedural requirement can trigger statutory damages and treble awards, even when fraudsters adapt tactics rapidly and staff make judgment calls in ambiguous situations.

“Trusted third party” contact is a practical tool but a double‑edged sword. The statute allows institutions to contact an optional trusted third party if they do not have reason to believe that person will cause harm, but it does not define the standard for when contact is unsafe.

That ambiguity creates a real operational dilemma: contacting a purportedly trusted relative can stop some scams but can also enable family members who are the abusers. Similarly, the law broadens the evidentiary record the institution must consider and preserve (internal notes, audio/video, ATM logs), which improves accountability but increases discovery burdens and privacy risks for customers and employees.

Finally, several implementation questions remain unanswered in the text: what precisely qualifies as an 'expedited' transaction that is exempt from the remote warning requirement; how regulators should audit compliance with the semiannual training mandate; and how courts will assess whether an institution 'unreasonably' concluded it did not err. Those gaps mean institutions will need to rely on conservative internal policies, which could unintentionally restrict legitimate, time‑sensitive transactions or drive up operational costs that ultimately affect consumers.
