SB 505 adds a chapter to the California Financial Code that makes operators of stored‑value platforms (issuers of digital stored value) responsible for reimbursing customers who lose funds as the direct result of a “fraudulently induced transfer.” The bill prescribes how customers must be able to submit claims (mail, phone, email, web, or mobile app), sets tight investigation and reimbursement timelines, requires provisional credits when investigations are extended, and directs operators to notify customers and amend terms by a statutory date.
Separately, the bill bars digital wallet providers and money transmitters from permitting user logins without two‑factor or multifactor authentication, with that authentication requirement becoming operative January 1, 2028. The combined changes reallocate the economic risk of social‑engineering losses toward platform operators while imposing operational and security obligations that will affect compliance, product, and customer‑support functions across the payments ecosystem.
At a Glance
What It Does
Requires stored‑value platform operators to reimburse customers for losses directly caused by fraudulently induced transfers and to provide multiple, specified channels for filing claims. Separately, requires two‑factor or multifactor authentication for any user login to a digital wallet or money‑transmission account beginning January 1, 2028.
Who It Affects
Digital wallet providers, money transmitters, prepaid/stored‑value issuers, and their customer‑support and compliance teams; California customers who hold or send stored value; and the Department of Financial Protection and Innovation as enforcement authority.
Why It Matters
The bill shifts immediate financial exposure for social‑engineering fraud from consumers to platform operators and codifies procedural timelines and provisional credit rules that will govern dispute resolution. The authentication mandate raises baseline security requirements that may force technical changes, additional identity‑verification processes, and potential user‑experience tradeoffs.
What This Bill Actually Does
SB 505 establishes a statutory obligation: if a customer on a stored‑value platform initiates a transfer because they were deceived by fraud (a “fraudulently induced transfer”), the operator must reimburse the customer for losses directly caused by that deception. Operators must set up claim intake through five specified channels — physical mail, a telephone number, email, the platform website, and the mobile app — and must publish clear directions for filing a claim that are reachable without logging in.
Once a claim arrives, the operator must promptly investigate. The bill sets a 10‑business‑day default timeline to complete investigations and requires operators to report results within three business days of finishing.
If the operator determines a fraud occurred, it must reimburse the customer within one business day. The bill forbids conditioning an investigation on a police report and allows operators to take up to 45 days to complete an investigation only if they provisionally credit the customer within the initial 10 business days, notify the customer quickly of the provisional credit and any further information needed, and allow the customer full use of the provisionally credited funds while the inquiry continues.

Operators must notify customers of their new rights in a clear, conspicuous notice by July 1, 2026, and must amend contracts or user agreements to reflect the reimbursement obligation.

The commissioner gains explicit restitution and refund authority to order monetary relief to harmed customers in addition to existing enforcement powers.

Separately worded sections of the chapter impose a security requirement: digital wallet providers and money transmitters may not permit any user to log in without employing two‑factor or multifactor authentication. That authentication requirement becomes operative January 1, 2028, giving firms time to implement changes to login flows, identity proofing, and fallback processes.

Taken together, the statute creates a fast‑moving dispute resolution framework that favors immediate remediation for consumers while creating operational requirements—both procedural and technical—for platform operators, and it centralizes enforcement with the financial regulator rather than creating an explicit private statutory cause of action in the text of the bill.
The Five Things You Need to Know
- The bill requires operators of stored‑value platforms to reimburse customers for losses directly caused by a fraudulently induced transfer.
- Operators must offer five claim channels (mail, phone, email, website, and mobile app) and publish filing directions accessible without account login.
- Investigations must ordinarily finish within 10 business days, with results reported within three business days and reimbursement within one business day after a finding of fraud.
- If more time is needed, operators may take up to 45 days only if they provisionally credit the customer within the first 10 business days, notify the customer within two days, and allow full use of the provisional funds during the extended investigation.
- Digital wallet providers and money transmitters must require two‑factor or multifactor authentication for any user login beginning January 1, 2028.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Core definitions: fraudulently induced transfer and stored‑value platform
The chapter defines the key terms that trigger obligations. A “fraudulently induced transfer” is a transfer initiated in response to deceptive conduct intended to trick a customer into sending stored value to an account outside their control. A “stored value platform” is any issuer service that lets customers send stored value to other customers of the same issuer. These definitions set the scope of reimbursements and will be pivotal in disputes over whether a particular loss fits the statutory category.
Operator reimbursement obligation
This section places a strict financial responsibility on operators: reimburse any loss directly caused by a fraudulently induced transfer. The statutory phrase “directly caused” injects a causation limit that can be litigated—operators may argue intervening causes or contributory customer negligence—but the default rule is clear: operators bear the loss absent a narrow counterargument.
Claims channels and public disclosure requirements
Operators must provide multiple intake channels (mail, the phone number displayed under §2107, email, website, and mobile app) and publish clear filing instructions on web and app interfaces accessible without login. Requiring public‑facing directions prevents hiding the remedy behind account access and reduces friction for victims who cannot log in after fraud.
Investigation timing, reporting, and reimbursement deadlines
Upon receiving a claim, operators must promptly investigate and normally finish in 10 business days, report results within three business days of completion, and reimburse within one business day after finding that fraud occurred. The section also bars requiring a police report as a precondition to start an investigation—shortening time to remediation for victims but shifting investigative burden to firms.
45‑day extension with provisional credit and customer access
If an operator needs more information, it can extend investigation time up to 45 days only by provisionally crediting the customer within 10 business days, notifying the customer within two days about the provisional credit and what additional information is needed, and allowing full use of the provisionally credited funds. This mechanism balances operators’ need for time with consumer access to funds but creates liquidity and fraud‑control considerations for issuers.
Notice and contract amendment deadline
Operators must notify customers of their rights under the chapter in a clear, conspicuous notice by July 1, 2026, and must amend user agreements or contracts to include the reimbursement promise. That hard deadline forces firms to update policies, disclosures, and backend processes well before the authentication mandate takes effect.
Regulatory enforcement: commissioner’s monetary remedies
In addition to existing authorities, the commissioner may order refunds, restitution, damages, or other monetary relief to harmed customers for violations of the chapter. The provision gives the regulator a direct monetary enforcement tool but does not expressly create a private statutory cause of action within the bill’s text.
Authentication definitions, login mandate, and operative date
Separate text in the chapter defines two‑factor and multifactor authentication and defines “user login.” The bill then prohibits any provider from allowing a user to log in without two‑factor or multifactor authentication. That requirement becomes operative on January 1, 2028, providing an implementation window for technical, UX, and helpdesk changes across digital wallet and money‑transmission services.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Consumers who are victims of social‑engineering fraud — they receive fast remediation and access to provisionally credited funds during disputes.
- Vulnerable users and low‑tech customers — having public, no‑login claim channels and a statutory right to reimbursement reduces barriers for those who lose account access.
- Regulator (DFPI) — gains express monetary remedy authority to order refunds or restitution, strengthening enforcement leverage.
- Advocacy organizations and compliance professionals — clearer statutory standards produce measurable benchmarks for assessing provider practices and compliance programs.
Who Bears the Cost
- Digital wallet providers and money transmitters — face direct reimbursement expenses, increased fraud‑monitoring, customer‑support workload, and engineering costs to implement MFA and claims workflows.
- Smaller or niche stored‑value issuers — may face acute liquidity pressure from provisional credits and reimbursements and higher per‑customer compliance costs than larger firms.
- Operations and customer support teams — must staff faster dispute timelines, process provisional credits quickly, and manage multi‑channel intake with audit trails.
- Consumers may indirectly bear higher fees or reduced product features — issuers are likely to reprice services or tighten transfer flows to offset increased fraud liability and compliance costs.
Key Issues
The Core Tension
The bill confronts a classic trade‑off: protect consumers from social‑engineering losses by shifting financial responsibility to platforms, versus imposing costs, liquidity demands, and potential usability and access problems on those platforms. Strong consumer remediation reduces harm but risks moral hazard for users and economic strain and operational friction for issuers—there is no frictionless way to have both quick reimbursement and minimal cost or access impact.
The statute pushes immediate loss responsibility to platform operators but leaves open several implementation and legal questions. First, the phrase “directly caused by a fraudulently induced transfer” narrows liability, but the bill does not define standards for customer contributory fault or the degree of deception required.
That gap will create disputes about whether transfers made after repeated prompts, misuse of credentials, or negligent sharing of codes qualify for reimbursement.
Second, the provisional credit rule protects consumers’ access to funds but raises operational and financial risks for issuers. Firms must decide how to provisionally credit (full amount, capped amount), fund those provisional credits from liquidity or reserve lines, and manage subsequent recoveries if investigations later conclude against the customer.
The bill gives no safe harbor for operators who provisionally credit in good faith but later determine the transfer was legitimate.
Third, the authentication mandate (two‑factor or multifactor) sets a security baseline but does not specify acceptable authentication factors, account recovery procedures, or exceptions for accessibility. Requiring MFA across the board may increase account lockouts for users who lack reliable secondary factors, and without guidance on fallback, firms may face tradeoffs between security and customer access.
Finally, although the commissioner can order monetary relief, the text does not expressly create a standalone private statutory cause of action; whether individual customers can sue under this chapter or must rely on other consumer statutes for litigation remedies remains unclear.