Compliance Blog

Back to Basics: Member Liability for Unauthorized Transactions Under Reg Z and Reg E

The holiday season is upon us, which means that credit unions may see an uptick in claims of unauthorized transactions and alleged billing errors. While many credit unions want to work with their members to reduce the losses a member may incur from unauthorized or fraudulent transactions, there are times when a credit union may seek to shift the liability to the member. However, both Regulation E and Regulation Z place important limits on how much liability a credit union may impose on a member. This post focuses on these liability limits; for more on when a transaction is considered unauthorized, see this NAFCU Compliance Blog post.

Member Liability Under Regulation E

Section 1005.6 describes when a credit union may hold the member liable for unauthorized electronic fund transfers (EFTs). With regard to the amount of liability the credit union can impose on the member, section 1005.6 essentially divides members into two separate categories, with the dividing line being whether the member’s unauthorized EFTs involve a lost or stolen access device.

For unauthorized EFTs that do not involve an access device, the member’s liability will depend on whether the member notifies the credit union of the unauthorized EFTs within 60 days of when the credit union sends the first periodic statement including the unauthorized EFTs. In other words, if the member looks at his or her periodic statement, sees the unauthorized EFTs, and notifies the credit union before the 60-day window expires, then Regulation E will not allow the credit union to impose any liability on the member. On the other hand, if the member fails to notify the credit union within the 60-day window, then section 1005.6 allows the credit union to impose full liability on the member for any unauthorized EFTs that occur after that 60-day period. The following chart outlines the time periods for the different liability limits:

| Time Period | Amount of Liability |
| --- | --- |
| EFTs occur up to 60 days after sending the periodic statement reflecting the first EFT. | No liability may be imposed. |
| EFTs occur more than 60 days after sending the periodic statement reflecting the first EFT. | Full liability for all unauthorized EFTs. |

For a member whose access device is lost or stolen, section 1005.6 allows the credit union to impose liability in three tiers:

Tier 1. If a member notifies the credit union of the lost or stolen access device within the first two business days after learning of the theft or loss, then the member’s liability will be limited to the lesser of (a) $50 or (b) the amount of the unauthorized EFTs that occurred before the member notified the credit union. This means if the member notifies the credit union within the first two business days after learning her debit card has been lost or stolen, then her liability cannot exceed $50. The day the member learns of the loss or theft does not count toward the two business-day limit, so if a member learns she lost her debit card on Wednesday, she has until Friday at midnight to notify the credit union for her liability to be limited to Tier 1.

Tier 2. If the member does not notify the credit union within the first two business days after learning of the lost or stolen access device, then the credit union may impose the lesser of (a) $500 or (b) the amount imposed under Tier 1 (maximum $50) for transactions during those first two business days, plus the amount of any unauthorized EFTs which occur after those first two business days, until the member notifies the credit union. In this situation, the member could face liability of up to a maximum of $500. However, section 1005.6(b)(2)(ii) states, for this liability tier to apply, the credit union must establish the additional unauthorized EFTs would not have occurred had the member notified the credit union during those first two business days after the access device was lost or stolen.

Tier 3. Finally, if the member does not report the unauthorized EFTs within 60 days of when the credit union sends the first periodic statement showing the unauthorized EFTs, then the member will be liable for the full amount of any unauthorized EFTs that occur after the 60-day period, until the member notifies the credit union of the unauthorized EFTs. This is in addition to the amounts already imposed under Tier 1 and Tier 2.

The following chart outlines the liability amounts under each tier:

| Tiers | Amount of Liability |
| --- | --- |
| Tier 1 – EFTs occurring up to 2 business days after the member learns of the loss or theft. | The amount of any unauthorized EFTs. Max liability: $50 |
| Tier 2 – EFTs occurring more than 2 business days after the member learns of the loss or theft and within 60 days of sending the periodic statement reflecting the first EFT. | The amount imposed under Tier 1, plus the amount of any unauthorized EFTs. Max liability: $500 |
| Tier 3 – EFTs occurring more than 60 days after sending the periodic statement reflecting the first EFT. | The amount imposed under Tier 2, plus the amount of any unauthorized EFTs. Max liability: Unlimited amount |

Regulation E does not require credit unions to impose liability on the member. Section 1005.6 provides the maximum amount of liability credit unions may impose on their members for unauthorized EFTs, but credit unions may always choose to impose less liability.

Member Liability Under Regulation Z

If the unauthorized transaction is a credit card transaction, then section 1026.12(b) describes the amount of liability a credit union may impose on the member. The liability a member may incur under Regulation Z is quite different than the potential liability contemplated by Regulation E. Section 1026.12(b)(2) limits the member’s liability to the lesser of: (a) the amount of services, goods, money and labor obtained by the unauthorized use or (b) $50. In other words, liability for unauthorized credit card transactions cannot exceed $50.

The staff commentary to section 1026.12(b)(2)(iii) notes no liability may be imposed when the physical card is not involved, such as for transactions over the internet or telephone. This is a critical distinction between Regulation Z and Regulation E, as Regulation E does allow a member to incur liability for unauthorized EFTs that do not involve the physical card, where Regulation Z does not. However, there is an exception – liability may still be imposed if the credit union provides some other sufficient means of identifying the member that does not appear on the card itself.

Again, there is no requirement to impose liability on members for unauthorized credit card transactions. The staff commentary states credit unions that opt to impose no liability are not required to comply with the liability notice provisions and identification requirements in section 1026.12(b)(2).

Card Network Rules

The card networks, such as Visa or Mastercard, may have their own liability rules that credit unions may be contractually obligated to follow as part of their agreement with the card network. Regulation Z and Regulation E set the maximum amount of liability that a credit union may impose on its member, but credit unions and card networks may contractually agree to impose even less liability than provided for in the regulations. Credit unions may want to review the rules applicable to their cards to determine how they affect their members’ potential liability.

As we head into the holidays, credit unions may want to familiarize themselves with the provisions described above, as well as any applicable card network liability rules. As noted above, however, some credit unions may choose to impose no liability on their members, so credit unions may want to consider if that option works best for them.

About the Author

Nick St. John, NCCO, NCBSO, Regulatory Compliance Counsel, NAFCU

Nick St. John was named regulatory compliance counsel in March 2020. In this role, Nick helps credit unions with a variety of compliance issues.
