Compliance Blog

On June 4, 2021 the CFPB published a new compliance aid – some frequently asked questions about Regulation E. Specifically, these FAQs address issues surrounding unauthorized use and investigations of these claims by members. As a reminder, Regulation E establishes limitations on consumers’ liability for unauthorized electronic fund transfers (EFTs), set forth in section 1005.6. The rule also addresses how to investigate claims of errors, which by definition includes but is not limited to unauthorized EFTs. Section 1005.11 provides the requirements for the error resolution process,  including time limitations, the extent of investigation and the requirement to provisionally credit a consumer’s account if more than ten business days is needed to complete an investigation. Several past NAFCU Compliance Blog posts discuss these issues, such as this one on unauthorized use and this one on member liability under Regulation E.

Some of the FAQs seem to stem from the bureau’s Summer 2020 Supervisory Highlights, which noted issues with Regulation E compliance like waivers and investigations of errors. Some of the CFPB’s FAQs are rather straight-forward. For example, FAQ number three addresses whether a member’s negligence can be considered when determining potential liability for an unauthorized EFT. For example, what if a member “wrote the PIN on a debit card or on a piece of paper kept with the card”? The FAQ notes that this actually is clearly addressed in comment (6)(b)-2 in the official staff commentary, which states that “negligence by the consumer cannot be used as the basis for imposing greater liability” than what is allowed under the rule. So, the answer is no, negligence does not affect a member’s liability for unauthorized transfers.

FAQs number one and two address issues when a third party “fraudulently induces” a member into sharing account access information. These kinds of fraud are increasingly common, and the first question discusses whether these situations are “unauthorized EFTs” as defined in the rule. The CFPB indicated that the answer is yes because obtaining an access device through fraud or robbery is an unauthorized EFT and gives a few specific examples:

…Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information: (1) a third party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.

(Emphasis added.)

Similarly, question two addresses whether transfers initiated with fraudulently obtained account information are transfers initiated by someone who was “furnished the access device” by the member. Under Regulation E, the Bureau concluded that being induced by fraud into giving someone account information is not furnishing an access device.

Other FAQs are also worth reviewing. For example, question four reminds credit unions of the anti-waiver provisions in the Electronic Funds Transfer Act, which Regulation E implements, that do not allow financial institutions to use contractual language to limit consumers’ rights under the act. Questions six and seven address the ability to require additional information from consumers, reminding credit unions that they may not require filing of a police report or other documentation, or for a member to first contact a merchant about an authorized EFT to initiate an error resolution investigation. The full list of FAQs can be found here.