Compliance Blog

Unauthorized Use Liability: Digital Wallets and Payment Apps

Written by Jennifer Aguilar, Regulatory Compliance Counsel, NAFCU

In recent years, the way that consumers are paying for goods and services as well as how they are managing their accounts has been changing rapidly. Mobile payment apps and digital wallets are making payments quicker and easier. However, just like any other form of payment, payments made using apps or digital wallets are also susceptible to fraud. Whether it is someone obtaining your member's debit or credit card information from her digital wallet or someone hacking a payments app, it is important to understand when these fraudulent transactions are covered by Regulation E or Z's unauthorized use and liability provisions and when they are not.

There are two main types of payment apps and digital wallets and understanding the difference is the key to determining whether the liability provisions apply. First, there are apps that store the member's payment information (usually a debit or credit card number) and charge the card each time a good or service is purchased – think Samsung Pay or Uber. These apps are rather straightforward when it comes to unauthorized use liability. As the debit or credit card is charged each time the app is used, each transaction is covered under either Regulation E or Z's unauthorized use and liability provisions.

Second, there are apps where funds are stored in the app. The member uses her debit or credit card to load a set amount of funds into the app for later use – think Starbucks or Venmo. As users can sometimes use these apps without charging a debit or credit card, not every transaction is covered by Regulation E or Z's unauthorized use and liability provisions. Instead, whether a transaction is covered will depend on whether it is the "funding" transaction or a post-funding transfer. Let's go through a couple scenarios that will help illustrate which transactions are covered. In each of the examples below, we'll use a fictional app called "CU Pay."

Scenario 1: Jane Member loads $75 onto her CU Pay app using her debit card. Jane leaves her phone on the kitchen counter where her son's friend, Brian, picks it up. Brian discovers the CU Pay app on Jane's phone and sees the $75 balance. He transfers $50 to himself and $25 to his girlfriend. Later that evening, Jane discovers the transactions and notifies her credit union of the loss.

While Brian was not authorized to make the transfers, neither of the transfers he made is covered. Under Regulation E, unauthorized use occurs only when transfers are made from the member's deposit or other asset account. As Brian did not transfer funds from Jane's deposit account, the transfers do not meet the definition of unauthorized use. So, when the credit union is notified of this type of loss, it does not trigger Regulation E's error resolution process and, from the credit union's perspective, the member is liable for the $75 loss. As Regulation Z uses a similar definition, these transactions would also not be covered under Regulation Z's billing error and liability provisions if Jane had used her credit card to load the funds. Jane may, of course, attempt to recover the funds from the company that operates CU Pay but the credit union is not obligated to refund the loss.

Scenario 2: Using the same facts from Scenario 1, suppose that in addition to the two transfers from the app, Brian also loads $200 onto the app using Jane's stored debit card information and transfers the full $200 to himself.

Now, the $200 transaction is unauthorized use under Regulation E. This time, Brian has actually transferred funds from Jane's checking account without authority. If Jane timely notifies the credit union of the transaction, Regulation E's liability provision applies and she may be held liable for at most $50. Here too, Regulation Z's definition tracks Regulation E, so if Brian had used Jane's stored credit card information, Regulation Z's liability provision would apply.


In each of the scenarios above, it is irrelevant that the fraudster never obtained the physical card or the card information. It only matters whether the funds were transferred from the member's deposit or credit card account. For apps like CU Pay, once funds are loaded onto the app, they are no longer covered by Regulation E or Z's liability provisions; only the initial funding transaction is covered. If the debit or credit card used to load funds is a branded card, such as Visa or MasterCard, then the card network's zero liability provision may also apply. Understanding when these regulations or network rules apply is important to ensure that your credit union is not paying out unnecessary claims. Credit unions who receive notice of transactions that are not covered under Regulation E or Z may want to suggest the member contact the company that operates the app.


About the Author

Jennifer Aguilar, NCCO, NCBSO, APRP, Senior Regulatory Compliance Counsel, NAFCU

Jennifer Aguilar, NCCO, NCBSO, APRP joined NAFCU as regulatory compliance counsel in February 2017 and was named Senior Regulatory Compliance Counsel in March 2019. In this role, Aguilar helps credit unions with a variety of compliance issues.
