Consumer's Liability for Unauthorized Transfers
The purpose of the Electronic Funds Transfer Act and Regulation E is to protect individual consumers engaging in electronic funds transfers (EFTs). Toward that end, the Act and Regulation include an unauthorized EFT within the definition of “billing error” so that the consumer protection rules we reviewed in the previous section apply when someone makes an unauthorized EFT. The Act and Regulation also put limits on the amount for which a consumer would be liable in the event of an “unauthorized” EFT. The rules that spell out these limitations are complicated, but you can understand them if you take them one step at a time, and that is what we will do in this section.
Before we go through those steps, though, we should refresh your memory regarding exactly what constitutes an “unauthorized” EFT. An unauthorized EFT is an EFT from a consumer’s account from which the consumer receives no benefit and that is made by someone other than the consumer who does not have actual authority to make the transfer. However, if the consumer furnished the person with the access device, gave the person actual authority to make EFTs, and then did not notify the institution that transfers by this person are no longer authorized, the transfer will not be considered unauthorized. Also, if the transfer is initiated with fraudulent intent by the consumer or by someone acting in concert with the consumer, or if the financial institution or its employee initiates the transfer, the transfer will not be considered unauthorized. [12 CFR 1005.2(m)] Finally, a reversal of a direct deposit is not an unauthorized EFT if you made a credit to the wrong consumer’s account, made a duplicate credit to the consumer’s account, or made a credit in the wrong amount. [Commentary, 12 CFR 1005.2(m)-5]
Keep in mind that the notices you send under these rules may be sent by electronic communication if certain conditions are met. See the earlier section in this chapter under the heading “Special rules for electronic disclosures.” Also keep in mind that since an unauthorized EFT fits within the definition of ”error,” you need to follow the investigation procedures we spelled out in the previous section of this chapter entitled “Billing-Error Procedures.”
One last thought before we start. The rules we describe below may be “preempted” if your access card is a VISA or MasterCard. These companies require that the institution offer a form of “zero liability” for unauthorized transfers. Since these provisions are more beneficial to the consumer than the Regulation E rules, they would control.
Step one (conditions you must meet before consumer suffers any liability)
The consumer will not be liable at all for any unauthorized EFTs unless you have met all of these conditions:
You have provided to the consumer, in writing, a summary of the consumer’s liability for unauthorized EFTs, the telephone number and address that the consumer should use to notify you of an unauthorized EFT, and your business days. [12 CFR 1005.6(a)] Remember, these items are required on your initial disclosure form and so you will have provided them in that fashion if you prepared and delivered your initial disclosure properly.
If the unauthorized transfer involves an access device, the device is “accepted.” [12 CFR 1005.6(a)] An “accepted” access device is one that has been delivered to and accepted by a consumer in a fashion permitted by the rules we will look at later concerning the issuance of access devices. [12 CFR 1005.2(a)(2)]
If the unauthorized transfer involves an access device, you have provided a means to identify the consumer to whom the access device was issued. [12 CFR 1005.6(a)] A personal identification number (PIN) is the most common means, but photographs, signatures, or fingerprints are also acceptable means.
If you have met these conditions, then the consumer may be liable for unauthorized EFTs subject to the rules we’ll describe now.
Step two (timely notice of loss or theft of access device)
This step applies only if the unauthorized transfer is due to the loss or theft of the consumer’s access device. If the consumer’s access device is lost or stolen and the consumer notifies you of that fact within two business days of learning of that fact, the consumer will be liable for no more than the lesser of $50 or the amount of unauthorized transfers that occur before the consumer gives the notice. [12 CFR 1005.6(b)(1)] For example, if the consumer loses his card on Tuesday, notifies you of that on Wednesday, and $45 of unauthorized transfers had been made with the card on Tuesday, the consumer will be liable for the $45. However, if $60 in unauthorized transfers had been made on Tuesday, the consumer would only be liable for $50.
The two business day period starts on the first business day after the day the consumer learns of the loss or theft of the access device. It expires at 11:59 P.M. of the second business day following the consumer’s discovery. So, if the consumer learns of the loss or theft on Friday at 6 P.M., and assuming Saturday is a business day for the institution, the time period would expire at 11:59 on Monday, assuming Monday is a business day. It makes no difference what time of day the consumer learns of the loss or theft, nor does it matter what the institution’s business hours are. [Commentary, 12 CFR 1005.6(b)(1)-3]
Step three (no timely notice of loss or theft of access device)
This step also applies only if the unauthorized transfer is due to the loss or theft of the consumer’s access device. If the consumer’s access devise is lost or stolen and the consumer does not notify you of that fact within two business days of learning of that fact, the consumer will be liable, up to a maximum of $500, for the sum of: (1) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and (2) the amount of unauthorized transfers that occur after the close of two business days and before notice to you, provided you can show that these transfers would not have occurred had the consumer notified the institution within that two-day period. [12 CFR 1005.6(b)(2)]
Step four (timely notice of unauthorized transfers appearing on periodic statement)
Regardless of whether the unauthorized transfer occurs because of the loss or theft of an access device, the consumer must promptly report to you any unauthorized transfers that appear on the consumer’s periodic statement. If the consumer fails to report any unauthorized transfer that appears on the statement within 60 days of your transmittal of the statement, the consumer will be liable for any subsequent unauthorized transfers that occur after the close of the 60 days and before notice to you if you can show that the transfers would not have occurred had the consumer notified you within the 60-day period. If the unauthorized transfer is not due to a lost or stolen access device, then the consumer’s liability is limited to these transfers. If the transfer is due to a lost or stolen access device, the consumer may also be liable under steps two and three above. [12 CFR 1005.6(b)(3)]
If the account is a payroll card account for which no periodic statement is provided, the 60-day period above starts on the earlier of:
The date the consumer electronically accesses the consumer’s account, provided that the information about the transfer was made available to the consumer at that time; or
The date the financial institution sends a written history of the consumer’s account transactions requested by the consumer in which the unauthorized transfer is first reflected.
These time periods require that you either keep track of when the consumer electronically accesses the account or when you send written history to the consumer. If you would rather not keep track of those, you can choose to comply by treating a notice from the consumer as timely if you receive it within 120 days of the date of the recording of the transfer.
[12 CFR 1005.18(c)(3)]
We have just a few final thoughts about the consumer’s liability in the event of an unauthorized transfer. First, the time periods mentioned in these rules in which the consumer must notify you will be lengthened if extenuating circumstances exist that caused a delay in the notification. Examples of such circumstances are hospitalization and extended travel. The time periods will then be lengthened by a reasonable time. [12 CFR 1005.6(b)(4)]
Second, it is possible that your state law limits the consumer’s liability in the event of an unauthorized transfer even more strictly than does Regulation E. (See our later section in this chapter summarizing individual state laws and regulations.) Or, your own agreement with the consumer may do that, either because that is your normal policy or because a third-party credit or debit card company whose cards you issue requires the more protective rule. If either your state law or your own agreement with the consumer limit the consumer’s liability more strictly than does Regulation E, the state law or agreement will control rather than Regulation E. [12 CFR 1005.6(b)(6)]
Third, the notice the consumer must give you under these rules can be in person, by telephone, or in writing and is considered given when the consumer takes such steps as are reasonably necessary to provide you with the information, whether or not a particular person or anyone at your institution actually receives the information. [12 CFR 1005.6(b)(5)(i)] If the consumer mails the notice, it is considered given when deposited in the mail. [12 CFR 1005.6(b)(5)(iii)]
Finally, you are considered by the Regulation to have received notice when you become aware of circumstances that lead to the reasonable belief that an unauthorized EFT involving the consumer’s account has been or may be made regardless of whether the consumer actually transmits the necessary information to you. [12 CFR 1005.6(b)(5)(iii)]