Earlier in the year we published an article about Regulation E unauthorized transfers. In June, the CFPB clarified which scenarios and transactions are to be considered fraud.
Prior to this clarification there was debate over whether a customer could be liable for giving their online banking information to a fraudster and essentially “authorizing” the subsequent fraudulent transaction. Some schools of thought argued that the customer authorized the transaction even though the customer did so under fraudulent circumstances.
No need to debate anymore
The CFPB has clarified that if a consumer shared account access information with a third party via fraudulent means, such as trickery, the subsequent transfer is fraudulent. The trickery doesn’t have to be verbal, as in the examples we provided in the prior Regulation E article whereby a fraudster calls a consumer claiming to be from the cable or power company. The trickery can also come from other forms of social engineering, a phishing email, or any other fraud used to gain access to a consumer’s device or account. The CFPB also clarified that a consumer being negligent and writing a PIN on a debit card (for example) doesn’t negate Regulation E protections. In clarifying the rule, the CFPB removed all ambiguity from the scenario where the consumer provides the required information to a fraudster who conducts the electronic transfer out of the consumer’s account. The transfer is unauthorized because of the fraudster’s fraudulent intent.
What remains fuzzy, however, is what happens when a fraudster induces the consumer himself or herself to make the transfer. In this scenario, the fraudster still tricks the consumer, but it’s the consumer who ends up making the transfer to the fraudster. The CFPB did not clarify the consumer’s liability under this scenario.
The CFPB also reminded institutions that other entities, such as a payment card or network, publish rules surrounding electronic fraud, but those rules are not to trump Regulation E. If the other rules provide more protections to consumers, that is acceptable, but if they provide fewer protections to consumers, institutions must follow Regulation E. Also, the CFPB reminded institutions that an institution must still investigate a consumer’s dispute without requiring the consumer to take further steps. (Note, the institution can still require the consumer to put the dispute in writing in order to provide provisional credit.)
With Regulation E, the devil is in the details. This would be a good time to review those details against the institution’s policies, procedures, forms, and systems to ensure the institution is complying with the requirements of Regulation E.