Regulation E Staff Training A Review of Regulation E

ACH Dispute Handling and Resolution

ACH Stop Payment

Debit Card Dispute Handling and Resolution

Questions to Ask when a Dispute is received A Review of Regulation E Regulation E is all about clear and readily identifiable communication, disclosure and to ensure that a does not inflict financial harm on the consumer.

CONSUMER PROTECTION What Does Regulation E Do? • Regulation E provides the framework for establishing the rights, liabilities, and responsibilities of participants in EFT systems.

• The sole purpose of Regulation E is consumer protection.

• Customer Service Representatives should understand the type of claims that can be made and know the timeframes. What does Regulation E Cover? • Regulation E covers remittance transfers and any transfer of funds initiated though an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing the Financial Institution to debit or credit a consumer consumer’s account.

• Types of transactions covered include: ATM, ACH, bill payment, debit card, gift card, electronic check conversion, etc. What does Regulation E NOT Cover? • Checks or drafts, • Check guarantee or authorization programs, • Wire transfers (with exception of international wire transfers that are covered under Remittance Transfer rules), • Securities and commodities transfers, • Employee assisted telephone transfer initiated between the consumer and Financial Institution outside of a telephone bill-payment or other written plan, or • Automatic transfers (Any transfer of funds under an agreement between a consumer and a financial institution which provides that the institution will initiate individual transfers without a specific request from the consumer.) Main Components of Regulation E

• Disclosure requirements • Issuance of access devices • Error resolution procedures and timeframes • Consumer responsibility related to unauthorized transactions • Record retention. Regulation E Notification Requirements • The timeframe to meet responsibilities under Regulation E begins at consumer notification. • Notification can be provided in writing or verbally. • Notification is given when a consumer takes steps reasonably necessary to provide the Financial Institution with the pertinent information, whether or not a particular employee of the Financial Institution actually receives the information. Examples of Regulation E Notifications • Consumer contacts the financial institution and informs the CSR that there is an unauthorized EFT on their statement or they see a transaction online that they did not authorize.

• Consumer emails customer service inquiring about a transaction. Once the consumer indicates the transaction was not authorized, the Financial Institution’s timeframe for required action begins.

• Consumer inquires at Teller Line about an account balance that is less than expected. Once the consumer states there is an unauthorized transaction the financial institutions timeframe for action begins. Provisional Credit Requirements

• Financial Institutions have the option to require a written notice within 10 business days of a verbal notification of error in order for the client to receive provisional credit.

• A consumers failure to provide written notice does not relieve the Financial Institution from completing a timely investigation. It does alleviate the requirement to provide provisional credit. ACH Network Unauthorized Procedures Defining Unauthorized and Revoked ACH Entries Unauthorized Revoked An unauthorized debit entry is an • Used when the Receiver states entry in which: that the authorization for the ▪ The authorization requirements debit entry as revoked directly it have not been followed in the Originator under the terms accordance with the NACHA and conditions set forth in the Operating Rules; authorization agreement. ▪ A transaction was initiated in an amount different than that authorized by the Receiver; ▪ A transaction was initiated for settlement earlier than authorized by the Receiver. Consumer vs. Corporate Unauthorized

Consumer Unauthorized Corporate Unauthorized

1.Must be accompanied by a Written 1.Not required by the NACHA Statement of Unauthorized Debit Operating Rules to have a Written (WSOUD) as required under the NACHA Statement Operating Rules.

2.Must be returned within 24 hours 2.Must be signed by the and the customer and include why the from the date of the customer is claiming the item is unauthorized/revoked transaction. unauthorized/revoked. 3.Corporate/commercial clients 3.Must be returned within 60 calendar should have ACH Positive Pay to days from the settlement date. ensure the system is alerting them of incoming debits that fall outside of the acceptable transactions. Consumer vs. Corporate/Commercial Unauthorized/Revoked Entries Return Codes and Deadlines Corporate/Commercial Consumer Unauthorized/Revoked Return Unauthorized/Revoked Return Codes and Codes and Deadlines Deadlines Must be returned within 60 calendar days Must be returned within 24 hours from the date from the settlement date. Must be of the unauthorized/revoked transaction. accompanied by a Written Statement of Unauthorized Debit (WSOUD) • R29 - Corporate Customer Advises Not Authorized • R05 – Unauthorized Debit to Consumer AccountUsing Corporate SEC code • R07 – Authorization Revoked by Consumer (may not be used • R31 – Permissible Return Entry for ARC, BOC, POP or RCK Entries) • R10 – Customer Advises Unauthorized, improper, ineligible or part of an Incomplete transaction (used for any entry except for CCD/CTX) • R37 – Source documented presented (ARC, BOC and POP Entries Only ) • R51 – Item Related to RCK Entry is Ineligible or RCK Entry is improper (RCK Entries only) • R53 – Item and RCK Entry Presented for Payment (RCK Entries Only) Required Supporting Documentation – Written Statement of Unauthorized Debit (WSOUD)

Written Statement of Unauthorized ACH Debit (WSUD)

Section I – Account /Transaction Information Receiver’s Name A consumer must complete a Receiver’s AccountNumber Date(s) and Amount(s) of Debit(s) – please list sequentially in date order

Written Statement of Unauthorized Originator/Company (Party Debiting Account/Payee) NOTE: This form can only be used for one specific Originator/Company (Not Multiple Originators)

Section II – ReceiverAssertion Debit if they are I (the undersigned) hereby attest that I have reviewed the circumstances of the above electronic (ACH) debit(s) to my account and determined that the debit(s) were not authorized by me and the following items (identified with checkmarks) are the reason(s) for the entry(s) being defined to the best of my ability as unauthorized: [R10] I did not authorize, and have not ever authorized, (Company Name)to transmitting the return of originate one or more ACH entries to debit funds from my account. (Consumer transactions ONLY) [R10] I Authorized (Company Name) to originate one or more ACH entries to debit funds from my account, but: (for Consumer transactions ONLY) Amount debited is different than what I authorized. Amount I authorized is $_ _,or; an ACH transaction for Revoked, The debit was made to my account on a date earlier than the date on which I authorized. I authorized the debit to be made to my account on (or no earlier than) , 20 . Other (specify) . [R07] Authorization Revoked – I authorized (Company Name) to originate one Unauthorized, or Improper Source or more ACH entries to debit funds from my account, but on , 20 I revoked that authorization by notifying (Company Name) in the manner specified in the original authorization with that company. (PPD and recurring WEB transactions ONLY) [R10] Required notice not provided in accordance with requirements of ACH Rules [ARC, POP, BOC] Document through the ACH [R10] Signature is not authentic or authorized, and/or the item has been altered [ARC, POP, BOC] [R10] Amount of entry was not accurately obtained from the source document [ARC, POP, BOC] [R10] Source document is improper to be initiated as an ACH entry [ARC, POP, BOC] [R37] Both the source document AND the ACH entry were presented for payment [ARC, POP, BOC] network. NOTE: 2020 NACHA Rules [R10] I opted‐out of check conversion activity [ARC, BOC] [R05] Unauthorized Corporate Entry (corporate SEC Code used – CCD) posting to a consumer account [R51 ‐ RCK ONLY] Required notice not provided, signature not authentic /authorized, or item has been altered separates R11 and R10. Ensure [R51 ‐ RCK ONLY] Amount of entry was not accurately obtained from the item [R51 ‐ RCK ONLY] Signature on item is not authentic or authorized, and/or the item has been altered [R53 ‐ RCK ONLY] Both the item AND the ACH entry were presented for payment your WSOUD reflects this change. Section III – Signature of Receiver and Assertion of Authority I am an authorized signer, or otherwise have the authority to act, on the account identified in this statement. I attest that the debit above was not originated with fraudulent intent by me or any person acting in concert with me. I have read this statement in its entirety and attest that the information provided on this statement is true and correct.

Signature Date

03/2010 Unauthorized/Revoked ACH Consumer Entries

• Consumer transactions (PPD, BOC, WEB, ARC, RCK, WEB and TEL) are covered under Regulation E error resolution procedures.

• Consumer unauthorized or revoked ACH transactions may be returned up to the 60th calendar day after the original settlement date of the entry.

• The consumer must complete a Written Statement of Unauthorized Debit that identifies the item as being unauthorized.

–NACHA Operating Rules state that revoked or unauthorized transactions returned utilizing the ACH Network must be accompanied by a Written Statement of Unauthorized Debit. Check Converted Unauthorized ACH Consumer Entries

• Check Converted Items Defined: Electronic check conversion is a process in which your check is used as a source of information--for the check number, your account number, and the number that identifies your financial institution. The information is then used to make a one-time electronic payment from your account - an electronic fund transfer. NOTE: Only consumer entries may be converted.

• Check Truncated Items Defined: The conversion of a physical check into a substitute electronic form for transmission to the paying bank. In the ACH world, an example of a check truncated entry is an RCK entry. NOTE: Only consumer checks may be truncated. Improper Check Converted Transactions (ARC, BOC, POP)

▪ ARC, BOC, or POP ▪ Source document used was not eligible source document (ARC, BOC, POP) ▪ Check used as source document was paid by RDFI (ARC, BOC, POP) ▪ ARC or BOC ▪ Notice not provided by Originator in accordance with Rules (ARC or BOC) ▪ Amount not accurately obtained from source document (ARC or BOC) Improper Check Truncated Transactions (RCK)

▪ Notice not provided by Originator in accordance with Rules ▪ Item related to RCK entry is not an eligible item ▪ Signature(s) on item are not authorized or authentic ▪ Item has been altered ▪ Amount not accurately obtained from item ▪ Both RCK entry and item have been paid Ineligible vs. Eligible Check Converted and Truncated Entries Eligible for Conversion Ineligible for conversion • Pre‐Printed Check Serial Number • Auxiliary On‐Us (Business Check) • Amount of $25,00 or less • Third Party check • RCK < $2,500 • Credit Card/ Home Equity check • Has Routing Number, Account • Drawn on Investment Company Number & Check Serial Number • Official / Cashier’s Checks / in magnetic ink (MICR) Money Orders • Source Document (Check) • Drawn on State/ local Presentment government • Meets Authorization Requirements • Government check • Check dated 180 days or less • Not payable in US currency prior to RCK Incomplete Transactions for ARC, BOC, and POP ▪ Allows for the return of a debit entry to a consumer account or any Receiver with respect to an ARC, BOC or POP within 60 days of the Settlement Date for an Incomplete Transaction.

▪ In certain business arrangements, a Third Party Sender (i.e. third party that initiates a utility bill for a receiver). In events where the Third Party does not correctly credit the Receiver’s payment obligation but still debits the Receiver, the consumer may wish to initiate a request to return the entry as unauthorized. Unauthorized Credits ▪ An unauthorized credit is also subject to Regulation E.

▪ Ensure that your staff is prepared to handle consumer’s unauthorized credits.

▪ Remember, this is NOT an unauthorized debit so don’t use a WSOUD and a wrong return reason code.

▪ Have them sign an unauthorized credit form and return as R23. Recommended Supporting Documentation for Returning an Unauthorized Credit

A consumer or corporate customer should complete an unauthorized credit form if they are requesting the return of an ACH unauthorized credit. NACHA Network Rules Compared to Regulation E

NACHA Operating Rules Regulation E Upon notification of an ACH dispute, there are no timing Upon consumer notification of a dispute, the financial institution is requirements under NACHA Operating Rules to investigate. required to begin the investigation.

Under Network Rules, there are timing requirements to return the Regulation E does not require that a financial institution use the ACH ACH consumer dispute entry within 60 calendar days of the Network for resolving ACH disputes. settlement date of the original entry.

NACHA Operating Rules require that you have consumer sign a Regulation E requires the consumer to notify the financial institution Written Statement of Unauthorized Debit before initiating the within 60 calendar days of the first statement date of the monthly returns of PPD, POP, ARC, BOC, RCK, WEB, and TEL entries. statement.

NACHA Operating Rules focuses on the requirements under the Regulation E is focused on the financial institutions requirements to Rules if you use the network to obtain the credit for the initiation disclose, investigate, provide provisional credit and close the of unauthorized debits. investigation in accordance with Regulation E.

In the ACH Network, a converted or truncated check is considered In accordance with Regulation E, the ARC, RCK, POP, and BOC are an ARC, RCK, POP, RCK, and BOC. considered ECK entries. Stop Payments on ACH and Debit Cards Stop Payments Stop Payment Defined ▪ Is an administrative return but initiated by a customer requesting the payment to be stopped, and ▪ Is used to stop one transaction or all future transactions. ▪ Can be used to stop a consumer or commercial transaction. ▪ Can be used for ACH and Debit Card transactions

Deadline for Placing a Stop Payment ▪ The consumer may order a stop payment (orally or in writing) up to three banking days prior to the expected Settlement Date. ▪ RDFI may require written confirmation within 14 days of an oral stop payment request. ▪ A Stop Payment Form must be completed when a Client wishes to place a stop payment on an item. ACH Stop Payment

ACH Stop Payments – This allows the consumer to stop ONE transaction or ALL FUTURE ACH entries. Receiving DFIs place a stop payment on the ACH entry within their core system based on the instruction from the consumer and/or the corporate customer.

▪ Consumer Stop Payment Order – Enables a consumer to stop a specific ACH transaction in a six-month period.

▪ Consumer Stop Payment for all Future – Enables a consumer to stop all future ACH Transactions.

▪ Corporate Stop Payments – Enables a corporate customer to stop a specific transaction in a six-month period. Debit Card Stop Payment

Preauthorization Payment Cancellation Services (Stop Payment for Debit Cards) – The Preauthorized Payment Cancellation Service (PPCS) is a cost-effective way for Issuers to handle customers’ stop payment requests for preauthorized electronic funds transfers, such as recurring and installment payments. Using the service, issuers can inform acquirers and their merchants, via an authorization response, that a cardholder has requested a stop payment for either one specific payment or all subsequent payments. ▪ Stop Payment Order – Enables a consumer to stop a specific preauthorized payment.

▪ Revocation of Authorization Order – Enables a consumer to stop all future preauthorized payments from a particular merchant.

▪ Revocation of all Authorization Orders – Enables an Issuer to cover all automatic bill payment revocations for multiple merchants with one Preauthorization Payment Cancellation Services order. Handling Debit Card Disputes in Accordance with Regulation E Consumer Notification

▪ If the consumer does not notify the financial institution within 60 calendar days, the Financial Institution is not required to comply with the 10 business day/45 day investigation rules.

▪ Business debit cards are not applicable to Regulation E (unless you provide this type of protection in your terms and conditions agreement for your business customer).

▪ A financial institutions terms and conditions agreement should provide specifics on business debit cards. Consumer Notification and Liability for Unauthorized Transactions

Timely Notification of Unauthorized Untimely Notification of Unauthorized Debit Card Transaction Debit Card Transaction

No consumer liability if the client No liability to the consumer in the first makes notification within 60 calendar 60 calendar days from the days from the transmission of the first transmission of the first statement statement showing the unauthorized showing the unauthorized transaction. transaction. Unlimited liability for unauthorized transactions occurring 61st calendar days after transmittal of statement and before notice to the financial institution. Consumer Notification and Liability for Loss or Theft of an Access Device

Timely Notice of the or Untimely Notice of the Loss or Theft or an Access Device Theft or an Access Device

Consumer’s Liability may not exceed Consumer’s Liability increases to no $50.00 if the Financial Institution was more than $500.00 if the customer notified within 2 days of the consumer fails to provide timely notice within 2 learning of the loss or theft of an days of the consumer learning of the access device. loss or theft of an access device. Regulation E Debit Card Financial Institution Error Resolutions and Timeframes Errors that qualify for resolution process

▪ Unauthorized EFT. (An EFT initiated by someone other than the account holder that provided no benefit to the accountholder.)

▪ Incorrect EFT to or from the consumer’s account.

▪ The omission of an EFT from a periodic statement.

▪ A computational or bookkeeping error made by the financial institution relating to an EFT. Errors that qualify for resolution process

▪The consumer’s receipt of an incorrect amount of money from an electronic terminal.

▪EFT not identified correctly.

▪Consumer’s request for documentation or for additional information or clarification to determine if an error exists. • A routine inquiry about the consumer’s account balance, Errors that DO NOT qualify for resolution • Request for information for tax or other recordkeeping process purposes,

• Request for duplicate copies of documentation. Dispute Timeframe - Consumer Notification

Consumer Notification = Day the Dispute is made. • The error resolution (dispute) process begins the day consumer notifies Financial Institution (oral or written).

• Notification is given when a consumer takes steps reasonably necessary to provide the Financial Institution with the pertinent information, whether or not a particular employee of the Financial Institution actually receives the information.

The consumer notified the financial institution on the 4th of January so the disputetimeframe should begin on the 4th. Provisional Credit Timeframe

• Financial Institutions have the option to require a written notice within 10 business days of a verbal notification of error in order for the client to receive provisional credit.

• A consumers failure to provide written notice does not relieve the Financial Institution from completing a timely investigation. It does alleviate the requirement to provide provisional credit.

If the verbal notification was given on the 4th, the financial institution may require the consumer to require a written notice within the ten day businessperiod. Completion of the Investigation

• Financial institution must conclude the investigation within 10 business days.

• If the account is a new account that has been opened less than 30 calendar days, then the financial institution may conclude the investigation in 20 business days.

If the consumer notification was given on January 4th, the financial institution must conclude the investigation no later than January 18th. Extending the Investigation The Financial Institution may extend the time to conclude the investigation to a total of 45 calendar days given the following conditions:

▪ Provisionally credits the client’s account for the amount of the claimed error (with interest) within 10 business days.

▪ Notifies the client of the credit within 2 business days, and

▪ Gives client full use of the credit during the investigation.

Extending the investigation is conditional based on the above requirements set forth byRegulation E. The absence of the above requirements could place financial harm on the customer duringthe investigation process. Extending the Investigation

The Financial Institution may extend the to conclude the investigation to a total of 90 calendar days for the following types of debit card disputes: ▪ POS Debit Card Transactions ▪ Transactions initiated from outside the U.S. or ▪ New Accounts

Extending the investigation is conditional based on the above requirements set forth byRegulation E. The absence of the above requirements could place financial harm on the customer duringthe investigation process. Results of a Debit Card Dispute Investigation

Investigation finds no error Investigation determines an error occurred occurred • The Financial Institution will • The error will be corrected within mail/deliver a written explanation one (1) business day. within three (3) business days of the conclusion of the investigation. • Financial Institution will communicate in writing to the client within three (3) business • Provide notification to client that days. provisional credit was reversed. The Financial Institution will honor payment orders for five (5) business days. Debit Card Network Rules Compared to Regulation E

Debit Card Network Rules Regulation E Upon notification of a debit card dispute, the debit card Upon consumer notification of a dispute, the financial institution is network assumes the institution will follow Regulation E required to begin the investigation immediately. requirements. Under the debit card network Rules, if you use the network for Regulation E does not require that a financial institution use any investigation purposes, you are required to follow your particular network for resolving ACH disputes. network Rules requirements for obtaining credit.

Your debit card network has its own deadline requirements for Regulation E requires the consumer to notify the financial accepting a dispute. This may be 120 days for example. institution within 60 calendar days of the first statement date of the monthly statement.

Your network for debit card disputes will require that you Regulation is about clear and readily clear information regarding obtain specific pieces of information prior to initiating the the status of the investigation which includes ensuring the request (i.e. police report, dispute directly from the client). consumer receives all important information from the beginning to the end of the investigation. Questions To Ask When A Debit Card Dispute is Received Q: What is the amount of the transaction?

Introductory Q: What is the date of the Debit Card transaction? Dispute Q: What is the name of the Questions company?

Q: What is the last authorized transaction made by you? Q: Do you have your debit card in your possession? ▪ Here you want to understand if the consumer has their card with them so that you can provide this information as part of the investigation. This information is important when working with your bankcard association to further determine if the authorization was made remotely or in- person.

▪ This question determines a card present vs. a card not present dispute.

▪ Digital Wallet transactions such as ApplePay, SamsungPay and AndroidPay are considered card present transactions. Q: Is this debit card dispute an unauthorized transaction or for a lost or theft of your access device? Here you are wanting to establish if this is an unauthorized item or if the consumer has lost their debit card or if their debit card was stolen. This provides information on timely vs. untimely notification for unauthorized (60 calendar days) vs. timely vs. untimely loss or stolen debit card (2 days). Q: When did you first discover that you lost your debit card? ▪ This question is important for documenting the date the consumer first discovered that their debit card was lost/stolen or there was an unauthorized transaction.

▪ For example, if the consumer first identified that they had an unauthorized transaction three months prior, this is outside of the consumer notification requirements based on Regulation E. Q: Have you contacted the merchant? ▪This question is not a condition for conducting an investigation but information that should be documented to share with the merchant.

▪Bankcard associations usually require this information to be answered as part of their investigation. Terri Sands, CAMS – Audit, Certified Fraud Examiner (CFE), Accredited ACH Professional (AAP), At-Risk Adult Crime Tactics (ACT) Specialist, Founder of Secura Risk Management [email protected]

www.securariskmanagement.com Membership Opportunities Available – Join Today! 1-800-515.8617