Regulation E Five Best Practices for Handling Disputes
Thursday, April 21, 2016 10:00-12:00 Central
Presented by:
Susan Costonis, C.R.C.M. Compliance Training & Consulting for Financial Institutions
E-mail: [email protected]
Reg E – Five Best Practices for Disputes 1 TABLE OF CONTENTS
Reg E – Five Best Practices for Disputes 2 Overview for Handling Regulation E Disputes & Inquiries
Reg E – Five Best Practices for Disputes 3 WEBINAR OVERVIEW
Financial institutions began issuing EMV chip cards in 2015* and will probably continue the process throughout 2016. While the new technology may help reduce fraud for “in- person transactions”, the potential for online fraud continues to grow. Will your financial institution experience more debit card fraud investigation in 2016? Our topic for the webinar will focus on several simple steps to handle Reg E customer disputes and inquiries. Understanding the rules will help you satisfy the regulators but can also SAVE YOUR FINANCIAL INSTITUION MONEY by only paying the claims that you are required to reimburse for unauthorized transactions. We will review the steps required to handle disputes and inquiries and the time frames for resolving a claim for an unauthorized transaction. The only way you can be sure that your front line staff is complying with this high-profile consumer protection regulation is by providing effective training and providing sound procedures.
What You Will Learn The basic disclosure requirements of Reg E and the definitions that guide the error resolution process. What questions should you ask a customer about a disputed transaction? What are five “best practices” for handling a Reg E dispute? What should be included in an investigation report? How do you determine if a customer is liable for an unauthorized transaction? You’ll learn practical suggestions for conducting and documenting an investigation. Resources to educate customers about fraud prevention *(EMV stands for “Europay, MasterCard, and Visa, the three companies that developed the technology to improve payment security and reduce fraud).
Who Should Attend This webinar will benefit Customer (Member) Service Reps, New Account Reps, Teller Supervisors, Deposit Operations staff, Security and Compliance Officers. NOTE: This webinar will NOT address Visa or MasterCard zero liability rules; only the Federal Reg E dispute provisions are included.
QUESTION: A customer reported that they lost their card. The customer told the personal banker that they'd written their PIN on the card. There have been several ATM withdrawals that the customer reports weren't done by him. Isn't the customer liable since he wrote his PIN on the back of the card? Our account disclosure says that the customer agrees to keep their card and PIN secure. Can we deny the claim?
ANSWER: The consumer's liability will be determined by whether or not they reported
Reg E – Five Best Practices for Disputes 4 the loss of the card within the prescribed time frames. Unfortunately, the commentary to Reg E 1005.6(s) says this: "Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers." REMEMBER:
Life’s not always fair….and Reg E is about CONSUMER PROTECTION
1. A consumer may be held liable, for an unauthorized electronic fund transfer involving the consumer's account only if the financial institution has provided the disclosures required by Sec. 1005.7(b)(1), (2), and (3). If the unauthorized transfer involved an access device, it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued. 2. Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Consumer behavior that may be negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. 3. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device or unauthorized transactions on a periodic statement. 4. Documentation of the investigation process and proving that the bank followed the timing requirements is critical.
Reg E – Five Best Practices for Disputes 5 COMPLIANCE WARNING ABOUT POLICE REPORTS
Your financial institution may have a “policy” to require that customers file a police report. Whether the customer follows this “policy”, Reg E requires that the financial institution must start an investigation and provide provisional credit if the investigation cannot be completed within the timeframes outlined in the regulation. Provisional credit cannot be debited simply because the consumer didn’t file a police report. READ THE REPORT ABOUT A RECENT FDIC REG E CIVIL MONEY PENALTY. ARTICLE SOURCE: http://www.journalgazette.net/article/20111029/BIZ/310299939 Published: October 29, 2011 3:00 a.m.
MarkleBank fined $82,500 for violation FORT WAYNE – A local bank has been fined for failing to follow federal rules. But the CEO says the error was minor. The Federal Deposit Insurance Corp. has assessed MarkleBank a penalty of $82,500 for violating Regulation E, which governs how banks resolve errors involving automated teller machines and debit cards. FDIC spokeswoman LaJuan Williams-Young said her agency won’t release details beyond those contained in a three-page final order signed Sept. 9 and released Friday. Mike Marhenke, president and CEO of Independent Alliance Banks Inc., said the issue revolved around whether bankers could require customers to file a police report before giving temporary credit for unauthorized withdrawals from their accounts. Staff at both banks under his watch required police reports because they simply missed that provision in the detailed regulations banks are required to follow, Marhenke said. Independent Alliance Banks is a two-bank holding company that owns Grabill Bank and MarkleBank. “The last compliance exam, we were doing the same thing, and (inspectors) didn’t say a thing,” Marhenke said. Marhenke said banking regulators are “sharpening their teeth” in preparation for the Dodd-Frank Act, which will unleash hundreds of new regulations on financial institutions. Independent Alliance Banks expects to double or triple its two-person compliance department in the coming year to keep up with the rules changes, he said. Although Marhenke doesn’t know how many times the issue came up, he said the typical situation would be if a child had taken a parent’s ATM card and withdrawn cash. In those cases, parents often choose not to file a police report. The regulation requires that banks temporarily restore the disputed amount while bank officials conduct an investigation. Once they discover who removed the money, the customer is required to file a police report to keep the restored money. If the customer declines, the bank takes back the disputed funds. Since the fine, which Marhenke considers too high, MarkleBank and Grabill Bank have changed procedures. Fines are assessed based on a bank’s size, with larger banks receiving much higher penalties. MarkleBank is small enough for a fine of $82,500 to sting. “Were we taking advantage of customers? No,” Marhenke said. “I don’t believe we ever took advantage of a customer. They got us on a technicality.”
Reg E – Five Best Practices for Disputes 6 FDIC AND CONSUMER “HARM
The FDIC added a NEW section to the Compliance Exam procedures in June 2014 and updated the section in November, 2015 called “Evaluating Consumer Harm”; it is in II- 2.1 and can be found at this link: http://fdic.gov/regulations/compliance/manual/index.html
Here is one section that involves error resolution and the potential for consumer harm.
Reg E – Five Best Practices for Disputes 7 BIG PICTURE ON REG E AND CONSUMER DISPUTES
Reg E – Five Best Practices for Disputes 8 REGULATION E OVERVIEW
Regulation E implemented provisions of the Electronic Funds Transfer Act in 1979 and is one of the oldest consumer deposit regulations. Congress was skeptical about the reliability of computers to process financial transactions at a time when computer processing was limited to ATM networks and automated clearing house (ACH) activity. Now the information from a consumer’s paper check can be used to create a one-time electronic transfer covered by Regulation E. It is extremely important to keep in mind the intent of this regulation when looking at what financial institutions must do to prove adequate compliance, particularly when investigating and resolving errors. It’s very clear from the broad definition of an unauthorized electronic fund transfer and limitations on liability in the Reg E commentary that the primary objective of the regulation is to protect the consumer.
1005.2(m)Unauthorized Electronic Fund Transfer is a: 1. Transfer by institution's employee. A consumer has no liability for erroneous or fraudulent transfers initiated by an employee of a financial institution. 2. Authority. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized. 3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. 4. Forced initiation. An EFT at an automated teller machine (ATM) is an unauthorized transfer if the consumer has been induced by force to initiate the transfer.
1005.6(b)Limitations on Amount of Liability 1. Application of liability provisions. There are three possible tiers of consumer liability for unauthorized EFTs depending on the situation. A consumer may be liable for (1) up to $50; (2) up to $500; or (3) an unlimited amount depending on when the unauthorized EFT occurs. More than one tier may apply to a given situation because each corresponds to a different (sometimes overlapping) time period or set of conditions. 2. Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)–2 regarding termination of the authority of given by the consumer to another person.) 3. Limits on liability. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.
Reg E – Five Best Practices for Disputes 9 Reg E – Five Best Practices for Disputes 10 What are the rights and responsibilities of the consumer under Regulation E? Consumer Rights Consumer Responsibilities The right to accept (or refuse) an access device; the right to validate an access code.* The right to an initial disclosure that outlines: 1. The consumer’s liability if the card is lost or stolen 2. A telephone number for reporting the loss or theft of the card or an unauthorized transfer 3. A notice of the business days for the financial institution 4. A description of error resolution procedures** 5. Description of the kinds of electronic transfers and any limits on the frequency or dollar amounts of transfers 6. Any charges for using EFT services 7. How to stop a pre-authorized transfer 8. The financial institution’s liability for any failure to make or stop transfers 9. The conditions for giving information to a third party 10. NEW – Remittance Transfer disclosures & error resolution 10/28/13 The right to receive a periodic statement describing the electronic . fund transfers The right to receive receipts from electronic terminals *** The right to receive a notice of any fees for making an EFT or balance inquiry : The RIGHT to OPT-IN for ODP payments of one-time electronic items OPT-IN for ODP payments of one-time electronic items The right to receive a change in terms notice The right to new protections for GIFT CARD purchases NEW in October 28, 2013- Remittance Transfer rules AND Error resolution procedures The right to dispute unauthorized transfers and limit the loss with The responsibility to notify a financial proper notification. The right to have the error explained in 10 institution within two business days of business days (20 for new accounts) or receive provisional credit of the loss of a device or code and within the disputed amount if the investigation takes 45 calendar days or 90 60 calendar days from receipt of a calendar days for POS, foreign-initiated transactions of for new periodic statement to limit the accounts.**** consumer’s liability. ***** The right to receive notices about preauthorized transfers (by The responsibility to notify a financial positive or negative notice or availability of a phone line to call; the institution to stop payment of a right to be notified of varying payments at least 10 days in advance preauthorized EFT at least 3 business or to choose a range of amounts to be told only when the transfer days before the scheduled date falls outside the range Preauthorized EFT’s from a consumer’s account must be authorized by the consumer in writing * A creditor can’t require that a consumer repay a loan by EFT except for overdraft checking plans. An employer or government agency can require that salary or a government benefit be paid by an EFT, however a consumer has the right to choose the institution that will receive the funds. ** An error resolution notice (long form) must be provided annually or a short notice with each periodic statement *** A financial institution is not required to make a receipt available for transfers of $15 or less **** Errors for new accounts when an EFT was involved within 30 days of the first deposit. ***** Extenuating circumstances like vacation or a hospital stay can allow more than 60 calendar days. A consumer can Reg E – Five Best Practices for Disputes 11 be required to put an oral notice in writing, however investigation can’t be delayed.
Reg E – Five Best Practices for Disputes 12 What are the rights and responsibilities of the Financial Institution under Regulation E? Financial Institution Rights Financial Institution Responsibilities The right to issue a solicited access device The responsibility to provide an initial disclosure The right to issue an unsolicited device that that outlines: requires validation and the consumer’s identity 1. The consumer’s liability if the card is lost or has been verified by a reasonable means 2. A telephone number for reporting the loss or (provided that there is a clear explanation that theft of the card or an unauthorized transfer the device is not validated and how to dispose 3. A notice of the business days for the financial of it if validation isn’t desired) institution The right to renew an accepted access device 4. A description of error resolution procedures or in substitution of a device issued by an 5. Description of the kinds of electronic transfers acquired institution and any limits on the frequency or dollar amounts of transfers 6. Any charges for using EFT services 7. How to stop a pre-authorized transfer 8. The financial institution’s liability for any failure to make or stop transfers 9. The conditions for giving information to a third party. 10. The responsibility to give a new disclosure if an additional service is added. The responsibility to provide a periodic statement describing the electronic fund transfers* The responsibility to provide receipts at electronic terminals that include the amount, date, and type of transfer, a code of four digits or less to identify the account and a terminal location and the third party transfer information ** The responsibility to provide a notice of any fees for making an EFT or balance inquiry The responsibility to provide a change in terms notice as required The responsibility to provide an error resolution notice at least once a calendar year or with each periodic statement. NEW: The responsibility to only charge fees for OPD coverage of a one-time electronic debit IF a consumer has chosen to opt-in; provide disclosures and monitor use The right to refund unauthorized funds transfers in The responsibility to investigate the report of an unauthorized accordance with the consumer notification requirements. funds transfer when a consumer gives reasonable notice in Certain time frames are extended for foreign- person, by phone or in writing or when the institution transactions, POS debit card transactions, and new becomes aware that an unauthorized EFT has been or may be accounts. The right to request a written statement made. The responsibility to follow the time limits, requests for regarding the error, but investigation can’t be delayed. documentation or clarification, provide written explanation of Provisional credit is not required when required written the investigation, and refund unauthorized EFT’s according to
Reg E – Five Best Practices for Disputes 13 notice isn’t provided. Provisional credit can be debited the error resolution procedures of 1005.11.*** Unconditional if an error didn’t occur with 5 days notice & no OD fees. use of provisional credit must be given. The right to receive notices about stopping a The responsibility to stop payment when appropriate notice is preauthorized transfer at least 3 business days before the given; the responsibility to outline written stop payment scheduled date and to require a written notice within 14 requirements including the address for sending the notice. The days of an oral notification. The right to not provide a responsibility to provide either a positive or negative notice of notice of transfer if the payor gives the consumer preauthorized transfers to a consumer’s account or availability positive notice that the transfer has been made. of a phone line for the consumer to call and confirm the deposit. The responsibility to credit the amount of the transfer the date the funds are received. The responsibility of the payee or financial institution to send the consumer written notice of the amount and date of the transfer at least 10 days before the scheduled date when the amount varies from the previous transfer under the same authorization or from the preauthorized amount (the consumer can choose to only receive notice when the transfer falls outside a specified range of amounts or when the transfer differs from the most recent on by more than an agreed amount). NEW: The responsibility to comply with new GIFT CARD disclosures and restrictions on expiration dates and fee charges NEW – Effective October 28, 2013 – Remittance Transfer Rules & Error resolution – more disclosures, training & procedures The responsibility to only require that a consumer repay a loan by EFT for overdraft checking plans * The periodic statement transaction information should include the amount, date, and type of transfer, the account number, any fees, the account balance at the beginning and close of the statement, the address and phone number for inquiries, the phone number for preauthorized transfers if the phone notice option is selected. ** The terminal location may be the city, state or foreign country and a code identifying the terminal number with either the street address, generally accepted name or name of the operator if not owned by the financial institution. ** A financial institution is not required to make a receipt available for transfers of $15 or less; foreign terminal receipts are not required if an inquiry for clarification or documentation is treated as an error resolution under 1005.11 *** The term error means: (i) An unauthorized electronic fund transfer; (ii) An incorrect electronic fund transfer to or from the consumer's account; (iii) The omission of an electronic fund transfer from a periodic statement; (iv) A computational or bookkeeping error made by the financial institution relating to an electronic fund transfer; (v) The consumer's receipt of an incorrect amount of money from an electronic terminal; (vi) An electronic fund transfer not identified in accordance with Secs. 1005.9 or 1005.10(a); or (vii) The consumer's request for documentation required by Secs. 1005.9 or 1005.10(a) or for additional information or clarification concerning an electronic fund transfer, including a request the consumer makes to determine whether an error exists under paragraphs (a)(1) (i) through (vi). The term error doesn’t include: i) A routine inquiry about the consumer's account balance; (ii) A request for information for tax or other recordkeeping purposes; or (iii) A request for duplicate copies of documentation.
Reg E – Five Best Practices for Disputes 14 “NEW” REG E UNDER THE CFPB
The Consumer Financial Protection Bureau (CFPB) has taken authority for several consumer protections regulations, including Regulation E. Bureau of Consumer Financial Protection —12 CFR Chapter X Part 1005 — Electronic Fund Transfers (Regulation E)
The references under the Federal Reserve’s version of the regulation were 205.XX; now Regulation E is listed as 1005.1 – 1005.20. Regulation E will be amended with a new Subpart for Remittances Transfers. Subpart B became effective October 28, 2013 and is numbered 1005.30-1005.36
OLD REG E NEW REG E 205.1 1005.1 205.2 1005.2 205.3 1005.3 205.4 1005.4 205.5 1005.5 Ended at 205.20 1005.36 is the last section
You will find a complete chart of the sections and appendices of Reg E in the next section of this manual. NOTE: Examiners expect financial institutions to have the current version of the regulation referenced in audit programs and internal procedures. UPDATE YOUR REFERENCES TO REGULATION E!!
Reg E – Five Best Practices for Disputes 15 REGULATION E CHART
It’s important to understand the definitions, rights, and responsibilities outlined in the various subparts of the regulation and especially the commentary. The portions of the regulation that will help you in handling customer disputes are 1) Definitions – 1005.2 2) Liability for unauthorized transfers – 1005.6 – IMPORTANT! 3) Procedures for resolving errors – 1005.11 - IMPORTANT!
Regulation E - Electronic Funds Transfer Chart of Sections and Appendices Subpart A General Section 1005.1 Authority and purpose Section 1005.2 Definitions Section 1005.3 Coverage Section 1005.4 General disclosure requirements; jointly offered services Section 1005.5 Issuance of access devices Section 1005.6 Liability of consumer for unauthorized transfers Section 1005.7 Initial disclosures Section 1005.8 Change in terms notice; error resolution notice Section 1005.9 Receipts at electronic terminals, periodic statements Section 1005.10 Preauthorized transfers Section 1005.11 Procedures for resolving errors Section 1005.12 Relation to other laws Section 1005.13 Administrative enforcement; record retention Section 1005.14 Electronic transfer service provider not holding consumer’s account Section 1005.15 Electronic fund transfer of government benefits Section 1005.16 Disclosures at automated teller machines Section 1005.17 Requirements for Overdraft Services Section 1005.18 Requirements for financial institutions offering payroll card accounts Section 1005.20 Requirements for gift cards and gift certificates Subpart B Requirements for Remittance Transfers, effective October 28, 2013 Section 1005.30 Remittance transfer definitions. Section 1005.31 Disclosures. Section 1005.32 Estimates. Section 1005.33 Procedures for resolving errors Section 1005.34 Procedures for cancellation and refund of remittance transfers Section 1005.35 Acts of agents Section 1005.36 Transfers scheduled in advance Appendix A to Part 1005 Model Disclosure Clauses and Forms Appendix B to Part 1005 Reserved Appendix C to Part 1005 Issuance of Staff Interpretations Appendix I to Part 1005 Official Staff Interpretations
Reg E – Five Best Practices for Disputes 16 DEFINITIONS: ACCESS DEVICE
1. Access device:
Access is a card, code, or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.
Examples
The term access device includes debit cards, personal identification numbers (PINs), telephone transfer and telephone bill payment codes, and other means that may be used by a consumer to initiate an electronic fund transfer (EFT) to or from a consumer account. The term does not include magnetic tape or other devices used internally by a financial institution to initiate electronic transfers
Reg E – Five Best Practices for Disputes 17 DEFINITIONS: BUSINESS DAY
1. Business day
A day on which the offices of the consumer's financial institution are open to the public for carrying on substantially all business functions.
2. Duration
A business day includes the entire 24-hour period ending at midnight, and a notice required by the regulation is effective even if given outside normal business hours. The regulation does not require, however, that a financial institution make telephone lines available on a 24-hour basis.
Reg E – Five Best Practices for Disputes 18 DEFINITIONS: UNAUTHORIZED ELECTRONIC FUND TRANSFER
1. Unauthorized electronic fund transfer means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.
2. The term does not include an electronic fund transfer initiated:
a. Furnished access device
By a person who was furnished the access device to the consumer's account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized;
If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.
b. With fraudulent intent by the consumer or any person acting in concert with the consumer; or
Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.
Forced initiation. An EFT at an automated teller machine (ATM) is an unauthorized transfer if the consumer has been induced by force to initiate the transfer.
3. By the financial institution or its employee
A consumer has no liability for erroneous or fraudulent transfers initiated by an employee of a financial institution. The reversal of a direct deposit made in error is not an unauthorized EFT when it involves:
a. A credit made to the wrong consumer's account;
b. A duplicate credit made to a consumer's account; or
c. A credit in the wrong amount (for example, when the amount credited to the consumer's account differs from the amount in the transmittal instructions).
Reg E – Five Best Practices for Disputes 19 COVERAGE: ELECTRONIC FUNDS TRANSFER
1. General
The term electronic fund transfer means any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer's account. The term includes, but is not limited to-- Point-of-sale transfers; Automated teller machine transfers; Direct deposits or withdrawals of funds; Transfers initiated by telephone; and Transfers resulting from debit card transactions, whether or not initiated through an electronic terminal. Electronic fund transfer using information from a check as a source of information for a one-time electronic fund transfer (Mandatory as of 1/1/07) Collection of returned item fees via electronic fund transfer
Reg E – Five Best Practices for Disputes 20 Regulation E Disclosures
Reg E – Five Best Practices for Disputes 21 A-2--MODEL CLAUSES FOR INITIAL DISCLOSURES (SEC. 1005.7(B))
(a) Consumer Liability (Sec. 1005.7(b)(1)). (Tell us AT ONCE if you believe your [card] [code] has been lost or stolen, or if you believe that an electronic fund transfer has been made without your permission using information from your check. Telephoning is the best way of keeping your possible losses down. You could lose all the money in your account (plus your maximum overdraft line of credit). If you tell us within 2 business days after you learn of the loss or theft of your [card] [code] ,you can lose no more than $50 if someone used your [card][code] without your permission. (If you believe your [card] [code] has been lost or stolen, and you tell us within 2 business days after you learn of the loss or theft, you can lose no more than $50 if someone used your [card] [code] without your permission.)
If you do NOT tell us within 2 business days after you learn of the loss or theft of your [card] [code], and we can prove we could have stopped someone from using your [card] [code] without your permission if you had told us, you could lose as much as $500.
Also, if your statement shows transfers that you did not make, including those made by card, code or other means, tell us at once. If you do not tell us within 60 days after the statement was mailed to you, you may not get back any money you lost after the 60 days if we can prove that we could have stopped someone from taking the money if you had told us in time.
If a good reason (such as a long trip or a hospital stay) kept you from telling us, we will extend the time periods.
(b) Contact in event of unauthorized transfer (Sec. 1005.7(b)(2)). If you believe your [card] [code] has been lost or stolen or that someone has transferred or may transfer money from your account without your permission, call:
[Telephone number] or write: [Name of person or office to be notified] [Address]
You should also call or write to the number or address listed above if you believe a transfer has been made using the information from your check without your permission.
(c) Business days (Sec. 1005.7(b)(3)). For purposes of these disclosures, our business days are (Monday through Friday) (Monday through Saturday) (any day including Saturdays and Sundays). Holidays are (not) included.
(d) Transfer types and limitations (Sec. 1005.7(b)(4))--(1) Account access. You may use your [card][code] to: (i) Withdraw cash from your [checking] [or] [savings] account.
Reg E – Five Best Practices for Disputes 22 (ii) Make deposits to your [checking] [or] [savings] account. (iii) Transfer funds between your checking and savings accounts whenever you request. (iv) Pay for purchases at places that have agreed to accept the [card] [code]. (v) Pay bills directly [by telephone] from your [checking] [or] [savings] account in the amounts and on the days you request.
Some of these services may not be available at all terminals.
(2) Electronic check conversion. You may authorize a merchant or other payee to make a onetime electronic payment from your checking account using information from your check to: (i) Pay for purchases; or (ii) Pay bills.
(3) Limitations on frequency of transfers.--(i) You may make only [insert number, e.g., 3] cash withdrawals from our terminals each [insert time period, e.g., week]. (ii) You can use your telephone bill-payment service to pay [insert number] bills each [insert time period] [telephone call]. (iii) You can use our point-of-sale transfer service for [insert number] transactions each [insert time period]. (iv) For security reasons, there are limits on the number of transfers you can make using our [terminals] [telephone bill-payment service] [point-of-sale transfer service].
(4) Limitations on dollar amounts of transfers--(i) You may withdraw up to [insert dollar amount] from our terminals each [insert time period] time you use the [card] [code]. (ii) You may buy up to [insert dollar amount] worth of goods or services each [insert time period] time you use the [card] [code] in our point-of-sale transfer service.
(e) Fees (Sec. 1005.7(b)(5))--(1) Per transfer charge. We will charge you [insert dollar amount] for each transfer you make using our [automated teller machines] [telephone bill-payment service] [point-of- sale transfer service]. (2) Fixed charge. We will charge you [insert dollar amount] each [insert time period] for our [automated teller machine service] [telephone bill-payment service] [point-of- sale transfer service]. (3) Average or minimum balance charge. We will only charge you for using our [automated teller machines] [telephone bill-payment service] [point-of-sale transfer service] if the [average] [minimum] balance in your [checking account] [savings account] [accounts] falls below [insert dollar amount]. If it does, we will charge you [insert dollar amount] each [transfer] [insert time period].
(f) Confidentiality (Sec. 1005.7(b)(9)). We will disclose information to third parties about your account or the transfers you make:
Reg E – Five Best Practices for Disputes 23 (i) Where it is necessary for completing transfers, or (ii) In order to verify the existence and condition of your account for a third party, such as a credit bureau or merchant, or (iii) In order to comply with government agency or court orders, or (iv) If you give us your written permission.
(g) Documentation (Sec. 1005.7(b)(6))--(1) Terminal transfers. You can get a receipt at the time you make any transfer to or from your account using one of our [automated teller machines] [or] [point-of-sale terminals]. (2) Preauthorized credits. If you have arranged to have direct deposits made to your account at least once every 60 days from the same person or company, (we will let you know if the deposit is [not] made.) [the person or company making the deposit will tell you every time they send us the money] [you can call us at (insert telephone number) to find out whether or not the deposit has been made]. (3) Periodic statements. You will get a [monthly] [quarterly] account statement (unless there are no transfers in a particular month. In any case you will get the statement at least quarterly). (4) Passbook account where the only possible electronic fund transfers are preauthorized credits. If you bring your passbook to us, we will record any electronic deposits that were made to your account since the last time you brought in your passbook.
(h) Preauthorized payments (Sec. 1005.7(b) (6), (7) and (8); Sec. 1005.10(d))--(1) Right to stop payment and procedure for doing so. If you have told us in advance to make regular payments out of your account, you can stop any of these payments. Here's how:
Call us at [insert telephone number], or write us at [insert address], in time for us to receive your request 3 business days or more before the payment is scheduled to be made. If you call, we may also require you to put your request in writing and get it to us within 14 days after you call. (We will charge you [insert amount] for each stop- payment order you give.)
(2) Notice of varying amounts. If these regular payments may vary in amount, [we] [the person you are going to pay] will tell you, 10 days before each payment, when it will be made and how much it will be. (You may choose instead to get this notice only when the payment would differ by more than a certain amount from the previous payment, or when the amount would fall outside certain limits that you set.) (3) Liability for failure to stop payment of preauthorized transfer. If you order us to stop one of these payments 3 business days or more before the transfer is scheduled, and we do not do so, we will be liable for your losses or damages.
(i) Financial institution's liability (Sec. 1005.7(b)(8)). If we do not complete a transfer to or from your account on time or in the correct amount according to our agreement with you, we will be liable for your losses or damages. However, there are some exceptions. We will not be liable, for instance:
Reg E – Five Best Practices for Disputes 24 (1) If, through no fault of ours, you do not have enough money in your account to make the transfer. (2) If the transfer would go over the credit limit on your overdraft line. (3) If the automated teller machine where you are making the transfer does not have enough cash. (4) If the [terminal] [system] was not working properly and you knew about the breakdown when you started the transfer. (5) If circumstances beyond our control (such as fire or flood) prevent the transfer, despite reasonable precautions that we have taken. (6) There may be other exceptions stated in our agreement with you.
(j) ATM fees (§ 1005.7(b)(11)). When you use an ATM not owned by us, you may be charged a fee by the ATM operator [or any network used] (and you may be charged a fee for a balance inquiry even if you do not complete a fund transfer).
Reg E – Five Best Practices for Disputes 25 Regulation E Consumer Liability and Error Resolution
Reg E – Five Best Practices for Disputes 26 LIABILITY AND ERROR RESOLUTION – THE BIG PICTURE
What’s it all about? There are two “sides” of the coin that all employees need to understand. Electronic banking is part of the global economy. Debit card activity can generate income for a financial institution and offers convenience to customers. Debit cards are also easily lost and stolen or “skimmed” by criminals.
When a consumer reports the loss of an access device, or unauthorized use of a device the financial institution must take steps to protect the customer and financial institution and investigate any unauthorized use that is reported or discovered. One side of the coin is customer liability. The liability is determined by how promptly the customer reports the loss of a device or discovers unauthorized use. The financial institution must investigate to determine if an error occurred and determine how much liability the customer has versus how the amount of fraud loss that the financial institution will have. This is the other side of the coin.
All employees must understand the importance of responding to the customer’s notice about the loss of the device or unauthorized use. Employees who are responsible for investigating the claims of unauthorized use must understand the time frames and steps required to process error resolution.
Were the required disclosures provided? Is it an accepted device? When did the consumer discover the loss of a device and when did they discover any u nauthorized use? Was the use authorized by the consumer and did they receive any benefit from the use? When was the financial institution (FI) Notified by the Consumer? Did the financial institution respond in the required time frames Was provisional credit given in time if the investigation was extended beyond 10 business days? Did an error or unauthorized transaction occur? Did the FI properly determine the consumer’s liability based on the time of notification and the time of the transactions? Did the FI inform the consumer of the results of the investigation? If provisional credit is taken back, was it done correctly?
Reg E – Five Best Practices for Disputes 27 LIABILITY OF CONSUMER FOR UNAUTHORIZED TRANSFERS.
1. Conditions for liability
A consumer may be held liable, within the limitations described in paragraph (b) of this section, for an unauthorized electronic fund transfer involving the consumer's account only if the financial institution has provided the disclosures required by Sec. 1005.7(b)(1), (2), and (3). If the unauthorized transfer involved an access device, it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued.
a. Means of identification
A financial institution may use various means for identifying the consumer to whom the access device is issued, including but not limited to:
Electronic or mechanical confirmation (such as a PIN).
Comparison of the consumer's signature, fingerprint, or photograph.
b. Multiple users
When more than one access device is issued for an account, the financial institution may, but need not, provide a separate means to identify each user of the account.
2. Limitations on amount of liability
A consumer's liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:
There are three possible tiers of consumer liability for unauthorized EFTs depending on the situation. A consumer may be liable for (1) up to $50; (2) up to $500; or (3) an unlimited amount depending on when the unauthorized EFT occurs. More than one tier may apply to a given situation because each corresponds to a different (sometimes overlapping) time period or set of conditions.
Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers.
Reg E – Five Best Practices for Disputes 28 The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.
a. Timely notice given
If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.
1. $50 limit applies
The basic liability limit is $50. For example, the consumer's card is lost or stolen on Monday and the consumer learns of the loss or theft on Wednesday. If the consumer notifies the financial institution within two business days of learning of the loss or theft (by midnight Friday), the consumer's liability is limited to $50 or the amount of the unauthorized transfers that occurred before notification, whichever is less.
2. Knowledge of loss or theft of access device
The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.
3. Two-business-day rule
The two-business-day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24-hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two-business-day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.
Reg E – Five Best Practices for Disputes 29 b. Timely notice not given
If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $500 or the sum of:
$50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and
The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.
c. $500 limit applies
The second tier of liability is $500. For example, the consumer's card is stolen on Monday and the consumer learns of the theft that same day. The consumer reports the theft on Friday. The $500 limit applies because the consumer failed to notify the financial institution within two business days of learning of the theft (which would have been by midnight Wednesday). How much the consumer is actually liable for, however, depends on when the unauthorized transfers take place. In this example, assume a $100 unauthorized transfer was made on Tuesday and a $600 unauthorized transfer on Thursday. Because the consumer is liable for the amount of the loss that occurs within the first two business days (but no more than $50), plus the amount of the unauthorized transfers that occurs after the first two business days and before the consumer gives notice, the consumer's total liability is $500 ($50 of the $100 transfer plus $450 of the $600 transfer, in this example). But if $600 was taken on Tuesday and $100 on Thursday, the consumer's maximum liability would be $150 ($50 of the $600 plus $100).
1. Periodic statement; timely notice not given
A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer's liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer
Reg E – Five Best Practices for Disputes 30 may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable.
a. Unlimited liability applies
The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability. If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period. The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability: up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card and up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft.
b. Transfers not involving access device
The first two tiers of liability do not apply to unauthorized transfers from a consumer's account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution's transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution. For example, a consumer's account is electronically debited for $200 without the consumer's authorization and by means other than the consumer's access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer's account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.
c. Periodic statements with unauthorized transfers with lost or stolen access device
If a periodic statement shows unauthorized transfers made with a lost or stolen access device, all three tiers of liability may apply. The consumer must notify the institution within 60 calendar days after the periodic statement was sent, or bear the liability for an unauthorized transfers made after the 60 day period until the institution is notified.
Reg E – Five Best Practices for Disputes 31 The consumer’s liability for unauthorized transfers before the statement is sent, and up to 60 days following, is based on the first two tiers of liability:
1. Up to $50 if the consumer notifies the institution within two business days of learning of the loss or theft of the access device;
2. Up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft of the access device.
SEE EXAMPLE ON THE NEXT PAGE
Reg E – Five Best Practices for Disputes 32
Example of Periodic statements with unauthorized transfers with lost or stolen access device
A consumer’s periodic statement shows a $200 debit electronic debit made with the consumer’s access device that the consumer did not authorize. Additional unauthorized transfers totaling $700 are made with the access device within 60 days of the statement being sent. On the 66th day, another $800 unauthorized transaction is made with the access device. On the 71st day, the consumer discovers the access device is missing, and gives notification the next day. Of the $900 in transfers made in the 60 days of the statement being sent, the consumer may have the maximum liability of $50 because the consumer notified the institution within two business days of learning of the loss of the device. However, the consumer may have the maximum liability of $500 if the fact that the consumer had received statements showing unauthorized transfers made with the access device is deemed to have provided a reasonable opportunity for the consumer to discover that the device was lost.
.
Reg E – Five Best Practices for Disputes 33 Reg E – Five Best Practices for Disputes 34 4. Extension of time limits
If the consumer's delay in notifying the financial institution was due to extenuating circumstances, the institution shall extend the times specified above to a reasonable period. Examples of circumstances that require extension of the notification periods under this section include the consumer's extended travel or hospitalization.
5. Notice to financial institution
Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.
a. Receipt of notice
A financial institution is considered to have received notice for purposes of limiting the consumer's liability if notice is given in a reasonable manner, even if the consumer notifies the institution but uses an address or telephone number other than the one specified by the institution.
b. Notice by third party Notice to a financial institution by a person acting on the consumer's behalf is considered valid under this section. For example, if a consumer is hospitalized and unable to report the loss or theft of an access device, notice is considered given when someone acting on the consumer's behalf notifies the bank of the loss or theft. A financial institution may require appropriate documentation from the person representing the consumer to establish that the person is acting on the consumer's behalf.
c. Content of notice Notice to a financial institution is considered given when a consumer takes reasonable steps to provide the institution with the pertinent account information. Even when the consumer is unable to provide the account number or the card number in reporting a lost or stolen access device or an unauthorized transfer, the notice effectively limits the consumer's liability if the consumer otherwise identifies sufficiently the account in question. For example, the consumer may identify the account by the name on the account and the type of account in question.
The consumer may notify the institution in person, by telephone, or in writing. Written notice is considered given at the time the consumer mails the notice or delivers it for transmission to the institution by any other usual means. Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer's account has been or may be made.
Reg E – Five Best Practices for Disputes 35 CONSUMER LIABILITY FOR UNAUTHORIZED TRANSFERS CHART
Consumer Action Consumer Liability
Loss/Theft Access Device - Reported Maximum of $50.
Consumer notifies the bank within two business days of loss of access device Loss/Theft Access Device - Not Reported Maximum of $500.
Consumer does not notify the bank within two business Includes (1) $50 or the amount of unauthorized days of loss of access device and the bank establishes that electronic fund transfers that occur before the it could have prevented the losses had it known. close of the two business days, whichever is less; and (2) the amount that the bank could have prevented after the close of the second business day and before the institution was notified.
Add these two amounts. If the sum is less than $500, liable for that amount, if it is more than $500, liable for $500. Unauthorized Transaction on Periodic Statement – $0 Reported
Consumer reports within (60) days of transmittal of the periodic statement any unauthorized electronic funds transfer. Financial institution must extend 60 day period for extenuating circumstances, such as illness. Unauthorized Transaction on Periodic Statement - Not Shall not exceed: Reported
Consumer fails to report within 60 days of transmittal of (1) $50 or amount transferred if less than $50 the periodic statement any unauthorized electronic funds during the 60 day period. transfer that appears on the statement. (2) Any amount that occurs after 60 days if the bank can prove that the loss would not have occurred except for the consumer’s failure to notify the bank
Notice to a bank is given when a consumer takes such steps as are reasonably necessary to provide the bank with the pertinent information, whether or not any particular officer, employee, or agent of the bank does in fact receive the information. Notice may be given to the bank, at the consumer’s option, in person, by telephone, or in writing. Notice in writing is considered given at the time the consumer deposits the notice in the mail or delivers the notice for transmission by any other usual means to the bank. Notice is also considered given when the bank becomes aware of circumstances that lead to the reasonable belief that an unauthorized electronic fund transfer involving the consumer’s account has been made.
Reg E – Five Best Practices for Disputes 36 REG E FAST FACT QUIZ
Source: http://www.attustech.com/newsletters/march-2012-newsletter- readmore.htm • When does an institution need to begin investigating an alleged EFT error? Upon notice from the customer, regardless of the form of notice, i.e. written or verbal via any channel.
• How long does an institution have to resolve an alleged error? They have 10 business days from the date of notice to resolve the claim, or for new accounts 20 business days. • Can the investigation timeframe be extended? Yes, if the institution can’t resolve the alleged error within the timeline described above, the investigation may be extended to 45 calendar days, or for new accounts, POS and foreign transactions to 90 calendar days, PROVIDED that the consumer receives and is granted full use of provisional credit for the amount of the alleged error no later than the 10th or 20th business day, respectively.
• What is an institution required to do in order to extend the timeframe? It must inform the consumer within 2 business days after the provisional credit is given of the date and the amount of the credit provided, and grant access to and full use of the funds during the investigation period. • What must happen after the investigation is completed? The institution must report its results to the consumer within 3 business days of determining whether an error occurred or not. • What happens if the investigation finds an error DID occur? The institution must correct it within 1 business day and the consumer must be notified that any provisional credit already received is final. • What happens if the investigation finds an error DID NOT occur? If an error did NOT occur or occurred in a manner or an amount different from the original claim, the results must include an explanation of findings and also inform the consumer of the right to request the documents used in the investigation. If that right is exercised, the institution must promptly provide copies. • If an error DID NOT occur, can the institution debit the consumer’s account for the provisional credit? It may debit the consumer’s account as long as notice is given of the date and amount of the debit, and the fact that for 5 business days after the notice, the institution must honor checks, drafts or similar instruments payable to third parties and preauthorized transfers from the consumer’s account, even for payments resulting in overdrafts. However, institutions are ONLY required to honor items that would have been paid otherwise if the provisional credit had not been revoked. The following scenarios describe common responses by front line personnel to a consumer's claim of an EFT error that, despite their seeming logic, are incorrect and therefore, in violation of Reg E. #1: Jane Doe comes to the teller window to report that her statement shows that a
Reg E – Five Best Practices for Disputes 37 merchant charged her account twice for a purchase she made with her check card. The teller informs the customer that bank policy requires that she contact the merchant first to try to resolve the matter before they will act on her claim. The customer agrees and leaves, and the teller helps the next customer. What went wrong? The claim was not accepted upon notice as required. The customer adequately notified her bank of the alleged EFT error just as she was told to do in the disclosure provided to her at the time she opened her account or accepted the check card and annually thereafter. Therefore, Reg E mandates that it open an investigation into that claim. Although it seems logical to send the customer to the merchant involved in the error and is sometimes required by a card network, it’s not required or permitted by Reg E. #2: Bob White speaks to his personal banker about an issue with his debit card – it appears that when he used the card at the gas pump it was skimmed and a counterfeit card was made and used to initiate fraudulent transactions. The personal banker agrees to check into the charge but never opens up a Reg E claim because he believes that is only for cases involving error, while fraud is only handled in accordance with card network rules. What went wrong? The claim was not accepted upon notice as required. In terms of Reg E, an “error” equates to any unauthorized EFT – mistake, fraud or otherwise. A counterfeit card is a stolen “access device”. Although card network rules are taken into account, Reg E’s error resolution procedures still apply. #3: Sally Jones arrives at her credit union and notifies the customer service representative (CSR) that she recently discovered an unauthorized ACH transaction that has been posting to her account for the last 3 months. The CSR informs Sally that she will open an EFT error claim for the transactions on the two most recent statements. The customer asks why only those transactions and not the first one and the CSR explains that Ms. Jones needed to report the transactions within 60 days after her account was debited. The customer accepts this explanation and the CSR opens the claim on the two most recent transactions alleged to be errors. What went wrong? A claim was accepted but all reported transactions were not included. The CSR, like many people, mistakenly determined the period of her institution’s liability to the most recent transactions when, in fact, Reg E states that the consumer must notify the institution within 60 calendar days following the date of the statement on which the first unauthorized transaction appeared. When such timely notice doesn’t occur, the consumer may be liable for transactions posted after the 60-day period ends, which are the most recent transactions. In the case of Ms. Jones, she is not liable for the first transaction – or any others that appear on the same statement as the first and the 60 days following the date it was sent. This confusion typically stems from the contradiction in return timeframes under NACHA rules and Reg E. A consumer’s liability is never dependent upon an institution’s ability to return a transaction through the ACH system or to recover the funds by any means. #4: Mr. and Mrs. Smith report to their institution’s fraud unit unauthorized transactions associated with a stolen ATM card. The fraud investigator explains that it is bank policy to require a police report prior to opening an investigation and crediting their account. What went wrong? The bank has placed a greater burden on the customer than what is required of them by Reg E. The claim was denied on an erroneous basis. Reg E states that the investigation must begin upon notice from the customer. Although a police
Reg E – Five Best Practices for Disputes 38 report may assist in the institution’s investigation, it cannot be a requirement for accepting the claim or starting that investigation. And the failure by the customer to provide a police report cannot increase his or her liability. #5: While on the phone with his bank’s customer service call center about another matter, John Johnson verbally reports an ACH transaction on his most recent bank statement that he believes is not unauthorized. The CSR tells Mr. Johnson that she can’t accept and submit the claim for investigation until he provides a signed WRITTEN STATEMENT OF UNAUTHORIZED DEBIT (WSUD): What went wrong? The bank has placed a greater burden on the customer than what is required of them by Reg E. The claim was denied on an erroneous basis. Although the institution may require the consumer to provide written confirmation within 10 business days after giving the notice, the bank must begin investigating the claim when that notice is received even if it’s reported verbally. If the customer is properly informed written confirmation is required and it is not provided, the bank may forego provisional credit and base the investigation on information they received verbally and “on-hand” within its four walls. BUT, proper written confirmation can come in many different forms. It cannot be narrowly defined by an institution as the WSUD. If the information described in the institution’s Reg E disclosure is provided in a written format, the customer has met his or her obligation. Better to Closely Examine Yourself than Be Harshly Examined by Your Regulator. A new tactic has sprung up at examination time – examiners going out to front line and other employees and point blank posing questions about EFT error claims, similar to the ones above. This is seemingly to determine the knowledge level of your staff regarding Reg E, as well as of your own policy. It is uncovering two problematic issues that previously went undetected by examiners: 1) inconsistencies between an institution’s actual practices, its disclosures and Reg E requirements; and 2) cases in which claims are erroneously denied or handles incorrectly. The nature of these mistakes makes it very likely that they are widespread and systemic, which will make any repercussions for Reg E violations that much more consequential, and correlating UDAAP issues that much more probable. Conduct a self evaluation of your staff’s Reg E knowledge and examine your policy and the system you use to track and document EFT error claims. Do all three together support your institution’s compliance with the numerous and confusing EFT claim investigation procedures and time requirements? If they don’t, better to discover it yourself and implement steps to correct it than to have your regulator discover it.
PROCEDURES FOR RESOLVING ERRORS
1. Definition of error
a. Types of transfers or inquiries covered
The term error means:
Reg E – Five Best Practices for Disputes 39 An unauthorized electronic fund transfer;
An incorrect electronic fund transfer to or from the consumer's account;
The omission of an electronic fund transfer from a periodic statement;
A computational or bookkeeping error made by the financial institution relating to an electronic fund transfer;
The consumer's receipt of an incorrect amount of money from an electronic terminal;
An electronic fund transfer not identified in accordance with Secs. 1005.9 or 1005.10(a); or
The consumer's request for documentation required by Secs. 1005.9 or 1005.10(a) or for additional information or clarification concerning an electronic fund transfer, including a request the consumer makes to determine whether an error exists.
1. Terminal location
With regard to deposits at an ATM, a consumer's request for the terminal location or other information triggers the error resolution procedures, but the financial institution need only provide the ATM location if it has captured that information.
2. Verifying an account debit or credit
If the consumer contacts the financial institution to ascertain whether a payment (for example, in a home-banking or bill- payment program) or any other type of EFT was debited to the account, or whether a deposit made via ATM, preauthorized transfer, or any other type of EFT was credited to the account, without asserting an error, the error resolution procedures do not apply.
3. Loss or theft of access device
A financial institution is required to comply with the error resolution procedures when a consumer reports the loss or theft of an access device if the consumer also alleges possible unauthorized use as a consequence of the loss or theft.
Reg E – Five Best Practices for Disputes 40 4. Error asserted after account closed
The financial institution must comply with the error resolution procedures when a consumer properly asserts an error, even if the account has been closed.
5. Request for documentation or information
A request for documentation or other information must be treated as an error unless it is clear that the consumer is requesting a duplicate copy for tax or other record-keeping purposes.
b. Types of inquiries not covered
The term error does not include:
A routine inquiry about the consumer's account balance;
A request for information for tax or other recordkeeping purposes; or
A request for duplicate copies of documentation.
Reg E – Five Best Practices for Disputes 41 A financial institution shall investigate promptly and, except as otherwise provided in this paragraph (c), shall determine whether an error occurred within 10 business days of receiving a notice of error. The institution shall report the results to the consumer within three business days after completing its investigation. The institution shall correct the error within one business day after determining that an error occurred.
1. Notice to consumer
Unless otherwise indicated in this section, the financial institution may provide the required notices to the consumer either orally or in writing. 2. Written confirmation of oral notice
A financial institution must begin its investigation promptly upon receipt of an oral notice. It may not delay until it has received a written confirmation.
3. Charges for error resolution
If a billing error occurred, whether as alleged or in a different amount or manner, the financial institution may not impose a charge related to any aspect of the error-resolution process (including charges for documentation or investigation). Since the act grants the consumer error-resolution rights, the institution should avoid any chilling effect on the good-faith assertion of errors that might result if charges are assessed when no billing error has occurred.
4. Correction without investigation
A financial institution may make, without investigation, a final correction to a consumer's account in the amount or manner alleged by the consumer to be in error, but must comply with all other applicable requirements of Sec. 1005.11.
5. Correction notice
A financial institution may include the notice of correction on a periodic statement that is mailed or delivered within the 10- business-day or 45-calendar-day time limits and that clearly identifies the correction to the consumer's account. The institution must determine whether such a mailing will be prompt enough to satisfy the requirements of this section, taking into account the specific facts involved.
Reg E – Five Best Practices for Disputes 42 6. Correction of an error
If the financial institution determines an error occurred, within either the 10-day or 45-day period, it must correct the error (subject to the liability provisions of Secs. 1005.6 (a) and (b)) including, where applicable, the crediting of interest and the refunding of any fees imposed by the institution. In a combined credit/EFT transaction, for example, the institution must refund any finance charges incurred as a result of the error. The institution need not refund fees that would have been imposed whether or not the error occurred.
7. Extent of required investigation
A financial institution complies with its duty to investigate, correct, and report its determination regarding an error described in Sec. 1005.11(a)(1)(vii) by transmitting the requested information, clarification, or documentation within the time limits set forth in Sec. 1005.11(c). If the institution has provisionally credited the consumer's account in accordance with Sec. 1005.11(c)(2), it may debit the amount upon transmitting the requested information, clarification, or documentation.
b. Forty-five day period
If the financial institution is unable to complete its investigation within 10 business days, the institution may take up to 45 days from receipt of a notice of error to investigate and determine whether an error occurred, provided the institution does the following:
Provisionally credits the consumer's account in the amount of the alleged error (including interest where applicable) within 10 business days of receiving the error notice. If the financial institution has a reasonable basis for believing that an unauthorized electronic fund transfer has occurred and the institution has satisfied the requirements of Sec. 1005.6(a), the institution may withhold a maximum of $50 from the amount credited. An institution need not provisionally credit the consumer's account if:
1. The institution requires but does not receive written confirmation within 10 business days of an oral notice of error; or
2. The alleged error involves an account that is subject to Regulation T (Securities Credit by Brokers and Dealers, 12 CFR part 220);
c. Compliance with all requirements
Reg E – Five Best Practices for Disputes 43 Financial institutions exempted from provisionally crediting a consumer's account must still comply with all other requirements of Sec. 1005.11.
Informs the consumer, within two business days after the provisional crediting, of the amount and date of the provisional crediting and gives the consumer full use of the funds during the investigation;
Corrects the error, if any, within one business day after determining that an error occurred; and
Reports the results to the consumer within three business days after completing its investigation (including, if applicable, notice that a provisional credit has been made final).
d. Extension of time periods
The time periods in paragraphs (c)(1) and (c)(2) of this section are extended as follows:
The applicable time is 20 business days in place of 10 business days under paragraphs (c)(1) and (c)(2) of this section if the notice of error involves an electronic fund transfer to or from the account within 30 days after the first deposit to the account was made.
The applicable time is 90 days in place of 45 days under paragraph (c) (2) of this section, for completing an investigation, if a notice of error involves an electronic fund transfer that:
1. Was not initiated within a state; 2. Resulted from a point-of-sale debit card transaction; or 3. Occurred within 30 days after the first deposit to the account was made.
POS debit card transactions. The extended deadlines for investigating errors resulting from POS debit card transactions apply to all debit card transactions, including those for cash only, at merchants' POS terminals, and also including mail and telephone orders. The deadlines do not apply to transactions at an ATM, however, even though the ATM may be in a merchant location.
e. Investigation
With the exception of transfers covered by Sec. 1005.14, a financial institution's review of its own records regarding an alleged error satisfies the requirements of this section if:
Reg E – Five Best Practices for Disputes 44 The alleged error concerns a transfer to or from a third party; and
There is no agreement between the institution and the third party for the type of electronic fund transfer involved.
Reg E – Five Best Practices for Disputes 45 OCC ERROR RESOLUTION PROCEDURES FLOW CHART
Source : OCC Deposit Services Handbook page 44 http://www.occ.treas.gov/handbook/depserv.pdf
Reg E – Five Best Practices for Disputes 46 NOTES
Reg E – Five Best Practices for Disputes 47 SUMMARY OF RESOLUTION OF ERRORS
The customer is responsible for notifying the bank of an error. The bank is responsible for investigating the mistake.
Steps Action Consumer Notifies Bank of an Error: Must be oral or written. No later than 60 days after the bank An error is defined as: (1) unauthorized electronic sent periodic statement. funds transfer; (2) incorrect EFT; (3) an omission FI may require written confirmation within 10 business days from periodic statement; (4) computational or of an oral notice. The FI must advise the consumer of this bookkeeping errors; (5) an ATM receipt for an requirement and provide the address to which the written incorrect amount; (6) transfers incorrectly identified confirmation should be sent. on a statement. Error is Investigated by Bank: Bank Investigates Options: (Amended Sept 24, 1998) 1) Results are provided to consumer 10 business days 1) The FI may take up to 45 calendar days (90 for foreign- initiated and point-of-sale debit cards) to finish investigation. Under this option the FI must recredit the disputed funds and interest to the consumer and notify them of this fact within two days. Also, if the institution did take 45 days to investigate, the FI must inform the consumer that it will honor without charge checks, drafts, or similar paper instruments payable to third parties and pre-authorized debits for five business days after the notice is sent. However, the FI only has to honor items that it normally would have paid if the recredited funds had not been debited. 2) For new accounts (30 days after account opened, the rule allows a financial institution 20 business days to resolve an alleged error before it must provisionally credit the consumer’s account and up to 90 calendar days to complete the investigation.) If an Error did Occur: Within one day of determining the error 1) Correct the error, including crediting interest or refunding charges; and 2) provide an oral or written report of the correction to the consumer within 3 days.. If an Error did not Occur: The bank must mail or deliver written explanation within 3 business days of concluding its investigation. Also, if the institution did take 45 days to investigate, the FI must inform the consumer that it will honor without charge checks, drafts, or similar paper instruments payable to third parties and pre- authorized debits for five business days after the notice is sent. However, the FI only has to honor items that it normally would have paid if the recredited funds had not been debited.
Reg E – Five Best Practices for Disputes 48 FDIC LIABLITY CHART
Reg E – Five Best Practices for Disputes 49 PRACTICAL SOLUTIONS FOR RESOLVING ERRORS
There are some important points to remember when determining the consumer’s liability for unauthorized transfers. First, the extent of the liability is determined solely by the consumer’s promptness in reporting the access device loss or theft after learning of such an event. Secondly, negligence by the consumer can’t be used to impose greater liability than provided by the regulation. So even when the consumer wrote their PIN number on the card the bank can’t reject the claim of unauthorized use. The burden of proof is on the bank to show that the transaction was authorized. There is no regulatory standard for what should be included in an investigative file. To help determine whether the transaction was authorized and show a good faith effort to comply with error resolution procedures, some of the following items might be included:
Documentation or written, signed statements provided by the consumer Transaction history (showing both the authorized and unauthorized electronic transactions (UET) with any fees highlighted that were charged as a result of the disputed items). Historical information on the consumer’s pattern of use (time, frequency, location and types and amounts of transactions). Location of the transaction in relation to the consumer’s home, business, or shopping locations Consumer’s location at the time of the transaction Information from the merchant or ATM operator about the transaction Problems reported by the consumer regarding the access device or ATM Signature information on POS transactions Police reports, if made (most regulators will say that you can’t require a consumer file a police report in order to proceed with an investigation) Film from security cameras, if available. Claim workflow sheet Copy of provisional credit and customer notification if applicable Copy of the letter finalizing the claim Copies of all correspondence Evidence that no NSF’s were charged if provisional credit was removed
Reg E – Five Best Practices for Disputes 50 REG E CASE STUDIES FOR ERROR RESOLUTION
There are seven types of errors that are recognized in 1005.11. Here are some examples and some of the common consumer expectations about resolving these errors.
1. Unauthorized EFT’s means a transfer from a consumer’s account initiated by a person other than the consumer without actual authority and from which the consumer receives no benefit. Suppose a consumer has authorized a magazine subscription to make monthly ACH charges then changes his/her mind and writes a letter to cancel the monthly debit. The letter and the next monthly fee cross, and the consumer contacts the bank and disputes the charge. In reality, the transfer was not unauthorized for several reasons. There had been actual authority which wasn’t revoked by the time the last debit was processed. The consumer received a benefit because the subscription account was credited. The consumer hadn’t notified the bank of the revocation of authority. 2. Incorrect transfers to or from an account are another type of error. A good example is a restaurant-originated debit card transaction for more than the sales slip where the customer paid a cash tip. Another would be a direct payroll deposit that exceeds the amount due according to the employee’s pay stub (but this “error” probably won’t be disputed). 3. An EFT missing from a statement can include debit card transactions that don’t get processed by the card-issuing bank, a missing payroll direct deposit or unprocessed merchant refund. 4. Computation or bookkeeping errors don’t happen as often but could include incorrect service charge calculations or foreign exchange calculations. 5. Receipt of incorrect amount from an electronic terminal is a classic “short dispense” transaction from an ATM. Sometimes an ATM operator might switch the dispenser trays for $10’s with $20’s in older machines or there is a mechanical problem with the AMT. Less likely is an over-dispensing of cash reported. 6. EFT not properly identified on receipt or statement of recurring transfer notice under 1005.10(a). A computer malfunction could list an incorrect terminal location. 7. Request for EFT documentation or more information happens when customers don’t recall a transaction or often when a joint account holder forgets to report a transaction to the holder who reconciles the statement.
There are also special card network rules with Visa and MasterCard. Each network has its own version of “zero liability” programs designed to encourage cardholders to make purchases. Card issuers who elect to use these features must subscribe to the respective programs. NEITHER of these programs is a substitute for Regulation E. They simply provide additional consumer protection not alternative protection. The Visa program shortens the 10-day provisional credit deadline in Reg E to five business days. Cardholders assume no liability for unauthorized transactions unless the card issuer “reasonably determines that the unauthorized transaction was caused by gross negligence or fraudulent action of the cardholder”, including a “delay for an unreasonable time in
Reg E – Five Best Practices for Disputes 51 reporting unauthorized transactions”. The Visa rule applies to purchases made at a merchant, by phone, or via the internet. It doesn’t apply to transactions made with a business credit card or debit card, at an ATM, or other than through the Visa Network
The MasterCard program gives benefit to the cardholders whose accounts are in good standing, have exercised “reasonable care in safeguarding the card” and “have not reported more than two unauthorized events in the past 12 months”. MasterCard restricts its program to consumer accounts in the United States, used for purchases in stores, by phone, or via the internet. In either program, there is considerable room for an issuer to determine when the consumer has crossed the line for zero liability. However, the safety net of normal 1005.6 and 1005.11 remain for the consumer to dispute the transactions.
Reg E – Five Best Practices for Disputes 52 FIVE BEST PRACTICES
The five “best practices” for handling customer disputes and inquires follow the five REQUIREMENTS of Regulation E.
The five “best practices” that relate to these requirements include the following: Requirement Best Practice 1. Complete an investigation 1. Train all staff to understand the both the importance of recognizing a Reg E dispute or inquiry and that it is “time-sensitive” and must be sent to the responsible area IMMEDIATELY. Provide adequate training and resources for the area that handles the disputes. 2. Determine liability, if any 2. Standardize the procedures for investigation and test them against YOUR regulators exam procedures. Use the “Reg E Calculator” tool in the Resources section. 3. Provide provisional credit, if 3. Include a monitoring function in your Reg E Audit program to test the calculation required , provision, and debiting of provisional credit 4. Report the results to the 4. Use the sample letters in the Resource section or create form letters. Include a customer monitoring function in your Reg E Audit program to verify that notice has been provided as required 5. Document the case and keep 5. Include a monitoring function in your Reg E Audit program to review records for two years investigation files and record retention.
Reg E – Five Best Practices for Disputes 53 FDIC CONSUMER EXAMINATION MANUAL – REVISED FEBRUARY 2014
http://www.fdic.gov/regulations/compliance/manual/index_pdf.html
The FDIC Consumer Exam Manual was updated in February 2014 (see table below). The Reg E procedures were updated in 2013 to include the ODP procedures and the Gift Card provisions. A NEW section was ADDED for remittance transfer rules that became effective October 28, 2013
Section VI-2 has pages 2.1through 2.75. Please take special note of these pages:
Reg E – Five Best Practices for Disputes 54 COMMON REG E VIOLATIONS & SOLUTIONS
This information is from a Compliance Consulting Newsletter.
Reg E – Five Best Practices for Disputes 55 Reg E – Five Best Practices for Disputes 56 Solutions: Cut the risks of common Reg. E violations Most of the common violations can be avoided by following the timing and notice requirements of Reg. E through an effective system of controls. Here are some processes to implement: Develop a uniform method for documenting received claims -- whether the notice was oral or in writing. Use procedures that ensure the prompt submittal of claims to the appropriate department upon receiving a notice of an alleged error. Establish a system that ensures the prompt investigation of these claims. Ensure the adequate documentation and tracking of steps and status of the investigation. Employ a tickler system that prompts the appropriate personnel of approaching timeframes. Most important, ensure the adequate training of all employees involved in the error resolution. To provide further assurance of adherence, periodically review claims to verify the effectiveness of the established procedures and to identify the need for additional training
Reg E – Five Best Practices for Disputes 57 Regulation E Resources
Reg E – Five Best Practices for Disputes 58 PRACTICAL STEPS FOR INVESTIGATION
A reasonable investigation under Regulation E might include review of one or more of the following items:
· Documentation or written, signed statements provided by the customer. · Historical information on the customer's pattern of use (time, frequency, location, and types and amounts of transactions). · Location of the transaction in relation to the customer's residence, place of business, or normal shopping locations. · Customer's location at the time of the unauthorized transaction. · Problems reported by other customers regarding the access device or ATM. · Signature information on point of sale transactions. · Police reports, if available. · Film from security cameras, if available.
A bank's duty to investigate errors is triggered by any oral or written notice from a consumer that satisfies 12 CFR 1005.11(b). This section requires the consumer to report an error no later than 60 days after the institution sends the periodic statement or provides the passbook documentation on which the alleged error is first reflected. Additionally, the consumer must give the institution sufficient information to identify the consumer's name and account number. The consumer must also indicate why he or she believes an error occurred and, to the extent possible, the type, date, and amount of the error. The institution may request a written, signed statement relating to a notice of error, but it may not delay initiating or completing an investigation pending receipt of the statement (12 CFR Part 205, Supplement I, Official Staff Interpretations, 11(b)(1) -- 2). A national bank may request a customer's reasonable cooperation in any such investigation. However, it may not deny a claim of error based solely on the cardholder's failure to comply with such a request.
The institution is generally required to determine whether an error occurred within 10 business days and report to the consumer within 3 business days of completing the investigation. If the institution cannot complete the investigation within 10 business days, it may take up to 45 days to complete its investigation if it provisionally credits the account within 10 business days. The institution has 1 business day after determining that an error occurred to correct the error. If the institution finds that no error occurred, it must give the consumer a written explanation of its findings.
If you have any questions regarding this advisory letter, you may contact your supervisory office or the Community and Consumer Policy Division at 202-874-4428.
NOTE: While this advisory letter is from the OCC for National Banks, Regulation E is still a federal regulation and the guidelines suggested would be followed by all regulators.
Reg E – Five Best Practices for Disputes 59 UNAUTHORIZED EFT WORKFLOW SHEET
Reg E – Five Best Practices for Disputes 60 Reg E – Five Best Practices for Disputes 61 SAMPLE: EFT NOTICE OF ERROR CLAIM FORM
Use this form for PIN based transaction only – transaction description must read “POS” or “WITHDRAWAL” Do not use this form for signature based transaction or when the transaction description indicated a MasterCard/Visa debit card was used.
Section 1 - Completed By Bank
Today’s Date______Account Number______Card No.______SSN______Customer Name______Home/Work Phone______
Address______List the dates, amounts, and locations of the transactions being reported as errors/unauthorized. NOTE: If amount requested differs from amount received, complete “$ Received” line.
Date of Trans. Amount Posted Location of $ Received ATM/POS Yes___ No ___ Yes___ No ___ Yes___ No ___ Yes___ No ___ Yes___ No ___
(Add additional sheets as needed, have each initialed.)
Section 2 – Completed by Customer During the investigation, card privileges will be suspended. To assist in this investigation, please report this incident to the applicable local law enforcement agency and provide the bank with the contact information and case number. On what date did you first realize the unauthorized withdrawals from your account? ______ My card was lost ___ stolen ____ on or about ______. On the back of this form, explain how card and PIN were obtained in order for the unauthorized transactions to have occurred. Please provide names of individuals you have allowed to use your card: Name ______Relationship______
Reg E – Five Best Practices for Disputes 62 Address ______Home / Work Phone ______
Name ______Relationship______
Address ______Home / Work Phone ______
Notice to the Customer 1. Under Regulation E, which implements the Electronic Fund Transfer Act, a financial institution has a minimum of 10 business days to research an alleged error before any re-crediting is required. Notification of the results of the investigation and of any re- crediting will be delivered by mail. 2. The transaction(s) described above were not originated with fraudulent intent by me or any person acting for or with me. I neither conducted, authorized, nor benefited from these transactions. I declare under penalty of perjury that the foregoing is true and correct to the best of my knowledge. 3. For reports of unauthorized use, I understand that I may be asked to cooperate in the prosecution of the person(s) improperly using my card and to review suspect’s photos taken during the transaction.
Customer Signature ______Date: ______
Employee Name ______Employee Signature ______
Route this form to:______Deactivate Card: ______Investigator Assigned: ______
TO BE COMPLETED BY CUSTOMER
Reg E – Five Best Practices for Disputes 63 SAMPLE EFT ERROR REPORT
SECTION I: Customer Information Time/Date: ____:______
Name: Card No. ______
Checking No.: ______Savings No.: ______
Customers Home Phone: Business: ______Cell: ______
SECTION II: Dispense Difference ATM Location: ______
Amount Requested: $______
Amount Received: $______
Amount Difference: $______
Did ATM Balance At The End Of The Day? _____Yes _____No If No: $______Over $______Short
Section III: Disputed Withdrawals/Deposits Total Disputed Amount: $______
List the dates, amounts, and locations of the transactions being reported as errors / unauthorized. NOTE: If amount requested differs from amount received, complete “$ Received” blank
Date ______$______Posted: yes__ no__ Location______$ Received ______Date ______$______Posted: yes__ no__ Location______$ Received ______Date ______$______Posted: yes__ no__ Location______$ Received ______Date ______$______Posted: yes__ no__ Location______$ Received ______Date ______$______Posted: yes__ no__ Location______$ Received ______
(For more transactions, use additional forms and have customer sign each form) Are you in possession of your ATM card (s)_____Yes _____No If No, what date did you realize it was missing?:______Lost ______or stolen______Where do you believe it was lost? ______
Reg E – Five Best Practices for Disputes 64 When did you first report this to the bank? ______If reported: to whom: ______
1. Have you ever authorized anyone to use your ATM card(s)_____Yes _____No If yes, whom: ______2. Is there another account owner who may have made this withdrawal? Who ______3. Do you suspect anyone?: ______4. Where is your card(s) kept? ______5. Where is your PIN code kept? ______6. Is the PIN code written on the card? ______7. Have you ever reported any other ATM errors, other than this one?_____ Yes _____No 8. If yes: When: ______Amount $______9. Have you contacted the police? ____ Yes ____ No If Yes, who ______When ______If no, will you consider filing a report and providing us with a copy? ____ Yes ____ No 10. Have you contacted the merchant in an attempt to resolve this error?_____ Yes _____No ____ NA Merchant Name: ______Date______11. For returned merchandise, do you have proof of return?______Yes _____No (Attach if available) 12. For cancelled service, provide date and reason for cancellation ______13. For service cancelled over telephone, name of contact and telephone number ______14. For service cancelled via fax, letter or e-mail, provide a copy of the sent e-mail or letter or fax confirmation ______
Reg E – Five Best Practices for Disputes 65 WE REQUIRE A WRITTEN CONFIRMATION TO BE RECEIVED BY US WITHIN TEN (10) BUSINESS DAYS. Your written confirmation should be mailed to: Bank Name Attn: J Doe, Dept. 205 123 Any Street City, State 12345
Your letter should contain the following: 1. Your name 2. Your account number 3. A brief description of the error and how you think it happened 4. To the extent possible, the type, date, and amount of error
Customer's statement if this is their formal claim:
Signing an affidavit containing false information is a criminal offense. Please be sure all information is accurate before signing this form. This matter may be forwarded to the appropriate law enforcement agency for follow-up investigation.
Under Regulation E, which implements the Electronic Fund Transfer Act, a financial institution has a minimum of 10 business days to research an alleged error before any re- crediting is required. Notification of the results of the investigation and of any re- crediting will be delivered by mail. ______Customer Date
______Bank Employee Date
Reg E – Five Best Practices for Disputes 66 REGULATION E CALCULATOR
Error Resolution Consumer Liability for Unauthorized Use - Reg E versus Reg Z (See the Commentary to 1005.12(a) for summary reference) Error Consumer's Liability for Account Type Resolution Unauthorized Use Credit Card Reg. Z Reg. Z (includes HELOC with credit 1026.13 1026.12 card) Overdraft Line Reg. E Reg. E (initiated by an EFT)* 1005.11 1005.6 Overdraft Line Reg. Z U.C.C. ** (no EFT involved) 226.13 Reg. E Reg. E Debit Card 1005.11 1005.6 Reg. E Reg. E Deposit Account w/EFT trans 1005.11 1005.6 Example: POS transaction or ATM withdrawal that triggers an overdraft Reg Z 1026.13(i) Commentary states that for this situation the timing and notice requirements of Reg E at 1005.11 apply. (Commentary to Reg E 1005.12(a) also confirms.) ** While this is a credit transaction covered by Reg Z for error resolution issues, the only provision limiting customer liability in Reg Z is specific to credit cards. Therefore, the customer's liability is determined by the action that caused the overdraft. For example, if the overdraft was caused by a check, the customer's liability is addressed in the U.C.C for unauthorized checks. Important Points: 1) The 5 / 10 and 45 / 90 day time frames for error resolution start when the oral notice is given, even if the bank requires a written follow up letter. 2) If the bank requires a written follow up letter and it is not received within the 10 business day time frame, then it does not need to provide provisional credit at all. However, it still needs to resolve the error within the original time frames. 3) The customer always has 10 business days to provide the written notice if one is requested. It is not moved to five days for VISA or MasterCard debit cards. VISA and MasterCard defer to Reg E on this issue. This guide sheet is provided as a courtesy and is intended to be used as a tool to assist others in understanding certain regulatory requirements. While every effort was made to provide correct information, there are no stated or implied warranties or guaranties regarding anything contained in this document. Claim Amount $ $
Reg E – Five Best Practices for Disputes 67 Date bank notified of claim - Original date incl. Oral report - - Was written confirmation required-received 1005.11(b)(2) Standard 10-day 1005.11(c)(1) Resolution Date - - Resolved w/in 10 business days of original claim 1005.11(c)(1) Notified customer of outcome w/in 3 business days 1005.11(c)(1) If valid, corrected error w/in 1 day 1005.11(c)(1) If no error-advise of right to request documents 1005.11(d)(1) Standard 45-day 1005.11(c)(2) Resolution Date - - Resolved w/in 45 calendar days of original claim 1005.11(c)(2) Pay provisional credit w/in 10 bus. days 1005.11(c)(2)(i) Advise of provisional credit w/in 2 business days 1005.11(c)(2) (ii) If valid- corrected error w/in 1 business day 1005.11(c)(2)(iii) report to consumer w/in 3 business days 1005.11(c)(2)(iv) If no error-advise of right to request documents 1005.11(d)(1) Notified customer of debit date & amount 1005.11(d)(2)(i) Pay 3rd party items for 5 bus. days, no cost 1005.11(d)(2) (ii) New Account 20-day (30 day claim) 1005.11(c)(3) Resolution Date - - Resolved w/in 20 business days of original claim 1005.11(c)(3)(i) Notified customer of outcome w/in 3 business days 1005.11(c)(1) If valid, corrected error w/in 1 day 1005.11(c)(1) If no error-advise of right to request documents 1005.11(d)(1) New Account 90-day (30 day claim) 1005.11(c)(3)(ii)(C) Resolution Date - - Resolved w/in 90 calendar days of original claim 1005.11(c)(3) (ii)(C)
Reg E – Five Best Practices for Disputes 68 HELPING CUSTOMERS PROTECT THEIR SECURITY
There are ways customers can assist to improve their security
Check your account often for suspicious activity – either through the Internet, phone or ATM statements.
Enroll in mobile fraud alerting programs that your bank may offer to warn of suspicious activity on your accounts.
If you have a reason to suspect fraud, contact your financial institution right away by phone, your online banking site, or at the branch.
Other general safety recommendations provided by the American Bankers Association include: o Be wary of your surroundings and of other people who may be near you at the ATM or retail point-of-sale. o Use your body or hand to “shield” the ATM kor point-of-sale keyboard as you enter your PIN. Be wary of those trying to help you, especially when an ATM "eats" your card. They may be trying to steal your card number and PIN. o Always take your receipts or transaction records with you and check them against your statements. Report unauthorized transactions immediately. o Do not give your personal or financial information to anyone who calls you over the phone or through text and email. Thieves often pose as bank representatives to steal this information; however, banks already have this information and will not request it from you. o Keep a record of card numbers, expiration dates and 1-800 numbers for banks so you can contact the issuing bank easily in cases of theft. Do not leave your bank statements, checkbooks, or credit/debit cards lying around the house or on your desk at work. No one should have access to this information but you. o Contact the Federal Trade Commission at www.consumer.gov/idtheft, or call the FTC, at 1-877-438-4338, or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, D.C., 20580. o Periodically obtain credit reports from each nationwide credit reporting agency. If any information on the credit report appears fraudulent, request that the credit reporting agency delete that information from the credit report file. Under federal law, consumers are entitled to one free copy of their credit report every 12 months from each of the three nationwide credit reporting agencies. Obtain a free copy by going to
Reg E – Five Best Practices for Disputes 69 www.AnnualCreditReport.com or by calling 1-877-322-8228.
FTC RESOURCES
This is from the FTC website: http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit- cards
What is Identity Theft? Immediate Steps to Repair Identity Theft Repairing Your Credit After Identity Theft Sample Letters and Forms for Victims of Identity Theft
If your credit, ATM, or debit card is lost or stolen, federal law limits your liability for unauthorized charges. Your protection against unauthorized charges depends on the type of card — and when you report the loss.
Report Loss or Theft Immediately Acting fast limits your liability for charges you didn’t authorize. Report the loss or theft of your card to the card issuer as quickly as possible. Many companies have toll-free numbers and 24-hour service for such emergencies. Once you report the loss of your ATM or debit card, federal law says you cannot be held liable for unauthorized transfers that occur after that time.
Follow up with a letter or email. Include your account number, the date and time when you noticed your card was missing, and when you first reported the loss. Check your card statement carefully for transactions you didn’t make. Report these transactions to the card issuer as quickly as possible. Be sure to send the letter to the address provided for billing errors. Check if your homeowner's or renter’s insurance policy covers your liability for card thefts. If not, some insurance companies will allow you to change your policy to include this protection.
How to Report Fraudulent Transactions
1. Contact your ATM or debit card issuer.
1. Report the fraudulent transaction. Act as soon as you discover a withdrawal or purchase you didn’t make.
2. Write a follow up letter to confirm that you reported the problem.
Reg E – Five Best Practices for Disputes 70 1. Keep a copy of your letter.
2. Send it by certified mail and ask for a return receipt.
3. Update your files.
1. Record the dates you made calls or sent letters.
2. Keep copies of letters in your files. How to Limit Your Losses The Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) offer protection if your credit, ATM, or debit cards are lost or stolen.
Credit Card Loss or Fraudulent Charges Under the FCBA, your liability for unauthorized use of your credit card tops out at $50. However, if you report the loss before your credit card is used, the FCBA says you are not responsible for any charges you didn’t authorize. If your credit card number is stolen, but not the card, you are not liable for unauthorized use.
ATM or Debit Card Loss or Fraudulent Transfers. If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:
If you report: Your maximum loss: Before any unauthorized charges are $0 made. Within 2 business days after you learn $50 about the loss or theft. More than 2 business days after you learn about the loss or theft, but less than 60 $500 calendar days after your statement is sent to you, All the money taken from More than 60 calendar days after your your ATM/debit card account, and possibly statement is sent to you. more; for example, money in accounts linked to your debit account. If someone makes unauthorized transactions with your debit card number, but your card is not lost, you are not liable for those transactions if you report them within 60 days of your statement being sent to you.
Reg E – Five Best Practices for Disputes 71 How to Protect Your Cards and Account Information For Credit and ATM or Debit Cards Don’t disclose your account number over the phone unless you initiate the call. Guard your account information. Never leave it out in the open or write it on an envelope. Keep a record of your account numbers, expiration dates, and the telephone numbers of each card issuer so you can report a loss quickly. Draw a line through blank spaces on charge or debit slips above the total so the amount can’t be changed. Don't sign a blank charge or debit slip. Tear up copies and save your receipts to check against your monthly statements. Cut up old cards — cutting through the account number — before you throw them away. Open your monthly statements promptly and compare them to your receipts. Report mistakes or discrepancies as soon as possible. Carry only the cards you'll need. For ATM or Debit Cards Don't carry your PIN in your wallet, purse, or pocket — or write it on your ATM or debit card. Commit it to memory. Never write your PIN on the outside of a deposit slip, an envelope, or other papers that could be lost or looked at. Carefully check your ATM or debit card transactions; the funds for this item will be quickly transferred out of your checking or other deposit account. Periodically check your account activity, especially if you bank online. Compare the current balance and transactions on your statement to those you've recorded. Report any discrepancies to your card issuer immediately.
Reg E – Five Best Practices for Disputes 72 SKIMMING HAPPENS
DATE: April 8, 2016 Source: http://www.nytimes.com/2016/04/09/your-money/safeguarding-your-atm- information-as-fraud-escalates.html?_r=0
FRAUD using A.T.M. “skimming” devices is on the rise, new data show. Skimming involves stealing debit card numbers by putting an illegal card reading device on an A.T.M. Criminals use the devices in tandem with hidden cameras that record personal identification numbers entered onto the keypad. They then make duplicate cards using the information and drain cash from bank accounts.
FICO Card Alert Service, which monitors activity at A.T.M.s for bank clients, is reporting a sixfold increase in the number of machines in the United States compromised by criminals in 2015, compared with 2014. The service is an arm of analytic software company FICO, best known for providing consumer credit scores. The FICO service, which monitors hundreds of thousands of A.T.M.s, first reported an increase in the fraud about a year ago. The company said it was contractually barred from disclosing the actual number of incidents, but noted that the number for all of 2015 was the highest the service had ever recorded.
This month, a man was arrested in San Diego County, Calif., and charged with placing skimming devices on Wells Fargo A.T.M.s across the county. He was accused of using stolen data from nearly 4,900 cards to create counterfeit cards that were then used to steal nearly half a million dollars, much of which was sent overseas.
Hilary O’Byrne, a Wells Fargo spokeswoman, said in an email statement that the bank tests new security devices and technology to safeguard its A.T.M.s, but she declined to provide details because “we don’t want to compromise those efforts.” Wells Fargo conducts regular inspections of A.T.M.s and their keypads, she said, and takes reports of suspicious activity seriously.
While the episode shows that banks are not immune, nonbank A.T.M.s, meaning those in locations like convenience stores, are increasingly the targets, said T. J. Horan, vice president for fraud solutions at FICO. In 2015, he said, 60 percent of the compromises were at nonbank A.T.M.s, up from about 39 percent in 2014.
And while A.T.M. fraud was previously concentrated in big cities on the East and West Coasts, it is now spreading throughout the country, Mr. Horan said. Although more banks are issuing credit and debit cards containing tiny computer chips that are more difficult to counterfeit, not all retailers accept them yet. So most cards still have magnetic strips attached to the back of the cards as well. This makes it possible to steal the information from the strips, and allows criminals to use the counterfeit cards created by skimming. “Cards with magnetic stripes are vulnerable to skimming, period,” Mr. Horan said. “It’s a bit of a transition period Catch-22.”
Reg E – Five Best Practices for Disputes 73 Mr. Horan said criminals were also using a “quick hit” approach, moving faster to make it harder for banks to react. The estimated loss per card is about $600.
Here are some questions and answers about A.T.M. safety. ■ How can I tell if an A.T.M. has a skimmer? Kurt Baumgartner, principal security researcher with the cybersecurity company Kaspersky Lab, said customers should take note of anything that looks unusual about an A.T.M., particularly the slot where the card is inserted. If the fixture wiggles, or appears to be attached with glue, that’s an indication that a skimming device is attached. Skimmers are also a big problem at gas station pumps, but it’s getting harder to detect skimmers at those locations because they are increasingly installed inside the pumps, Mr. Baumgartner said. So consumers, he said, should be vigilant in keeping track of their bank account to note any unfamiliar transactions. ■ If my card is skimmed, will I get any stolen money back? In most cases, yes. Under the Electronic Fund Transfer Act, consumers generally aren’t liable for funds stolen from their bank account through fraud like skimming, as long as it’s reported within 60 days, said Paul Stephens, policy director of the Privacy Rights Clearinghouse, a consumer group. What’s more, many banks say they offer a blanket “zero liability” policy for such incidents. Ms. O’Byrne, the Wells Fargo spokeswoman, said, “Customers affected by any type of fraud are fully reimbursed.”
Still, Mr. Stephens said there was some possibility that you could be without cash for a few days in some situations, while the bank investigates. For that reason, he suggests that if you are a frequent debit card user, you may want to keep a separate savings account at a different financial institution, so you have backup funds available in case there’s a delay in restoring stolen cash. ■ How can I avoid having my card skimmed? Michael Lee, chief executive of the ATM Industry Association, said consumers could reduce their risk when using A.T.M.s by covering the keypad with their free hand while they enter their PIN. This prevents “shoulder surfing” — in which someone behind you watches you enter your PIN — or having the number recorded by an illegal camera. “The PIN is the front door key, and if you protect the PIN fraud cannot be committed against that cardholder,” Mr. Lee said in an email. Mr. Stephens also suggested avoiding A.T.M.s in nonbank locations because direct video surveillance may be less likely at those locations.
Reg E – Five Best Practices for Disputes 74 CFPB BULLETIN ON AUTO DEBITS
The CFPB issued bulletin 2015-06 on November 23, 2015: this is the link: http://www.consumerfinance.gov/newsroom/cfpb-alerts-companies-about-obtaining- consumer-authorization-for-recurring-auto-debits/
The Consumer Financial Protection Bureau (CFPB) issued a bulletin alerting companies that they must obtain authorization before automatically debiting a consumer’s account. The bulletin also reminds companies that they are required by law to provide notifications to consumers that clearly describe the terms of preauthorized auto debits. In addition, the Bureau is publishing action letters today for consumers seeking to revoke a company’s authorization to auto debit an account.“This bulletin makes clear that companies must get a consumer’s authorization before automatically debiting their account,” said CFPB Director Richard Cordray. “Consumers also have the right to stop these charges at any time. They can use our action letters or submit a complaint to the Bureau if they are having problems managing or stopping auto debits.”
The CFPB is concerned that some companies may be failing to meet the legal requirements for obtaining authorizations from consumers for recurring auto debits. Also, through its supervisory work, the CFPB observed that one or more companies provided consumers with a notice of the terms for preauthorized auto debits that failed to disclose critical information, such as the amount and timing of the payments the consumer agreed to. If consumers are not given clear information on the terms of auto debits, they may not be able to manage payments or ensure their account balance is large enough to avoid being hit with overdraft or non-sufficient fund fees. In some cases, consumers have also reported companies not obtaining proper authorization to auto debit an account.
The bulletin stresses that the Bureau expects all companies to get required consumer authorization before automatically debiting a consumer’s account. Companies must also keep clear records on what the consumer has authorized and provide consumers with a copy of those terms. This information can include the amount the consumer agreed to, the recurring nature of the debits, and the timing of the payments. To help ensure that consumers are informed, the CFPB encourages companies to provide a copy of these terms prior to initiating the first auto debit, when practical.
Here’s a list of the sample letters: A sample letter to send to a company or merchant to revoke the consumer’s permission to auto debit the account A sample letter to send to a bank or credit union to provide notice that the consumer revoked a company’s authorization to automatically debit the account A sample stop payment order to instruct a bank or credit union to stop allowing the company to take payments from the consumer’s account A sample letter to a bank or credit union providing notice of an unauthorized debit from a consumer’s account
Reg E – Five Best Practices for Disputes 75 CFPB PROPOSES PREPAID ACCOUNT RULE
The CFPB proposed a change to Regulation E and to Regulation Z on December 23, 2014. The comment period ENDED on March 23, 2015. The proposal was 235 pages. This is a link to the proposal: https://federalregister.gov/a/2014-27286
The proposal would create comprehensive consumer protections for prepaid financial products. The proposal would expressly bring such products within the ambit of Regulation E as prepaid accounts and create new provisions specific to such accounts. The proposal would generally cover those prepaid accounts that are cards, codes, or other devices capable of being loaded with funds and usable at unaffiliated merchants or for person-to-person transfers, and are not gift cards (or certain other related types of cards). The proposal would modify Regulation E to establish disclosure requirements specific to prepaid accounts that would require financial institutions to provide certain disclosures to consumers prior to and after the acquisition of a prepaid account. The proposal would also include an option for an alternative to Regulation E's periodic statement requirement that would permit prepaid product providers to make available to consumers certain methods for access to account information in lieu of sending periodic statements.
Additionally, the proposal would apply Regulation E's limited liability and error resolution provisions to prepaid accounts, with certain modifications, including applying these provisions after account registration. Moreover, the proposal would require prepaid account issuers to provide the Bureau with terms and conditions for prepaid accounts, which it would post on a Web site maintained by the Bureau.
Issuers would also be required to post the terms and conditions on their own Web sites or make them available upon request. Finally, the proposal would also contain amendments to Regulations Z and E to regulate prepaid accounts with overdraft services or credit features. Among other things, prepaid cards that access overdraft services or credit features for a fee would generally be credit cards subject to Regulation Z and its credit card rules. Moreover, the proposal would require that consumers consent to overdraft services or credit features and give them at least 21 days to repay the debt incurred in connection with using such services or features. Further, Regulation E would be amended to include disclosures about overdraft services or credit features that could be linked to prepaid accounts. The compulsory use provision under Regulation E would also be amended so that prepaid account issuers would be prohibited from requiring consumers to set up preauthorized electronic fund transfers to repay credit extended through an overdraft service or credit feature.
This is a link to the CLOSED comments http://www.regulations.gov/#!documentDetail;D=CFPB-2014-0031-0001 NOTE: 6,066 comments were received.
Reg E – Five Best Practices for Disputes 76 BASIC PROVISIONS: Revise Regulation E to define a prepaid account and extend Regulation E protections to general purpose reloadable (GPR) cards and other non-reloadable prepaid accounts, which may include peer-to-peer transfers, digital wallets that store funds, and virtual currency products; and Amend Regulation Z’s definition of “credit card” to include a prepaid card that accesses a credit plan, such as overdraft services, or certain other credit plans linked to prepaid accounts that are accessed by account numbers. DETAILS: Prepaid companies must give consumers at least 21 days to repay their debt tied to a prepaid card before charging a late fee that is "reasonable and proportional" to the violation of the account terms.
The total fees for a prepaid credit during the first year an account is open cannot exceed 25% of the credit limit. The interest rate on new purchases can be increased but companies should give consumers 45 days advance notice in which the consumer can cancel the account during that time.
Companies cannot offer another credit product until the consumer has first registered the prepaid account for 30 days.
Prepaid companies are restricted from automatically moving funds from a prepaid account to repay another debt unless the consumer has "affirmatively" allowed it. In such a case, the company cannot withdraw funds more than once per month. DISCLOSURE FOR REG E The proposed rule details when a financial institution is required to make certain disclosures and provides model short form and long form disclosures. The short form would consist of a “static” disclosure that would set forth fees that must be disclosed for all prepaid account products, even if such fees are not charged or if those features are not offered in connection with a particular prepaid account product. The long form would set forth all of a prepaid account product’s fees and their qualifying conditions under which those fees could be imposed, except for accounts that consumers acquire in retail stores or orally by telephone.
Reg E – Five Best Practices for Disputes 77 ERROR RESOLUTION SAMPLE DOCUMENTATION LETTERS
Provisional Credit Letter
Dear
On _
The final resolution of your claim will be determined as quickly as possible, but no later than _
If we deny your claim for any reason, this provisional credit will be deducted from your account. You will be notified in this event.
Should you have questions regarding this provisional credit, please do not hesitate to call me at _
Sincerely,
Susie Investigator ATM Department
Certified Mail #
Reg E – Five Best Practices for Disputes 78 1Resolution of Claim - Error
Dear
This letter is to inform you that we have concluded our investigation regarding your claim of unauthorized electronic fund transfer(s) dated _
{Case facts inserted here.}
Based on the facts of our investigation, your claim is found to be valid. As of _
Claim Amount:...... $______Less your liability:...... $______Plus fees, charges & interest. .$______Amount of deposit...... $ ______
Should you have questions regarding this claim, please do not hesitate to call me at _
Sincerely,
Susie Investigator ATM Department
Certified Mail #
1 Certified mail is not a regulatory requirement.
2 Certified mail is not a regulatory requirement. Resolution on Claim - Error - Provisional Credit
Dear
This letter is to inform you that we have concluded our investigation regarding your electronic fund transfer(s) claim dated _
{Case facts inserted here.}
Based on the facts of our investigation, your claim is found to be valid. On _
We apologize for any inconvenience this error may have caused you.
Should you have questions regarding this claim, please do not hesitate to call me at _
Sincerely,
Susie Investigator ATM Department
Certified Mail #
3 Certified mail is not a regulatory requirement. Resolution of Claim - No Error
Dear
This letter is to inform you that we have concluded our investigation regarding your electronic fund transfer(s) claim dated _
{Case facts inserted here.}
Based on the facts of our investigation, we do not find that an error has occurred. Therefore, no funds will be deposited to your account as a result of this claim.
The evidence which was used to resolve your claim will be available to you upon request.
Should you have questions regarding this claim’s process, please do not hesitate to call me at _
Sincerely,
Susie Investigator ATM Department
Certified Mail #
4 Certified mail is not a regulatory requirement. Resolution of Claim - No Error - Provisional Credit Debited
Dear
This letter is to inform you that we have concluded our investigation regarding your electronic fund transfer(s) claim dated _
{Case facts inserted here.}
Based on the facts of our investigation, we do not find that an error occurred. Your account _<(number)>_ was given a provisional credit (temporary until we completed the investigation) in the amount of _<$amount>_ on _
As of this date, the provisional credit amount is being deducted from your account. We will honor checks, drafts and similar paper instruments payable to third parties and preauthorized transfers against your account (based on this amount being charged back and the availability of other funds you have) for five business days from today. Additionally, we will not charge you any handling fees if your account becomes overdrawn because of the deduction.
Please contact me at _
Sincerely,
Susie Investigator ATM Department
Certified Mail #
5 Certified mail is not a regulatory requirement. Final Determination of Claim - Withdrawn
Dear
You advised us that you have chosen to withdraw your electronic fund transfer claim originally filed on _
{Facts of case.}
Based on the above facts, you have concluded that no error occurred as originally believed.
Please contact me at _
Sincerely,
Susie Investigator ATM Department
Certified Mail #
6 Certified mail is not a regulatory requirement.
83Reg E- Handling Customer Disputes & Inquires Total Training Solutions