CFPB Provides Guidance on Unauthorized Transfers

Recent technological developments in banking and other financial services, combined with the effects of the pandemic, have led consumers to increasingly adopt digital payment solutions. At the same time, reports of digital fraud¹ and disputed electronic funds transfers (EFTs) are on the rise.

In response to these trends, the Consumer Financial Protection Bureau (CFPB) recently provided guidance in updated FAQs² on unauthorized EFTs, consumer liability for unauthorized EFTs, and the related obligations of financial institutions.

What Are Unauthorized EFTs?

Regulation E³ defines an unauthorized EFT as an EFT "from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit."⁴

However, Regulation E also provides that an unauthorized EFT does not include an EFT initiated "by a person who was furnished the access device to the consumer's account by the consumer"⁵ (emphasis added). An "access device" is a "card, code, or other means of access to a consumer's account . . . used by the consumer to initiate electronic fund transfers."⁶

Consumer Liability for Unauthorized EFTs

The definition of what is an unauthorized EFT is of critical importance to consumers and financial institutions, as Regulation E also limits a consumer's liability for an unauthorized EFT. Consumer liability is capped at a maximum of $50, provided the consumer notifies its financial institution within two business days of learning of the loss or theft of an access device;⁷ or $500 if the consumer fails to provide such notice.⁸

• Note, however, that a consumer must provide notice to the financial institution within 60 days of receiving a periodic statement on which an unauthorized EFT appears; if the consumer fails to do so, the consumer may have unlimited liability for any unauthorized EFTs after that 60-day period.⁹

Upon being notified by a consumer of an unauthorized EFT, a financial institution must promptly investigate and make a determination as to whether the transaction was an unauthorized EFT. As part of its guidance, the CFPB reaffirmed that if a consumer has provided timely notice and the financial institution determines that an unauthorized EFT occurred, the foregoing liability protections apply.

Victims of Digital Fraud Benefit From Limited Liability for Unauthorized EFTs

What happens, then, if the consumer was tricked or forced into furnishing such access? There is an argument based on the plain language of Regulation E that since the consumer has "furnished the access device" to the third party, the transaction may not qualify as an unauthorized EFT. However, the official interpretation of Regulation E provides the contrary answer—an unauthorized EFT¹⁰ includes any transfer initiated by a person who obtained an access device through fraud, robbery, or force.¹¹

The CPFB's recent guidance affirms and clarifies this approach, noting that if a consumer is fraudulently induced into sharing account access with a third party, the subsequent transfer is an unauthorized EFT. This includes commonplace examples of digital fraud, including instances where a consumer receives a call from someone pretending to be a representative from the consumer's financial institution, as well as phishing or other methods to gain access to a consumer's computer and obtain such information.

The CFPB made clear that a consumer is entitled to receive the liability protections of Regulation E, even if that consumer acted negligently. While there is a cogent argument that consumers should bear some responsibility for their actions, the official interpretation of Regulation E expressly provides that negligence by a consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E.¹² The interpretation notes that even consumer behavior that constitutes negligence under state law, including writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized EFTs.

Limitations on Ability of Financial Institutions to Avoid Liability

The remainder of the CFPB's guidance serves to squarely protect consumers and limit the ability of financial institutions to charge consumers with liability for unauthorized EFTs:

• No Reliance on Separate Agreements: Financial institutions often include in their agreements with consumers provisions with respect to the determination of unauthorized EFTs, limitations of liability, and other modifications or waivers of Regulation E protections. However, the CFPB's guidance notes that financial institutions cannot rely on such provisions, as the EFTA includes an anti-waiver provision that provides that an agreement with a consumer may not contain any waiver of any right conferred or cause of action created by the EFTA.¹³
• No Reliance on Network Rules: Similarly, a financial institution may not rely on private network rules that provide less protection for consumers than federal law. Although private network rules may offer additional consumer protections beyond Regulation E, less protective rules do not reduce a financial institution's Regulation E obligations.¹⁴
• No Consumer Obligation to Contact Merchants, File Police Reports or Provide Additional Information: A financial institution must begin its investigation of the unauthorized EFT promptly upon receipt of notice from the consumer. The official interpretation makes clear that a financial institution may not delay initiating or completing an investigation by requiring the consumer to first take certain steps, such as contacting the merchant in question, filing a police report, or providing additional information to the financial institution.¹⁵ Requiring a consumer to do any of these may be a violation of Regulation E.¹⁶

Takeaways

The FAQ's clarify the CFPB's view that consumer protection is paramount. Although this general stance should not be surprising, it is a timely reminder.

Financial institutions should consider reviewing existing documentation and practices for compliance purposes, including confirming that agreements do not contain waivers of consumer rights and that unauthorized EFT investigation policies and practices track the limits set forth in Regulation E.

FOOTNOTES

1  See, for example, DataVisor's Digital Fraud Trends Report and TransUnion's analysis of the increase of digital fraud.
2  CFPB's FAQs can be found here.
3  Regulation E was issued by the CFPB pursuant to the Electronic Fund Transfer Act (15 U.S.C. 1693 et seq.) (EFTA) and, among other things, addresses the protection of individual consumers engaging in EFTs.
4  12 CFR § 1005.2(m).
5  12 CFR § 1005.2(m)(1).
6  12 CFR § 1005.2(a)(1).
7  12 CFR § 1005.6(b)(1).
8  12 CFR § 1005.6(b)(2).
9  12 CFR § 1005.6(b)(3).
10  See 12 CFR § 1005.2(m)(1).
11  Comment 1005.2(m)-3 and 1005.2(m)-4 .
12  See Comment 1005.6(b)-2.
13  15 U.S.C. § 1693.
14  12 CFR § 1005.11(b)(1)(i).
15  See Comments 1011(b)(1)-2 and 1011(c)-2.
16  See USAA Federal Savings Bank, Consumer Financial Protection Bureau.