In this Compliance Clip (video), Adam explains the nuances of authorized but fraudulent debit card transactions. He discusses the distinctions in liability for consumers when a scammer initiates a transaction versus when the consumer unknowingly authorizes it.

Video Transcript

The following is a transcript of this video.

This Compliance Clip is going to talk about authorized but fraudulent debit card transactions. This is a Regulation E topic.

The question I received was this: is there a distinction in liability for debit card transactions for when 1) a customer gives their information to a scammer but doesn't authorize or know a charge is going to be applied and the scammer has fun spending on their card - so, later on, the scammer initiates a transaction versus 2) when a customer falls for the story the scammer is saying, gives the scammer their card information and knows a transaction is going to happen, and then later realizes, “oh man, I've been scammed”, and then they dispute the charge as fraudulent with their financial institution.

So there are two different scenarios here. In the first one, the customer gave their information but didn't realize the charge was going to happen. In the second one, they knew a charge was going to happen but realized it was under fraudulent pretenses.

Where are we going to find the answer? Let's take a look at the CFPB's Regulation E Frequently Asked Questions, as well as Regulation E Section 1005.2(m), which is the definition of an unauthorized EFT.

First of all, let's take a look at the CFPB's Frequently Asked Questions. Instead of looking at all of them, and there are quite a few, we can pause this video, read them, and then understand that the CFPB has made it clear that a consumer has liability protections when a scammer initiates a transaction. In the CFPB's Frequently Asked Questions, they give a number of scenarios related to disputes under Regulation E. Each one of the scenarios talks about how a fraudster was the one who initiated the transaction from the information obtained either directly from the consumer or stolen. And so, the CFPB was very careful, at least it seems this way, that the CFPB was very careful in wording all of their answers that are covered under Regulation E and an unauthorized EFT to say that the fraudster was the one who initiated the transaction. So, the CFPB is very clear.

Now, let's go on to Regulation E and the definition of an unauthorized EFT, which is found in 1005.2(m). Let's take a look here to understand what the definition is. An unauthorized EFT includes transactions that are from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transaction and from which the consumer receives no benefit. So, an unauthorized EFT has to be all of these things. It has to be from a consumer's account initiated by a person other than the consumer who doesn't have actual authority. So, if I gave my brother authority to use my debit card, that would be quite foolish, but that would be authorized. It would not be unauthorized. And so it has to be initiated by somebody who does not have authority to initiate the transfer and from which the consumer receives no benefit. So that's the definition of an unauthorized EFT.

The commentary goes in and talks about some additional things. The commentary says this, an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through robbery or fraud. So it includes a transfer initiated by a person other than the consumer who obtained the information through fraud or robbery. So that gives us enough information to answer scenario one. In scenario one, the customer did not initiate the transaction. The fraudster did, and they obtained it through a scammy situation. Therefore, that would be covered by liability protections. So the consumer has a right to dispute this, and if your investigation finds that it was, in fact, a transaction the consumer did not initiate, then the consumer has liability protections.

Now, under scenario two, it's a bit more tricky. Under scenario two, the consumer did initiate the transaction, which means that this transaction would not technically meet the definition of an unauthorized EFT because it was not initiated by a person other than the consumer without actual authority. It was initiated by the consumer. So this was not specifically initiated by a person other than the consumer without actual authority, it was initiated by the consumer, and therefore, it's likely that this may not qualify as an unauthorized EFT.

Now that said, you have to be very careful to make sure that any transaction that you're going to deny where there's potential fraud or potential scam does, in fact, not meet the definition of an unauthorized EFT. It's very easy to say AO doesn't meet the definition, but we have to make sure it truly does not meet the definition of an unauthorized EFT or the other provisions allowed to be disputed under Regulation E. So I would caution you instead of blanketly denying all disputes that relate to scams, you have to really make sure you understand what is and what is not an unauthorized EFT.

Now, if you want to go on the conservative side and make sure you don't have any scrutiny from examiners, the best thing to do is to consider just paying the dispute for the consumer. If it's a low dollar amount, that might not be a big deal. If it's a large dollar amount, you're going to want to have a risk conversation, maybe consult some professionals to see if this, in fact, is an unauthorized EFT. Maybe consult with your exam team. But this is an area that used to be a little more black and white than it is today. Consumer advocates and even the regulators who are pushing for consumer protection have really been pushing the line of where Regulation E falls.

The bottom line is you have to make sure that if you're going to deny a transaction that's disputed, you need to make sure it is not an unauthorized EFT. It has to not meet the definition of an unauthorized EFT. If it does meet the definition of an unauthorized EFT, you would of course have to comply with Regulation E and the liability provisions that are included there.

I'm not going to give you a black-and-white answer. You have to own this yourself. You have to understand whether or not you have an unauthorized EFT or whether you do not. And based on that is how you make your decision on disputes.

So this is a complicated topic. If you're looking for more information on Regulation E, we have two programs in our store. We have Regulation E Bootcamp and Reg E Error Resolutions.

That’s all I have for you today.