VIDEO: Unauthorized EFTs Using Stolen Credentials
In this Compliance Clip (video), Adam discusses whether or not electronic fund transfers (EFTs) that were initiated through fraud or robbery are considered unauthorized EFTs under Regulation E. Adam also cites examples of unauthorized EFTs, based on the CFPB’s FAQs on unauthorized electronic fund transfers.
Video Transcript
The following is a transcript of this video.
This Compliance Clip is going to discuss unauthorized EFT using stolen credentials. Basically, what happens if we have an EFT that comes through the dispute process in our bank where there were credentials that were stolen and obtained through fraud or robbery. So the question that we have is this, “Does an EFT initiated by a fraudster using stolen credentials meet the Regulation E definition of an unauthorized electronic funds transfer?” Part of the reason this is being asked is in the past, there was a lot of assumption that this was not covered under the dispute process, but we have received some guidance, and so we can take a look at this from two different angles.
The first place we're going to look, of course, is Regulation E, which is 1005.2(m). That's the section that applies to this under the definition section. Then we will look at the frequently asked questions under the EFT section from the CFPB, under the Error Resolution section, under the Unauthorized EFT section. So we're gonna look at a frequently asked question from the CFPB. So let's look at a couple of things.
First, we're gonna look at 1005.2(m) of Regulation E. In the regulation it says this, “Unauthorized electronic funds transfer means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.” So that is the plain Jane definition of an unauthorized electronic fund transfer, which of course the consumer would have some liability protection. Now, the commentary goes on to give us a little further guidance on what we need to do in regards to whether the account was used through fraud or through other means, even if the consumer maybe did technically authorize it but didn't realize that they were authorizing it. So here's what the commentary says. It says, “An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.” Now again, a lot of times in the past, people would interpret this to say that if the consumer authorized it, that's their fault. Even if it was obtained by a malicious person, they authorized it and so they have to pay for it. Well, this appears to clearly say that if it was obtained through fraud or robbery, then it is considered an unauthorized EFT and the consumer would have protections.
Now, if we take a look at the frequently asked question from the CFPB, Frequently Asked Question No. 4 provides some examples of what an unauthorized EFT is, especially when there are stolen credentials involved. Specifically, they give a couple of examples here. They say, one example is, let's say a consumer shares their account access information in order to enter into a transaction with a third party, such as a merchant, a lender or employer offering direct deposit, and a fraudster obtains the consumer's account access information by hacking into the computer system of the third party. The fraudster then uses a bank-provided payment-to-payment application to initiate a credit push payment out of the consumer's deposit account. That clearly was obtained through fraud, and that would provide the consumer with some liability protections and qualify as an unauthorized EFT.
Another example, let's say a consumer shares their debit card information with a person-to-person payment provider, in order to use a mobile wallet. A fraudster then hacks into the consumer's phone and uses the mobile wallet to initiate a debit card transfer out of the consumer's deposit or prepaid account. So that's another clear example of fraud.
Then finally, we have an example where a thief steals the consumer's physical wallet and initiates a payment using the consumer's stolen debit card.
So these are all examples of an unauthorized EFT under Regulation E.
That's all I have for you for this Compliance Clip.