Regulation E consumer liability: When are you responsible for unauthorized EFTs?

Financial institutions can find it challenging to navigate the complexities of determining consumer liability for unauthorized electronic funds transfers (EFT). While examiners scrutinize procedures for resolving errors under Regulation E, the rules determining consumer liability are often misunderstood or misinterpreted.
Determining consumer liability depends on the consumer reporting the unauthorized EFTs involving their account, the timing of the notification and understanding what liability tier(s) are applicable.
The question to ask your staff members involved in EFT error disputes is, “Do you deny a claim solely because it was received more than 60 days after the transmittal of the periodic statement showing the first unauthorized EFT?”
If so, training and process changes may be necessary. Consumer liability will apply to unauthorized EFTs [§1005.6] received after more than 60 days; however, procedures for resolving errors [§1005.11] will not apply.
Establishing consumer liability
To establish consumer liability, the institution will have to determine if the transaction(s) was unauthorized. If so, determine the date of the first unauthorized transaction and the date of the 60th calendar day after the transmittal of the periodic statement showing the first unauthorized EFT.
Once that has been determined, the consumer is not liable for any unauthorized EFTs that occurred on or before the 60th calendar day after the institution’s transmittal of the periodic statement showing the first unauthorized EFT (when an access device is not involved).
However, the consumer is liable for any unauthorized EFT if the transfer occurred more than 60 calendar days after transmittal of a periodic statement showing the first unauthorized EFT, provided the institution can establish that the unauthorized EFT would not have occurred had the consumer notified the institution within the 60-day period.
When determining consumer liability for unauthorized EFTs involving an access device, the applicable liability tier will depend on when the consumer learned of the loss or theft of an access device, when the financial institution received notice and when the financial institution transmitted the periodic statement showing the first unauthorized transaction to the consumer.
First-tier liability: The consumer notifies the financial institution within two business days of when the consumer learned of the loss or theft of the access device. The consumer’s liability cannot exceed $50. [§1005.6(b)(1)]
For example: Notification within two business days of learning of loss or theft of card/code
- Card/code lost Monday, January 8
- Consumer learns of loss on Wednesday, January 10
- Consumer notifies the financial institution before midnight Friday, January 12
First-tier liability example
Day | Fraudulent charges | Consumer liability |
---|---|---|
Monday 1/8 | $100 | $50 |
Tuesday 1/9 | $300 | $0 |
Wednesday 1/10 | $200 | $0 |
Thursday 1/11 | $200 | $0 |
Friday 1/12 | $100 | $0 |
Total | $900 | $50 |
Second-tier liability: The consumer notifies the financial institution more than two business days after learning of the loss or theft of the access device. The consumer’s liability cannot exceed $500, provided the financial institution establishes that the unauthorized EFTs would not have occurred had the consumer provided notice within two business days after learning of the loss or theft of the access device. [§1005.6(b)(2)]
For example: Notification after two business days of learning of loss or theft of card/code, but within 60 calendar days after the statement is sent
- Card/code lost Monday, January 8
- Consumer learns of loss on Wednesday, January 10
- Consumer notifies the financial institution on Tuesday, January 16
Second-tier liability example
Day | Fraudulent charges | Consumer liability |
---|---|---|
Monday 1/8 | $100 | $50 |
Tuesday 1/9 | $100 | $0 |
Wednesday 1/10 | $0 | $0 |
Thursday 1/11 | $500 | $450 |
Friday 1/12 | $100 | $0 |
Total | $800 | $500 |
Third-tier liability: The consumer is liable for the total amount of unauthorized EFTs occurring more than 60 calendar days after transmitting the statement and before the consumer notified the financial institution. The consumer is liable only to the extent of the first and second-tier liability for the unauthorized transactions that occurred before this period. [§1005.6(b)(3)]
For example: Notification after two business days of learning of loss or theft of card/code, and more than 60 calendar days after the statement is sent
- Card/code lost Monday, January 8
- Consumer learns of loss on Wednesday, January 10
- Consumer notifies the financial institution on April 21
Third-tier liability example (with access device)
Period | Fraudulent charges | Consumer liability |
---|---|---|
January 8 to January 31 (First statement sent January 31) | $2,600 | $500 |
February 1 to April 1 (60 days after the first statement was sent) | $2,000 | $0 |
April 2 to April 21 (Tier 3) | $3,000 | $3,000 |
Total | $7,600 | $3,500 |
For example: Notification after two business days of learning of the unauthorized EFT not involving an access device, and more than 60 calendar days after the statement is sent
- The first unauthorized transaction occurred on Monday, January 8
- Consumer becomes aware of unauthorized transactions on Wednesday, January 10
- Consumer notifies the financial institution on April 21
Unauthorized EFT example (no access device)
Period | Fraudulent charges | Consumer liability |
---|---|---|
January 8 to January 31 (First statement sent January 31) | $2,600 | $0 |
February 1 to April 1 (60 days after the first statement was sent) | $2,000 | $0 |
April 2 to April 21 (Tier 3) | $3,000 | $0 |
Total | $7,600 | $3,000 |
The consumer has no liability for fraudulent or erroneous transactions initiated by a financial institution employee. However, the consumer is fully liable if they granted someone authority to use the access device and the person exceeds authority until the consumer notifies the financial institution that the person’s authority has been revoked.
How Wipfli can help
If your financial institution needs help understanding consumer liability for unauthorized transactions, as defined by Regulation E, Wipfli specialists can assist with consulting, training, monitoring or audits. Contact us to learn more about how we can help. Our compliance consultants can provide the support you need for your organization.