CUNA Mutual Group on Tuesday released a risk alert regarding the CFPB’s recent FAQs on electronic funds transfers, clarifying what constitutes unauthorized EFTs under Regulation E.
In its FAQs, the CFPB clarified that transfers using an “access device” obtained through robbery or fraud are considered unauthorized EFTs under the regulation and that the clarification is critical in that some credit unions impacted by the fraud scams may deny members’ Regulation E claims because the members voluntarily provided their login credentials or debit card information to the fraudsters. Further, refusing to re-credit members victimized in the scam increases litigation risk for violating Regulation E, according to the CFPB.
The risk alert states that credit unions should ensure that their processes for investigating members’ claims of unauthorized EFTs, including re-crediting members, comply with Regulation E, and that credit unions cannot deny a member’s Regulation E dispute by asserting that the member voluntarily provided their access device (login credentials or debit card details) to a fraudster.
Specifically, the risk alert states that:
- credit unions cannot consider a member’s negligence when determining liability for unauthorized EFTs;
- credit unions cannot modify or waive certain protections granted by Regulation E, such as waiving Regulation E liability protections if a member shares account information with a fraudster;
- private network rules do not trump the protections granted by Regulation E;
- credit unions cannot require members to file a police report or other documentation as a condition of initiating an error resolution investigation;
- credit unions cannot require members who file a Regulation E claim with the credit union to first contact the merchant about the unauthorized EFT; and
- for transfers meeting definition of an unauthorized EFT, credit unions must comply with section 1005.11(b)(1) of Regulation E if the consumer provides timely notice of an error.
CUNA Mutual Group’s risk alerts may be accessed on their Protection Resource Center. Log-in is required.