CFPB releases unauthorized EFTs and error resolution FAQs

Agency Rule-Making & Guidance CFPB Consumer Finance EFTA Regulation E

On June 4, the CFPB released eight new FAQs regarding compliance with the Electronic Fund Transfer Act (EFTA) and Regulation E. Highlights from the FAQs are listed below:

• As explained by the commentary to Regulation E, unauthorized electronic funds transfers (EFTs) include transfers by a person who obtained an access device from a consumer through fraud or robbery. “Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.”
• “If a third party fraudulently induces a consumer to share account access information,” subsequent EFTs initiated using that information are not excluded from the definition of an unauthorized EFT under the exclusion for transfers initiated by persons who “furnished the access device to the consumer’s account by the consumer.”
• Financial institutions cannot consider a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E because it establishes “the conditions in which consumers may be held liable for unauthorized transfers, and its commentary expressly states that negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E.”
• Financial institutions cannot rely on a consumer agreement that “includes a provision that modifies or waives certain protections granted by Regulation E, such as waiving Regulation E liability protections if a consumer has shared account information with a third party” when determining whether the EFT was unauthorized and what liability provisions apply. The EFTA “includes an anti-waiver provision stating that ‘[n]o writing or other agreement between a consumer and any other person may contain any provision which constitutes a waiver of any right conferred or cause of action created by [EFTA].’”
• Less protective rules do not change a financial institution’s Regulation E obligations, even if private network rules and other agreements provide additional consumer protections beyond Regulation E.
• “A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer.”
• “If a consumer has provided timely notice of an error under 12 CFR § 1005.11(b)(1) and the financial institution determines that the error was an unauthorized” EFT, Regulation E’s liability protections under Section 1005.6 would apply. “Depending on the circumstances regarding the unauthorized EFT and the timing of the reporting, a consumer may or may not have some liability for the unauthorized EFT.”