The Electronic Fund Transfer Act (the “EFTA”) was enacted for the purpose of protecting consumers and limiting their liability when transferring funds electronically. The EFTA, as implemented by Regulation E, is administered by the Consumer Financial Protection Bureau (the “CFPB”), a U.S. government agency aimed at protecting consumers in the financial industry. Due to continuous developments in electronic banking capabilities and the COVID-19 pandemic, electronic fund transfers (“EFT”) have become an increasingly important means of transferring consumer funds. Online transactions, however, increase the risk to both consumers and financial institutions of fraudulent access to consumer accounts. In light of this risk and the growth of online transactions, the CFPB recently clarified and updated its guidance regarding “unauthorized electronic fund transfers” in its Electronic Fund Transfers FAQs (updated June 4, 2021), available here (the “FAQs”).
The EFTA (15 U.S.C. § 1693a(12)) defines an “unauthorized electronic fund transfer” to mean:
“an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit, but the term does not include any electronic fund transfer (A) initiated by a person other than the consumer who was furnished with the card, code, or other means of access to such consumer’s account by such consumer, unless the consumer has notified the financial institution involved that transfers by such other person are no longer authorized, (B) initiated with fraudulent intent by the consumer or any person acting in concert with the consumer, or (C) which constitutes an error committed by a financial institution.” (See also a similar definition under Regulation E, 12 C.F.R. § 1005.2(m)).
If a transaction is considered “unauthorized” under the EFTA and such transaction is timely reported to the financial institution, a consumer’s liability is substantially limited for the loss incurred.
The FAQs clarify what falls into the category of an unauthorized EFT. Specifically, the FAQs state that when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E. The FAQs highlight two common examples of this type of unauthorized EFT: (1) a third party calling the consumer and pretending to be a representative from the consumer’s financial institution to trick the consumer into providing account login information, texted account confirmation code, debit card numbers, or other information that could be used to initiate an EFT from the consumers account, and (2) a third party using phishing or other techniques to gain access to a consumer’s computer and observe the consumer entering account login information.
The FAQs additionally note that (a) a consumer who is fraudulently induced into providing account information has not furnished an access device under Regulation E (and thus, EFTs initiated using account access information obtained through fraud or robbery will fall within the Regulation E definition of unauthorized EFT), and (b) negligence by the consumer in these situations, such as writing a PIN on a debit card or a piece of paper kept with the card, cannot be used as a basis for imposing greater liability on the consumer than allowed under Regulation E.
The FAQs also discuss financial institutions’ inability to limit their liability in these situations. The EFTA includes an anti-waiver provision which prohibits a writing or other agreement from containing a provision which constitutes a waiver of any right conferred or cause of action created by the EFTA. In other words, an agreement cannot restrict a consumer’s rights beyond what is provided in the EFTA, and any contract or agreement attempting to do so is a violation of the EFTA. Further, if a private network’s rules provide less consumer protection than federal law, a financial institution must still comply with Regulation E obligations. However, a private network’s rules may provide additional consumer protections beyond Regulation E.
Finally, the FAQs discuss a financial institution’s obligations upon receipt of an unauthorized EFT notification from a consumer. Upon receipt of an oral or written notice of error from a consumer, a financial institution must promptly begin its investigation. The financial institution may not delay the investigation pending receipt of additional information from the consumer. Further, the FAQs specify that a financial institution may not require that the consumer file a police report or contact the merchant about the unauthorized EFT prior to initiating the financial institution’s error resolution investigation.
In response to the FAQs, financial institutions should ensure that their policies and procedures address unauthorized EFTs in the event of third-party fraud and consider methods of mitigating the risk imposed by such fraud.