Articles
Reg. E and Third-Party Payment Apps – March 2025
More to Reg. E than Reg. E? – November 2024
Payment Fraud on the Rise – January 2023
New Challenges with Unauthorized Transactions – November 2022
Error Resolution Mistakes: Everything Old is New Again – February 2020
Prepaid Card or Not? Part I – February 2019
Prepaid Rule: The Long & Short of It – Part 2 – March 2019
FAQs
Compulsory Use of Preauthorized Transfer
Compulsory Use of Preauthorized Transfer
Question: Can a bank require employees to have their payroll deposited into an account at that bank?
Answer: No. Section 1005.10(e) Compulsory Use, of Regulation E prohibits this practice. It states the following:
No financial institution or other person may require a consumer to establish an account for receipt of electronic fund transfers with a particular institution as a condition of employment or receipt of a government benefit.
The commentary to this section provides more clarification:
An employer (including a financial institution) may not require its employees to receive their salary by direct deposit to any particular institution. An employer may require direct deposit of salary by electronic means if employees are allowed to choose the institution that will receive the direct deposit. Alternatively, an employer may give employees the choice of having their salary deposited at a particular institution (designated by the employer) or receiving their salary by another means, such as by check or cash.
Also, Iowa Code 91A.3 states that an employee may elect to have the wages sent for direct deposit to a financial institution designated by the employee or upon written request by the employee, wages due may be sent to the employee by mail.
Question: We would like to require, as a condition for consumers to qualify for our home equity line of credit, that repayments be made via auto-debit from an account at either our bank or from another financial institution. Is this allowable?
Answer: No. While Regulation E, Section 1005.3 generally exempts from coverage any transfer under an agreement between a consumer and a financial institution for automatic transfers from the consumer’s account to an account of the financial institution, the financial institution remains subject to Section 913 of the Electronic Fund Transfers Act, as implemented in Section 1005.10(e) of Regulation E, regarding the compulsory use of electronic fund transfers. Section 913 of the Act prohibits a financial institution from conditioning the extension of credit to a consumer on such consumer’s repayment by means of preauthorized electronic fund transfers.
The Official Staff Commentary to Reg. E clarifies, however, that an alternative repayment plan may be offered to consumers to encourage use of preauthorized transfers. For example, a creditor may offer a rate reduction for borrowers who elect to repayment via an auto-debit.
Covered Accounts
Question: Does Reg. E apply to Health Savings Account (HSA) transactions conducted with a bank-issued debit card?
Answer: Technically, no. An “account” is defined in Reg. E 1005.2(b)(1) as “a demand deposit account (checking), savings, or other consumer asset account (other than the occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family or household purposes”. Reg. E, per 1005.2(b)(2) states “the term does not include an account held by a financial institution under a bona fide trust agreement”. The commentary clarifies that while the term “bona fide trust agreement” is not defined by the Electronic Funds Transfer Act or Reg. E, the bank must look to state or applicable law for interpretation.
The IRS, as referenced in IRS Publication 969, defines an HSA as a tax-exempt trust or custodial account set up with a qualified HSA trustee. The qualified trustee could be a bank, insurance company, or anyone already approved by the IRS to be a trustee of an IRA or Archer MSA. So, per the IRS, an HSA is a bona fide trust agreement and therefore the HSA account would not be covered by Reg. E even if the bank provided the account owner with a debit card.
Before the bank decides not to provide Reg. E protections, keep in mind, if the transactions are conducted using a card with a Visa or Mastercard logo and the transaction is processed using their network, then the transaction would be subject to their program rules which most likely include zero-liability protections. We recommend the bank clarify this with their Visa or Mastercard representative. If in fact their zero-liability protection applies to unauthorized debit card transactions conducted in relation to an HSA, the bank may determine it is necessary to investigate to determine if the transaction was or wasn’t authorized. However, unless otherwise required under Visa or Mastercard rules, the provisional credit, notice and timeframe requirements under Reg. E would not apply. As a reminder, since Reg. E doesn’t apply to HSA accounts, the bank should not provide the Reg. E disclosure at the time of account opening or when the debit card is issued. If the bank did provide this disclosure, it may be perceived as a contractual obligation to provide these protections.
Disclosure Matters
Question: Are banks required to provide the full Regulation E disclosure when they reissue a debit card to customers who have lost their cards?
Answer: No. Section 1005.7 of Regulation E requires that the bank provide disclosures “at the time a consumer contracts for an electronic fund transfer service or before the first electronic fund transfer is made…” Comment 1 to §1005.7(a) of Regulation E further explains that disclosures must be given in close proximity to the event requiring disclosure, such as when the consumer contracts for a new service. In this case, the bank is not providing a new electronic fund transfer service but simply replacing a lost card.
Error Resolution
Question: We had a customer contact us about an unauthorized debit card purchase. In her initial discussion with us, she admitted that she had given her son her card to purchase gas, and that he made the “unauthorized” transaction. She did not inform the bank that she had revoked her son’s authorization prior to the unauthorized transaction.
Since we know this does not meet the definition of “unauthorized EFT” per Reg. E, can we just tell her that, or do we still need to consider it a Reg. E “claim” and take additional action?
Answer: Because the consumer is notifying the bank of what they believe is an error (unauthorized transaction, in this case), the bank should still follow its error resolution procedures to document a claim of possible error was made, an investigation was conducted, what the bank’s determination was (and why), and that the consumer was given a written explanation of the results of the investigation, etc. This will help mitigate the risk of examiner criticism or legal action from a customer.
The bank determines what it deems to be a sufficient investigation through its policies and procedures. The bank may determine that the verbal admission by the customer indicating she gave her son permission to use the card and did not revoke authority with the bank is sufficient evidence and could be the extent of the bank’s investigation. That is a risk-based decision. However, the bank must investigate per its procedures, and it should be documented that their error resolution procedures were followed.
Question: Are there reasons other than unauthorized transactions that a bank would need to complete a Reg. E error resolution process?
Answer: Yes. While unauthorized transactions are the most commonly investigated Reg. E disputes, the error resolution rules apply to all types of Reg. E “errors.” Reg. E defines an “error” as:
(i) An unauthorized electronic fund transfer;
(ii) An incorrect electronic fund transfer to or from the consumer’s account;
(iii) The omission of an electronic fund transfer from a periodic statement;
(iv) A computational or bookkeeping error made by the financial institution relating to an electronic fund transfer;
(v) The consumer’s receipt of an incorrect amount of money from an electronic terminal;
(vi) An electronic fund transfer not identified in accordance with § 1005.9 or § 1005.10(a); or
(vii) The consumer’s request for documentation required by § 1005.9 or § 1005.10(a) or for additional information or clarification concerning an electronic fund transfer, including a request the consumer makes to determine whether an error exists under paragraphs (a)(1)(i) through (vi) of this section.
If a consumer notifies the bank that they believe any of these errors occurred, the error resolution requirements are triggered. That means you would still conduct an investigation, provide provisional credit when appropriate, provide the consumer with a written explanation of the investigation and its conclusions, and make sure everything is documented, just as you would for an unauthorized EFT error resolution.
Question: We have a Reg. E dispute that involves a claim of an unauthorized transaction by a merchant. We know, per the CFPB’s recent clarification, that once we finalize provisional credit and notify the consumer, we can’t take the credit back. Our bank has observed times when the consumer receives a refund from the merchant after the bank has finalized provisional credit. To avoid taking a loss, can the bank “extend” the investigation timeframe to the maximum allowed (either 45 or 90 days depending on the transaction) to “conclude” the investigation, allowing the bank to take back a merchant credit if one is received during this timeframe?
Answer: Unfortunately, regulators have consistently expressed that this is not an acceptable practice. The bank must complete its investigation promptly and take action once a determination has been made. Reg. E § 1005.11(c) states that a bank must:
- Investigate promptly;
- Report the results to the customer within three days after completing its investigation; and
- Correct the error within one business day after determining that an error occurred.
What constitutes an “investigation” is not defined in Reg. E, however regulators have repeatedly cited banks for extending their “investigation” until the last day allowed by regulation solely for the purpose of waiting to see if the merchant credit comes through. Examiners have criticized this practice as not completing their investigation on a timely basis. If the bank is no longer actively investigating the error claim to determine whether an error occurred, and it has not been able to prove the transaction was authorized, the bank is required to finalize provisional credit and notify the consumer of the results of their investigation. The 45 or 90 days is the maximum time allowed to investigate. Banks should not consistently extend their investigation timeline to these maximum dates.
Question: We recently concluded a Reg. E investigation, determined that the asserted error was an unauthorized transaction, and notified the consumer the bank finalized the provisional credit. A few days later, our bank noticed the merchant refunded the customer as well. We understand, per Reg. E, the bank can’t reverse provisional credit once finalized, but are we allowed to take back the merchant credit after the notice of final credit was provided to the consumer?
Answer: Reg. E does not specifically state the bank can or cannot take back a merchant credit in this scenario. Therefore, the IBA reached out to the Consumer Financial Protection Bureau (CFPB) who governs Reg. E for clarification. CFPB stated, consistent with IBA’s existing understanding, they believe it is a violation of Reg. E to reverse the merchant credit once the bank has finalized provisional credit. Reg. E focuses on consumer protections and is not concerned about the bank’s ability to reduce its losses (i.e., taking back merchant credit after finalizing provisional credit). To support this determination, the CFPB referenced the Consumer Compliance Outlook issued by the Federal Reserve in 2021. Read that publication here. The Federal Reserve states:
Issues with Making Investigations Final
Once an investigation is completed, a customer may not reassert the same error. Similarly, the financial institution cannot reopen the investigation or reverse the credit, unless the transaction is a remittance transfer in which the remittance transfer provider has corrected the same error. Regulators have found these situations can be challenging for institutions. For example, if an institution determines an error occurred and credits a customer’s account, but later finds that a merchant refunded the customer or that the transaction was authorized, it cannot reverse the credit.
Steps to help mitigate this risk include educating the appropriate staff about the customer protections under Regulation E for errors. Depending on a bank’s culture, training covering Regulation E can benefit deposit operations employees as much as it benefits compliance staff. Attending the same training together can help ensure different areas understand when the bank’s discretion ends and its legal obligations begin.
While the Consumer Compliance Outlook publication constitutes guidance, and banks are not required to comply with guidance, it does give banks insight on regulatory interpretation. In the current UDAP environment, guidance is very beneficial in helping banks mitigate potential risk.
If a customer informs the bank of the double credit after the bank finalizes provisional credit and voluntarily offers to allow the bank to take back the merchant credit, the bank should take caution in doing so as regulators may assume the bank has pressured or coerced the consumer to do so. The IBA recommends that if the consumer voluntarily offers to provide the merchant credit to the bank, the bank should document this in writing (e.g., request the customer provide written documentation authorizing this reversal to act). Banks should refrain from having a pre-printed form for this type of authorization.
Some banks have raised the theory of “undue enrichment” implying this occurs when the consumer receives double reimbursement for a single unauthorized transaction. However, the CFPB stresses this is a legal theory that would be determined by the court through litigation. It cannot be applied to the Reg. E process.
Question: Our bank’s Reg. E dispute policy requires the customer to provide their dispute in writing. In a recent incident, we provided provisional credit to the customer and gave them full use of those funds. We did not receive their written dispute within 10 business days. Can we take back the provisional credit?
Answer: No. Reg. E requires the bank provide provisional credit if its investigation cannot be completed within 10 business days of receipt of the dispute from the customer. The regulation then goes on to state that if the bank requires the customer to provide written confirmation of the dispute, the bank may delay providing provisional credit if the written confirmation is not received within 10 business days. The regulation does not permit a bank to reverse provisional credit already provided to the customer because written confirmation of the dispute was not received. In this case, the bank provided provisional credit and full use of the funds earlier than required by Reg. E, then did not receive written confirmation.
Question: Is there an exception in Regulation E that allows us to reverse provisional credit in the event of a merchant credit to the customer after we ended our investigation and made the credit final? If so, is there a time limit?
Answer: No, if you have made a provisional credit final and notified the customer prior to the merchant credit to the customer’s account, you cannot reclaim the final provisional credit. Final means final. You can let the cardholder know that he’s been paid twice and suggest the cardholder refund the funds to the bank, but you cannot demand it and you can’t take the funds from the account without the customer’s permission.
Question: We have a customer who was persuaded by a fraudster (someone pretending to be a bank employee) to give the fraudster their online banking ID and password. Even after we have provided multiple communications advising customers to not share this information, they did it anyway. In addition, our terms and conditions and disclosures clearly state customers should NOT share this information. In this case, the fraudster accessed the customer’s online banking account using the credentials the customer provided, transferred all the funds from their savings account into their checking account and then used our bill pay service to send most of the money out of the account to an account outside the bank, or in another cases used Zelle to move the funds out of the bank. The fraudster also changed the email address on the account, so the customer didn’t receive notice of the transfer. Our questions are:
- Are these transactions considered “unauthorized” under Reg. E even though our customer provided their log-in credentials?
- What is the customer’s liability for these transactions?
Answer: Unfortunately, this exact scenario is being reported repeatedly by IBA member banks. When the account owner provides their access device (i.e., online banking credentials) to a third party due to fraud or robbery, and that third party initiates a transaction the account owner did not approve or receive benefit from, it does constitute an “unauthorized transaction” in Reg. E. See the Official Staff Commentary to §1005.2(m):
2(m) Unauthorized Electronic Fund Transfer
-
-
- Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.
-
Even though the bank has warned the account owner of such fraud and told them they are not share their log-in information, when that information is obtained through fraud, the regulation still considers the transaction to be “unauthorized.” It should also be noted Reg. E does not allow your agreement with the customer to alter the terms of the protections provided in Reg. E. See the Official Staff Commentary related to consumer liability:
1005.6(b) Limitations on Amount of Liability
-
- Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers …
- Limits on liability. The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.
The Consumer Financial Protection Bureau has a series of FAQ on their website addressing fraud and unauthorized transactions. See Electronic Fund Transfers FAQs | Consumer Financial Protection Bureau. Questions 3-7 address a variety of fraud scenarios and are a good resource and training tool. The IBA has also developed a tool that provides several Reg. E error resolution examples that can be found on the IBA website here.
In regard to the customer’s liability, Reg. E’s normal liability limits would apply. Thus, liability is based on whether your customer provided the bank timely notice of the error. Since the transactions were not initiated with a lost or stolen card, if the customer notified the bank within 60 days of the first periodic statement on which the unauthorized transactions occurred, the customer has no liability. If the customer failed to notify the bank on a timely basis, the customer would have no liability for unauthorized transactions in first 60 calendar days after statement but then would have full liability for all unauthorized transfers occurring more than 60 calendar days after the first period statement on which unauthorized transfers occurred and before notice to the bank. See the IBA’s Reg. E Liability Guide — Regulation E Consumer Liability Guide.
Question: Section 1005.6(b)(1) of Regulation E states that if a consumer provides timely notice when their access device is lost or stolen, their liability cannot not exceed certain amounts. The notice is considered “timely” if provided to the bank within two business days after the consumer learns of the loss or theft of their access device. My question is when does the two-day period start?
Answer: Comment 3 to section 1005.6(b)(1) of Regulation E states that the two business day period does not include the day the consumer learns of the loss or theft and does not include any day that is not a business day. For clarification, the regulation defines “business day” as any day on which the offices of the consumer’s bank are open to the public for carrying on substantially all business functions. So Day 1 is the day after the consumer learns they no longer have their access device, assuming Day 1 is a business day. Day 2 is the following business day.
It is also important to understand the two-day period consists of two full 24-hour periods. This two-day timing is without regard to the bank’s business hours or the time of day that the consumer learns of the loss or theft. The consumer has until 11:59 of Day 2 to notify the bank. The commentary provides the following example: “… a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution’s business day on Monday.”
Question: If a customer disputes a transaction on an interest-bearing account under Reg. E, and we provide provisional credit, when are we required to credit the interest that the disputed transaction would have earned?
Answer: Section 1005.11(c)(2)(i) of Reg. E states that if the bank is unable to complete its investigation within ten business days of receiving the dispute, the bank can take additional time to complete the investigation if it provides provisional credit, including interest where applicable. In other words, the interest should be provided with the provisional credit.
In its Summer 2021 issue of Supervisory Highlights, the Consumer Financial Protection Bureau reviewed a series of recently cited Reg. E violations. One of the findings was “Excluding interest from the provisional credit” as a violation of Reg. E’s provisional credit requirements. This finding reinforces that interest is to be provided with the provisional credit.
Question: If a teenager uses the parent’s debit card number without parent’s knowledge, are these transactions authorized?
Answer: No. If the parent NEVER gave the child permission to use her debit card, then all transactions performed by the child would be unauthorized. However, if the parent gave their child their debit card to use for a specific transaction and they used it for other purchases before the parent contacted the bank to terminate permission, those additional purchases would be considered authorized under Reg. E.
Question: Do you suggest that banks request customers file a police report when disputing transactions?
Answer: Under Reg. E, the bank cannot require the customer file a police report as a condition to dispute a transaction. The bank can suggest the customer file a report but regardless of whether or not this happens, the bank must investigate the claim and if the bank determines the transaction was unauthorized, it must reimburse the customer up to the limits defined in the regulation.
Question: A customer has claimed there was an unauthorized transaction on his account using his debit card. However, his debit card is in his possession; he never lost it. Can the Bank assume that the customer completed the unauthorized activity and deny the claim immediately based on the fact he still has the debit card?
Answer: No, debit cards and card numbers are frequently skimmed these days. So, just because the debit card that was used for the transaction (now being claimed as unauthorized) is in the customer’s possession does NOT mean the transaction was authorized by the customer and his claim is invalid. The Bank must investigate and proceed with the error as defined within Section 1005.11 of Reg. E. (July 2020)
Question: One of our customers received a call from a person representing themselves as a bank employee. The caller asked the customer to verify their online banking password and username, which our customer provided. Within a day of this call, three transactions were initiated from on online banking platform from the account totaling more than $1,000 which our customer says he did not initiate. We are assuming the transactions were initiated by the caller asking for the customer’s online banking log-in information. Are these transactions considered “unauthorized” under Reg. E when our customer provided his online banking username and password?
Answer: Unfortunately, yes. Reg. E defines an “unauthorized transaction” as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit…”
The Official Staff Commentary then goes on to explain:
2(m) Unauthorized Electronic Fund Transfer
3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.
Because access to the account was obtained from the consumer through fraud and the customer received no benefit from the transactions, the electronic transactions are considered “unauthorized” under Reg. E. (January 2020)
Question: Our bank policy is to require written confirmation of an EFT (electronic funds transfer) error from the customer if the customer makes their Reg. E error claim over the phone. Can we postpone beginning the investigation and not provide provisional credit until the customer provides their written notice of an error?
Answer: First, Reg. E prohibits an institution from requiring written notice as a condition for starting an investigation. You may however, request customers provide written confirmation of their error claim, but cannot delay your investigation until the written confirmation is provided.
OSC to 11(b)(1) Timing; Contents
2. Investigation pending receipt of information. While a financial institution may request a written, signed statement from the consumer relating to a notice of error, it may not delay initiating or completing an investigation pending receipt of the statement.
OSC to 11(c) Time Limits and Extent of Investigation
2. Written confirmation of oral notice. A financial institution must begin its investigation promptly upon receipt of an oral notice. It may not delay until it has received a written confirmation.
If the consumer does not provide the written confirmation within 10 business days, the institution is not required to provide provisional credit.
1005.11(c)(2)(i)
Provisionally credits the consumer’s account in the amount of the alleged error (including interest where applicable) within 10 business days of receiving the error notice. If the financial institution has a reasonable basis for believing that an unauthorized electronic fund transfer has occurred and the institution has satisfied the requirements of § 1005.6(a), the institution may withhold a maximum of $50 from the amount credited. An institution need not provisionally credit the consumer’s account if: (A) The institution requires but does not receive written confirmation within 10 business days of an oral notice of error.
(February 2020)
Question: Under Regulation E, can the bank place a hold or restrict access to provisional credit? We have a customer who is disputing a transaction and we believe it is a false claim. Her periodic statement includes a transaction through a website and she claims she did not authorize this transaction. We are afraid she will spend the all the provisional funds before we collect the supporting evidence and we will not be able to take back the provisional credit.
Answer: No, the bank cannot place a hold or restrict access to the provisional credit. The consumer must have full use of the provisional credit during the investigation period. The OSC to Reg. E, § 1005.11(c)(2)(ii), states that the bank can take up to 45 days to complete the investigation of the disputed transaction if the bank provides the provisional credit and gives the consumer full use of the funds during the investigation. This means the bank cannot place a hold on the provisional credit or restrict access to those funds. If the bank does not want to provide provisional credit, it must complete its investigation and report the results to the consumer within 10 business days of the consumer’s assertion of the unauthorized transaction. (January 2019)
Question: We have a customer that used a third-party payment app on their phone, like Venmo or Apple Pay, and is now disputing a transaction conducted with that app. If the customer disputes a transaction conducted on a third party payment app of their choosing, is the dispute subject to our institution’s Reg. E error resolution process and liability provisions?
Answer: Possibly. Unfortunately, it will depend upon the circumstances related to the unauthorized transaction. When handling error claims related to payment apps and other digital payment services, it is important to conduct an investigation to ensure you understand the details of the transaction because each app or service works differently — it may initiate a debit to a linked card, an ACH debit, or load funds to a payment app.
When handling disputes related to payment apps, one must consider the definition of “account” in Reg. E. The Prepaid Account Rule amended the definition of “account” to include digital wallets that include the following characteristics:
- Are issued on a prepaid basis in a specified amount or not issued on prepaid basis but capable of being loaded with funds thereafter;
- Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, or at automated teller machines, or to conduct person-to-person transfers, and
- That is not a checking account, share draft account or negotiable order of withdrawal account.
The Prepaid Account rule also provided clarity regarding the responsibility of payment app and digital wallet providers in the dispute process. The provider’s terms and conditions statement must outline consumer rights and responsibilities as well as the provider’s responsibilities. Terms and conditions can vary significantly from one provider to the next because not all products offer the same funding options or payment experiences.
Reg. E error resolution responsibilities are determined by when and where the error occurs. If the transaction being disputed involved a transfer between the consumer’s deposit account at your institution and the app (to fund the account within the app), then the responsibility for resolution falls on your financial institution. If instead, the transaction being disputed involves a transfer from the app to a third-party, then the app provider is responsible for resolution. A third situation could occur involving both these scenarios in which case your financial institution and the app provider would be responsible for resolution. Let’s use an example to illustrate: Your customer Joe downloads a new payment app, Money Mover, on his phone and links his deposit account at your institution to his Money Mover app. Joe then adds $250 to his Money Mover app from his deposit account. Unfortunately, a few days later Joe’s Money Mover app is hacked and the hacker initiates a $150 transfer to a third party using the Money Mover app. Joe wants to dispute the $150 transfer as unauthorized, but with whom — your institution or Money Mover?
The movement of funds from Joe’s deposit account to the Money Mover app was truly authorized by Joe; Joe initiated that transaction so the transfer of $250 from Joe’s deposit account to the Money Mover app is not being disputed. Rather, the hacker removed $150 from the preloaded funds in the app without Joe’s authorization. Since all of the actions related to the dispute are contained within the app environment, Money Mover is responsible for resolving Joe’s error claim.
Now let’s change the scenario slightly. Joe initiated the $250 transfer from his deposit account to his Money Mover app/account. The hacker initiated a $300 transfer to a third party via Money Mover, an amount that exceeds the $250 that Joe preloaded to the app from his deposit account. If, per the terms and conditions of the app, Money Mover initiated a transfer of $50 more from Joe’s deposit account at your institution to cover the balance of the $300 Money Mover transfer, although Joe agreed to allow Money Mover to transfer funds to cover an authorized transaction, in this situation Joe did not authorized the $50 debit since he didn’t authorize the $300 transaction. When Joe discovers the $50 debit from his deposit account at your institution and disputes that transaction, your institution will be responsible for resolving that dispute.
In this last scenario, there are two “financial institutions” involved, both with Reg. E error resolution responsibilities for the same transaction. Even if Joe files a claim directly with Money Mover, it does not relieve your institution from its Reg. E obligations if Joe files a claim with you. In each scenario, your institution must still investigate and determine if any or all of the liability for the unauthorized transaction falls within your institution’s responsibility. Reg. E does not permit the institution to refuse to investigate a claim until Joe first tries to resolve it directly with the Money Mover app. However, when investigating error claims related to payment apps, institutions may find it helpful to use the full investigation timeframes allowed by Reg. E (up to 90 days for POS transactions if provisional credit is provided) to have time to include in the investigation process the claim resolution provided by the payment app provider.
So, what does all this mean for your institution? Unfortunately, institutions will not be able to assume they have no Reg. E error responsibilities if a payment app or other digital payment service was involved in the disputed transaction. Rather, each investigation requires your institution to understand how the transaction was conducted in order to determine whether your institution or the payment app or digital service provider (or both) are responsible for resolution of the error claim.
(January 2021)
Question: When you say access device, what do you mean?
Answer: Under Reg. E, an access device is defined as:
(a)(1) “Access device” means a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.
- Examples. The term “access device” includes debit cards, personal identification numbers (PINs), telephone transfer and telephone bill payment codes, and other means that may be used by a consumer to initiate an electronic fund transfer (EFT) to or from a consumer account. The term does not include magnetic tape or other devices used internally by a financial institution to initiate electronic transfers. Transactions initiated using only the card data (such as online transactions) would not fall in this category
Question: Can you provide an example where a dispute involves an access device?
Answer: Sure! A customer notified you on January 10th that he noticed three transactions came out of his account that he didn’t authorized. All three transactions were performed using his debit card at an ATM.
- The first posted on 10/21 for $99.99;
- The second on 11/15 for $105.99 and
- A third on 12/30 for $109.99.
The customer indicated that he realized he misplaced his card on 10/26 but was sure it was in his apartment somewhere. Since these are all “card present” transactions using an access device (a physical plastic card), he is required to notify the bank within 2 business days of when he discovered his card was lost/stolen to limit his liability to $50 for all transactions. Since he knew he was missing his card on 10/26, he had until 10/28 to notify the bank. Since he failed to do that, to limit his loss to $500 for all transactions, he needed to notify the bank within 60 days of when the transaction was processed. So 60 days from 10/26 is 12/25. He missed both of those deadlines because he didn’t tell you until January.
Just because he missed these deadlines doesn’t mean he is responsible for ALL the transactions. Although he failed to give you timely notice, his liability is still limited to $50 (first tier liability) for the first transaction of $99.99 since it occurred within 2 business days of his discovery of a lost card (actually it was performed prior to the date he noticed). Furthermore, the customer is responsible for a maximum of $500 for all transactions that appeared within the first 60 days (second tier liability). He is therefore fully responsible for the $105.99 plus the $50 for the “first tier” since the two together are less than $500. Finally the last transaction for $109.99 is 100% his responsibility as it was outside that timeline. So to recap, the customer is responsible for $265.98 ($50 + $105.99 + $109.99) and the bank must reimburse him for $49.99. There is a good example in the commentary for section 1005.6(b) that also demonstrates these tiers.
Question: Do we have to complete an investigation for disputed transactions under Regulation E after an account is closed? Our customer identified online transactions on his January 2018 periodic statement that he did not authorize, but he did not dispute these transactions with the bank at that time. He closed his account February 15. On February 22, he disputed those transactions.
Answer: Yes, the bank must comply with the error resolution process, even on closed accounts. The Official Commentary to Section 1005.11(a)-4 of Regulation E states that if the consumer properly asserts an error after the account is closed, the bank must comply with the error resolution procedures. In this case, the customer notified the bank within 60 days of receiving the periodic statement that contains the disputed transactions, so the bank would have to complete an investigation into the disputed transactions following requirements of Regulation E.
Question: If our local grocery store has chip enabled machines but does not have the chip turned on and there is consumer fraud, can we charge back the transaction to the that merchant?
Answer: In general, if the bank issued a chip card and a fraudulent transaction occurred using that card, the entity with the lesser technology would have liability. So in your scenario, if the bank issued a chip card but the merchant did not process the transaction using chip-enabled technology, then the merchant has the lesser technology even if they had chip-enabled equipment. In these situations, contact your processor to see if this transaction is eligible for charge back.
Question: If the chip card doesn’t work because the card is fraudulent and the merchant uses the fall back option and the card is swiped, who is responsible…merchant or issuer?
Answer: The EMV rules state that if the card is processed using the chip technology and the transaction is declined, the merchant is to ask for a different form of payment and not force the card through using the strip. If they fail to follow these rules, it would be reasonable that the bank would have chargeback ability. Talk with your processor for confirmation.
Reg. E Opt-In
Question: I was reading the Federal Deposit Insurance Corp.’s Financial Institution Letter (FIL-19-2023) regarding approved positive, settle negative (APSN) transactions. It basically states we cannot charge an overdraft fee when the bank authorized the transaction against a positive balance and the transaction posts against a negative balance. However, if we have a Reg. E opt-in program, and the consumer opted in, we can charge this fee, correct?
Answer: Unfortunately, no. An APSN transaction is a transaction that is approved against the consumer’s own funds which later settles against a negative balance. For these transactions, the bank cannot charge an OD fee — period. Your bank’s Reg. E opt-in program is different. Under a Reg. E opt-in program, the bank makes available discretionary funds to authorize debit card transactions that would typically be declined for insufficient funds. In essence, you are providing the bank’s funds for these authorizations. In exchange for the benefit of using the bank’s funds for these authorizations, a consumer who opts in to the program has agreed to pay an OD fee if it clears against a negative balance. The bank should work closely with its vendor to ensure the software can differentiate between transactions approved against the consumer’s own funds and those authorized against the bank’s funds via their overdraft protection program
Question: Our bank offers an automatic overdraft program. However, the program is not available to new accounts owners for the first 60 days the account is open. Our deposit software set up requires the completion of a Regulation E. A-9 Model Consent Form for Overdraft Services for all consumer transaction accounts at the time the account is opened. So the customer “opts-in” at the time of account opening but the automatic overdraft program is not actually made available to them for at least 60 days. For the first 60 days, the pay/return decision is done manually and fees are assessed accordingly. Are we in compliance with Regulation E?
Answer: While the Bank is complying with Section 1005.17(b) of Regulation E which outlines the opt-in requirements, the overdraft service the consumer is opting-in to is not immediately available. Since the automatic overdraft program is not available during the first 60 days of the account opening, the account is not eligible for a fee assessment when one-time debit and ATM transactions are paid into overdraft status.
Regulators refer to this practice as a “pre-emptive” opt-in and warn this practice can lead to violating the Federal Trade Commission’s Section 5 prohibitions against Unfair or Deceptive Acts or Practices (Section 5) as it causes consumer harm. The consumer is harmed because they are being assessed a fee for a transaction that must be paid and for which no fee would be assessed if the consumer had not pre-emptively opted-in.
If the bank choses to have consumers complete the opt-in process at account opening, strong internal procedures must be in place to ensure the opt-in status is not enforced until after the overdraft service is available on the account. This may entail some type of manual tickler system to maintenance the opt-in status of the account on the bank’s core system after the overdraft service becomes available. Alternatively, the opt-in process could be completed after the overdraft service has been activated, rather than at account opening.
Also, ensure the bank’s procedures include changing the opt-in status on the core system if the overdraft service is suspended or terminated at any time during the life of the account. Failing to do so could result in consumers being charged fees for one-time debit and ATM transactions when they no longer have access to the bank’s overdraft program. (January 2019)
Question: My bank does not automatically pay or return items, instead decisions are made on a case-by-case basis each day. Do the Reg. E overdraft rules apply?
Answer. If you charge for the payment of an overdraft, then yes, the Reg. E overdraft rules apply. It does not matter if the pay/return decision is made on a case-by-case basis or via an automated system. The term ‘‘overdraft service’’ is defined in section 1005.17(a):
“…a service under which a financial institution assesses a fee or charge on a consumer’s account held by the institution for paying a transaction (including a check or other item) when the consumer has insufficient or unavailable funds in the account. The term ‘‘overdraft service’’ does not include any payment of overdrafts pursuant to—
(1) A line of credit subject to the Federal Reserve Board’s Regulation Z (12 CFR part 1026), including transfers from a credit card account, home equity line of credit, or overdraft line of credit;
(2) A service that transfers funds from another account held individually or jointly by a consumer, such as a savings account; or
(3) A line of credit or other transaction exempt from the Federal Reserve Board’s Regulation Z (12 CFR part 1026) pursuant to 12 CFR 1026.3(d).
Question: I’m confused about the Reg. E definition of “overdraft services.” Does this mean that if a consumer does not “opt in,” we can’t require that they have another deposit account with transfer abilities or require an overdraft line of credit tied to the checking account? My concern is, under network rules, we can’t return debit card transactions or ATM transactions once they have been authorized, so how are we supposed to protect ourselves other than freezing an account at first overdraft or closing it?
Answer. The opt-in rule only applies to overdrafts paid via discretionary review or automated overdraft protection programs. The rule does not apply to transfers from other accounts or overdraft lines of credit. See section 1005.17(a):
(a) Definition. For purposes of this section, the term “overdraft service” means a service under which a financial institution assesses a fee or charge on a consumer’s account held by the institution for paying a transaction (including a check or other item) when the consumer has insufficient or unavailable funds in the account. The term “overdraft service” does not include any payment of overdrafts pursuant to –
(1) A line of credit subject to the Federal Reserve Board’s Regulation Z (12 CFR part 1026), including transfers from a credit card account, home equity line of credit, or overdraft line of credit;
(2) A service that transfers funds from another account held individually or jointly by a consumer, such as a savings account; or
(3) A line of credit or other transaction exempt from the Federal Reserve Board’s Regulation Z (12 CFR part 1026) pursuant to 12 CFR 1026.3(d). (Emphasis added.)
Your bank may certainly offer transfers from other accounts or an overdraft line of credit, properly disclosed under Reg. Z. Those types of overdraft services are not covered by the new Reg. E notice and opt-in requirements, and would therefore permit payment of ATM and one-time debit card transactions into overdraft status AND the bank would be able to impose fees as disclosed in the bank’s contracts for these overdraft services.
Question: Does the Federal Reserve Board (FRB) define what it means by “discrimination” under the revisions to Reg. E relative to customers who do not opt-in to overdraft for ATM and one-time debit card transactions?
Answer: In the Reg. E final rule regarding consumer opt-in to ATM and one-time debit card transactions, the FRB prohibits institutions from varying account terms, pricing, conditions and features of a deposit product for consumers who do not opt-in. The Board’s objective in issuing this prohibition on “discrimination” is so that consumers will not be “harmed” if they don’t opt-in to the payment of these types of overdrafts. For example, an institution might attempt to provide an opt-in account with no monthly fee to consumers who opt-in and an account that assesses a monthly fee to consumers who do not opt-in. This would be deemed discriminatory.
Question: Do the Reg. E rules place a limit on the number or amount of overdraft fees an institution can impose on a consumer account?
Answer: Reg. E does not limit the number of or amount of overdraft fees that an institution can impose on a customer account. However, the rules do state the institution must disclose in its opt-in notice the maximum number of overdraft fees or charges that may be assessed per day, or if applicable, that there is no daily limit.
Also keep in mind the February 2005 Interagency Joint Guidance on Overdraft Protection Programs identified daily limits on consumer costs as a “best practice.”
Question: Do the Reg. E rules requiring an Opt-In of ATM and one-time debit transactions resulting in an overdraft apply at the customer level or account level?
Answer: Opt-in occurs at the account level, not at the customer level. Also, the customer can only opt-in for accounts already open. An institution cannot have the customer opt-in for accounts already open and all futures accounts that may be opened.
Question: Regarding Reg. E’s opt-in requirements for the payment of overdrafts resulting from ATM and one-time debit transactions, our bank offers overdraft lines of credit and linked savings accounts for overdraft protection purposes. If a consumer overdraws an account from a one-time debit transaction or ATM transaction over and above the credit limit on their line of credit or the available savings balance, do Reg. E overdraft rules prohibit us from charging an overdraft fee?
Answer: Overdraft lines of credit and savings transfer services are not subject to the opt-in rules. If the customer exceeds the credit limit, savings account balance transfer or transfer limitations, the bank may deny the transaction, or return it and charge an NSF fee. Any ATM or one-time debit transaction that overdraws the consumer’s account beyond the credit limit or link account balance must be handled in accordance with Reg. E’s prohibitions on assessing an overdraft fee unless the consumer has opted in. However, nothing would prevent the bank from obtaining the consumer’s opt-in in case this scenario should occur.
Question: Can we vary our payment order or hold practices based on whether or not a customer has opted-in to our overdraft protection program for ATM withdrawals and one-time debit transactions?
Answer: No. Section 1005.17(b)(3) of Reg. E makes it very clear banks must provide customers who do NOT opt-in the same “account terms, conditions, and features” as those customers who do opt-in.
(3) Same account terms, conditions, and features. A financial institution shall provide to consumers who do not affirmatively consent to the institution’s overdraft service for ATM and one-time debit card transactions the same account terms, conditions, and features that it provides to consumers who affirmatively consent, except for the overdraft service for ATM and one-time debit card transactions.
Payment order and funds availability would both be considered “terms and conditions.”
Record Retention
Question: How long are we required to keep records on disputed transactions under Regulation E?
Answer: Regulation E requires banks to retain records at least two years from the date disclosures are required to be made or action is required to be taken. This requirement is found in Section 1005.13(b)of Regulation E. (April 2021)
REMITTANCE TRANSFER RULE
Question: We sell prepaid cards. We understand that in certain situations, prepaid cards may be subject to the new remittance transfer rules. However, we never know whether the card purchaser sends the card to a person in a foreign country. How do we determine when to deliver the pre-payment disclosures and receipt when selling prepaid cards?
Answer: In order for any transfer to be covered by these final rules, there must be 1) a request that a transfer be made, 2) the provider’s direct involvement in the transfer, and 3) a designated recipient located in a foreign country. As such, providers of prepaid cards must provide the disclosures only when the prepaid card purchaser instructs the remittance transfer provider to send a prepaid card to a specified recipient, the provider directly sends the card and the recipient is located outside the United States.
See the discussion in the official staff commentary, section 1005.30(c)-2.iii:
iii. Where the sender does not specify information about a designated recipient’s account, but instead provides information about the recipient, a remittance transfer provider may make the determination of whether the funds will be received at a location in a foreign country on information that is provided by the sender, and other information the provider may have, at the time the transfer is requested. For example, if a consumer in a State gives a provider the recipient’s email address, and the provider has no other information about whether the funds will be received by the recipient at a location in a foreign country, then the provider may determine that funds are not to be received at a location in a foreign country. However, if the provider at the time the transfer is requested has additional information indicating that funds are to be received in a foreign country, such as if the recipient’s email address is already registered with the provider and associated with a foreign account, then the provider has sufficient information to conclude that the remittance transfer will be received at a location in a foreign country. Similarly, if a consumer in a State purchases a prepaid card, and the provider mails or delivers the card directly to the consumer, the provider may conclude that funds are not to be received in a foreign country, because the provider does not know whether the consumer will subsequently send the prepaid card to a recipient in a foreign country. In contrast, the provider has sufficient information to conclude that the funds are to be received in a foreign country if the remittance transfer provider sends a prepaid card to a specified recipient in a foreign country, even if a person located in a State, including the sender, retains the ability to access funds on the prepaid card.
Ultimately, the obligation is on the purchaser (the sender) to notify the prepaid card provider if the card will be delivered to a specific recipient in foreign location.
If a consumer is just purchasing a prepaid card for his/her use and the provider is delivering it to the consumer, there is no “covered” remittance transfer even if the consumer carries the card to a foreign country and uses the card there. The prepaid card is covered only when it is sent by the provider to a foreign recipient. Also see commentary to section 1005.30(e)-2:
-
-
-
- Sent by a remittance transfer provider.
-
-
i. The definition of “remittance transfer” requires that a transfer be “sent by a remittance transfer provider.” This means that there must be an intermediary that is directly engaged with the sender to send an electronic transfer of funds on behalf of the sender to a designated recipient.
ii. A payment card network or other third party payment service that is functionally similar to a payment card network does not send a remittance transfer when a consumer provides a debit, credit or prepaid card directly to a foreign merchant as payment for goods or services. In such a case, the payment card network or third party payment service is not directly engaged with the sender to send a transfer of funds to a person in a foreign country; rather, the network or third party payment service is merely providing contemporaneous third-party payment processing and settlement services on behalf of the merchant or the card issuer, rather than on behalf of the sender. In such a case, the card issuer also is not directly engaged with the sender to send an electronic transfer of funds to the foreign merchant when the card issuer provides payment to the merchant. Similarly, where a consumer provides a checking or other account number, or a debit, credit or prepaid card, directly to a foreign merchant as payment for goods or services, the merchant is not acting as an intermediary that sends a transfer of funds on behalf of the sender when it submits the payment information for processing.
iii. However, a card issuer or a payment network may offer a service to a sender where the card issuer or a payment network is an intermediary that is directly engaged with the sender to obtain funds using the sender’s debit, prepaid or credit card and to send those funds to a recipient’s checking account located in a foreign country. In this case, the card issuer or the payment network is an intermediary that is directly engaged with the sender to send an electronic transfer of funds on behalf of the sender, and this transfer of funds is a remittance transfer because it is made to a designated recipient. See comment 30(c)-2.ii.
In summary, the occasions in which prepaid cards will be covered as remittance transfers include 1) where the purchaser (sender) directs the remittance transfer provider to send the prepaid card to a recipient located in a foreign country and the card issuer/provider sends the card to the recipient, or 2) when the prepaid card is used as the source of funding from a sender and a remittance transfer provider debits the prepaid card to send the funds to a recipient in a foreign country.
Question: One of the many projects I am working on is the Reg. E remittance transfer rule. As of now, it looks like we will fall under the 500 “de minimis” threshold and will not be covered by the rule. However, sometimes when a customer requests an international wire, the international bank will have a relationship with a U.S. correspondent bank, so we send the funds to the U.S. correspondent bank for credit to the international bank. Is this type of transfer covered by the remittance rules?
Answer: These wires, if originated by a consumer, are covered as “remittance transfers,” given the definition and examples of “remittance transfers” in Reg. E, section 1005.30(e) and associated staff commentary:
(e) Remittance transfer. (1 ) General definition. A “remittance transfer” means the electronic transfer of funds requested by a sender to a designated recipient that is sent by a remittance transfer provider. The term applies regardless of whether the sender holds an account with the remittance transfer provider, and regardless of whether the transaction is also an electronic fund transfer, as defined in § 1005.3(b).
3. Examples of remittance transfers.
i. Examples of remittance transfers include:
A. Transfers where the sender provides cash or another method of payment to a money transmitter or financial institution and requests that funds be sent to a specified location or account in a foreign country.
B. Consumer wire transfers, where a financial institution executes a payment order upon a sender’s request to wire money from the sender’s account to a designated recipient.
Based on discussion in the preamble to the final rule, in the case of wire transfers, the depository bank is considered the “provider” of the remittance transfer and the correspondent is considered an “intermediary”.
Question: We want to ensure our bank is tracking the required “types” of transactions that qualify as “remittance transfers” under Regulation E’s Remittance Transfer rules (§1005.30 to §1005.36) to determine if we are nearing the threshold to be considered a covered remittance transfer provider, thus requiring us to provide applicable disclosures to those senders. What “types” of transfers are considered “remittance transfers” for purposes of this rule?
Answer: Remittance transfers are electronic transfers of funds that are more than $15 requested by consumers in the United States and sent to people or companies in foreign countries. These transfers consist of many types of international transfers to include cash-to-cash money transfers, international wire transfers, international ACH transactions (IATs) and certain prepaid card transfers. However, a check mailed abroad would not be a remittance transfer. Keep in mind these are only consumer-initiated transactions. Thus, transfers initiated by a commercial customer are not covered under these rules. Also, the sender of the transaction does not need to have an account with the bank; nor does the transfer need to be an electronic fund transfer under the Electronic Fund Transfer Act.
Question: How can we determine if our bank has reached the threshold to be considered a “remittance transfer provider” under Regulation E’s Remittance Transfer rule, found in subpart B of the regulation?
Answer: A “remittance transfer provider” is any company (banks, thrifts, credit unions, money transmitters and broker dealers) that provides remittance transfers for a consumer in the normal course of its business, regardless of whether the consumer holds an account with that person. Whether you provide remittance transfers in the normal course of business depends on facts and circumstances, such as the total number and frequency of transfers you provide to consumers. The rule does provide a safe harbor exemption from the definition of remittance transfer provider. If you provided 500 or fewer remittance transfers in the previous calendar year, and you have provided 500 or fewer remittance transfers in the current calendar year, then you will not be considered to be providing remittance transfers in the normal course of business and thus, will not be considered a “remittance transfer provider.” However, if you provided 500 or fewer remittance transfers in the prior year but have now exceeded 500 in the current year, you become a “remittance transfer provider” and have up to six months to come into compliance with the rule.
Prepaid Accounts
Question: Our bank offers a prepaid account product that is not exempt from the Prepaid Rule (e.g. travel cards). We only sell our cards in person and provide the short-form and long-form disclosures prior to sale. Do we still need to have the long-form disclosure on our website?
Answer: No, the rule states that if the disclosures are provided in written form prior to acquisition, there is no requirement to provide the Long-Form via the issuer’s website and telephone. (April 2019)
Question: We offer a travel card product for purchase and place the customer funds in an internal bank account until used. I understand the Prepaid Card rule requires we send periodic statements. How does that work?
Answer: The issuer (in this case your bank) must provide the consumer a periodic statement for each monthly cycle for which an EFT occurred and at least quarterly if no EFT has occurred per Reg. E. If provided electronically, your bank must comply with E-sign. Each periodic statement must include, as applicable: the amount of the EFT; date the EFT was debited or credited; the type of the EFT and type of account to/from which the funds were transferred; if EFT was initiated at an electronic terminal, the terminal location; and the name of any third party to/from whom the funds were transferred. It must also include the prepaid account number; the amount of any fees assessed against the account; the balance in the account at the beginning and end of the statement period; the address and telephone number for inquiries or notices of error; if FI uses telephone notice option for preauthorized EFTs, a telephone number to call to determine if preauthorized EFTs have occurred; and a summary total of all fees assessed against the prepaid account for the prior calendar month and for the calendar year-to-date.
However, there is an exception to this rule for issuers that meet the following conditions:
- The account balance is available through a readily available telephone line;
- An electronic history of the consumer’s transaction account is available (such as through the bank’s website) that covers at least a 12 month history from the date the consumer accesses the history; and
- A written history of the consumer’s account transactions is provide promptly in response to an oral or written request and the history covers the last 24 months of transactions.
If your bank wishes to use this exception, the bank must modify the initial disclosures to reflect this exception. (April 2019)
Question: Our bank is the issuer for a prepaid account plan and intends to use the exception to the periodic statements. What information must be included in the account history?
Answer: If the issuing FI makes available the transaction history in electronic form, the history must display all of the information required to be included in periodic statements including the amount of any fees assessed and the summary totals of all fees assessed by the FI against the account for the prior calendar month and calendar year-to-date. The FI must make the electronic account history available in a form consumers can keep, such as on a website in a format that is capable of being printed or stored electronically using a web browser. If the FI makes the transaction history covering at least 12 months available to the consumer through its website and also offers a mobile app through which history is available, the mobile app need not provide a full 12 months of history. (April 2019)
Question: If the prepaid account is closed or inactive, does the bank still have a duty to provide the transaction history upon request?
Answer: Yes. Even if the prepaid account is closed or becomes inactive, the issuing FI must continue to provide a written account transaction history covering at least 24 months prior to the date the issuing FI receives the consumer’s request for the history. If the account has been closed or inactive for 24 months or longer, the issuing FI is no longer required to provide written account transaction histories. (April 2019)
Question: What modifications are required to be made to the initial disclosure if my bank, as the account issuer, wants to use the alternative to providing the periodic statements?
Answer: The issuing FI must include information on how to access the prepaid account information and must replace the error resolution notice otherwise required by Reg. E with an error resolution notice that reflects the modified error resolution procedures. The modified disclosures must include: telephone number the consumer can call to obtain the account balance; the means by which a consumer can obtain an electronic account transaction history (such as the address of a website); and a summary of the consumer’s right to receive a written account transaction history upon request, including a telephone number to call to request that history. This modified error resolution should be substantially similar to the notice contained in paragraph (b) of Model Clauses A-7 of Reg. E. (April 2019)
Question: If we offer a prepaid account product not exempted under the Prepaid Account rules, what information must be on the card?
Answer: The prepaid card must include two disclosures: the financial institution’s name and their telephone number and a website URL that the consumer can use to contact the issuing financial institution about the prepaid card (such as the terms and conditions, account balance information, how to request a transaction history, or to notify the financial institution of any unauthorized transactions). These two disclosures must be on the card and cannot just be included in the packaging or other material or on a sticker or label affixed to the card. (April 2019)
Question: What information is required to be disclosed on the initial disclosures that are required to be provided prior to card acquisition for prepaid cards?
Answer: In addition to the pre-acquisition disclosures (Short-Form and Long-Form disclosures), the issuing financial institution must provide the initial acquisition disclosure. In general, this disclosure must include the following information: liability of consumers for unauthorized EFTs; telephone number and address of issuing FI; what constitutes a “business day”; the types of EFTs that may be made, and limitations on frequency and dollar amount; fees and other information that are disclosed on the Long-Form disclosure; a summary of the consumer’s right to receipts and periodic statements, as well as notices regarding preauthorized EFTs under Reg. E; a summary of the consumer’s right to stop payment of a preauthorized EFT and the procedures for placing a stop-payment order; a summary of the FI’s liability to the consumer under section 910 of EFTA for failure to make or to stop certain EFTs; a disclosure of circumstances under which, in the ordinary course of business, the FI may provide information concerning the consumer’s account to third parties; an error resolution notice that is substantially similar to Model Form A-3 of Reg. E; and ATM fees for an EFT or balance inquiry. Since each FI may have a different prepaid card program, review section 12 CFR 1005.7(b) for details. (April 2019)
Question: As a prepaid account issuer, our bank won’t have transaction histories available for accounts opened prior to April 1, 2019. Is that acceptable?
Answer: If, on April 1, 2019, the issuing FI does not have readily accessible the data necessary to make available or provide account transaction histories for 12 or 24 months (as applicable), the issuing FI can make available or provide such histories using the data for the time period it has until it has accumulated the data necessary to comply in full with the Prepaid Rule’s transaction account history requirements per 12 CFR 1005.18(h)(3)(i). However, all issuing FIs must fully comply with the electronic account history requirement no later than April 1, 2020 and the written account transaction history requirement no later than April 1, 2021. The same is true for the summary totals of all fees. While the issuing FI must display the summary totals beginning April 1, 2019, the issuing FI may display the summary totals using the data it has until it has accumulated the necessary summary totals required to comply with the rule. The first monthly total would appear on the May 2019 statement showing all fees assessed in April. It would also display the year-to-date totals beginning April 1, 2019. On Jan. 1, 2020, all issuing FIs must begin displaying the year-to-date fee totals for calendar year 2020. (April 2019)
Question: Under the Prepaid Account rules, are consumers protected against unauthorized transactions?
Answer: Yes. The consumer receives similar, but not identical, protections under Reg. E as they do for a debit or ATM card transaction. A consumer may only be held liable for an unauthorized EFT (subject to certain dollar limits), if the issuing FI provides the following disclosures: a summary of the consumer’s liability for unauthorized EFTs; a telephone number and address for reporting that an unauthorized EFT has been or may be made; and the issuing FI’s business days. These disclosures must be included in the initial disclosure for the prepaid account. If the FI has not provided them, the consumer is not liable for any part of the unauthorized EFT involving the prepaid account. In addition to the disclosures, both of the following additional conditions must be met before the issuing FI can impose liability on the consumer: access device must be an accepted access device (in general, when customer requests and receives the access device, and signs or uses it to transfer money or obtain money, property or services) and the issuing FI must provide a means to identify the consumer to whom the access device was issued (e.g. use of PIN, comparison of consumer’s signature, fingerprint, or photograph). (April 2019)
Question: What are the notification timeframe’s that would limit a consumer’s liability for an unauthorized EFT?
Answer: The CFPB developed two charts for this purpose. One shows consumer liability for unauthorized EFTs when the issuing financial institution provides periodic statements (Attachment A), and one shows consumer liability for unauthorized EFTS when the issuing FI relies on the periodic statement alternative (Attachment B). Both can be found in the Prepaid Rule Small Entity Compliance Guide starting on Page 167. (April 2019)
PERIODIC STATEMENTS
Question: If monthly statements are generated due to electronic fund transfers that have occurred in a deposit account, must the statements be delivered to the customer? If yes, must a hard copy statement be delivered, or may we deliver an electronic statement via our Internet banking site.
Answer: Reg. E section 1005.9(b) requires “for any account to or from which electronic fund transfers can be made, the financial institution must mail or deliver a statement for each monthly or shorter cycle in which an electronic fund transfer has occurred, but at least a quarterly statement if no transfer has occurred.” Section 1005.7(a) requires that the statement be provided in a “readily understandable written” format. The E-Sign Act, signed into law on June 30, 2000 allows depository institutions to deliver by electronic communication any disclosure required by Reg. E, as long as the consumer agrees to such delivery. The electronic delivery must be an electronically transmitted message that allows visual text to be displayed on equipment such as a personal computer monitor. Before consent can be given, a consumer must be provided with an agreement with specific content as outlined in the E-Sign Act. Financial institutions should review any products delivered through electronic means and the systems that support them to ensure compliance with applicable provisions of the Act. The E-Sign Act is available at https://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf. Title I contains details on the consumer consent provisions, specific exception to the requirements, and related definitions.