"Selective" EFT Disputes on x-box and others are being received in high volumes. A scenario is customer disputes specific transactions, but not all, saying things like I authorized my son for some but he says he didn't do these. We have had some luck with customer reviewing their x-box accounts and realizing they were the child's ($14,000 over 9 months). But the word seems to be out and this type of dispute is rising. In practice is there anything banks are doing. These are fraud but with no way to prove, under Reg E we are starting to loose significant dollars.

In your first scenario, allowing the son to play the xbox (or whatever) that has the debit card tied to it is virtually the same as handing him the card and not re-taking possession. I would be inclined to find that these fail to meet the Reg E definition of unauthorized in 1005.2(m).

If you use the Search function above for "xbox" I believe you'll find a few threads with more detailed discussion of similar disputes.

This response is from David Dickinson:

There's quite a bit of controversy about this. Bottom line: Reg E has not kept up with technology.

I'm not saying you have to agree, but let me give you a scenario.
Imagine a cardholder gives their son permission to charge $20 in iTunes songs for his birthday. The cardholder reads him the debit card # and he enters it into his computer for the purchase. The next week, he clicks on "download" and order $100 in more songs. The cardholder didn't give him permission to purchase these songs and the cardholder watched him purchase the $20 last week last week, so the cardholder knew he didn't exceed the granted authority level. The computer stored the cardholder's debit card information.

This is a “gray area” but it is our opinion that since the cardholder received their card back from the son, any future transactions are unauthorized and protected under Regulation E. In debating this topic, some reference the wording “unless the consumer has notified the financial institution that transfers by that person are no longer authorized” in the Commentary to §1005.2(m) #2. Do you want cardholders calling you saying “I gave my card to my son and authorized him to use it for a purchase of $20. He returned my card to me, so any transactions by him after this are not authorized.”? We would all agree that cardholders shouldn’t give their cards to anyone and your agreements indicate they should not, but again, contracts can’t contradict a regulation.

While your cardholder agreement may not allow a customer to give the card to a family member, Regulation E still protects the cardholder. In fact, Regulation E states that negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. The Commentary to 1005.6(b) #2 states:
Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers.

I've seen no official opinions and can see why the person in the bank says it authorized and people like me on the outside looking in say not so fast. It is gray and the facts of each may influence the case.

While this advice does nothing for those claims pending, how about a stuffer or statement footer telling your customers that saving card info on any device that they allow others to use may cost them if there are unauthorized transfers. At least make them aware of the problem. It won't hurt.

Thx QCL. I had some hiccup in the database and I couldn't see that it posted even once.

My two cents: don't forget that the card number itself is the access device (along with the expiration date). In the hypothetical above, the card number was not given back to Dad; son kept it.

I understand what you're saying John, but just thinking outside the box - how is the xbox any different than a skimming device? From Dad's perspective, he didn't give his son the card. He authorized a purchase and kept his card. The son entered the info in the x-box that stored the information for later purchases, How is that different from me giving my waiter my card to authorize the purchase of my dinner? The waiter stores my card info and gives me my card back and then later uses the card info for unauthorized transactions.

The father is going to pay one way or the other. I either decline the unauthorized claim or I sue the son for damages and pursue criminal action. For $20 - OK - I would refund the $20 and cancel the card, not reissue and maybe close the account. For $14,000 I would pursue every legal means necessary to make this family's life miserable.

There is such a thing as responsibility for your actions, stupid as they may be, regardless of the consumer protection laws.

Brian: As you know, BOL is having some technical difficulties with posts. I'm finding that if you cut/paste something, the entire post appears blank. I'm betting that's what's happening to you.

I don't disagree Randy (although "making their life miserable might be a little strong).

My point is what I said in my first post: Reg E has not kept up with technology. I'm interested in how others view my scenario (that Andy posted for me) and the skimming analogy I gave in my response to John above.

Devil's Advocate: What if the father understood that what the son was doing was putting the card "on file?" Or the father was the one that entered it onto the son's account in the first place? I mean, maybe it's the son's x-box account, but if dad was the one entering the card number, isn't he the one authorizing the transaction and accepting the TOS?

If Dad was authorizing one purchase, why didn't he go back and remove the billing information? Or wouldn't he ask "what is this for" before handing the card number over?

Of course, as stated this is an entirely grey area both for the FI and from a regulatory standpoint. At what point does the access device stop being an access device?

I think an interview of the cardholder would be necessary. If the father knew he was storing his card info on the X-box, I think you have some room for argument. But I don't agree that means he authorizes all future transactions.

I often give out my card number when I purchase things online or over the phone. The merchant has my info. Does that mean I authorize the merchant to use that card whenever they want or does it have to be when I want? Of course it's when I want. Just devil's advocate too: how is that different than giving my card info to my son?

At what point does the access device stop being an access device?
Good question. I wish we had more guidance from the regulators on this.

Just to jump in...

Isn't the whole purpose of Reg E to protect the consumer from fraud or illicit activity as it relates to electronic transactions. Could an argument be made that in this case no fraud occurred. The purchases were made legitimately and the purchaser benefited from the transaction. I'm not sure you can draw an analogy with a skimmer or a business retaining card information for the purpose of defrauding the customer. Both of those scenarios involve illegal activity. And in both these scenarios the person with the information was never an authorized user.
Technically speaking, the consumer has to notify the financial institution that they have withdrawn the authority of the authorized user (1005.2(m)(2)) or it is not an "unauthorized electronic funds transfer". So if he gave the card info to his son, he must notify the bank. While this could be potentially cumbersome and obnoxious for the bank, that is still what the regulation states.
I definitely agree that if the bank determines they cannot deny the claim, then they have to pursue legal action. The threat of that might clear up the whole claim to begin with.

Just my opinion.

I suspect when the card info is entered in the X-box system the terms indicate it is for future charges. I had a friend who was x-box tech support years ago and they fielded MANY of these calls.

To the OP, I would get a look at that and when dad said here, use my card, he agreed to that thru his son. It may not be what he intended.

Would the CFPB agree with me? I don't know, but a card number and an agreement entered into with that card are the best pieces of evidence in the investigation, not the intent.

Interesting debate. As an FYI - I have an Ebay app on my iPhone. When I purchase something I use Paypal. The software asks if I went to store the password to Paypal (which I don't). Maybe this is similar?

Hm... but in the case of the Paypal app, is the Paypal password the bank's access device or Paypal's access device?

In my case it's Paypal's. My point, I guess, is it's very easy to have these things accessible without realizing it.

First, this is an interesting discussion. I don't pretend to push the things I've stated. Just playing devil's advocate. I think it's much like skimming to someone that is naive to the technology & Reg E specifically states negligence can't be used to increase the consumer's liability.

If my son makes transactions I didn't authorize, I think there is fraud. I didn't give him my card. I told him he could have x amount. If he exceeds that, it may not be an "unauthorized transaction" per Reg E, but the reg states it's because he has my card and does more than I authorized. I can draw distinct differences with the e-retention devices.


So you want me to call my bank & say "I gave my son my card info & told him he could spend $20 on his iTunes/X-box purchases. But that's it." And you want me to do that every time. Really? And you want evetpry customer to do this. You'd np better hire more phone receptionist.

Very interesting discussion.

David, in the scenarios you have suggested, IMO the most important distinction is the granting of authority to use the card. The commentary in 1005.2(m)2 calls for both the furnishing of the access device and the granting of authority to use it.

In the waiter and phone order analogies, while your access device was furnished to someone else, you never gave authority for their use. Handing the card to the waiter is effectively no different than walking to the back with him to swipe the card yourself (other than providing a good opportunity to skim). You have never given him authority to use the card, you are simply using him as a means of swiping it for your use. Any subsequent use would clearly be unauthorized.

I agree wholeheartedly that Reg E is behind on this. I also agree that many cardholders are likely naive to the thought of opening up their liability in this way, and that should be considered when making decisions on each individual case.

In my mind, I have trouble separating this from an instance where I give my card and PIN to someone to take out $20.00 at the ATM and that person takes $200.00. Or, one better... while running my errand, this person then also goes to Best Buy and uses my Card and PIN to buy an X-Box. I only authorized $20.00...

I guess it goes back to what the "access device" is... Is it the physical card, or card number + cvv2 + expiration? What if the parent never handed the card over to the child when the xbox billing info was set up, and all the parent did did was read off the numbers? In that case, the physical access device never left the parent's hands.

Hopefully someday soon, someone involved in regulatory interpretation has this conversation. It's probably going to be a while before the X-Box generation is in a position to make those interpretations.

That's exactly the scenario I had in my head. Add to that, the ignorance of the parent that didn't understand the card # was stored on the system and the "fraud" of the child who later uses the stored information to purchase beyond what the parent "authorized".

These are all interesting and I don't think Reg E properly addresses it. My concern is the push toward consumer protection and I think the arguments being made that indicate the consumer is not allowed compensation are crumbling. Not that I disagree with any of the arguments.

I appreciate this discussion too. It's nice to flesh out these things. I do feel that if we are going to call the transactions unauthorized or fraudulent and use the regulation to furnish protection to the consumer, then it's hard to make an argument against following the letter of the regulation regarding the consumer's responsibilities. However, that's not to say when you exit the hypothetical realm and into specific scenarios the FI wouldn't act in a way that's beyond the protections of the regulation in the favor of the consumer. Especially considering, as was already stated, the consumer protection environment in which we currently function.

It is the parents entering the card info to the device (x-box, child's cell) to allow the child to purchase games. They have not set up security features to force re-entering of card info for each purchase. Instead, they are saying they told their child they could not buy any more games and therefor they are claiming it is unauthorized.

We can argue not setting up security features is negligence, but Reg E states neligence on behalf of the consumer cannot increase their liability.