Reg E: To Pay Or Not To Pay
by Kathleen Patrick
The U.S. Congress enacted Regulation E (the Electronic Fund Transfers Act) in November, 1978. The Act establishes the basic rights, liabilities, and responsibilities of both consumers who use electronic money transfer services, and the financial institutions that offer these services.
As those of us involved in the financial industry know only too well, the emphasis in Reg. E has always been on the rights of the consumer, with few responsibilities balancing those rights by requiring consumers to take any responsibility to safeguard their cards, their PINs, or their receipts.
ATM fraud is covered under Regulation E as "unauthorized fund transfers." These are defined as electronic fund transfers from an account that was initiated by someone other than the account holder, without the account holder's permission. Also, to qualify as "unauthorized," the account holder must not have received any benefit from the transfer. In other words, he did not receive the funds in any form. Reg E does not treat the following transactions as unauthorized transfers:
- It is not unauthorized if the customer gave his card and PIN to the person making the transfer unless the customer notified the financial institution that this person is no longer authorized to conduct transactions. You may have difficulty getting your customer to admit that he ever gave permission in the first place.
- Also not included as unauthorized is any transaction initiated by the customer with the intent to defraud the financial institution.
Good luck proving this one!
The problem is developing the necessary information to prove any wrongdoing on the part of our customer, even though very conservative industry estimates state that 60% to 70% of claimed unauthorized withdrawals actually were made either by our account holder, a member of the family, or a close friend.
Ten Days To Decide
The task is made even harder by further constraints within the regulation which require institutions to investigate a claim, determine whether an error occurred, and notify the customer of the results of the investigation within ten business days. In those ten business days, you must:
- deny the ATM claim;
- accept the claim as being valid and pay the customer; or,
- if you're not ready to do either of the above, you must give your customer provisional credit and continue your investigation while the customer has full access to those funds.
In other words, the regulation forces you, in many instances, to give additional funds to the very person involved in the fraud.
Over the years we have developed some scenarios to help financial institution personnel make decisions concerning the payment of ATM claims. The scenarios are based on questions that often arise during our seminars and seem to cause the most confusion. We hope these will assist you in your decision-making process:
- What if my customer allows others to use his card?
This is a common question. My customer claims she let her boyfriend use her ATM card, but now he has cleaned out the account without her permission and she wants us to make good her loss! What do we do? Your customer has the right to let anyone she wants to use her ATM card to access her account. The point in your favor is the law states specifically that if she withdraws that authorization, she must notify your institution in writing that she has done so. If the customer did not send you a letter stating her boyfriend is no longer allowed to use the card (and most of them don't), you have a right to deny this claim.
If she does notify you-change the ATM card and the PIN immediately.
- What if my customer writes his PIN on the back of his card?
Unfortunately, even if your customer were to publish his number on a billboard on Main Street, the loss is on your institution. Believe it or not, Regulation E does not place any requirement on the customer to protect his PIN!
- What if my customer reports that his card was stolen by force? Is my institution responsible for his loss?
Yes. Theft of the card is not grounds for you to deny this claim. If the card was stolen while at one of your machines, please consider reimbursing your customer immediately. You may want to reimburse the whole amount of the loss and not withhold the allowable $50. Be pleasant and very cooperative and count yourself lucky if you are not sued for lack of sufficient security at the ATM.
- My customer reported he was the victim of a fraud/confidence scheme that resulted in his giving away his ATM card and PIN. Do we have to pay?
Yes, again. Stupidity on the part of your customer does not, unfortunately, protect your institution. Again, the customer has no responsibility under the law to protect his card and/or PIN.
- My customer has reported unauthorized withdrawals. He has lost his card, but claims that his PIN was memorized and no one else knew the PIN. Do we pay?
This can be an interesting claim. It will require you to very carefully review your transaction journal. Regulation E states that you can deny a claim if your records do not indicate that an error occurred. In this instance, go back to the first transactions made after the date the card was lost. If you do not see an invalid PIN attempt on the first transaction, you have a good reason to deny the claim. After all, if no one else knows the PIN, how could this mysterious third party correctly enter the PIN on the first try? Your records indicate that no error occurred.
- The customer has reported unauthorized use of his ATM card and PIN, but both are still in his possession. What do we do?
A claim of this type takes a tactful, face-to-face interview with your customer. You need to explore the possibility that someone, perhaps a family member, could have taken the card, used it, and then returned the card without the customer's knowledge. Photographs of the transaction will be extremely helpful.
Again, you may have a basis to deny this claim because your records (the transaction journals) do not indicate an error.
- My customer left his ATM card in the machine and subsequent withdrawals were made. Isn't that negligence on his part and isn't he responsible?
No, these withdrawals cannot be considered authorized. (See the second sentence in answer No. 4!) Unfortunately, you have to pay the claim.
These scenarios have been developed over many years experience in combatting ATM fraud and in providing physical protection for ATMs and customers. We hope they will help you handle claims as you review them with your compliance officer and your legal counsel.
Good luck! Kathleen Patrick, a veteran of 20 years in the banking industry, is a Principal of Finsecor, Inc., a consulting firm specializing in providing security services to financial institutions. Originators of the "Secure Site" program, Finsecor does ATM security evaluations, lighting and branch inspections, security training and policy and procedure writing. They can be reached at (800) 200-9966.
Copyright © 1996 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 6, No. 9, 7/96
First published on 07/01/1996