Here is the situation. Customer, not very computer savvy by the way, ended up with spyware on his computer. The spyware logged all his online banking information, passwords, personal information, and security question answers.
Someone accessed his account, from Nigeria, and made a $7,000.00 electronic Bill Payment.
Does this fall under Regulation E?
According to the company that controls our Bill Pay, this does not fall under Reg E because the funds are transferred from the customer's account into an internal account. The funds are then debited in one lump sum, through ACH by the Bill Pay company, from the internal account and credited to the different accounts requested by our customers.
They are stating that this setup makes each individual bill payment an exception to Regulation E, and we do not have to credit back customers for unauthorized transactions in this case.
I am kind of doubtful. The way I see it, it makes us liable for the Unauthorized Funds Transfer because it was processed to our internal account, while we are authorizing the ACH Debit by the Bill Pay Company so there is no dispute involved. That leaves us holding the bag when the customer wants his money back.
We were able to recover the funds for the customer in this case, but with the growth of technology and cyber theft, I expect to see it more often and wanted to get everyone's opinion on it.