BOL Conferences
#1827060 - 06/25/13 02:59 PM Online liability
Denovo Co Offline
Gold Star
Joined: Jan 2005
Posts: 375
NM
We have a consumer accountholder whose online banking passwords were breached and transfers were made from one of their accounts to another so that a series of four bill payments could be made to individuals in other states. Once the payments were made, the funds were immediately wired out of the country. This resulted in a substantial amount of loss to the customer and now management is wondering who is liable. Are these transactions covered under Regulation E?

eBanking / Technology
#1827097 - 06/25/13 03:24 PM Re: Online liability Denovo Co
BrianC Online
Power Poster
Joined: Nov 2004
Posts: 6,723
Illinois
Most likely covered under Reg E.

See the commentary to 1005.3.

vi. A payment made by a bill payer under a bill-payment service available to a consumer via computer or other electronic means, unless the terms of the bill-payment service explicitly state that all payments, or all payments to a particular payee or payees, will be solely by check, draft, or similar paper instrument drawn on the consumer's account, and the payee or payees that will be paid in this manner are identified to the consumer.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

#1827125 - 06/25/13 03:48 PM Re: Online liability BrianC
Denovo Co Offline
Gold Star
Joined: Jan 2005
Posts: 375
NM
Since we know the customer's information was breached from their end and there is no way of getting the money back, how should the Bank proceed? Is provisional credit required and what type of investigation can be done?

#1827136 - 06/25/13 03:56 PM Re: Online liability Denovo Co
BrianC Online
Power Poster
Joined: Nov 2004
Posts: 6,723
Illinois
Quote:
Since we know the customer's information was breached from their end and there is no way of getting the money back

It looks like you have investigated. There is little more to do here than pay the customer's claim and move on. If you determine that the loss occurred due to your customer falling for a phishing scam, not having up-to-date anti-virus software, etc., you can choose not to permit this customer access to internet banking to avoid additional losses down the road.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

#1827629 - 06/26/13 01:31 PM Re: Online liability Denovo Co
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,752
On the Net
Essentially the customer lost an access device, which could be a card (common) or a code (as in this case). You have the same issue, but a less common medium to access the funds. A question is, with multifactor authentication, how did this happen? As Brian noted, malware of some type may have been used, so the consumer wasn't practicing safe computing. It can be important that you figure out how this happened and that you include that in the training information you provide other customers so the bank doesn't suffer another loss. I assume the consumer didn't just give logon credentials away. Again, even if they did, we still use the same Reg E tests; the difference is the access device was different - being dumb doesn't increase the consumer's liability. The difference is you have a smaller daily limit on a debit card than billpay and wires.

I absolutely agree that if the consumer was negligent, I would not give them that product or service again and certainly not if their computer has malware. You could pay the consumer back and find a new claim immediately as those funds could be taken.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell


Moderator:  Andy_Z