I hope they do not put out more half-baked FAQ's. The CFPB should address this in a rulemaking that amends either the regulation or the Official Staff Comments, and is subject to the notice and comment process. That would require them to confront and address the many ways in which these transactions actually occur (which industry groups would surely provide in the comment process). When they put out FAQ, the answers are just based on their ivory tower fantasies about the transactional world.

"Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E."


There is a big difference between that and me going to a website and think I am ordering a gadget for $19.99 and putting in my card information and getting charged for $19.99 and the merchandise never showing up and then I claim that the websidte was fraudulent since it is no longer active.

That is not what that is talking about. The third party did not induce the consumer to share their card information and then just go use it somewhere or somehow. The customer initiated and approved the transaction that occurred.

I see that FAQ as no different from what we have been saying.

If it's a fake website, then I don't see how you can argue it's not fraudulently induced. The third-party did indeed induce the customer into sharing their info by having a fake website and obtaining the debit card info therefrom.

{Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Fund Transfers Question 1, Regulation E defines an unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.}

If this doesn't pretty much answer the initial post, then I don't know what it would take to convince you otherwise, lol. You're pretty much just stuck in your ways on this, which is cool. I can be the same way on certain issues.

Taken in totality, FAQs 3, 4, and 5 should pretty much lead one to conclude what I have been stating on this thread throughout: https://www.consumerfinance.gov/com...ansfers/electronic-fund-transfers-faqs/.

unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer

a third party uses that information to make an EFT from the consumer’s account,

(1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and

(2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.}

In none of those situations do you have a consumer sitting at their computer on a website and consciencely entering their debit card information thinking that they are buying a widget for $19.99. After which they approach the bank and then say that the website was fraudulent, and they want the bank to refund their $19.99. That pure and simple is a consumer problem with a merchant whether the merchant exists, or they do not. Like I said before, it is no different than me ordering a box of kitty litter from Walmart and Walmart fails to deliver it.

Now, if the perps that set up the website, took the information that the consumer entered and initiated hundreds of dollars of gift card purchases, then those transactions would be covered under Regulation E. However, the $19.99 will never be the liability of the bank.

Am I stuck in my ways? Sure, I am, because after 40 years of doing this thing called compliance, I know how to read the regulations and the guidance and form a pretty good opinion. If you have a different opinion and wish to hand out the bank's assets to consumers that are not entitled to the protections afforded under Regulation E, that is totally your prerogative.

You are missing the whole point of those questions and answers, as not one of them deals with the customer actually initiating a transfer in which they later have buyer's remorse.

Yes, I agree they don't EXACTLY describe the specific scenario we are discussing. But, again, taken in totality it is relatively easy to conclude these are unauthorized EFTs. We both are confident in our ability to read Regulations and Guidance and form a pretty good opinion, though there is a right answer and a wrong one here . I'm good with my take.

I see it as very different from Walmart and kitty litter. Walmart is not obtaining the debit card info via fraud. That is the difference. There is no fraud involved. However, if the customer input debit card info to WalFart for kitty litter, then that is a different story. WalFart doesn't exist and is using fraud, i.e. the appearance of being able to legitimately sell and deliver kitty litter (which it actually cannot do), to obtain payment information.

So in your view both Walmart and Walfart are "initiating" the transaction, and the consumer is not initiating either transaction?

NABW - using your logic, if a scammer tells your customer to go to Walmart and buy gift cards with their debit card and then provide the scammer the gift card information from the card purchased, that is fraud, and you would refund the $500 the customer spent on gift cards.

I started to pose a very similar scenario yesterday and scrapped the idea. I am interested know the answer, and if no, then where the difference lies.

Initiating the transaction depends on how it is executed, but, again, the difference with Walmart and Walfart is one is authorized and the other is unauthorized (by definition of 1005.2 due to fraud).

I wouldn't consider the gift card situation to be the same because the access device is not obtained via the scam. The customer is making a purchase of a valid product (gift card) at a valid retailer (Walmart). That would be like the customer buying a pair of Nike's from Foot Locker with a card swipe and then giving the Nike's to somebody who told them "I will send you a Large flat screen TV in a week if you give me a pair of Nike's." The scammer obtained the Nike's from the customer through fraud, but did not obtain the access device.

{3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.}

Walfart obtains the access device, i.e. the card number, expiration date, etc., through fraud (fake website for kitty litter).

First of all, who says the website is fake? Is it because it is no longer there? Who makes that determination? Was it legitimate at the time of the transaction and business has since gone out of business?

Was the price of what you were trying to buy or do $19.99? Did you willingly give the website or person your debit card information? Were you charged $19.99?

If the answer to those three questions is yes, then this is not a Regulation E issue, regardless of any other factors.

They did not obtain the access device through fraud. The customer gave it to them willingly for a purchase. Whether the merchandise/product ever shows up is not a Regulation E issue. I am just not sure how else to say it and will just leave it at that.

You are more than free to manage your Regulation E compliance anyway you choose. We can let other people be their own judge of what is required.

I am in full agreement that this is not an unauthorized transaction. It was initiated by the consumer. Case closed. Now, that being said... You're going to send a resolution notice stating, "claim is being denied due to transaction authorized by cardholder", or something like that. The model letter says the customer can request to review the documentation used in the determination. What would that specific documentation look like? A written recap of the conversation between employee and customer where the customer admittedly made the purchase? Would that be sufficient to support a claim denial during examination?

The customer admiting to initiating the charge is sufficient to deny a claim because it does not meet the definition of an EFT error.

Just a reminder that while there are no Reg E protections for a situation where the customer initates a charge and does not receive the merchandise, Visa/Mastercard have chargeback rights for "non-receipt of merchandise" and we still have a contractualy obligation as the card issuer to attempt to assist the cardholder. The only difference is that we do not have to provide provisional credit or adhere to Reg E investigation timeframes. We can also make the customer jump through Visa/Mastercard hoops of contacting the merchant and documenting their side of the story in a written letter.

Absolutely it would. Customer statements - especially those made at the time of first contact are always essential to any Regulation E investigation and in some case such as this, it would be all you needed.

Thanks guys and yes, great reminder Brian!

Everyone arguing for it not being an unauthorized EFT just totally seems to ignore the piece of the Regulation that discusses the access device being obtained by fraud. I'm not sure why that is the case, lol. You can't just ignore the part about fraud, especially as it seems nobody ignores the part about robbery.

The website is fake. We are talking about scams this whole time. Nobody is talking about a store suddenly going out of business. The access device is obtained through fraud. Again, if the website had a big statement that said "this store and these products do not actually exist and if you order anything, you will get nothing and we will just take your money" then I highly doubt the customer is going to willingly give the website their debit card information. The SOLE reason they are giving the website the card information is due to a scam, i.e. FRAUD. The have been scammed (FRAUD) into believing the website and product is legitimate; therefore, they provide their access device, i.e. the other side OBTAINS it.

{3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who OBTAINED the access device from the consumer through FRAUD or robbery.}

"initiated by a person who OBTAINED the access device from the consumer"

The only person that initiated this transaction was the consumer themself. Regulation E does not protect a consumer from a "buyer beware" transaction.

Under your definition, anytime someone uses their debt card for anything, it never involves a transaction initiated by the consumer - whether that involves a legitimate merchant or not.

.

So if I buy a Gucci purse thru Facebook, and I get it and it says it was made in China, I can dispute it with you because they obtained my access device fraudulently?

No one is ignoring that piece of the reg. The critical term is initiated. Let me try this...

1) First, everyone here agrees that the site thisisnotascam.com is not a legitimate site.
2) I visit this site, and I learn that my factory warranty may be expired!
3) I willingly and freely, of my own accord and without coercion, INITIATE the transaction by entering my card #, expiration, ccv code, and amount of transfer. I initiated and authorized $100 for the purchase of this totally real and not fake extended warranty.
4) Shockingly, I never received proof of the warranty.

At this specific moment I conducted this transaction. I approved this transaction. I INITIATED this transaction. Not only is "initiated" critically important here, but so is "I"

Also at this point, thisisnotascam.com has obtained my access device, but they DID NOT authorize the $100, I did. I agreed, freely, that they could have this $100. They did not forcibly obtain the authorization - it was given freely.

So yes, they obtained my information through fraudulent means, but they did not INITIATE this transaction, they did not AUTHORIZE this transaction - again, I did... I said, "Here, take my money!" So Reg E does not cover this transaction. Visa/MC does, sure (service not received), but not Reg E.

Now....thisisnotascam.com has initiated 5 more transactions totaling $1,000. HERE is where that provision of Reg E comes in. They obtained my info through fraud AND THEY INITIATED these transactions. I did not authorize these transactions, I did not initiate these transactions, and I did not enter my information for these transactions... For these, I did not say, "Here, take my money!" These 5 new transactions are now covered by Reg E.

To your argument that if the website states "this store and these products do not actually exist" no one would ever fall for it.....many times they practically do!!!

Want to lose 100 pounds? Give us all your bank info and we'll tell you the secret!
Your computer seemed to work fine 5 seconds ago, but I just happen to be a really nice guy and I see you're infected with thousands of malicious viruses - give me your card information and I'll fix it all up!
Hey - there's a rich prince that wants to give all of his money to a deserving American. He knows you're the perfect candidate. Give us your information so we can pay for the transfer!

People give their information out to these site ALL. THE. TIME. Stupid? Yes. Authorized by the consumer? Yes. Consumer regret? No doubt. But these simply are not covered by Regulation E.

Beautifully done Burkemi!
I think you spelled it out clearly enough for anyone to see. If there are those that would like to give away more of your banks money in instances where it is not required, please feel free, but lets not try to convince others that they have the same responsibility to do so.

No, as I said before, a swipe at a store is clearly initiated by the customer. Nobody else plays a role in the transaction. The customer is directly interacting with the charge machine.

Anyways, I submitted the following to the CFPB.

I have been engaged in a discussion with other Regulatory Compliance experts regarding unauthorized EFTs vis-a-vis fraud scenarios. The Official Interpretation to 12 CFR 1005.2(m) states that included in the definition of unauthorized EFT is when the access device is obtained by fraud.

{3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.}

So, if a scammer contacts a customer via telephone and says, "I am with Microsoft and I noticed that your computer has a bunch of viruses on it. I can clean these off of your system for $49.99 if you provide me your debit card information." Customer proceeds to provide the debit card information to the telephone scammer and gets charged $49.99 and, obviously, receives no services from the fake operator. Is this an unauthorized EFT due to the debit card information being obtained due to fraud and it could be understood that the telephone operator initiated the transaction because they actually submit the information that provides the payment? Or, is this not an unauthorized EFT because, even though the card information was obtained through fraud, the customer initiates the transaction by providing the card information to the telephone scammer?

Okay, I give in . Mercy.

I spoke with the CFPB representative and he stated that although "initiate" isn't given a definition in the Regulation, his understanding and that of others he spoke with, is that it is synonymous with authorization. So, providing the debit card info over the phone because of fraud does not meet the definition of an unauthorized EFT because giving the card info is considered the initiation of the transaction. Therefore, it seems that fraud is basically limited to when an account is hacked or otherwise results in some type of theft of the card information, such as if someone can see your keystrokes or screen or whatever and takes the information the customer may have used to make a purchase on a separate website and then uses it for other transactions.

I was reading too much into "initiated" and giving it too broad of a definition. I don't mind being wrong!