Our customer got her first computer and got a virus. An alarming and forceful message popped up that basically said, "This is Microsoft and we can clean the virus from your pc." She called the number and gave them her debit card information to pay for the cleanup.

Reg E 1005.2(m) says: “Unauthorized electronic fund transfer” means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated: (1.) By a person who was furnished the access device to the consumer's account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized; (2.) With fraudulent intent by the consumer or any person acting in concert with the consumer; or (3.) By the financial institution or its employee.

The commentary goes on to say: (3.) Access device obtained through robbery or fraud. - An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.

Question: Would this be considered obtaining access through fraud? Or, since she gave the fraudster her info, would you consider it an authorized transaction?

Many thanks!

She authorized the transaction.

10-4...thanks Randy!

She is a victim of fraud, but in that she made a bad purchase decision and for a fraudulent service. The bank followed her orders for payment. She didn't have a gun to her head nor did someone steal her card, they defrauded her on the purchase.

Reg E doesn't care that the consumer is happy with the product or service, but that they did the transaction, authorized it or benefited from it.

Subsequent charges made after the cost of the cleanup could be valid claims, but this one is not, she paid for an education. I would reissue the card so this group can't sell off the card data.

Hmmm. Tough call to me. A similar situation would be a scam where a customer purchased something from a non-existent entity. I'm not so sure these are so easily dismissed as an authorized transaction. At the end of the day in both scenarios the following is true:

(3.) Access device obtained through robbery or fraud. - An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.

The debit card information is obtained via fraud, i.e. the person saying "hey, this is Microsoft, I can clean up your PC if you give me your debit card number." If the person said, "hey, this is a scammer and I can't really do anything to fix your PC, but give me your debit card number anyways," then it is highly unlikely the customer would do so. @Andy - Gun to the head/stolen card are both robbery scenarios. What scenario would be "fraud" as mentioned in the commentary in your understanding if this is not an example of it?

If the perps used the card information that she provided to purchase other items, then the access device could be considered obtained through fraud. But if they told her that it was going to be $79.99 to clean up her PC and she authorized it, then it was not fraud. It would be no different than if she ordered a dozen boxes of girl scout cookies and they never showed up. She may have a claim through other card issuer protections, but not through Regulation E.

Randy's point is a critical one that goes to proper interpretation of the portion of the OSC quoted by Compliance NABW: "An unauthorized EFT includes a transfer INITIATED BY a person who obtained the access device from the consumer through fraud or robbery."

Who initiated the transaction in this case? It wasn't the fraudsters; it was the customer. She was tricked into initiating the transaction, but she still initiated it. Thus, by definition it can't be unauthorized.

Yeah, IDK, it's a tough call. They still "initiate" the transfer in terms of they are plugging the card number in to the system to transact the EFT. I do not see it similar to the girl scout cookie scenario if you are dealing with a legitimate business that truly sells Girl Scout cookies. In that case you have an entity/person that you can have a merchant dispute with. In the case of a scammer, there is no person or entity to dispute with. You order Nike's from the online Nike store and they don't show. The Nike store actually has Nike's to provide you. That's not fraud. A scammer has no actual goods. It's strictly fraud to get the debit card information.

By your definition, no one ever "initiates" a transaction with their own card - only the merchant does it. But that's not how Reg. E sees it - the definition of "access device" is that it can be used by the consumer to initiate transfers. If I give my debit card to the cashier at the grocery store, I'm still initiating the transfer. The store is not initiating it. I don't have to contact my bank after each time I visit a merchant to tell the bank the merchant isn't allowed to do any more transfers in order for me to avoid liability for those subsequent transfers under 1026.2(m).

And I'd disagree with your last sentence, which again gets to the crux of the matter. It's not fraud "to get the debit card information." It's fraud to get the consumer to pay the fraudster; the debit card just happens to be the way they get the money from the consumer. To go back to Randy's post - if the fraudster used the card info to initiate OTHER transactions in addition to the initial one, those would be unauthorized. And those would be transactions based on fraud "to get the debit card information."

I agree with both rainman and Compliance NABW which makes me wishy-washy.

We have members that have called "fake Cash App" and the fraudster "helps them" with their account and then has the member perform a "test" transaction. The member does so and of course the money is gone.

What are the thoughts on these transactions?

If you are in the grocery store and you swipe your card, that is an obvious example of the customer initiating their transaction. If you are right there with the cashier and you hand them your card, then there is no force or fraud in initiating the transaction. It is authorized. If you admit that it's obtained by fraud to do subsequent transactions, then how is it not obtained by fraud for the initial transaction? That doesn't make sense to me. Again, if the customer knew it was a scam, then they would not be handing over the information.

@Valley Girl - I think your scenario is similar to what we are discussing. I would be of those that would consider this an unauthorized EFT. The customer is being duped by a non-existent entity. There is no legitimate merchant to do any kind of dispute with. It's total fraud.

The question for Reg. E is not whether the customer was scammed. The question for Reg. E is whether a particular transaction was authorized or not. If the customer provides their card information to a merchant (real or otherwise) to do a $50 charge to the customer's account, it's authorized. (I would also say it's initiated by the customer, just like an Amazon online purchase.) But if the "merchant" then keeps the card info and uses it to do subsequent transactions, those subsequent transactions are unauthorized. But those subsequent unauthorized transactions don't alter the fact that the customer authorized the first transaction (even if the customer never got goods or services in exchange for that first transaction).

We'll probably have to end up not agreeing here, but, I am not disputing the customer "authorized" the transaction. However, in the very definition of unauthorized EFT, you have the following:

(3.) Access device obtained through robbery or fraud. - An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.

So, although practically speaking the transaction was authorized by the customer, by the definition of Reg. E you do not have an authorized EFT because it was obtained by fraud.

Let's do a robbery scenario - Bad guy points a gun at customer and says "give me your debit card." Or, bad guy points a gun at customer and says "withdraw cash from ATM." Although in both cases, the transaction was "authorized" by the person using the debit card, it was obtained via robbery; therefore, it is an unauthorized EFT. If you can explain to me why a robbery scenario is different that a fraud scenario, please feel free to do so. I don't see this as any different than "give me your debit card number to fix your computer" and the person saying that has no ability to provide that service. If fraud only applies to subsequent transactions, I would love to see somebody support that. I highly doubt "fraud" as a category is that limited by Reg. E such that you have to get initially duped and then get stuck again for you to actually have some rights under 1005.11.

Does the bad guy have to take you to another ATM and point the gun at your head again for the robbery rights to kick in?

It does contain an aspect of whether the customer was scammed, as by the very definition of an unauthorized EFT it includes transaction where the customer is scammed, i.e. fraud occurs.

Here's the key phrase


1. You trick me into giving you my card or card number and you use my access device for unauthorized charges. - Reg E covers this as it was obtained through robbery or fraud.

2. You trick me into thinking I'm buying a puppy from you and I initiate a cash app/paypal transfer to send you money. I initiated the transfer so Reg E does not protect me and there are no chargeback rights since I received the services I authorized (the merchant in this case is cash app/paypal)

3. You trick me into authorizing a charge over the phone which you key into a merchant terminal. I initiated the transfer so Reg E does apply but since the fraudsters used a merchant terminal, the bank has chargeback rights for merchandise/services not received.

I will disagree with your characterization of the regulation which appears to be that whenever the consumer is scammed, the transfer is unauthorized. But that's not what the regulation (or more accurately, the official staff commentary) actually says. It says that "An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery."

If you go to the grocery store and use your debit card to purchase groceries, who is initiating the transfer - you or the store? If you make an online purchase from Amazon charged to your debit card by inputting the debit card info on their site, who is initiating the transfer - you or Amazon? If a scammer convinces you to go to www. nottherealamazon. com and use your debit card to "purchase" something that you never receive (because it's a scam), who initiated that transfer - you or the scammer?

To me, the cash app scenario is like the scams where the consumer purchases gift cards and then gives the gift card information to the fraudster. We don't process those disputes as Reg E (or merchant disputes). The fraudster never handles or has access to the access device in either scenario. I understand that no regulation can fit every situation, but a clearer definition of "initiated" and "obtained" would be nice.

Because the regulation isn't clear, I have given final credit on the "cash app" scenario rather than risk run afoul of the reg.

I believe I came to a similar understanding at a previous point in time regarding this topic. It sounds like you do agree with me as far as the initial post in the thread. If the lady gave her debit card number to the person on the phone and they take the card number to give themself money, then would you agree this is a Reg. E Error? You would consider that the scammer obtained the debit card number by fraud and initiated the transaction?

I still don't think the customer "initiates" the transaction at notthrealamazondotcom. Nothing happens with the card at the fake site other than your number and info being captured to use to take the funds.

And just who provided that number and info - the consumer. You can give away the bank if you choose to - most choose not to give away more than what is already required.

Yes, due to fraud. Just like they provide the card if somebody points a gun at them.

The consumer willingly used the fake website - nobody was holding a gun to their head.

Were they stupid, yes.

Does Regulation E protect against such stupidity - no.

Maybe their card issuer rules might cover it if they ordered merchandise that has failed to show up, for example, but we are not talking about card rules. They authorized the charge and that is really the end of the story as far as Regulation E is concerned.

I'm with Randy, this is not a Reg E protected situation based on the scenario presented.

Over the last year, the CFPB has issued two sets of FAQs - June 2021 and December 2021 - that appear to be more consumer friendly than the approach some have taken in the past.

For example, the answer to current FAQ 5 (Section: Error Resolution: Unauthorized EFTs) says this: "Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E."

In addition, the answer to current FAQ 6 (Section: Error Resolution: Unauthorized EFTs) says this: "A consumer who is fraudulently induced into providing account information has not furnished an access device under Regulation E."

That said, the FAQs seem to sort of tip-toe around the specific "initiated" discussion found in this thread. I understand that the FAQs are not regulations, but I do think Compliance NABW has a good point on the "obtained through robbery or fraud" argument, which I have always felt could be interpreted more consumer-friendly than many bankers often do.

At the end of the day, this is ultimately becoming a risk management decision. On one hand, being conservative and erring on the side of the consumer will avoid examiner criticism (and help the consumer). On the other, taking a traditional Reg E "initiated" stance will save the bank money. I will be curious to see if future CFPB FAQs address this topic.

I hope they do not put out more half-baked FAQ's. The CFPB should address this in a rulemaking that amends either the regulation or the Official Staff Comments, and is subject to the notice and comment process. That would require them to confront and address the many ways in which these transactions actually occur (which industry groups would surely provide in the comment process). When they put out FAQ, the answers are just based on their ivory tower fantasies about the transactional world.

"Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E."


There is a big difference between that and me going to a website and think I am ordering a gadget for $19.99 and putting in my card information and getting charged for $19.99 and the merchandise never showing up and then I claim that the websidte was fraudulent since it is no longer active.

That is not what that is talking about. The third party did not induce the consumer to share their card information and then just go use it somewhere or somehow. The customer initiated and approved the transaction that occurred.

I see that FAQ as no different from what we have been saying.

If it's a fake website, then I don't see how you can argue it's not fraudulently induced. The third-party did indeed induce the customer into sharing their info by having a fake website and obtaining the debit card info therefrom.

{Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Fund Transfers Question 1, Regulation E defines an unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.}

If this doesn't pretty much answer the initial post, then I don't know what it would take to convince you otherwise, lol. You're pretty much just stuck in your ways on this, which is cool. I can be the same way on certain issues.

Taken in totality, FAQs 3, 4, and 5 should pretty much lead one to conclude what I have been stating on this thread throughout: https://www.consumerfinance.gov/com...ansfers/electronic-fund-transfers-faqs/.

unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer

a third party uses that information to make an EFT from the consumer’s account,

(1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and

(2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.}

In none of those situations do you have a consumer sitting at their computer on a website and consciencely entering their debit card information thinking that they are buying a widget for $19.99. After which they approach the bank and then say that the website was fraudulent, and they want the bank to refund their $19.99. That pure and simple is a consumer problem with a merchant whether the merchant exists, or they do not. Like I said before, it is no different than me ordering a box of kitty litter from Walmart and Walmart fails to deliver it.

Now, if the perps that set up the website, took the information that the consumer entered and initiated hundreds of dollars of gift card purchases, then those transactions would be covered under Regulation E. However, the $19.99 will never be the liability of the bank.

Am I stuck in my ways? Sure, I am, because after 40 years of doing this thing called compliance, I know how to read the regulations and the guidance and form a pretty good opinion. If you have a different opinion and wish to hand out the bank's assets to consumers that are not entitled to the protections afforded under Regulation E, that is totally your prerogative.

You are missing the whole point of those questions and answers, as not one of them deals with the customer actually initiating a transfer in which they later have buyer's remorse.

Yes, I agree they don't EXACTLY describe the specific scenario we are discussing. But, again, taken in totality it is relatively easy to conclude these are unauthorized EFTs. We both are confident in our ability to read Regulations and Guidance and form a pretty good opinion, though there is a right answer and a wrong one here . I'm good with my take.

I see it as very different from Walmart and kitty litter. Walmart is not obtaining the debit card info via fraud. That is the difference. There is no fraud involved. However, if the customer input debit card info to WalFart for kitty litter, then that is a different story. WalFart doesn't exist and is using fraud, i.e. the appearance of being able to legitimately sell and deliver kitty litter (which it actually cannot do), to obtain payment information.

So in your view both Walmart and Walfart are "initiating" the transaction, and the consumer is not initiating either transaction?

NABW - using your logic, if a scammer tells your customer to go to Walmart and buy gift cards with their debit card and then provide the scammer the gift card information from the card purchased, that is fraud, and you would refund the $500 the customer spent on gift cards.

I started to pose a very similar scenario yesterday and scrapped the idea. I am interested know the answer, and if no, then where the difference lies.

Initiating the transaction depends on how it is executed, but, again, the difference with Walmart and Walfart is one is authorized and the other is unauthorized (by definition of 1005.2 due to fraud).

I wouldn't consider the gift card situation to be the same because the access device is not obtained via the scam. The customer is making a purchase of a valid product (gift card) at a valid retailer (Walmart). That would be like the customer buying a pair of Nike's from Foot Locker with a card swipe and then giving the Nike's to somebody who told them "I will send you a Large flat screen TV in a week if you give me a pair of Nike's." The scammer obtained the Nike's from the customer through fraud, but did not obtain the access device.

{3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.}

Walfart obtains the access device, i.e. the card number, expiration date, etc., through fraud (fake website for kitty litter).

First of all, who says the website is fake? Is it because it is no longer there? Who makes that determination? Was it legitimate at the time of the transaction and business has since gone out of business?

Was the price of what you were trying to buy or do $19.99? Did you willingly give the website or person your debit card information? Were you charged $19.99?

If the answer to those three questions is yes, then this is not a Regulation E issue, regardless of any other factors.

They did not obtain the access device through fraud. The customer gave it to them willingly for a purchase. Whether the merchandise/product ever shows up is not a Regulation E issue. I am just not sure how else to say it and will just leave it at that.

You are more than free to manage your Regulation E compliance anyway you choose. We can let other people be their own judge of what is required.

I am in full agreement that this is not an unauthorized transaction. It was initiated by the consumer. Case closed. Now, that being said... You're going to send a resolution notice stating, "claim is being denied due to transaction authorized by cardholder", or something like that. The model letter says the customer can request to review the documentation used in the determination. What would that specific documentation look like? A written recap of the conversation between employee and customer where the customer admittedly made the purchase? Would that be sufficient to support a claim denial during examination?

The customer admiting to initiating the charge is sufficient to deny a claim because it does not meet the definition of an EFT error.

Just a reminder that while there are no Reg E protections for a situation where the customer initates a charge and does not receive the merchandise, Visa/Mastercard have chargeback rights for "non-receipt of merchandise" and we still have a contractualy obligation as the card issuer to attempt to assist the cardholder. The only difference is that we do not have to provide provisional credit or adhere to Reg E investigation timeframes. We can also make the customer jump through Visa/Mastercard hoops of contacting the merchant and documenting their side of the story in a written letter.

Absolutely it would. Customer statements - especially those made at the time of first contact are always essential to any Regulation E investigation and in some case such as this, it would be all you needed.

Thanks guys and yes, great reminder Brian!

Everyone arguing for it not being an unauthorized EFT just totally seems to ignore the piece of the Regulation that discusses the access device being obtained by fraud. I'm not sure why that is the case, lol. You can't just ignore the part about fraud, especially as it seems nobody ignores the part about robbery.

The website is fake. We are talking about scams this whole time. Nobody is talking about a store suddenly going out of business. The access device is obtained through fraud. Again, if the website had a big statement that said "this store and these products do not actually exist and if you order anything, you will get nothing and we will just take your money" then I highly doubt the customer is going to willingly give the website their debit card information. The SOLE reason they are giving the website the card information is due to a scam, i.e. FRAUD. The have been scammed (FRAUD) into believing the website and product is legitimate; therefore, they provide their access device, i.e. the other side OBTAINS it.

{3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who OBTAINED the access device from the consumer through FRAUD or robbery.}

"initiated by a person who OBTAINED the access device from the consumer"

The only person that initiated this transaction was the consumer themself. Regulation E does not protect a consumer from a "buyer beware" transaction.

Under your definition, anytime someone uses their debt card for anything, it never involves a transaction initiated by the consumer - whether that involves a legitimate merchant or not.

.

So if I buy a Gucci purse thru Facebook, and I get it and it says it was made in China, I can dispute it with you because they obtained my access device fraudulently?

No one is ignoring that piece of the reg. The critical term is initiated. Let me try this...

1) First, everyone here agrees that the site thisisnotascam.com is not a legitimate site.
2) I visit this site, and I learn that my factory warranty may be expired!
3) I willingly and freely, of my own accord and without coercion, INITIATE the transaction by entering my card #, expiration, ccv code, and amount of transfer. I initiated and authorized $100 for the purchase of this totally real and not fake extended warranty.
4) Shockingly, I never received proof of the warranty.

At this specific moment I conducted this transaction. I approved this transaction. I INITIATED this transaction. Not only is "initiated" critically important here, but so is "I"

Also at this point, thisisnotascam.com has obtained my access device, but they DID NOT authorize the $100, I did. I agreed, freely, that they could have this $100. They did not forcibly obtain the authorization - it was given freely.

So yes, they obtained my information through fraudulent means, but they did not INITIATE this transaction, they did not AUTHORIZE this transaction - again, I did... I said, "Here, take my money!" So Reg E does not cover this transaction. Visa/MC does, sure (service not received), but not Reg E.

Now....thisisnotascam.com has initiated 5 more transactions totaling $1,000. HERE is where that provision of Reg E comes in. They obtained my info through fraud AND THEY INITIATED these transactions. I did not authorize these transactions, I did not initiate these transactions, and I did not enter my information for these transactions... For these, I did not say, "Here, take my money!" These 5 new transactions are now covered by Reg E.

To your argument that if the website states "this store and these products do not actually exist" no one would ever fall for it.....many times they practically do!!!

Want to lose 100 pounds? Give us all your bank info and we'll tell you the secret!
Your computer seemed to work fine 5 seconds ago, but I just happen to be a really nice guy and I see you're infected with thousands of malicious viruses - give me your card information and I'll fix it all up!
Hey - there's a rich prince that wants to give all of his money to a deserving American. He knows you're the perfect candidate. Give us your information so we can pay for the transfer!

People give their information out to these site ALL. THE. TIME. Stupid? Yes. Authorized by the consumer? Yes. Consumer regret? No doubt. But these simply are not covered by Regulation E.

Beautifully done Burkemi!
I think you spelled it out clearly enough for anyone to see. If there are those that would like to give away more of your banks money in instances where it is not required, please feel free, but lets not try to convince others that they have the same responsibility to do so.

No, as I said before, a swipe at a store is clearly initiated by the customer. Nobody else plays a role in the transaction. The customer is directly interacting with the charge machine.

Anyways, I submitted the following to the CFPB.

I have been engaged in a discussion with other Regulatory Compliance experts regarding unauthorized EFTs vis-a-vis fraud scenarios. The Official Interpretation to 12 CFR 1005.2(m) states that included in the definition of unauthorized EFT is when the access device is obtained by fraud.

{3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.}

So, if a scammer contacts a customer via telephone and says, "I am with Microsoft and I noticed that your computer has a bunch of viruses on it. I can clean these off of your system for $49.99 if you provide me your debit card information." Customer proceeds to provide the debit card information to the telephone scammer and gets charged $49.99 and, obviously, receives no services from the fake operator. Is this an unauthorized EFT due to the debit card information being obtained due to fraud and it could be understood that the telephone operator initiated the transaction because they actually submit the information that provides the payment? Or, is this not an unauthorized EFT because, even though the card information was obtained through fraud, the customer initiates the transaction by providing the card information to the telephone scammer?

Okay, I give in . Mercy.

I spoke with the CFPB representative and he stated that although "initiate" isn't given a definition in the Regulation, his understanding and that of others he spoke with, is that it is synonymous with authorization. So, providing the debit card info over the phone because of fraud does not meet the definition of an unauthorized EFT because giving the card info is considered the initiation of the transaction. Therefore, it seems that fraud is basically limited to when an account is hacked or otherwise results in some type of theft of the card information, such as if someone can see your keystrokes or screen or whatever and takes the information the customer may have used to make a purchase on a separate website and then uses it for other transactions.

I was reading too much into "initiated" and giving it too broad of a definition. I don't mind being wrong!

Thank you for sharing this Compliance NABW.

Thanks for following back up.

Unfortunately I can almost hear the discussion in the CFPB halls, "hey guys, on the next FAQs, how about this interpretation of initiating a transfer and fraud...". It'll be up there with "an ACH agreement is not an agreement but a debit card common bond is."

Thanks for the follow-up. This thread was an interesting read.

Here's a take on this that I haven't seen yet: Customer gets a call saying his wife's info has been compromised on Amazon. They tell him to send $2,500 through CashApp (to "his wife" with the information they give him) Our transaction limit is $1,000 so the transaction failed. Customer called, we tell him the limit is 1K, but as we are talking we realize it is a scam. We tell the customer this is a scam, do NOT send these people anything. He gets frustrated with the banker, is transferred to the manager who tells him the same thing. Manager goes in to shut down his card since he is still insistent this isn't fraud and, as she looks at the screen (before closing the card) a $1,000 transaction comes through. Does Reg E apply?

It depends. Did the customer initiate the transfer or did the customer get tricked into giving their access device to the fraudsters and the fraudsters initiate the transfer?

Reg E applies to the latter, but not to the former.

Does it apply how? Did they authorize a transaction for $1,000. If they did, it is an authorized transaction.

Customer initiated the transfer. My bigger question (that may be irrelevant) is that we TOLD him it was fraud and he initiated anyway. If, since he initiated, Reg E doesn't apply anyway, then the fact that we TOLD him it was fraud and he kept going really doesn't matter. Thanks for helping me walk through this.

If we had a customer who didn't listen to us regarding the transaction, sent the money anyways and then submitted a claim they would soon be an ex-customer.

From the description the scammer didn't get the info and initiate the transfer. The customer initiated the transfer and was informed it was a scam. They chose to send the funds. The transfer was executed as requested by the consumer.

It is different if they coerced the consumer for access info or billed more than was authorized. That was not the case. I'd deny it and not reissue. My fear is once they know the rules, they will be more likely to abuse them.

Interesting FDIC Supervisory Highlights on some of what we discussed here. They are taking a broad view of scam fraud as it relates to obtaining credentials/access devices. They still have not "jumped" yet to the debit card itself, but another thing to take note of is that with P2P transactions, they seem to be putting the onus on the depository institution and the app provider, i.e. Zelle, CashApp, etc. They say Error Resolution under Reg. E is the responsibility of both. Maybe they are only talking about the limited requirements of 1005.14(c), but they don't really seem to be restricting it to that.

https://www.fdic.gov/regulations/ex...s/documents/ccs-highlights-march2022.pdf

Here's their reason for not restricting it to 1005.14(c): "When an MPP 5 | Consumer Compliance Supervisory Highlights entered into an agreement with a consumer, that agreement extended to the financial institution holding the consumer’s account."

Really?

Yeah, it doesn't seem to be in line with the Regulation. My understanding is it depends on how the transaction works, but, if the debit card is not what is accessed with the P2P, then the 1005.14(c) "out" usually applies.

Besides the chargeback rights Brian mentioned, does the bank have any responsibility to make the customer whole if the merchant does not?

Or does the bank have any responsibilities in the authorized transaction but never received goods/services scenario besides assisting with the chargeback process?

Thank you.

There are no Reg E protections for when the customer initiates the transfer and is charged the correct amount. You attempt to assist the cardholder as your Visa/MC contract requires, but that is where your responsibilities end.

Brian - thank you for confirming.