Please let me know if my opinion is correct on the following... a fraudster spoofs a bank phone number and impersonates the bank’s fraud department. The fraudster makes the customer believe there is fraud on the account and asks the customer to share online/mobile credentials then a subsequent text to validate identity. The fraudster issues payments from a real-time mobile payments function, such as Zelle.

In my opinion, unfortunately, the transactions are unauthorized (unless otherwise indicated by the consumer) and we cannot impose liability on the customer just because the credentials were shared (negligence). The customer did not give the credentials to authorize a transaction but thought they were assisting the institution with preventing fraud. I would consider this account takeover with subsequent transactions thus the bank is liable and must provide a refund notwithstanding other caveats such as timing of customer notification, etc.

The commentary to the definition of an unauthorized electronic funds transfer (1005.2(m)) notes that 'unauthorized' includes:

3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.

Yes. These transactions are unauthorized and covered by Reg E.

Brian - I agree with your comments that this is unauthorized. As an aside, I reviewed our Online Banking Agreement and in there we state " You should never provide your Username and password to another individual. If you provide your Username and password to another individual, you are authorizing them to act on your behalf and you are responsible for their actions. We are not liable for the actions of individuals you provide your Username and password to." Obviously the intent was to inform the consumer if they need to safeguard their user information.

What about this example (happens a lot at our bank): Customer willfully provides online credentials to "friend" for them to make a mobile deposit into their account. However, the "friend" initiates a electronic funds transfer debit (popmoney transfer, electronic bill payment, etc.) from their account. Essentially the "friend" exceeded the customers authority by making debit transactions instead of a deposit. Typically, the customer is convinced they have a friend but in reality they are fraudsters (i.e. Romance Scam victims).

Would this be considered an unauthorized electronic funds transfer subject to Reg E?

Warning: Gray Area (like so much of Reg E's authorized/unauthorized provisions)

One could argue that, when the basis of the entire "friendship" is fraudulent (romance scams, for example), the access device (the number, code, etc.) is obtained fraudulently, and all the transactions by the "friend" are unauthorized.

On the other hand, when the basis for the relationship isn't fraudulent (college roommate, family member, drinking buddy, BFF, and so on), and the cardholder initiates the sharing of the access device, I think the old Reg E rule about an individual exceeding his/her authority before the cardholder notifies the bank that the individual is no longer authorized to use the card fits the situation.

Of course, figuring out where the boundary between those scenarios lies is the challenge.

Thanks for the analysis. I agree it is a gray area.

On the heels of that, though - stupidity isn't a viable reason to deny a claim. In situations where there is too much gray to see through to the other side of the lake, your best bet is to err on the side of your customer. Then politely refuse another debit card.