Consider this, however (my opinion of the situation):
For 1005.14 to apply here, FBPay would have to issue an access device that can access the consumer's bank account without FBPay having an agreement with the bank. That isn't the scenario here. In this case, the cardholder gave card information (not account information) to FBPay, so the transaction comes to the bank via traditional card network connections. It's another version of the cardholder providing the access device to a third party with authorization to use it to complete transactions until notifying the card issuer that the authorization is cancelled.
Contrast that with a customer with a bank debit card who sets up an account with Venmo and gives Venmo routing and account number information to tap or credit the bank account for Venmo receipts and payments. They also give Venmo debit card information that connects indirectly to the same bank account.
If the customer issues a Venmo payment and has no money in their Venmo account, Venmo will debit the funds using either the account information or the debit card information, depending on instructions from the customer. If the transaction comes in via ACH, Venmo is the responsible financial institution under 1005.14. If it comes in as a debit card transaction, the issuing bank is responsible for EFT compliance.
John S. Burnett
Fighting for Compliance since 1976
Bankers' Threads User #8