We have a customer who provided her access device to a person. The person used the access device information to initiate several additional transactions (over a three month period). The customer did not call us to tell us that transfers by this person were no longer authorized (until very recently). According to the definitions of Unauthorized electronic fund transfer, it appears that these transactions would not qualify, and that the consumer would be liable. Is this true?

You're correct. Section 205.2(m) defines an "unauthorized EFT" as:

Unauthorized electronic fund transfer means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated:

(1) By a person who was furnished the access device to the consumer’s account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized;
(2) With fraudulent intent by the consumer or any person acting in concert with the consumer; or
(3) By the financial institution or its employee.

DD, can I get your opinion on a similar situation? Customer and girlfriend lived together until recently and he "allowed" her to use his debit card to pay bills (this is an individual account). They are no longer together and she has now used the card to purchase items at on-line catalog site.

The way I see this is that we are not liable for these purchases, am I correct, even though he said they were "unauthorized?"

Thanks!

I agree with you. If the boyfriend admitted that he gave the girlfriend permission to sue the card, then future transactions by her are not "unauthorized". However, the day he tells the bank about this, all future transactions by her are not considered unauthorized.

Thanks DD, that was my take on it as well.

all future transactions by her are not considered unauthorized.

Actually, the day he tells you she is no longer authorized to use it, all future transactions ARE unauthorized.

There is more info needed. I read the reg to say that:

David gives me his card, he asks me to get out $100. I take out $200. $100 is unauthorized.

David gives me his card and asks me to take out $100. I do so and return his card. I later take the card without his knowledge/permission and take out $100. That is unauthorized. The evergreen authority some read into the definition at §205.2(m)(1) is negated by the OSC @ 2(m)3. I believe that once the consumer has re-secured the card, they are protected again. I'll discuss this in my upcoming webinar.

Quote:

---

negated by the OSC @ 2(m)3

---

Andy-- I am unfamiliar with this cite. Can you provide a link?

It's the official staff commentary, or official staff interpretations, Supplement I to Regulation E.

John, I guess I am confused as to the statements provided (which is not unusual for me!). It seems like the Reg allows for the scenario I noted: boyfriend gives her card and allows her to use it. Now she makes other transactions which he said are "unauthorized." Since he gave it to her and never notified us that she was no longer allowed to use it, he is liable. However, once he notified us, we did not allow any additional transactions.

What am I missing here?

Andy, my question is whether (in your example) David has really "secured the card." 205.2(a)(1) says that an access device is a card, code, or other means of access, or any combination thereof, that is used to initiate EFTs. 205.2(m) says an unauthorized EFT doesn't include an EFT initiated by someone who was furnished with the access device by the consumer, unless the consumer has notified the financial institution . . .

To me, there are two significant things about that phrase:

1) there's no further restriction (like your example) on "was furnished" - it doesn't say "was furnished unless it was subsequently taken away." (Or, to paraphrase our most recent president, it depends on what the definition of "was" is.)

2) it's the "access device" that's in question. In your example, David didn't just give you the card - he also gave you the PIN. It's the PIN that allowed you to access the account using the card. It seems to me that it's the combination of the card and PIN that is the "access device." In your example, David didn't erase the PIN from your memory, and didn't call the bank to change the PIN. You still had it, and that allowed you to use the card when you took it (without David's knowledge or authority).

For that reason, in your example, I think there is a darn good case that the second EFT was not unauthorized. I don't think the OSC to 2(m)(3) necessarily makes it authorized. To the extent that the PIN is a part of the "access device," then I don't think you can say that the access device was obtained through robbery or fraud. David gave it to you voluntarily and couldn't take it back.

And let's step back and look at the big picture here. When this issue comes up, it's almost always because the cardholder gave authority to someone that they've now had a falling out with, or that did them wrong. The cardholder didn't take proper measures to protect themselves after having given their PIN to someone. When you give your PIN to someone, the bank is helpless to prevent unauthorized transfers by that person unless you notify the bank of the problem. Most people understand that, and though they don't like the fact that someone stole from them, they will live with the fact that the bank won't roll over and take the loss. And also with that backdrop, I'll bet most courts would also side with the bank in interpreting the regulation to say that the transfer wasn't "unauthorized."

Please poke holes in my argument if you wish - that's why I posted it!

Rainman suggests we take a "step back and look at the big picture here." If we truly take in the big picture, we have to realize that the Electronic Fund Transfer Act and Regulation E are unabashedly consumer-oriented. They are part of the Consumer Credit Protection Act. That there is some minimal protection for banks when consumers create these informal "authorized user" arrangements on their own is, frankly, a small gift to financial institutions.

But let's not kid ourselves. There are two potentially conflicting concepts involved here. On the one hand, there is the concept of "authorized user." On the other hand, there is the concept of an access device being obtained through "robbery or fraud."

If the card and PIN are voluntarily (and with no fraud involved) given to someone with authority to use them, and that person retains the card and PIN and exceeds the authority given (by doing a larger transaction than authorized, a different transaction than authorized, or more transactions than authorized), the regulation is pretty clear that none of those transactions will fit the definition of "unauthorized" EFT if the cardholder doesn't notify the card issuer that use is no longer authorized.

However, if someone takes an access device from a wallet without permission and uses it (with or without a PIN, and regardless of whether the PIN was given to that person earlier), that's use of an access device obtained by robbery, and would be unauthorized.

So the question that isn't answered in the regulation or the commentary is whether the "authorized user" status given by the cardholder to someone else terminates when the access device is given back to the cardholder, or, as Andy suggests, whether the "robbery" rule trumps the "authorized user" rule.

Since we stepped back to look at the bigger picture, let's guess what the result would be if one of our customers challenged Rainman's decision in court. I haven't seen any case citations to back me (or Rainman) up. I'll simply suggest that courts would tend to liberally construe the language of the regulation and commentary in favor of the consumer, rather than in favor of the bank. And I base that opinion on the stated purpose of the EFTA, which isn't to protect the bank.

John, you may be right about the court construction, but you may not. Frankly, I think a lot depends on the circumstances and the "likability" of the plaintiff.

As a legal issue, I think you're glossing over the question of whether the "access device" was obtained by fraud or robbery. In our example, the ATM card can't be used at the ATM without the PIN. Under the regulation, I believe that it's the combination of the PIN and the card that is the "access device." Half of the access device (the PIN) was voluntarily given, and half (the card) was not.

As a practical issue, the bank has to look at these on a case by case basis. In our example, David's going to sue the bank to recover the "unauthorized" withdrawals. The bank is going to haul Andy in as a defendant because he's the one who got the money. And the bank is also going to raise the defense that the transfer was not "unauthorized" under the regulation because David gave Andy the PIN. I'd be that in at least half of the cases, when David realizes that: a) Andy's going to be a defendant, and b) the court will see that David gave Andy the PIN, David will decide he doesn't want to go forward with the case. And I'll also bet that in half of the remaining cases, the court will side with the bank, either because the court agrees that the access device was at least partly obtained voluntarily, or because the court just doesn't think it's right for David to win when his own actions prevented the bank from being able to stop the unauthorized transaction. On the remaining 25% of the cases where the bank decides it's likely to lose because the facts are not as clear or because the plaintiff has a lot of appeal, the bank should go ahead and make the payment.

But why take a blanket stance that you should always pay these when you have reasonable arguments that the Regulation doesn't require payment and you're likely to be foreced to pay only a portion of them?

I think that a bank must decide how it will handle situations like this, and Rainman may be correct that they have to be looked at on a case by case basis.

I respect Rainman's opinion and trust that he respects mine. Reasonable people have disagreed on exactly this issue for a long time. I think we both agree that there is no "black and white" answer. As for David and Andy in Rainman's post just above, I believe that David will probably not pursue the case in many if not most cases. From a very practical perspective, most consumers haven't the will, the time, or the money to drag a bank into court, so Rainman's "bets" are probably safe. These folks also often walk with their accounts. Some bankers might say "good riddance" when that happens.

My perspective? I work for an enterprise that often offers advice to banks. Although I may lay out alternative approaches, I will generally recommend the more conservative (read: risk averse) approach.

John, I wouldn't take the trouble to debate with you if I didn't respect your opinion!

Also, remember that you can't penalize someone (increase liability, you can take the card back) for aggravated ignorance. If they write the PIN on the card, that is OK by the Reg. So if they give someone the PIN, that is less than writing it on the card. So don't penalize them for providing that.

The bottom line is that it is a consumer protection regulation, as John noted. I think you'd be hard pressed to claim the theft of the card and its subsequent use as authorized any more than you could say the data given in a phishing expedition was authorized.

I have a question lets say I gave someone my pin and atm card to take out money then I call the bank afterwards and tell them I didnt authorize the transactions, who is liable for the transactions?

you are - you authorized that person to use your card

And if your bank catches you in the act, you could be charged with bank fraud. Don't even think about it!

What if I said I didnt authorize him to use it but I gave him the PIN, Im just curious because Im being blamed for using apersons card and the other person says they didnt authorize me to use it. And I did actually because she authorized me to. And I will show up on the ATM camera. What can I do in my defense. I wish I had the ability to just guess pin codes.

You tell the bank investigator that you were given the access device and code with the owners express consent to use it for the transactions completed, if that is the case. The investigator will determine based on the evidence if they believe the transactions were authorized or not. There is no "reasonable belief" standard to meet.