Hi All,

I am still new to Reg E (and compliance in general) and feeling things out. I appreciate any input

An issue that seems to occur frequently is that a client will get scammed/phished/etc. by a fraudster to provide their Online Banking access credentials and to get past multi-factor authentication. Once the fraudster gains access to Online Banking, the fraudster sends unauthorized Zelle EFTs. If it ended there, I think that the EFTs would be unauthorized, and therefore covered by Reg E, since the client did not authorize the transaction and the transfer was initiated by a person who obtained the access device from the client through fraud.

However, in order to complete the Zelle transaction, the client must confirm the transaction by text message to the phone number associated with the individual's account.

The client did not authorize the transaction at the time he provided the access credentials to the fraudster, nor at the time when the fraudster initiated the fraudulent transaction. However, the client did authorize the transaction through the text message prior to the EFT being completed. Without that step the EFT would not have been sent. Is this type of authorization by the client enough to remove the EFT from the realm of unauthorized transactions?

This strikes me as an odd set of circumstances. Did you confirm with the customer that they actually confirmed that transaction via text? It seems possible to me that the fraudster could change the confirmation number that receives the text. Alternatively, the customer may have thought they were confirming money coming in or a separate Zelle transaction. I think this information informs the investigation but I don't think I would consider it authorized just because of the text confirmation without inquiring further.

I agree with Inspector. A customer who is negligent enough to fall for a phishing scheme is equally negligent to not understand a purpose of the confirmation text they are receiving. I'd put this in the same vein as the numerous posts we see on BOL asking if we can deny a claim because a consumer responded to an automated fraud alert software that debit card purchases were authorized when they actually weren't.

My approach to claims like these are to honor the claim and then remove the customer's access to ever use Zelle because it's usually only a matter of time before they are making another claim.

and then remove the customer

Well, you got that part right