Credit Union Requirements under Regulation E (EFT)

We recently had a member contact us about his debit card being stolen, and we told him that we would give him provisional credit once he files a police report. Did we handle this properly?

In short, no, this was not handled properly. Regulation E, issued pursuant to the Electronic Fund Transfer Act, dictates the proper handling of an unauthorized transaction concerning an ATM/Debit card, and we can assure you that nowhere in the regulation does it allow delayed provisional credit based on the retrieval of a police report. The member/credit union liability set forth in section 205.6 of Regulation E is based solely upon whether a transaction was authorized or unauthorized and whether the member notified the credit union in a timely manner or did not notify the credit union in a timely manner.

An unauthorized transfer is defined in Section 205.2 as “one from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.” It does not include: 1) A transfer by a person who was furnished the access device to the member’s account by the member, unless the credit union has been notified by the member that transfers by that person are no longer authorized; 2) a transfer initiated with fraudulent intent by the member or any person acting in concert with the member; or 3) a transfer conducted by the credit union or its employee. A common misconception is that because the member had his or her PIN with the card, sometimes even written on it, the credit union can hold the member completely liable, because of negligence. That is not the case. Regulation E states: “consumer behavior that may constitute negligence under state law, such as writing a PIN on a debit card, does not affect the consumer’s liability for unauthorized transactions under Regulation E.”

Now that we understand what an unauthorized transaction must consist of, we need to look at timely notification, since that is the second factor in determining the extent of the member’s liability. If your member notifies the credit union within two business days of discovering the loss or theft of the access device (card/PIN), the member will be liable for a maximum of $50 or the amount of the transaction if less than $50. If the member discovers the loss or theft of an access device, but does not notify the credit union within two business days, the member will be liable up to $500. The last tier of liability involves a transfer not involving an access device of any kind. The member has 60 days from the transmittal of a periodic statement to review their statement for unauthorized transfers. The member will never be liable for any unauthorized transfers within that initial 60-day period. If the member discovers errors within the 60-day period, but does not contact the credit union, the member may be responsible for any amount from the 61^st day until the day of notification to the credit union.

Each one of the liability tiers are described in the EFT disclosure you provide your members, so it is very rare to see the $500 liability imposed since members know the timeline requirements. Therefore it is most typical to see the credit union absorb any amount over $50 in an unauthorized transaction. This is certainly a thorn in the side of all of you who call us, but the bottom line is Regulation E is a consumer regulation, designed for your member’s protection. In many cases VISA and Mastercard have decreased member liability to $0. Once the member has claimed an unauthorized transaction has occurred, and he or she has provided written notice, the onus is completely on the credit union to determine otherwise. If the credit union investigates the unauthorized claim, but has not come to a conclusion within 10 business days, provisional credit must be provided to the member.