Unauthorized Transactions and Error Resolution Procedures
The Compliance team receives a lot of questions about unauthorized transactions, so today’s blog is going to provide an overview of the error resolution procedures under the Electronic Fund Transfer Act (EFTA) and its implementing regulation, Regulation E. Regulation E has specific procedures in place that a credit union must follow when a member informs it of an unauthorized transaction. Regulation E provisions apply to all electronic fund transfers (“EFTs”), such as digital payments, debit card and ACH transactions.
Defining “Unauthorized EFT”
With that said, let’s start by going over what the regulation says about an unauthorized EFT. Section 1005.2(m) defines it as follows:
“[A]n electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated:
- By a person who was furnished the access device to the consumer's account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized;
- With fraudulent intent by the consumer or any person acting in concert with the consumer; or
- By the financial institution or its employee.” (Emphasis added).
This means, if a transaction was initiated by someone who obtained access to a member’s device without authority to make any transfers, this would be considered an unauthorized EFT. However, if the member gives their son or daughter permission to use their debit card and then they make a purchase for more than what the member expected, it is not considered an unauthorized EFT because the member gave their son or daughter the permission to use the card.
Error Resolution Procedures
Once a member has notified the credit union of the unauthorized EFT and it meets the definition of the type of transfer covered, section 1005.11 is triggered, which discusses the procedures for resolving the error. Paragraph (b) of the section addresses the timing of the member’s notice of error, stating that a credit union must comply with these procedures if the member’s notice:
“(i) Is received by the institution no later than 60 days after the institution sends the periodic statement or provides the passbook documentation, required by § 1005.9, on which the alleged error is first reflected;
(ii) Enables the institution to identify the consumer's name and account number; and
(iii) Indicates why the consumer believes an error exists and includes to the extent possible the type, date, and amount of the error, except for requests described in paragraph (a)(1)(vii) of this section.”
Based on the above, a member has 60 days from the date the credit union sent the periodic statement that reflects the unauthorized EFT to make such notification. The notification must include information sufficient for the credit union to identify the member, their account number and the unauthorized EFT. Oral notification from a member is sufficient to trigger the error resolution procedures. Additionally, a credit union can require members to provide written confirmation of an unauthorized EFT within ten days of the oral notice, but the timing requirements are still based on the date it received the oral notice. Section 1005.6 discusses the various amounts of liability that can be passed on to a member for unauthorized EFTs, which depend on the timing of the member’s notification to the credit union and will not be discussed in this blog. Furthermore, the EFTA explicitly allows for a private cause of action where a member can sue for civil liability when their rights under the Act are violated. Successful plaintiffs may be awarded actual and statutory damages, as well as attorney’s fees.
Investigating the Error
Paragraph (c) describes the time limits for a credit union to investigate the unauthorized EFT after a member provides the notice of error:
“A financial institution shall investigate promptly and, except as otherwise provided in this paragraph (c), shall determine whether an error occurred within 10 business days of receiving a notice of error. The institution shall report the results to the consumer within three business days after completing its investigation. The institution shall correct the error within one business day after determining that an error occurred.” (Emphasis added).
In other words, a credit union has ten business days (which does not include the day the error was reported) to complete the investigation and determine if an error has occurred, three business days to notify the member, and one business day to correct the error. Please note that paragraph (c) outlines two situations in which the ten-day timeframe can be extended. First, a 20-day timeframe applies if the EFT at issue was made within 30 days after the first deposit to the account. Second, a credit union may take up to 45 days if it does all of the following:
- Provisionally credits the member’s account in the amount of the alleged unauthorized EFT at issue within ten days of receiving notice from the member;
- Informs the member of the amount and date of the provisional credit within two days of making such credit;
- Allows the member full use of the credited funds;
- Corrects any EFT within one business day of determining it was unauthorized; and
- Reports the results of the investigation to the member within three business days of completing the investigation.
During the investigation, a credit union may ask the member for documentation or other information. However, a credit union may not postpone the investigation nor deny a claim based solely on the member’s failure to provide such documentation. For example, although the credit union can request a copy of a police report the member has filed, it cannot require the member to provide a police report before it begins or completes its investigation of the error. Similarly, the credit union cannot deny the member’s claim because a police report was not provided, nor because a member refused to dispute the transaction with the merchant.
If it is determined that no unauthorized EFT occurred, section 1005.11(d) requires the credit union to provide the member with a written explanation of its findings and inform the member of his or her right to request documentation supporting that finding. Documentation must be provided upon request. In addition, section 1005.11(d) outlines notification requirements for debiting the provisional credit given to the member during the investigation. Otherwise, if a member reasserts the same error after a credit union fully complies with the error resolution requirements, section 1005.11(e) provides that the credit union has no further responsibilities under this section for the same error.
Other Error Resolution Procedures
Lastly, other non-Regulation E error resolution processes may be implicated. For example, if the transaction involved an ACH credit or debit, a credit union may want to reference NACHA rules and/or reach out to their NACHA representative to ask any questions regarding the rules and requirements of the credit union’s ACH process. Additionally, it may be helpful to review the card network agreement. The card networks, such as Visa/Mastercard/American Express/Discover, have their own rules that credit unions may be contractually obligated to follow as part of their agreement with the card network, which could possibly include restrictions on cardholder disputes. Credit unions may want to consult with their card network representative when determining how the rules could impact their rights or obligations.
For additional information, America’s Credit Unions has a blog post from last year which discusses regulatory agencies’ outline of Regulation E pitfalls. The post discusses steps credit unions can take to help ensure Regulation E compliance as well as common violations. Another compliance blog posted last year discussed the attempt by the CFPB and the New York Attorney General’s Office to expand liability for fraudulent wire transfers.
The CFPB has FAQs which can aid in compliance with the EFTA and Regulation E. In addition, the CFPB’s 2025 supervisory priorities have given some insight into where the new administration stands on this issue. As always, the Compliance Team can be reached at compliance@americascreditunions.org with any questions.