Fraud and Regulation E
Last week, America’s Credit Unions hosted its Regulatory Compliance Certification School. Congrats to all the new Certified Credit Union Compliance Officers (CUCOs)! Now you are all experts on all the rules and regulations that impact credit unions! Let’s apply some of that knowledge to fraud, specifically, Regulation E and fraudsters.
Before we dive into fraud and go into additional detail on the different types of errors, let’s revisit one of our previous Regulation E blogs. That blog explained that under Regulation E, an “unauthorized electronic fund transfer” (EFT) is defined as any EFT from an account initiated by someone other than the consumer without authority to initiate the transfer and from which the member receives no benefit. Unauthorized EFTs include transfers using an access device that was obtained by robbery or fraud, and transfers a member was forced to initiate. The term does not include transfers where the member acted fraudulently or when the member gave someone else permission to use her access device.
Credit Union Impersonation Scams
Let’s look at an example of fraud that we all may know too well. A fraudster calls Henry pretending to be his credit union, and Henry provides the fraudster with his account information and verification code. The fraudster uses his information to initiate EFTs from his account. According to the commentary of Regulation E, the EFTs are unauthorized because the information was obtained via fraud, even though Henry voluntarily provided his information to the fraudster. The same would hold true if Henry provided the fraudster with access to his peer-to-peer (P2P) payment account because it directly or indirectly holds an account belonging to Henry and the EFT was initiated by a person other than the member without authority to initiate the transfer (i.e., the fraudster). Here is another blog with more information on P2P payments and fraud.
Regulation E’s rules and commentary as well as the CFPB’s Electronic Fund Transfer FAQs (FAQs) all support the conclusions above because the definition of unauthorized transfer includes the situation in which an access device was obtained through fraud. Sometimes this is confusing because no debit card was involved and credit unions often associate the term access device with a debit card. After all, debit cards are common access devices used by members to make electronic transfers. However, it is important to remember that an access device is also a “code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”
This type of scenario comes up quite often for the compliance team, as fraudsters continuously implement new strategies to trick people out of their account information, passwords, and other codes needed to gain access and make transfers. Fraudsters may pretend to be a credit union employee, the member’s employer, an IRS agent, a family member in need, or any other number of people they assume the member will trust. Ultimately, if account access is obtained through fraud, a subsequent transfer initiated by the scammer is unauthorized under Regulation E.
Consumer Negligence
Another question that we hear is how to handle a member who is naïve, overly gullible or even just plain negligent? Will a credit union be liable for a member who consistently provides account access to fraudsters?
First, regarding negligence, the commentary and the CFPB’s FAQs have expressly stated that negligence by a member cannot be used as the basis for imposing greater liability than is permissible under Regulation E. This means that a member who writes their PIN on the back of their debit card or on a piece of paper kept with the card will not be held more liable than those who don’t. As such, a credit union may not use this as the basis for imposing more liability than is permissible under Regulation E. So, what can a credit union do?
A credit union dealing with this issue may want to try a variety of different strategies to reduce the risk of loss to these types of schemes. For example, some credit unions have implemented fraud alerts for members that have previously been the victim of fraud. For these members, the credit union sends an alert after every transaction and not just transactions that trigger the credit union’s normal fraud system.
Additionally, some credit unions provide a brief guide, video, or training explaining different types of fraud and shedding light on the ways some people may try to gain account access. This is a strategy that can be used for all members so they are more alert and can more easily recognize when they are being targeted by a fraudster. In more severe cases, where members have given out access to information on several occasions, credit unions have relied on their limitation of services policies to limit the types of transactions the member is able to make.
If your credit union is struggling with these types of unauthorized transfers, try reaching out to the Compliance Community for advice from your peers.