Credit union compliance staff have been inundated with new rules and regulations during the past couple of years, but that doesn’t mean your compliance procedures must lag for those regs that haven’t changed. For example, at a recent CUNA Regulatory Compliance School, NCUA indicated that some of the most common consumer complaints it receives are related to unauthorized transactions and Regulation E.
If your member provides you with written notice that his debit card has been stolen and someone is using his card and making unauthorized transactions, what do you do? First, consult your error resolution procedures. And if you don’t have any, create them.
Your member’s story may or may not be true, but that’s what you have to determine. Check to see that you have the information you need from the member (name, account number, and details of the error) because it’s difficult to investigate if you don’t know what you’re looking for.
Let’s assume the member’s notice provides the information you need, is timely (provided within 60 days of the statement on which the error appeared), and is in writing. In the event you receive an oral notice, you still must investigate, but other provisions of the rule might not apply. Assuming a proper notice in all respects, you need to follow your procedures and investigate.
Generally speaking, you have 10 business days to investigate whether an error occurred (you have more time for new accounts or if you grant provisional credit). That means you shouldn’t waste any time.
Keep in mind that you may not require members to complete an affidavit or a police report to begin the investigation. You may request that they do so, but you can’t require it as a condition of investigating the error.
If you find that unauthorized transactions were conducted on the member’s account, you need to credit the account (if you haven’t already) and notify the member. If you find the member authorized the transactions, you still need to notify the member of the results of your investigation. Reg E provides specific timeframes in which you must take these actions.
So, it’s important to have a process in place to address Reg E complaints and to track that the credit union is responding in time. But, the bigger question usually is, were the transactions unauthorized and if so, how much liability does the member have?
There are three tiers of liability under Reg E with respect to unauthorized transfers:
1. Up to $50;
2. Up to $500; and
If an access device such as a member’s debit card is involved, the liability may be up to $50, or up to $500, depending on when the member notifies the credit union.
If the member doesn’t report an unauthorized electronic funds transfer that appears on the member’s periodic statement within 60 days of the statement being sent, the member could have unlimited liability for transactions that occur after the 60 days and until the member notifies the credit union. The unlimited liability may apply in conjunction with the first two tiers of liability.
For example, if the member’s statement shows that unauthorized transfers are made, the member must tell the credit union within 60 days after the statement was sent; otherwise, the member faces unlimited liability for transfers made after the 60-day period. But the member’s liability for any unauthorized transfers before the statement was sent and up to 60 days following is determined based on the $50/$500 tiers of liability.
In addition to the three tiers of liability under Reg E, Visa and Mastercard as well as state laws may impose less liability on the member. In that case, the network rules or state law may control.
Many considerations come to mind when complying with Reg E and the sections that govern unauthorized transfers. So, it pays to review your procedures and make sure you’re following all the rules.