Regulation E requires you to reimburse the customer for the unauthorized ACH transactions that occurred within the first sixty days after your bank provided a periodic statement showing the unauthorized transactions.
For unauthorized transactions on consumer accounts that do not involve a debit card or other access device, Regulation E requires banks to reimburse only the unauthorized transactions that occur within the first sixty days after transmitting the customer’s first periodic statement showing the unauthorized transactions. After those first sixty days, the customer is liable for all unauthorized transactions, up to the date on which the customer notifies the bank about the unauthorized transactions.
For resources related to our guidance, please see:
- Regulation E, 12 CFR 1005.6(b)(3) (“A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution’s transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer’s liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. . . .”)
- Official Interpretations, Regulation E, 12 CFR 1005, Paragraph 6(b)(3), Comment 2 (“The first two tiers of liability do not apply to unauthorized transfers from a consumer’s account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution’s transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution. . . .”)
- Philadelphia Fed, Consumer Compliance Outlook, Error Resolution Procedures and Consumer Liability Limits for Unauthorized Electronic Fund Transfers (Fourth Quarter 2012) (“Unauthorized EFTs Not Involving an Access Device: Comment 6(b)(3)-2. The consumer liability rules are slightly different when an unauthorized EFT does not involve an access device. Most important, the first two tiers of liability do not apply; that is, the institution may not hold a consumer liable for any portion of any unauthorized EFT not involving an access device that occurred on or before the 60th calendar day after the institution’s transmittal of the periodic statement showing the first unauthorized EFT. Instead, an institution may only hold the consumer liable for an unauthorized EFT not involving an access device if the transfer occurred more than 60 calendar days after transmittal of a periodic statement showing the first unauthorized EFT out of the consumer’s account and before the consumer gives notice to the financial institution, provided the institution establishes that the unauthorized EFT would not have occurred had the consumer notified the institution within the 60-day period.”)