In our view, you are required to reimburse the customer for debit transactions that you determine are unauthorized, regardless of whether the transaction was verified through the Verified by Visa program. Our understanding of the Verified by Visa program is that it is a free service for cardholders intended to verify customer identity during online transactions. When a customer signs up for the program, they create a password that they must enter for all online transactions with participating merchants. Presumably, this creates an extra layer of customer authentication for online purchases.
Under Regulation E, a bank must reimburse consumer customers for unauthorized transactions that occur within 60 days after they appear on a periodic statement. We are not aware of any exception to this requirement based on Visa’s determination that the transaction was “verified.” However, your bank is required to reimburse the customer only for those transactions that you determine are “unauthorized.” A transaction is unauthorized if it involved an electronic transfer from the customer’s account initiated by a person other than the customer without authority and from which the customer received no benefit. If your investigation under Regulation E leads you to conclude that the transaction was authorized, your bank is not liable for reimbursement.
For resources related to our guidance, please see:
-
Verified by Visa (For Consumers) (“Verified by Visa often works behind the scenes when you're shopping online. There may be times when you will be asked by your bank to provide more information to confirm the purchase. This helps make certain that you’re the only person using your card online.”)
-
Verified by Visa (For Merchants) (“Verified by Visa relies on the Three-Domain Secure (3-D Secure) Protocol, which serves as the mechanism for cardholder authentication at the time of an eCommerce purchase. For merchants, Verified by Visa provides an additional level of security prior to authorization, and for cardholders it creates the trust they seek when shopping online.”)
-
Regulation E, 12 CFR 1005.6(b)(3) (“A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer's liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period.”)
-
Regulation E, 12 CFR 1005.2(m) (“‘Unauthorized electronic fund transfer' means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated: (1) By a person who was furnished the access device to the consumer's account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized; (2) With fraudulent intent by the consumer or any person acting in concert with the consumer; or (3) By the financial institution or its employee.”)