IBA Compliance Connection

Your go to source for compliance!

A customer just notified us that ACH fraud has occurred on their account for the last six months. Does Regulation E require that we credit the customer for unauthorized transactions made during the sixty-day period preceding the notification, or for the sixty-day period occurring after the first unauthorized transaction that occurred when the fraud first began?

by

admin

Your bank likely will be required to credit the customer for unauthorized transactions that occurred during the first sixty days after you transmitted a periodic statement showing an unauthorized transaction. Under Regulation E, when a customer fails to report an unauthorized transaction within sixty days after transmittal of the statement showing the unauthorized transaction, the customer faces unlimited liability for unauthorized transfers that occur after that sixty-day period (up to the date on which the customer notifies the bank about the unauthorized transactions). However, the bank still must reimburse the customer for the unauthorized transactions that occurred during the initial sixty-day period.

For resources related to our guidance, please see:

  • Regulation E, 12 CFR 1005.6(b)(3) (“Periodic statement; timely notice not given. A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution’s transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer’s liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable.”)
  • Regulation E, Official Interpretations, Paragraph 6(b)(3), Comment 2 (“Transfers not involving access device. The first two tiers of liability do not apply to unauthorized transfers from a consumer’s account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution’s transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution. For example, a consumer’s account is electronically debited for $200 without the consumer’s authorization and by means other than the consumer’s access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer’s account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.”)