IBA Compliance Connection

Your go to source for compliance!

A customer recently notified us of several unauthorized online debit card transactions that occurred during a four-month period earlier this year, and their debit card was not lost or stolen. We are aware that under Regulation E, customers face unlimited liability for unauthorized transactions that occur more than sixty days after transmission of a periodic statement showing an unauthorized transaction up to the date we are notified of the unauthorized transaction. However, is there a requirement that those subsequent unauthorized transactions be recurring or initiated from the same place as the first unauthorized transaction?

by

admin

No, we are not aware of any requirement under Regulation E that subsequent unauthorized transactions be recurring or from the same place as the first unauthorized transaction for a customer to be liable for them.

Your bank likely will be required to credit the customer for any authorized transactions that occurred during the first sixty days after transmittal of the periodic statement showing the first unauthorized transaction. However, you are correct that your customer faces unlimited liability for the unauthorized transactions that occurred after the initial sixty-day period up to the date you were notified of the unauthorized transactions.

For resources related to our guidance, please see:

  • Regulation E, 12 CFR 1005.6(b)(3) (“A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution’s transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer’s liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable.”)
  • Regulation E, Official Interpretations, Paragraph 6(b)(3), Comment 2 (“Transfers not involving access device. The first two tiers of liability do not apply to unauthorized transfers from a consumer’s account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution’s transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution. For example, a consumer’s account is electronically debited for $200 without the consumer’s authorization and by means other than the consumer’s access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer’s account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.”)