Charlie Consumer walks in and says that there’s been an unauthorized transaction on his account for $100 a week for the past 2 years. If your first thought is that you don’t have to refund anything to this consumer, you’re wrong. I can hear you right now “but what about the 60-day rule in Reg. E? We don’t have to investigate.” Well, you’re right. Section 1005.11 of Reg. E (12 CFR 1005.11) states that if the consumer does not provide notice to the financial institution within 60 days after the periodic statement on which the first alleged error appeared, the financial institution does not need to comply with the error resolution procedures of Reg. E. But that does not mean that you can still hold the consumer liable for unauthorized transactions in excess of what § 1005.6 provides. Section 1005.6 has its own 60-day rule, but it still requires some refund. In the past few weeks we’ve received numerous question on how these two 60-day rules interact. So, let’s take a closer look at these two rules. While we’re at it, we’ll look at another timing rule that trips up a lot of banks, the 2-day rule for lost or stolen access devices.
First, let’s look at the 60-day rule and the error resolution procedures. Section 1005.11 outlines procedures an institution must follow in resolving errors related to an electronic funds transfer (EFT). In addition to an unauthorized transaction, the term “error” includes: an incorrect EFT to or from the consumer’s account; the omission of an EFT from a periodic statement; a computational or bookkeeping error made by the institution relating to an EFT; the consumer’s receipt of an incorrect amount of money from an electronic terminal; an EFT not identified in accordance with Reg. E’s electronic terminal receipts and preauthorized transaction requirements; or the consumer’s request for documentation or for additional information or clarification concerning an EFT. If a consumer provides you notice of an error with 60 days of the periodic statement on which the first alleged error appeared, you must comply with the error resolution procedures as outlined below. If the consumer does not provide the notice within 60 days of the periodic statement on which the first alleged error appears, you do not need to comply with the error resolution procedures.
While we’re on the subject of notice, let’s discuss a couple other issues that often arise. You cannot require that the notice be made in writing. Once the consumer provides you notice of the error (as long as it enables you to identify the consumer’s name and account number, and indicates why the consumer believes an error exists and includes to the extent possible the type, date, and amount of the error), the clock on your response is running. Now, you can require that a consumer who provides an oral notice confirm that notice in writing within 10 business days, but you cannot delay your response to the notice simply because you do not have it in writing. If you require written confirmation of an oral notice, you must inform the consumer of the requirement and provide the address where the written confirmation must be sent at the time of the oral notification. You may not require the consumer to use a specific form. You may not require that they file a police report. All that a consumer need do is provide you with the notice and that starts the clock.
I am not going to spend a lot of ink on the ins and outs of the error resolution process, but I will provide a brief overview for you to understand what the first 60-day rule requires. Once you receive a notice, you must promptly begin an investigation into the error. If you are unable to complete the investigation, you can extend the 10 days to 45 days by giving the consumer a provisional credit in the amount of the alleged error and sending a notice to the consumer of the provisional credit. If the notice was provided orally and the consumer did not provide the written confirmation that you require, you do not need to provide the provisional credit-this is the only requirement that is waived by not providing the written confirmation. If you determine that an error occurred, you must correct it (including refunding any amount for which the consumer is not liable) within one business day and report the results of the error to the consumer within three business days. If you determine that an error did not occur, you must provide written notice to the consumer informing the consumer of your determination and the right to request copies of the documents you used to determine no error occurred. Before you debit any provisional credit, you must notify the consumer of the date and amount of the debiting and that you will honor any transactions without charge to the consumer for five business days after the notification to the same extent that you would if the provisional credit was not debited.
Now, let’s look at the consumer’s liability for unauthorized transactions. Section 1005.11 of Reg. E only describes the error resolution procedures, it does not describe how and when a consumer is liable for an unauthorized transaction. Even when you are not required to comply with the error resolution procedures, you may not impose any liability on the consumer in excess of what § 1005.6 prescribes. Section 1005.6 prescribes three different tiers: (1) when a consumer provides timely notice of a lost or stolen access device; (2) when a consumer does not provide timely notice of a lost of stolen access device; and (3) when a consumer does not provide timely notice after a periodic statement. If state law (or your agreement) provides for less liability to the consumer, you must comply with the state law or agreement. No state law or agreement, however, can impose greater liability.
Let’s look at the third tier first. If a customer reports an unauthorized EFT within 60 days of the periodic statement, they are not liable for any amount except as provided by tiers 1 or 2. If they do not provide notice within 60 days, they are liable for those transactions that occurred after the 60th day following the periodic statement and the date they provide the notice if the institution can show that the transactions would not have occurred had the consumer provided notice within the 60-day period. After the first 60 days, the consumer’s liability is unlimited. Except as provided in the first two tiers, a consumer who fails to notify the institution during the 60-day period is not liable for the unauthorized EFTs that occurred during the 60-day period.
Tiers 1 and 2 apply when an unauthorized EFT is accomplished with a lost or stolen access device, such as a debit card. If a consumer notifies the institution within two business days of discovering that their access device was lost or stolen, the consumer is liable for the lesser of $50 or the amount of unauthorized transactions that occurred before the notice was given. If the consumer does not notify the institution within two business days they are liable for the lesser of $500 or the sum of: (i) the amount of unauthorized EFTs in the first two business days (up to $50); and (ii) the amount of unauthorized EFTs that occurred after the close of business on the second business day and before the notice was provided. You must be careful here. If an access device is still in the consumer’s possession, it is not lost or stolen and tiers 1 and 2 do not apply. Also, tiers 1 and 2 apply to unauthorized EFTs that occurred after the consumer LEARNS of the lost or stolen device, not when the first transaction occurred. For example, I steal* Charlie Customer’s ATM card and withdraw $100 every week for 2 months before Charlie discovers his card is missing. If he promptly reports it, he is liable under tier 1 for $50. Now, let’s assume that instead of telling the institution, Charlie tries to get the card back from me, but I am very sneaky and it takes Charlie more than 2 days to track me down. Charlie is now liable for $500 ($500 < $50 from first withdrawal + $700 for the withdrawals after the 2-day period).
Putting it all together with the original example. I stole Charlie’s ATM card on Friday, November 13, 2015 and withdrew $100 every Friday from his account. The statement dropped on Monday, November 16, 2015 and showed my unauthorized withdrawal. I was able to steal $1,000 before the 60-day period expired. Charlie discovered that I stole his card on December 19, 2015 (after I withdrew $600) but he tries to deal with me himself instead of telling the bank. Charlie finally tells the bank on Monday November 14, 2017, after two years, I have stolen $10,500. Who is liable for what? Well the tiers can be added to each other so under tier 2 (because Charlie did not give notice within 2 business days of learning of the stolen card), Charlie is responsible for $500 and under tier 3 (because he did not notify the institution during the 60-day period) he is responsible for the $9,500 I got away with after the end of the 60-day period for a total of $10,000. The institution is liable for $500 of the $1,000 that I withdrew during the first 60 days. Changing the example slightly, I needed extra cash for Christmas in 2015 so I withdrew $100 a day from November 13, 2015 to December 25, 2015 making the total in the 60-day period $4,600 and $14,100 in the two years. Charlie is still only going to be liable for the $10,000 but the bank is now liable for $4,100 of the $4,600 I got away with in the 60-day period.
As you can see, even though the 60-day rule for the error resolution procedures provides that you do not need to investigate errors, you can still have substantial liability for unauthorized transactions when the consumer does not report an unauthorized transaction. The 60-day and 2-day rules for consumer liability can have a substantial bite so do not forget about those little buggers.
*This example is completely fictional. If any of my friends happen to be named Charlie and they happened to have their ATM cards stolen, that is purely coincidental. This is not an admission of guilt.