Debit Card Fraud: Who Is Responsible?

Question:

I have a very specific Regulation E question that I believe I have the answer for, but others at the credit union have a different opinion.  Let me give you the scenario:

  • Cardholder is contacted by someone pretending to be a credit union employee, who states the cardholder’s card has fraud on it. 
  • The fraudster provides the last 4 digits of the card number as “proof” they are the credit union.
  • The fraudster tells the cardholder the card is tied to a digital wallet and that the credit union is sending a code to deactivate it. 
  • Of course, the text received by the cardholder states “do not share code with anyone” and is actually a code to activate ApplePay.
  • The cardholder ignores the warning and gives the fraudsters the code and the fraudster immediately starts sending through charges. 
  • The card gets blocked by the credit union’s fraud monitoring and the cardholder is sent an alert. 
  • The fraudster (still pretending to be the credit union fraud department) tells the cardholder to go ahead and indicate the charges are valid, which the cardholder does.  

The cardholder did not enter their card number into the website or the digital wallet. They just gave the fraudster the code to do so and verified the charges as valid. Is the cardholder liable, or is the credit union liable under Reg E and/or Visa’s zero liability?

Answer:

Unfortunately, in this case, the credit union will be liable for the unauthorized charges that occurred. Here is the definition of unauthorized transaction from Reg E:

(m) “Unauthorized electronic fund transfer” means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.

The commentary to this section of Reg E provides additional clarification: 

  1. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.

I also want to provide the Reg E definition of “access device” because it’s pertinent here. It doesn’t mean just the card; it applies to the security codes too: 

(1) “Access device” means a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.

Reg E liability for unauthorized transactions often comes down to the question, “did the cardholder intend to make a transaction?”  It does not matter how naive they are or negligent they were. Did they think they were making a transaction?  If the answer is no, the credit union is liable. 

It is clear based on your narrative the cardholder was tricked into providing an access device (the security codes) and did not intend to authorize any transactions. The credit union is responsible for the subsequent unauthorized charges that occurred.

The CFPB also published some Reg E FAQs.  One of them addresses this exact issue:

Error Resolution: Unauthorized EFTs Question 5: A third party fraudulently induces a consumer into sharing account access information that is used to initiate an EFT from the consumer’s account. Does the transfer meet Regulation E’s definition of an unauthorized EFT?

Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Fund Transfers Question 1, Regulation E defines an unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.

Visa’s Zero Liability policy does allow some leeway if negligence is involved. But I don’t even think that’s the case here – just someone who is incredibly naive. And it’s a moot point anyhow. Reg E applies and has no exceptions for consumer negligence.