NAFCU Journal September October 2021

a member “wrote the PIN on a debit card or on a piece of paper kept with the card”? The FAQ notes that this is clearly addressed in comment (6)(b)-2 in the official staff commentary, which states that “negligence by the consumer cannot be used as the basis for imposing greater liability” than what is allowed under the rule. So, the answer is no, negligence does not affect a member’s liability for unauthorized transfers.

FAQs number one and two address issues when a third party “fraudulently induces” a member into sharing account access information. These kinds of fraud are increasingly common, and the first question discusses whether these situations are “unauthorized EFTs” as defined in the rule. The CFPB indicated that the answer is yes, because obtaining an access device through fraud or robbery is an unauthorized EFT, and gave a few specific examples:

[The rule’s commentary] explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.
For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information: (1) a third party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs. (Emphasis added.)

Similarly, question two addresses whether transfers initiated with fraudulently obtained account information are transfers initiated by someone who was “furnished the access device” by the member. Under Regulation E, the Bureau concluded that being induced by fraud into giving someone account information is not furnishing an access device.

Other FAQs are also worth reviewing. For example, question four reminds credit unions of the anti-waiver provisions in the Electronic Funds Transfer Act, which Regulation E implements, that do not allow financial institutions to use contractual language to limit consumers’ rights under the act. Questions six and seven address the ability to require additional information from consumers, reminding credit unions that they may not require filing of a police report or other documentation, or for a member to first contact a merchant about an authorized EFT to initiate an error resolution investigation. The full list of FAQs can be found on the CFPB’s website.

For more details on these rules in general, several past NAFCU Compliance Blog posts discuss these issues.
The Philadelphia Federal Reserve also published its Consumer Compliance Outlook in July 2021 with an article that covers Regulation E liability and error resolution, which is another helpful resource.

Brandy Bruyere is NAFCU’s vice president of regulatory compliance.
