Policies and Procedures Important in Lost-Stolen Card Situation
The NCUA’s consumer compliance area has said that among the most common complaints it receives are those related to Regulation E, which governs electronic funds transfers.
Recently, I taught a session on Regulation E at a debit card school in Boston hosted by debit consulting firm PayFusion. The participants, each of whom represented credit unions, had varying levels of experience with unauthorized transactions on debit cards. As well, they had a wide range of policies and procedures in place to investigate these occurrences.
One issue we discussed at the school was this: If a member’s debit card has been stolen and he claims that someone is using his card to make unauthorized transactions, what steps must we take?
First, get out your Reg E error resolution procedures. The member’s story may or may not be true, and that’s what you have to find out. Check to see that you have all the information you need from the member (name, account number and details of the error) because you can’t investigate if you don’t know what you are looking for.
If the member’s notice includes the necessary info and was timely (within 60 days of the statement on which the error appeared), you can begin to follow your error resolution procedures and investigate.
It’s important to understand, however, that you only have a limited amount of time to do so. Generally speaking, you have 10 business days to investigate whether an error occurred (you have more time for new accounts or if you grant provisional credit).
Keep in mind that you are not allowed to require your member to complete an affidavit or a police report before you begin the investigation. You may request that he do so, but you cannot require it as a condition of investigating the error.
If you find that an error occurred (i.e. the member’s card was stolen and unauthorized transactions were conducted), you need to correct the error and notify the member.
If you find that no error occurred (the transactions were authorized), you also need to notify the member of the results of your investigation. Regulation E provides specific timeframes in which these actions must be taken.
It’s critically important for credit unions to have policies and procedures in place to address Regulation E complaints. Just as important is an effort to track and document your timely responses.
This type of discussion is almost always followed by a second, bigger question – If indeed the transactions were unauthorized, how much liability does the member have?
There are three tiers of liability under Reg E with respect to unauthorized transfers. If an access device is involved (for example, a member’s debit card), the liability may be up to $50 or up to $500, depending on when the member notifies the credit union.
Moreover, if the member does not report an unauthorized EFT that appears on the member’s periodic statement within 60 days of the statement being sent, the member could have unlimited liability for transactions that occur after the 60 days and until the member notifies the credit union.
In addition, VISA and Mastercard, as well as state law, may impose less liability on the member than Reg E. Thus, the best answer as to what is a member’s liability under Reg E for unauthorized transfers really is “it depends.”
Andrea Stritzke is vice president of compliance for PolicyWorks in Des Moines, Iowa.