The NCUA's consumer compliance area has said that among the mostcommon complaints it receives are those related to Regulation E,which governs electronic funds transfers.

Recently, I taught a session on Regulation E at a debit cardschool in Boston hosted by debit consulting firm PayFusion. Theparticipants, each of whom represented credit unions, had varyinglevels of experience with unauthorized transactions on debit cards.As well, they had a wide range of policies and procedures in placeto investigate these occurrences.

One issue we discussed at the school was this: If a member'sdebit card has been stolen and he claims that someone is using hiscard to make unauthorized transactions, what steps must wetake?

First, get out your Reg E error resolution procedures. Themember's story may or may not be true, and that's what you have tofind out. Check to see that you have all the information you needfrom the member (name, account number and details of the error)because you can't investigate if you don't know what you arelooking for.

If the member's notice includes the necessary info and wastimely (within 60 days of the statement on which the errorappeared), you can begin to follow your error resolution proceduresand investigate.

It's important to understand, however, that you only have alimited amount of time to do so. Generally speaking, you have 10business days to investigate whether an error occurred (you havemore time for new accounts or if you grant provisional credit).

Keep in mind that you are not allowed to require your member tocomplete an affidavit or a police report before you begin theinvestigation. You may request that he do so, but you cannotrequire it as a condition of investigating the error.

If you find that an error occurred (i.e. the member's card wasstolen and unauthorized transactions were conducted), you need tocorrect the error and notify the member.

If you find that no error occurred (the transactions wereauthorized), you also need to notify the member of the results ofyour investigation. Regulation E provides specific timeframes inwhich these actions must be taken.

It's critically important for credit unions to have policies andprocedures in place to address Regulation E complaints. Just asimportant is an effort to track and document your timelyresponses.

This type of discussion is almost always followed by a second,bigger question – If indeed the transactions were unauthorized, howmuch liability does the member have?

There are three tiers of liability under Reg E with respect tounauthorized transfers. If an access device is involved (forexample, a member's debit card), the liability may be up to $50 orup to $500, depending on when the member notifies the creditunion.

Moreover, if the member does not report an unauthorized EFT thatappears on the member's periodic statement within 60 days of thestatement being sent, the member could have unlimited liability fortransactions that occur after the 60 days and until the membernotifies the credit union.

In addition, VISA and Mastercard, as well as state law, mayimpose less liability on the member than Reg E. Thus, the bestanswer as to what is a member's liability under Reg E forunauthorized transfers really is “it depends.”

AndreaStritzke is vice president of compliance for PolicyWorks in DesMoines, Iowa.