According to the Identity Theft Resource Center and CyberScout, the number of data breaches in 2017 reached a record high of 1,579. This is a 44% increase over the previous record-setting high in 2016. The good news is, financial institutions did not top the list when it comes to the type of entities that were breached. The bad news is, the likelihood that your financial institution, regardless of size, will be impacted by these breaches is high.

Unfortunately, there is more bad news that increases the odds. ATM malware first surfaced in 2009 and, in 2017, we saw the emergence of a new form of cybercrime – ATM malware-as-a-service. As this evolves, experts are indicating that in 2018 we could the see full automation of ATM malware attacks. By using a mini-computer automatically attached to an ATM, fraudsters can install the malware and collect card data in a very short period of time.

And then there was the notorious Equifax breach. Sensitive data of more than 140 million U.S. residents was exposed. The impact of this type of “big data” leak has too many implications to discuss in one article. But, we do know criminals use the data for financial gain.

What does this mean for compliance and deposit officers? While IT and security personnel are diligently working to enhance security measures at your institution, compliance and operations professionals are often dealing with the aftermath – fraudulent transactions reported by consumers, the victims.

Deposit Managers Must Prepare for an Increase in EFT Error Claims

The increase in security breaches and the emergence of new threats should have all financial institutions proactively preparing for an increase in unauthorized transactions and other alleged errors subject to the rules of the Electronic Funds Transfer Act. The EFTA, otherwise known as – and implemented by – Regulation E, was enacted in 1978, but 40 years later it is still a source of confusion for many financial institutions.

Let's face it, most consumers don't really know their rights if they believe an “error,” such as an unauthorized transfer, has posted to his or her account. And in many instances, financial institutions find the complexities of the regulation confusing or too burdensome. In response, institutions implement procedures that often result in either reimbursing money they shouldn't or aren't required to, or not reimbursing enough, which can result in an adverse snowball effect on the consumer, increasing both compliance and legal risk. Neither of these scenarios is favorable, so it's easier to pick the worst of the worst.

Challenges for Compliance Officers

When a consumer notifies an institution of an alleged error – verbally or in writing – the Reg E “time clock” is triggered and compliance with the error resolution procedures is required. The claim and the investigation must be documented, notices must be given and the consumer's liability must be properly calculated, all within the timeframes established by Reg E. The rules established by NACHA for ACH transactions and the card networks for debit cards are contractual in nature and may overlap, but they do not “trump” Reg E. Rules that are more favorable to the consumer, such as zero liability, can take precedence over Reg E, but in all other instances the federal regulation prevails. For example, the investigation period for a claim involving a P.O.S. transaction is 90 calendar days. The chargeback process may take longer, but the claim must be finalized and closed in accordance with Reg E.

At the time Reg E was adopted in 1978, paper-based payments far outnumbered electronic fund transfers, making the process a little less complicated. Today, obviously, the exact opposite is true. EFTs are the predominant payment method, and with the number of data breaches across all industries, the number of fraudulent transactions reported by consumers is predicted to increase.

To comply with Reg E, financial institutions have to know when a claim has officially been made so it can be investigated and resolved within the timeframe set forth in the law. Institutions must know when to issue provisional credit to consumers while the investigation moves forward, when it must be completed and the final credit issued, or when provisional credit can be revoked if the investigation shows that no error actually occurred.

And there's more. As I stated above, to avoid issues or to skirt figuring out the complexities of Reg E, financial institutions are often conducting no investigation and just reimbursing consumers – even when some liability could be imposed. Avoiding the complexities of Reg E by handling claims in this manner used to seem like the easiest solution for everyone. But with the increase in claims, it is no longer a prudent practice.

Consider the following example: Two unauthorized transactions have posted to a consumer's account as a result of a lost debit card, one in the amount of $375 and the other $100. Now, presume the consumer did not notify the institution within the required two-business day period; therefore, two tiers of liability apply. The first transaction posted the first day after the consumer became aware that their debit card was missing and the second transaction posted three days later. When posted in the order above (respectively), the consumer's liability is only $150. But, when the posting order is reversed (i.e., the $100 transaction first), the consumer liability is $425. Confusing enough?

How Can Compliance Officers Help Deposit Managers Cut the Risks of Common Reg E Violations?

As a compliance or risk management officer, you can reduce the risk of violations by developing an effective system of controls. Here are some processes to implement:

A uniform method for documenting received claims – whether the notice was oral or in writing;
Procedures that ensure the prompt submittal of claims to the appropriate department upon receiving a notice of an alleged error;
A system that ensures the prompt investigation of these claims;
Procedures that ensure the adequate documentation, and tracking of the steps and status of the investigation;
A tickler system that prompts the appropriate personnel of approaching timeframes; and
Most importantly, adequate training of all employees involved in the error resolution.

To provide further assurance of adherence, periodically review claims to verify the effectiveness of the established procedures and identify the need for additional training.

Compliance with the timeframes is important. Imposing liability where you can is also critical to avoid unwarranted losses. But it's also important to ensure your members are receiving proper credit as required by law. Doing it right and assuring both results in the only real win-win situation.

Lori Moore is Chief Risk and Compliance Officer for FINBOA. She can be reached at 281-503-1233 or lmoore@finboa.com.

Instant Insights /

Financial Institutions Must Improve the Reg E Resolution Process

Related Stories

Recommended For You