What Is Regulation E?

Introduction

Regulation E applies to any electronic fund transfer in the United States that authorizes a financial institution to debit or credit money from a consumer’s account.

This regulation determines the framework and steps for the dispute process. The Consumer Financial Protection Bureau (CFPB) issues Reg E following the Electronic Fund Transfer Act.

What Transactions Will Fall Under Regulation E?

The following types of transactions are electronic fund transfers and fall under Reg E, according to the CFPB:

• Point-of-sale transfers
• ATM transfers
• Withdrawal of funds
• Debit card transactions

All debits and withdrawals aren’t considered electronic fund transfers. The following transactions aren’t covered under Reg E:

• Checks
• Wire transfers

Does Reg E Cover Scams?

A Guest Editorial by PJ Rohall – Fraud Subject Matter Expert (SME) at Featurespace | Co-Founder at About-Fraud | Mental Health Advocate | SCARS Partner

A lot has been said about the Consumer Financial Protection Bureau’s (CFPB) commentary on how Reg E is applied to consumer scams. Here are some quick thoughts on what I find most interesting.

Authorized Push Payment Fraud (APP) still not covered by Reg E

APP fraud happens in all geographies but is talked about most frequently in the U.K. This is because they have over a decade of experience in real-time payments and more recently rolled out the Contingency Reimbursement Model (CRM) which has brought APP fraud front and center. The CRM is a whole article in itself, so let’s set that to the side and focus on APP fraud.

APP fraud is when a consumer is manipulated, through social engineering, into making a payment into an account that a fraudster controls. It comes in a variety of forms – romance scams, investment scams, invoice scams, imposter scams, etc. but it has one common element: the consumer logs in and executes the payment.

The CFPB commentary refers to consumers who are scammed into divulging sensitive information that enables a fraudster to take over their account, and the fraudster executes an unauthorized payment. That is different than APP fraud.

It seems clear to me that the CFPB is stating that Reg E can be applied to scams that lead to account takeovers, not scams that involve genuine customers executing fraudulent payments.

If this scam, why not that scam?

Ok, so why does Reg E cover one type of scam but not another? An interesting thread to tug on some more.

When a consumer is manipulated into logging in and making a payment, they are a victim of the same psychological manipulation as when they fork over their log-in information/OTP to allow a fraudster to do it. Does the act of being the one pushing the buttons mean they are in anymore control?

Some will argue, yes. They’ll say, if you’re actually the one logging in and sending the payment you should at some point be aware the payment you are sending may be fraudulent.

But that perspective ignores the fundamental purpose of social engineering. People are not behaving in a manner they normally would. People’s minds and emotions are preyed on systematically and strategically. And that can be applied to instances of logging in and executing the payment.

So, why is the scam that leads to an account takeover covered by Reg E, but the APP scam is not? Isn’t the consumer vulnerable to social engineering in both cases?

Negligence

Let me be clear, I am not arguing for liability one way or the other, I am simply exploring consistency. And on that point… let’s talk negligence. In the CFPB’s commentary, they stated that banks can not consider consumer negligence when determining liability under Reg E. And remember this is the scam where a consumer is being manipulated to give up their information and having their account taken over.

I clearly understand the sophistication of scams, but does that mean a consumer should have no responsibility when taking care of their sensitive information? I don’t think it’s helpful to not allow negligence to be considered at all. When you do this, you remove all responsibility from the consumer and set up an environment where folks are more likely to be careless.

Summing it all up

Determining liability in scams will always be tough, which is why I am not arguing one way or the other. However, I do think we should find more consistency in the interpretation of scams. My personal opinion is a scam is a scam, no matter who executes the final payment. Now, where do you draw the lines of responsibility and liability, that’s the million-dollar question. And no matter how you answer you should agree the best option is to prevent it before it happens. Layering education, technology and awareness to proactively stop as many scams as possible will always be the course we can all agree on!

A New Reimbursement For U.S. Scam Victims May Be An Option

The implication of Regulation E is clear and for some victims, it may be a way to recover money stolen by scammers.

To qualify you MUST answer these questions:

• Are you a U.S. resident?
• Did you give access or allow your scammer to have access to your bank account?
• Did the scammer withdraw any money from your account directly – without your direct participation?

IF YOU ANSWER YES TO ALL THREE YOU MAY QUALIFY FOR THIS.

However – there is a ONE-YEAR STATUTE OF LIMITATIONS – meaning this will only work for scammer-enacted withdrawals or transfers within the last YEAR!

The Reg E Dispute Submission Process May Differ From Bank To Bank

Some banks may require you to submit your dispute in writing, even though you already gave it to a representative over the phone.

Some banks, such as First Interstate Bank, have an online form. The form, which is used for debit card and ATM card disputes, asks for information such as:

• the amount of the transaction you’re disputing
• the type of merchandise or service
• the date the transaction was made
• the date the transaction posted to your account
• whether you had lost your debit card

However, the U.S. Federal Reserve also has a dispute reporting process that we recommend that you do simultaneously with submitting it to the bank.

To file a dispute claim through the United States Federal Reserve visit here: What do I do once I’m ready to file a complaint? | Federal Reserve Consumer Help

Follow the instructions exactly as written.

Reference

Important Links:

• CFPB releases unauthorized EFTs and error resolution FAQs | Buckley LLP Infobytes Blog (buckleyfirm.com)
• 12 CFR Part 1005 – Electronic Fund Transfers (Regulation E) | Consumer Financial Protection Bureau (consumerfinance.gov)
• Electronic Fund Transfers FAQs | Consumer Financial Protection Bureau (consumerfinance.gov)
• Final Rules | Consumer Financial Protection Bureau (consumerfinance.gov)