On January 15, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a Compliance Aid to clarify the requirements under the Electronic Fund Transfer Act (EFTA) and Regulation E. Electronic Fund Transfers (EFTs) are defined as “any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer’s account.” The Compliance Aid, presented in a Frequently Asked Questions (FAQs) format, addresses various aspects of EFTs, including coverage, financial institutions’ obligations, and error resolution processes.
Compliance Aids are not rules under the Administrative Procedure Act, but instead “present the requirements of existing rules and statutes in a manner that is useful for compliance professionals, other industry stakeholders, and the public.”
Key takeaways from the FAQs include:
Coverage: Transactions
EFTA and Regulation E apply to any electronic fund transfer that authorizes a financial institution to debit or credit a consumer’s account. This includes transactions involving demand deposit (checking), savings, or other consumer asset accounts established primarily for personal, family, or household purposes, including prepaid accounts. Person-to-person (P2P) payments, debit card transactions, credit-push P2P payments, and pass-through payments are all considered to be subject to the EFTA and Regulation E, provided they meet the definition of an EFT.
The compulsory use provision prohibits a “financial institution or other person” from “requir[ing] a consumer to establish an account … as a condition of employment.” According to the CFPB, the compulsory use prohibition also applies to tips, meaning employers cannot require workers to establish an account with a particular financial institution to receive their tips.
Coverage: Financial Institutions
Under EFTA and Regulation E, a financial institution includes banks, savings associations, credit unions, and any other person that directly or indirectly holds a consumer’s account or issues an access device and agrees to provide EFT services. Non-bank P2P payment providers can also be considered financial institutions if they hold consumer accounts or issue access devices and agree to provide EFT services. According to the CFPB, this means that both the non-bank P2P payment provider and the depository institution holding the consumer’s account have error resolution obligations under Regulation E.
Error Resolution
The Compliance Aid outlines that errors under EFTA and Regulation E include unauthorized EFTs, incorrect EFTs, omissions from periodic statements, computational or bookkeeping errors, incorrect amounts received from electronic terminals, and requests for documentation or clarification concerning an EFT. Financial institutions are required to promptly investigate error allegations, complete such investigations within specified time limits, report results of investigations within three business days after their completion, and correct errors within one business day after determining an error occurred. Private network rules that provide less consumer protection than federal law cannot be relied upon by financial institutions.
Further, the Compliance Aid provides that financial institutions cannot require a consumer to file a police report or other documentation as a prerequisite to initiating an error resolution investigation. Nor may the financial institution “delay initiating or completing an investigation pending receipt of information from the consumer.”
Error Resolution: Unauthorized EFTs
An unauthorized EFT is defined as an EFT from a consumer’s account initiated by someone other than the consumer without actual authority to do so, and from which the consumer receives no benefit. Financial institutions must determine consumer liability for unauthorized EFTs based on the timing of the error report and the circumstances of the unauthorized transfer. Transfers initiated by fraudsters using stolen credentials or fraudulently obtained account access information are considered unauthorized EFTs. Financial institutions cannot consider consumer negligence when determining liability for unauthorized EFTs and must comply with error resolution requirements even if private network rules suggest otherwise.