Reg E Errors and Fraudsters
Happy Monday, compliance friends. I hope everyone had a good weekend and enjoyed World Laughter Day, which was yesterday! I know one group of people who shouldn’t get the last (evil) laugh: fraudsters who trick members out of their access devices to make unauthorized transfers!
I’m going to revisit one of our previous Regulation E blogs, but go further into detail into one type of error. That blog explains that under Regulation E, an unauthorized electronic fund transfer (EFT) is defined as any EFT from an account initiated by someone without authority to initiate the transfer and from which the member receives no benefit. Unauthorized EFTs include transfers using an access device that was obtained by robbery or fraud, and transfers a member was forced to initiate. It does not include transfers where the member acted fraudulently or when the member gave someone else permission to use her access device.
Let’s take a look at one of the examples given in that blog: A fraudster calls Amy pretending to be her credit union and Amy provides the fraudster with her account information. The fraudster uses her information to initiate EFTs from her account. The EFTs are unauthorized because the information was obtained via fraud, even though Amy voluntarily provided her information to the fraudster.
Regulation E’s rules and commentary support this conclusion because the definition of unauthorized transfer includes the situation in which an access device was obtained through fraud. Sometimes this is confusing because no debit card was involved and credit unions often associate the term access device with a debit card. After all, debit cards are pretty common access devices used by members to make electronic transfers. However, it’s important to remember that an access device is also a “code, or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”
This type of scenario comes up pretty often for the compliance team, as fraudsters continuously implement new strategies to trick people out of their account information, passwords, and other codes needed to gain access and make transfers. Fraudsters may pretend to be a credit union employee, the member’s employer, an IRS agent, a family member in need, or any number of other people they assume the member will trust. Ultimately, if account access is obtained through fraud, it is unauthorized under Reg E.
This brings us to our next issue: What about particularly gullible members? Will the credit union be continuously on the hook for members that provide account access to fraudsters?
A credit union dealing with this issue may try a variety of tactics to reduce the risk of loss to these types of schemes. For example, some credit unions have implemented fraud alerts specific to members that have been the victim of fraud previously. For these members, the credit union sends an alert after every transaction and not just transactions that trigger the credit union’s usual fraud system. Additionally, some credit unions provide a brief guide, video, or training explaining different types of fraud and shedding light on the ways some people may try to gain account access. This is a strategy that can be used for all members so they are more alert and can more easily recognize when they are being targeted by a fraudster. In more severe cases, where members have given out access information on multiple occasions, credit unions have relied on their limitation of services policies to limit the types of transactions the member is able to make. If your credit union is struggling with these types of unauthorized transfers, try reaching out on the NAFCU Compliance, Risk and BSA Network for advice from your compliance peers.