Compliance Blog

In 2014, the card networks made changes to their zero liability policies as applied to branded debit and ATM cards. Recently, Visa announced another change that replaces the standard in the Visa Core Rules for its zero liability policy from "grossly negligent" to "negligent". This change essentially raises the standard of care required by cardholders to meet the zero liability protections afforded by Visa. Many credit unions have asked the NAFCU compliance team a couple of questions associated with this change so we thought it would be helpful to round them up:

1. Should we send a change in terms notice under Regulation E to incorporate the change in language?

Regulation E requires a change in terms notice under four circumstances, one of which is the increase of liability for members going through the error resolution process.  See, 12 C.FR. § 1005.8(a)(ii). Before Visa announced this change, a member would have zero liability for unauthorized transactions unless he or she was grossly negligent or fraudulent in the handling of the account or card. Under the revised rule, the member will be afforded zero liability unless he or she is negligent or fraudulent in handling the account or card. So what is negligence anyways? While this can vary under state law and your attorney is in the best position to give a good summary of negligence, here are some basics. Negligence is a legal concept that compares the behavior of a hypothetical reasonable and prudent person to the behavior exhibited by your member. If the member's behavior negatively deviates from the expected behavior of a reasonably prudent person acting under similar circumstances, the member is said to be negligent, or in plain English, careless. Gross negligenceon the other hand, is a step above negligence amounting to conscious and voluntary disregard of the need to act reasonably.

In effect, Visa's change could impose greater liability on a cardholder as the types of actions that will create liability will include both "negligence" and "gross negligence." Unfortunately, Visa has not defined which actions are negligent in its rules, so the exact behavior that may trigger liability seems to be a case-by-case determination. Nonetheless, credit unions may need to update EFT disclosures that reference Visa's zero liability policy and notify its members of this revision 21 days in advance through a change in terms notice. Regulation E has a model form for the error resolution notice but does not a model form for a change in terms notice. So credit unions may need to reach out to form providers or their counsel to draft this notice.

Finally, we have also heard that some credit unions will not be implementing this change and will not be imposing greater liability as they will continue to handle the error resolution process as per usual. In these cases, an updated disclosure may not be necessary as the credit union is choosing to provide a zero liability protection to its members under its own procedures that are more consumer friendly than Visa rules. This may create additional liability for the credit union but it is not unusual for credit unions to choose to be more lenient when imposing liability for unauthorized transactions based on its internal business decisions. However, credit unions taking this route may want to discuss the implications with their Visa representative.  

2. Negligence is not supposed to affect a member's liability under Regulation E. So how come Visa's standard can take negligence into account?

The basic premise of the interplay between Visa's rules and Regulation E is that Visa provides members more protections through its zero liability policy than Regulation E's error resolution. This means that for unauthorized transactions involving a Visa debit card or account, the Visa rules require a credit union to replace all funds taken as the result of an unauthorized debit transaction  (unless the member was negligent) while Regulation E may not require that all funds be returned (depending on timeliness and whether an access devise was used).

Here is a chart that reflects how these two liability standards work together specifically for signature-based transactions (i.e. transactions that require a debit card and a signature):

This means that Regulation E serves as the ceiling for the amount of liability a credit union can impose on a member while Visa's zero liability is the floor. As long as the credit union is under the ceiling, it may offer better liability limits to its members. For that reason, Visa is allowed to condition its zero liability protections with a negligence standard as these additional protections do not conflict with Regulation E. If the member is negligent in handling the account or card, then the credit union has two choices, it can apply its own zero liability policy or apply Regulation E's liability for unauthorized transactions as long as the potential liability has been properly disclosed.