Q: Does an EFT initiated by a fraudster using stolen credentials meet the Regulation E definition of an unauthorized EFT?
A: Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized EFT Question 1, Regulation E defines an unauthorized EFT as a transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). When a consumer’s account access information is obtained from a third party through fraudulent means such as computer hacking, and a hacker uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.
For example, the Bureau is aware of the following situations involving unauthorized EFTs:
- A consumer shares their account access information in order to enter into a transaction with a third party, such as a merchant, lender, or employer offering direct deposit, and a fraudster obtains the consumer’s account access information by hacking into the computer system of the third party. The fraudster then uses a bank-provided P2P payment application to initiate a credit push payment out of the consumer’s deposit account.
- A consumer shares their debit card information with a P2P payment provider in order to use a mobile wallet. A fraudster then hacks into the consumer’s phone and uses the mobile wallet to initiate a debit card transfer out of the consumer’s deposit or prepaid account.
- A thief steals a consumer’s physical wallet and initiates a payment using the consumer’s stolen debit card.
All of the financial institutions in these examples, including any non-bank P2P payment provider or deposit account holding financial institution, must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers in 12 CFR 1005.6.