11/5/2019

1

Sticky Situations: Card and ACH Investigations

About the Facilitator

Rayleen M. Pirnie, AAP, CERPRP Payments Risk Consulting Services, LLCRayleen.Pirnie@outlook.com ∙ 816.204.1846 

• 20 years of experience in fraud investigations, payments risk management, and information security

• Bachelor of Science Criminal Justice Administration

• Accredited ACH Professional (AAP) 

• Certified Enterprise Risk Professional (CERP)

• Crime-novel junkie

11/5/2019

2

Disclaimer

The material in this program is for educational purposes only and does not provide any warranties or legal advice. The opinions are that of the presenter and do not necessarily represent those of the event host.

Information presented is valid as of the date of the presentation.

Discussion of specific products and services is not an endorsement; each is used as an example or resource only. 

Images: iStock

Program copyright 2019 RP Payments Risk Consulting

Rules and Regs

11/5/2019

3

The Most Common Issues

• Denying claim for • No written confirmation of verbal notice• “Late” written confirmation of verbal notice• ACH debit claim more than 60 days from settlement of entry

• Delaying investigation until• Written confirmation of verbal notice received• Customer reports in a branch during normal business hours

The Most Common Issues

• Refusing consumers written confirmation because it’s not a WSUD or Affidavit

• Not documenting ACH investigations

• Denying claim based on insufficient evidence

11/5/2019

4

Consumer Claims of Error

• Our focus is on Unauthorized Debit Activity

• Investigations, liability, and transaction handling:• State law• Regulation E• Network Rules (ACH or Debit Card)

• Read the interpretations!

• Always follow what is most consumer friendly – i.e. zero‐liability card brands vs. Regulation E liability 

Regulation vs. Process Rules

• Written as guide for consumer protection

• When discrepancy between payment rules and Regulation E exists, Reg. E prevails

EFTA / Regulation E ACH Rules and Card Network Rules

• Written as guide for institutions to process transactions and returns

• Details obligations of network participants

State laws may override all of the above in terms of obligations and customer liability. 

Disclosures and account holder agreements that are more consumer‐friendly win.

11/5/2019

5

Let’s Compare

• NO written confirmation of verbal claim required

• Cannot deny a claim because consumer refuses to provide written confirmation• Only affects provisional credit

• Investigation must begin upon receipt of notice

• Longer protection timeframe than networks allows for return

• CFPB’s sample forms sufficient written “notice” to bank

Regulation E Rules• WSUD required for ACH returns; Affidavit for Debit Card returns

• Timely claim may not allow for an in‐network return

• CFPB’s sample forms not sufficient for in‐network Returns

Written Confirmation

11(b)(2) Written Confirmation- Official Interpretation: “While a financial institution may request a written, signed statement from the consumer relating to a notice of error, it may not delay initiating or completing an investigation pending receipt of the statement.”

§1005.11(c)(2)(i)

An institution need not provisionally credit the consumer’s account if

The institution requires but does not receive written confirmation within 10 business days of an oral notice of error;

11/5/2019

6

11

Effects of Late Notice

Effects of Late Notice (i.e. Provisional Credit): §1005.11(b)(1) Official Interpretation: “An institution is not required to comply with the requirements of this section for any notice of error from the consumer that is received by the institution later than 60 days from the date on which the periodic statement first reflecting the error is sent. Where the consumer's assertion of error involves an unauthorized EFT, however, the institution must comply with § 1005.6 before it may impose any liability on the consumer.”

Notice ‐ § 1005.6(b)(5)

Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.

The consumer may notify the institution in person, by telephone, or in writing.

Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer's account has been or may be made.

11/5/2019

7

Calculating Liability – §1005.6(b)(1)

FI may NOT use statement as sole evidence of knowledge of theft or loss of access device: The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.

Calculating Liability – Access Device§1005.6(b)(1)The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24‐hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. 

For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.

11/5/2019

8

Calculating Liability – No Access Device §1005.6(b)(3)

Official Interpretation – No access device involvedThe first two tiers of liability do not apply to unauthorized transfers from a consumer's account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution's transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution.

For example, a consumer's account is electronically debited for $200 without the consumer's authorization and by means other than the consumer's access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer's account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.

Extenuating Circumstances -§1005.6(b)(4)

• “ If the consumer's delay in notifying the financial institution was due to extenuating circumstances, the institution shall extend the times specified above to a reasonable period.”

• Examples:• Hospitalization• Military leave / duty• Extended travel• Prison?

11/5/2019

9

Provisional Credit

• Applies to ACH investigations if cannot immediately return entry

• § 1005.11(c)(2)(i) - (A) The institution requires but does not receive written confirmation within 10 business days of an oral notice of error

• Untimely claim - § 1005.11(b)(1)(i) – FI exempt from Provisional Credit requirement when notice is received by the institution later than 60 days after the institution sends the periodic statement

Investigations

11/5/2019

10

19

Investigation Tips

Accept and document all claims of unauthorized activity, even if it appears the bank is not liable

• Important to document findings and case in event the customer complains to your Regulator, the CFPB or gets an attorney to sue

• Exception = returns where recredit to customer account occurred (i.e. claim of unauthorized activity happened 15 days ago – returned via ACH Network – customer made whole)

Common Steps in ACH Investigation

• Document specifics of the claim

• Determine what can be returned in-network

• Contact ODFI to gain copy of authorization

• Out-of-network recovery• RDFI should not be in a position of loss • ODFI / Originator liability extends to period of state law, as much

as 7 years in some states

• Remember provisional credit (if applicable)

• If not returned in-network, document case, findings, actions, and disposition

11/5/2019

11

Common Steps in Card Investigations

• Document specifics of the claim

• Determine what can be returned

• Request additional documentation from Merchant

• Steps splinter here depending on nature of the claim

• Remember provisional credit (if applicable)

• Police reports

• Document case, findings, actions and disposition

What if a customer gives their card to a family member once, and then the family member uses it

again without permission?

• Regulation E vs. Card Rules• What does your disclosure say about authorized users? What is the

consumers responsibility to revoke an authorized user status?• If nothing in your disclosures / card holder agreement, the bank must

accept as a valid unauthorized claim and investigate accordingly.• Bank MUST be able to prove the individual (family member) was

authorized to make the purchase (authorized user) and the customer failed to notify the bank of revocation of status.

11/5/2019

12

What if a debit card we issued is attached to a TP EFT Service Provicer (i.e. Venmo® or Paypal®) and the

TP account is hacked?

• Assuming the customer is not disputing having an account, rather, transactions using account are unauthorized.• Pull TP Terms and Conditions – these drive this relationship and liability• Regulation E § 1005.14 Electronic fund transfer service

provider not holding consumer's account.• Customer gave access to account / card; investigation authority and liability stemming from this authorization is held by the TP• Paypal User Agreement – Liability for Unauthorized Transactions and Other Errors

What if the Third-Party accounts have the customer’s account number in them and the claim is a

fraudulent ACH transfer?

• Customer is not disputing having an account, rather, ACH transfer(s) unauthorized.

• § 1005.14 Electronic fund transfer service provider not holding consumer's account.

• If customer consented to account and authorized, same applies – TP responsible for investigation and claim

11/5/2019

13

What if the customer disputes having a Third-Party account?

• Document dispute and open an investigation

• Contact TP

• Contact ODFI for Authorization

• If timely, return transaction(s)

• If claim not timely, work with ODFI • Late return• Out-of-network claim

Customer claims transfers made using mobile banking app are all fraud.

• What are the specifics of the claim?

• Recent case• App added to new device (an iPhone – customer has on her

Samsung device)• Customers user name and password used to access app and

make transfers• Bank unable to get TP app provider to provide demographics• Their question – can we deny the claim since customers

username and password were used?

11/5/2019

14

Customer isn’t happy with service or color of the sweater they ordered. Is the bank liable if the

Merchant or Originator won’t fix the issue for the customer?

• Regulation E – does not cover this situation – the transaction was authorized • Dissatisfaction of products or services is NOT a valid return

reason in ACH – the transaction WAS authorized• Depending on Card product, may have chargeback

• “Not as described or Defective” – Customer should try to resolve with Merchant first and should be advised that the Merchant may dispute based on multiple reasons including customer never returned the product, never cancelled the service, or a description that they feel sufficiently describes the product or services.

What if someone insists that they didn’t get their money from a foreign ATM, but the other bank

balances and says that the customer did?

• Assuming customer admits they attempted the withdrawal (not a claim of someone else using the card)

• Foreign Bank counting machine provides evidence contrary to claim (same as your own internal 4-walls investigation of your own ATM)

• Request video review

11/5/2019

15

What if a customer discovers a “fraudulent purchase” that has happened monthly for YEARS! How do we handle this correctly?

• Document claim and any applicable extenuating circumstances• Account review• Bank liability / customer liability (assuming no state law or card

brand limitations)• What is the bank responsible for?• Is there more the bank can do?

• NACHA Operations Bulletin 03-2003• Out of network collection• With WSUD – most recent 60 days can be returned thru ACH Network • With Affidavit and depending on claim – may be able to return thru Card Network

Customer was charged $40 last month for gym membership, but now they are saying they never

got the money.

• What exactly is Originator / Merchant claiming?• Did customer provide proof of debit to Originator /

Merchant?• Involving TP• Transaction authorized – no Reg E • ACH

• “Incomplete Transaction”• With WSUD Return R10• Customer should notify Originator of return

• Card

11/5/2019

16

Customer reports a series of unauthorized ACH and card debits on their HSA account.

• Bona Fide Trust Accounts

You Try It

11/5/2019

17

Customer says she didn’t authorize $2600 debits to Nintendo that son racked up ordering games and ad-

ons. Wants returned.

• Facts of the case

• Authorized or unauthorized?

• Actions

What if a minor steals the card from the mom’s purse and the mom insists that the bank pay for it (do we

press charges on a 10-year old)?

• Authorized or unauthorized? 

• Actions

• Tip: If customer revokes claim, best to get it from them in writing, but at minimum include this (with date of revocation and made by X) in denial letter

11/5/2019

18

Customer claims they did not authorize a payday lender to debit their account.

• Review account; is there a credit from same Originator?• Credit alone does NOT prove customer authorized

• Authorization

• Evidence

What if the customer authorized a S&H fee for a trial offer, but says they didn’t 

authorize a monthly debit for the product?

• Assuming customer has admitted to taking advantage of a trial offer and does not claim they revoked authorization

• Customers failure to read T&C is not unauthorized activity• Pull product / service T&C to prove “trial offer termination” obligations of customer

• Encourage customer to work directly with provider• Offer stop pay or card reissue to prevent future activity

11/5/2019

19

Wrap-up

• Accept every claim and document, even if bank not responsible

• Investigate upon first notice

• May request affidavit but cannot deny or delay investigation if not received

• Appropriate evidence

Action Items

11/5/2019

20