11/5/2019
Sticky Situations: Card and ACH Investigations
About the Facilitator
Rayleen M. Pirnie, AAP, CERP
RP Payments Risk Consulting Services, [email protected] ∙ 816.204.1846
• 20 years of experience in fraud investigations, payments risk management, and information security
• Bachelor of Science Criminal Justice Administration
• Accredited ACH Professional (AAP)
• Certified Enterprise Risk Professional (CERP)
• Crime-novel junkie
Disclaimer
The material in this program is for educational purposes only and does not provide any warranties or legal advice. The opinions are those of the presenter and do not necessarily represent those of the event host.
Information presented is valid as of the date of the presentation.
Discussion of specific products and services is not an endorsement; each is used as an example or resource only.
Images: iStock
Program copyright 2019 RP Payments Risk Consulting
Rules and Regs
The Most Common Issues
• Denying claim for
  • No written confirmation of verbal notice
  • “Late” written confirmation of verbal notice
  • ACH debit claim more than 60 days from settlement of entry
• Delaying investigation until
  • Written confirmation of verbal notice received
  • Customer reports in a branch during normal business hours
• Refusing consumers written confirmation because it’s not a WSUD or Affidavit
• Not documenting ACH investigations
• Denying claim based on insufficient evidence
Consumer Claims of Error
• Our focus is on Unauthorized Debit Activity
• Investigations, liability, and transaction handling:
  • State law
  • Regulation E
  • Network Rules (ACH or Debit Card)
• Read the interpretations!
• Always follow what is most consumer friendly – i.e. zero‐liability card brands vs. Regulation E liability
Regulation vs. Process Rules
EFTA / Regulation E
• Written as guide for consumer protection
• When discrepancy between payment rules and Regulation E exists, Reg. E prevails
ACH Rules and Card Network Rules
• Written as guide for institutions to process transactions and returns
• Details obligations of network participants
State laws may override all of the above in terms of obligations and customer liability.
Disclosures and account holder agreements that are more consumer‐friendly win.
Let’s Compare
Regulation E
• NO written confirmation of verbal claim required
• Cannot deny a claim because consumer refuses to provide written confirmation
  • Only affects provisional credit
• Investigation must begin upon receipt of notice
• Longer protection timeframe than networks allows for return
• CFPB’s sample forms sufficient written “notice” to bank
Rules
• WSUD required for ACH returns; Affidavit for Debit Card returns
• Timely claim may not allow for an in‐network return
• CFPB’s sample forms not sufficient for in‐network Returns
Written Confirmation
11(b)(2) Written Confirmation – Official Interpretation: “While a financial institution may request a written, signed statement from the consumer relating to a notice of error, it may not delay initiating or completing an investigation pending receipt of the statement.”
§1005.11(c)(2)(i)
An institution need not provisionally credit the consumer’s account if
The institution requires but does not receive written confirmation within 10 business days of an oral notice of error;
Effects of Late Notice
Effects of Late Notice (i.e. Provisional Credit): §1005.11(b)(1) Official Interpretation: “An institution is not required to comply with the requirements of this section for any notice of error from the consumer that is received by the institution later than 60 days from the date on which the periodic statement first reflecting the error is sent. Where the consumer's assertion of error involves an unauthorized EFT, however, the institution must comply with § 1005.6 before it may impose any liability on the consumer.”
Notice ‐ § 1005.6(b)(5)
Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.
The consumer may notify the institution in person, by telephone, or in writing.
Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer's account has been or may be made.
Calculating Liability – §1005.6(b)(1)
FI may NOT use statement as sole evidence of knowledge of theft or loss of access device: The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.
Calculating Liability – Access Device §1005.6(b)(1)
The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24‐hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft.
For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.
Calculating Liability – No Access Device §1005.6(b)(3)
Official Interpretation – No access device involved
The first two tiers of liability do not apply to unauthorized transfers from a consumer's account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution's transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution.
For example, a consumer's account is electronically debited for $200 without the consumer's authorization and by means other than the consumer's access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer's account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.
Extenuating Circumstances – §1005.6(b)(4)
• “If the consumer's delay in notifying the financial institution was due to extenuating circumstances, the institution shall extend the times specified above to a reasonable period.”
• Examples:
  • Hospitalization
  • Military leave / duty
  • Extended travel
  • Prison?
Provisional Credit
• Applies to ACH investigations if cannot immediately return entry
• § 1005.11(c)(2)(i) - (A) The institution requires but does not receive written confirmation within 10 business days of an oral notice of error
• Untimely claim - § 1005.11(b)(1)(i) – FI exempt from Provisional Credit requirement when notice is received by the institution later than 60 days after the institution sends the periodic statement
Investigations
Investigation Tips
Accept and document all claims of unauthorized activity, even if it appears the bank is not liable
• Important to document findings and case in event the customer complains to your Regulator, the CFPB or gets an attorney to sue
• Exception = returns where recredit to customer account occurred (i.e. claim of unauthorized activity happened 15 days ago – returned via ACH Network – customer made whole)
Common Steps in ACH Investigation
• Document specifics of the claim
• Determine what can be returned in-network
• Contact ODFI to gain copy of authorization
• Out-of-network recovery
  • RDFI should not be in a position of loss
  • ODFI / Originator liability extends to period of state law, as much as 7 years in some states
• Remember provisional credit (if applicable)
• If not returned in-network, document case, findings, actions, and disposition
Common Steps in Card Investigations
• Document specifics of the claim
• Determine what can be returned
• Request additional documentation from Merchant
• Steps splinter here depending on nature of the claim
• Remember provisional credit (if applicable)
• Police reports
• Document case, findings, actions and disposition
What if a customer gives their card to a family member once, and then the family member uses it again without permission?
• Regulation E vs. Card Rules
• What does your disclosure say about authorized users? What is the consumer's responsibility to revoke an authorized user status?
• If nothing in your disclosures / card holder agreement, the bank must accept as a valid unauthorized claim and investigate accordingly.
• Bank MUST be able to prove the individual (family member) was authorized to make the purchase (authorized user) and the customer failed to notify the bank of revocation of status.
What if a debit card we issued is attached to a TP EFT Service Provider (i.e. Venmo® or Paypal®) and the TP account is hacked?
• Assuming the customer is not disputing having an account, rather, transactions using account are unauthorized.
• Pull TP Terms and Conditions – these drive this relationship and liability
• Regulation E § 1005.14 Electronic fund transfer service provider not holding consumer's account.
• Customer gave access to account / card; investigation authority and liability stemming from this authorization is held by the TP
• Paypal User Agreement – Liability for Unauthorized Transactions and Other Errors
What if the Third-Party accounts have the customer’s account number in them and the claim is a fraudulent ACH transfer?
• Customer is not disputing having an account, rather, ACH transfer(s) unauthorized.
• § 1005.14 Electronic fund transfer service provider not holding consumer's account.
• If customer consented to account and authorized, same applies – TP responsible for investigation and claim
What if the customer disputes having a Third-Party account?
• Document dispute and open an investigation
• Contact TP
• Contact ODFI for Authorization
• If timely, return transaction(s)
• If claim not timely, work with ODFI
  • Late return
  • Out-of-network claim
Customer claims transfers made using mobile banking app are all fraud.
• What are the specifics of the claim?
• Recent case
  • App added to new device (an iPhone – customer has on her Samsung device)
  • Customer's user name and password used to access app and make transfers
  • Bank unable to get TP app provider to provide demographics
  • Their question – can we deny the claim since customer's username and password were used?
Customer isn’t happy with service or color of the sweater they ordered. Is the bank liable if the Merchant or Originator won’t fix the issue for the customer?
• Regulation E – does not cover this situation – the transaction was authorized
• Dissatisfaction of products or services is NOT a valid return reason in ACH – the transaction WAS authorized
• Depending on Card product, may have chargeback
• “Not as described or Defective” – Customer should try to resolve with Merchant first and should be advised that the Merchant may dispute based on multiple reasons including customer never returned the product, never cancelled the service, or a description that they feel sufficiently describes the product or services.
What if someone insists that they didn’t get their money from a foreign ATM, but the other bank balances and says that the customer did?
• Assuming customer admits they attempted the withdrawal (not a claim of someone else using the card)
• Foreign Bank counting machine provides evidence contrary to claim (same as your own internal 4-walls investigation of your own ATM)
• Request video review
What if a customer discovers a “fraudulent purchase” that has happened monthly for YEARS! How do we handle this correctly?
• Document claim and any applicable extenuating circumstances
• Account review
• Bank liability / customer liability (assuming no state law or card brand limitations)
• What is the bank responsible for?
• Is there more the bank can do?
• NACHA Operations Bulletin 03-2003
• Out of network collection
• With WSUD – most recent 60 days can be returned thru ACH Network
• With Affidavit and depending on claim – may be able to return thru Card Network
Customer was charged $40 last month for gym membership, but now they are saying they never got the money.
• What exactly is Originator / Merchant claiming?
• Did customer provide proof of debit to Originator / Merchant?
• Involving TP
• Transaction authorized – no Reg E
• ACH
  • “Incomplete Transaction”
  • With WSUD Return R10
  • Customer should notify Originator of return
• Card
Customer reports a series of unauthorized ACH and card debits on their HSA account.
• Bona Fide Trust Accounts
You Try It
Customer says she didn’t authorize $2600 debits to Nintendo that son racked up ordering games and add-ons. Wants returned.
• Facts of the case
• Authorized or unauthorized?
• Actions
What if a minor steals the card from the mom’s purse and the mom insists that the bank pay for it (do we press charges on a 10-year old)?
• Authorized or unauthorized?
• Actions
• Tip: If customer revokes claim, best to get it from them in writing, but at minimum include this (with date of revocation and made by X) in denial letter
Customer claims they did not authorize a payday lender to debit their account.
• Review account; is there a credit from same Originator?
  • Credit alone does NOT prove customer authorized
• Authorization
• Evidence
What if the customer authorized a S&H fee for a trial offer, but says they didn’t authorize a monthly debit for the product?
• Assuming customer has admitted to taking advantage of a trial offer and does not claim they revoked authorization
• Customer's failure to read T&C is not unauthorized activity
• Pull product / service T&C to prove “trial offer termination” obligations of customer
• Encourage customer to work directly with provider
• Offer stop pay or card reissue to prevent future activity
Wrap-up
• Accept every claim and document, even if bank not responsible
• Investigate upon first notice
• May request affidavit but cannot deny or delay investigation if not received
• Appropriate evidence
Action Items