Error Resolution and Liability Limits for Prepaid Accounts and Foreign Remittance Transfers
This issue focuses on error resolution topics. While the lead article “Error Resolution and Liability Limitations Under Regulations E and Z: Regulatory Requirements, Common Violations, and Sound Practices” in this issue reviewed error resolution requirements for non-prepaid debit cards and credit cards, this article discusses the requirements under Regulation E for prepaid accounts and foreign remittance transfers.
Prepaid Accounts
In 2016, the Bureau issued a final rule to fill a regulatory gap in Regulation E’s coverage by expanding the scope of covered products to include certain prepaid accounts.1 Under the final rule, prepaid accounts include:
- payroll cards;
- government benefit cards;
- an account labeled or marketed as “prepaid” and redeemable at multiple, unaffiliated merchants or usable at ATMs; and
- an account issued on a prepaid basis in a specific amount or capable of being loaded with funds that can be used at multiple unaffiliate merchants but is not a checking account, share draft account, or negotiable order of withdrawal account.2
In 2018, the Bureau amended the rule to modify the error resolution and liability limits for prepaid accounts that are not payroll or government benefit cards, to delay the effective date until April 1, 2019, and to make other changes.3
Error Resolution and Liability Limits for Prepaid Accounts
Of relevance to this article, the prepaid account rule applies a modified version of Regulation E’s limits on the consumer’s liability for unauthorized transactions (§1005.6) and error resolution procedures (§1005.11) to certain prepaid accounts.4 These provisions are codified in §1005.18(e).
Limitations on Liability
For prepaid accounts that are not payroll or government benefit cards, the 2016 final rule generally applied the consumer liability limits in §1005.6. However, the industry expressed concern about the increased risk of fraudulently reported unauthorized transactions for such accounts because they can be purchased and used anonymously. For example, a consumer could make purchases on a general-use, prepaid debit card, and then allege that some or all of the transactions were unauthorized (a practice referred to as friendly fraud or first-party fraud).5 Because these cards can be used anonymously, a financial institution may not be able to access information, beyond the transaction history, that could be useful for determining if the transaction was unauthorized. By contrast, if a consumer has a debit card linked to an account at the institution, the institution may be able to access information while investigating a dispute that could help determine if the transaction is unauthorized, including the account history and anti-money-laundering/know-your-customer verification checks.
Limitations on Liability and Error Resolution for Unverified Accounts
To address these concerns, the Bureau amended the rule to provide that the regulation’s requirements for liability limits and error resolution for prepaid accounts that are not government benefit or payroll cards apply only if the financial institution:
- has consumer identification and verification process for its prepaid account program,
- discloses to the consumer the risks of not verifying and registering an account using a notice with language substantially similar to model form A7 in Regulation E, and
- ensures the consumer successfully completes the consumer identification and verification process for the account.6
The 2018 amendment further elaborated on these requirements. Specifically, the amendment clarified the following circumstances in which an institution is deemed to have not successfully completed its consumer identification and verification process:
- The institution has not concluded its consumer identification and verification process and has informed the consumer of the risks of not verifying and registering an account using a notice with language substantially similar to model form A7 in Regulation E. 7 Even if the financial institution later verifies the consumer’s identity, it is still not required to investigate or apply the liability limitations for transactions that occurred prior to verification;8
- The institution has concluded the identification and verification process but was unable to verify the account, provided the institution informed the consumer of the risks of not verifying and registering an account using language substantially similar to model form A7 in Regulation E; or 9
- The institution does not have a consumer identification and verification process, provided it has disclosed its error resolution process and limitations on consumers’ liability for unauthorized transfers or, if none, state it does not provide such protections.10
Bureau Issues FAQs for Electronic Fund Transfers
As Consumer Compliance Outlook was preparing to publish this article, the Consumer Financial Protection Bureau on June 4, 2021, published Electronic Fund Transfer FAQs, a compliance aid that provides eight FAQs on various error resolution issues under the Electronic Fund Transfer Act (EFTA). The Bureau previously published a policy statement about compliance aids in the Federal Register that addresses whether they are legally binding and whether they provide a safe harbor to institutions complying with them.
Modified Error Resolution Requirements
Financial institutions may provide the traditional Regulation E periodic statements or a periodic statement alternative for prepaid accounts. Institutions that provide the traditional periodic statement are subject to the existing timelines for error investigations and consumer liability under §1005.11 and §1005.6, respectively.
However, institutions using the alternative periodic statement are subject to a different timeline for deciding when an error notice is timely and when a consumer is liable for unauthorized transactions. The alternative allows a financial institution to provide the account balance by telephone, an electronic history of 12 months of account transactions, and a written history of 24 months of account transactions upon request. For institutions using this option, a consumer’s error resolution request is timely if received by the earlier of:
- 60 days after the consumer electronically accesses the account (provided that the history made available reflected the error), or
- 60 days after the institution sends a written history of the consumer’s transactions in which the error is first reflected.11
The regulation also provides a safe harbor option in which a financial institution may comply by investigating any notice of error received within 120 days after the transfer allegedly in error was credited or debited to the consumer’s account.12 This option makes it unnecessary for institutions to track when the consumer electronically accessed the account.
As discussed in the companion article in this issue, “Error Resolution and Liability Limitations Under Regulations E and Z: Regulatory Requirements, Common Violations, and Sound Practices,” institutions should not conflate the timing requirement for responding to an error resolution inquiry for non-prepaid debit cards with the limits on a consumer’s liability for unauthorized transactions. When a notice of unauthorized transaction is received after the timing triggers previously discussed, the liability limits under §1005.6 may still apply for unauthorized transactions that occurred prior to the cutoff date.13 If the consumer accessed the account history online that included the disputed transactions, but waited more than 60 days to file a dispute, the consumer’s liability depends on whether the unauthorized transaction(s) involved the loss or theft of an access device and when the unauthorized transaction(s) occurred.
Examiner Insights for Prepaid Card Error Resolution Compliance
Regulation E prohibits institutions from imposing fees for the error-resolution process, including charges for documentation and investigation.14 While institutions generally avoid directly charging fees for error resolution procedures, charging consumers for general customer contact also risks violating this broad prohibition. For example, several prepaid card programs charge fees for calling customer service. However, if a customer calls to inquire about an EFT transaction or assert a Regulation E error, a charge should not apply.
To address this risk, financial institutions can program telephone prompts to help consumers bypass fees when calling in with an error notice. Alternatively, sufficiently trained employees will be better enabled to identify calls in which consumers are alleging a Regulation E covered error. Finally, given the high volume of calls at most prepaid calling card centers, adequate monitoring or call sampling would provide an opportunity to monitor this risk on an ongoing basis.
Regulation E Error Resolution for Foreign Remittance Transfers
Regulation E provides remittance transfers15 with separate error resolution procedures in §1005.33, which generally govern when the asserted error involves a remittance transfer provider, subject to limited exceptions.16 In 2016, Outlook reviewed the Regulation E requirements for foreign remittance transfers with an extended discussion of error resolution procedures. In the 2016 article, Table 2 summarized the EFT error resolution procedures for remittance transfers by listing which transactions are defined as errors, the elements of an error notice, and the obligations financial institutions must satisfy in responding to an error notice.
Several elements of the remittance transfer error resolution procedures are similar to elements of the general EFT error resolution procedures. In both procedures, the financial institution may avoid investigating the alleged error by choosing to correct the alleged error in the amount or manner alleged. In both procedures, if an error occurred, the institution may not impose a charge related to any aspect of the error resolution process. In both procedures, if an investigation concluded no error occurred, written notice must be provided to the consumer, while if an investigation concluded an error occurred, oral notice can be provided.
Despite their similarities, the procedures have at least one significant difference. The error resolution procedures for remittance transfers explicitly require remittance transfer providers to establish policies and procedures designed to ensure compliance with the error resolution requirements. The policies and procedures must include instructions to retain records of senders’ error notices (including any supporting documentation) and the remittance transfer provider’s findings from investigating the alleged error. Consistent with the general Regulation E retention requirements in §1005.13, the provider must retain these documents for a minimum of two years.
Examiner Insights on Remittance Transfer Error Resolution Procedures
In 2019, the Bureau brought a consent order against a non-bank remittance transfer provider.17 The facts and analysis of the order provide guidance for possible compliance management program enhancements. The remittance transfer provider initially did not have written policies and procedures designed to ensure compliance with the error resolution requirements. The provider later adopted a policy, but it failed to comply with regulatory requirements.
For example, the policy did not define the key terms of remittance transfer error and a consumer’s notice of error, it also did not specify the type of investigation required, how to communicate the results of the investigation to the consumer, or the regulatory time limits for conducting the investigation. These deficient procedures contributed to violations of the error resolution requirements for remittance transfers. The Bureau found that the provider also failed to properly report error investigation results, failed to notify consumers of their rights after an investigation of an error, and even made deceptive representations to consumers that the provider would not be responsible for errors made by payment agents.
To correct its remittance transfer error resolution procedures, the Bureau required the remittance transfer provider to enhance several of its compliance pillars. Consistent with Regulation E requirements, the remittance provider was required to maintain policies and procedures designed to ensure compliance with the error resolution requirements related to remittance transfers. Additionally, the provider had to maintain a compliance management system and conduct training and oversight, reasonably designed to ensure that operations comply with Regulation E remittance requirements. Overall, the facts of this case and the terms of the consent order provide a helpful reminder that the absence of a critical control like effective procedures can have a cascading impact resulting in other violations.
Conclusion
With the addition of the prepaid account rule and the large number of transactions conducted with these accounts, it is important that financial institutions understand their obligations under the prepaid account rule in responding to notice of an error and determining a consumer’s liability for unauthorized transactions. As discussed in the article, these obligations vary in some ways from the requirements for non-prepaid EFTs. Similarly, errors can occur with the large volume of foreign remittance transfers, so it is important that financial institutions providing this service understand their obligations for error resolution for these transfers. Specific issues and questions related to error resolution and consumer liability for unauthorized transactions should be raised with the institution’s primary regulator.
ENDNOTES
1 See 81 Federal Register 83934 (November 22, 2016). In 2018, the Bureau amended the rule to change the effective date, modify the error resolution and consumer liability provisions, and make other changes. 83 Federal Register 6364 (February 13, 2018).
2 See 12 C.F.R. §1005.2(b)(3)(i). Prior to the 2016 rule, payroll cards and government benefit cards were already covered under provisions of Regulation E. The 2016 rule modified some of these requirements, and classified both cards as prepaid accounts. Thus, the 2016 prepaid account rule should be understood as modifying the existing requirements for payroll and government benefit cards while creating new protections for the other categories of prepaid accounts. The rule excludes certain accounts from the definition of prepaid account, including gift cards, loyalty cards, and accounts loaded only with funds from a health savings account.
3 See 83 Federal Register 6364, 6382 (February 13, 2018). In response to the rule, PayPal sued the Bureau to challenge certain aspects of the rule. In PayPal, Inc. v. CFPB, 2020 WL 7773392 (D.D.C. December 30, 2020), a district judge vacated two provisions of the prepaid account rule. The Bureau is appealing this decision. Error resolution and liability procedures are unaffected by the ruling.
4 See §1005.18(e)(3)(i).
5 See 83 Federal Register at 6382.
6 See §1005.18(e)(3).
7 See §1005.18(e)(3)(ii)(A).
8 See §1005.18(e)(3)(iii). See also 83 Federal Register at 6383 (“[T]he final rule does not require financial institutions to limit liability or resolve errors that occurred prior to verification on accounts that are later successfully verified.”)
9 See §1005.18(e)(3)(ii)(B).
10See §1005.18(e)(3)(ii)(C).
11 See §1005.18(e)(2)(i)(A) and (B).
12 See §1005.18(e)(2)(ii); Comment 18(e)-1.
13 See Comment §1005.11(b)(1)-7.
14 See Comment §1005.11(c)-3.
15 A remittance transfer is an international electronic transfer of funds requested by a sender in a state, territory, or possession of the United States to a designated recipient in a foreign country and sent by a remittance transfer provider. 12 C.F.R. §1005.30(e.)
16 If an alleged error in a remittance transfer originates from an account in a financial institution, and the institution is not the remittance transfer provider, §1005.11 exclusively applies. However, if the financial institution from which the funds are being transferred is also the remittance transfer provider, §1005.33 exclusively applies.
17 See In the Matter of Maxitransfers Corp. (Bureau Consent Order, August 23, 2019).