Compliance Questions & Answers

A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers.

If the consumer fails to do so, the consumer's liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period.

When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability.

If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period.

The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability:

• Up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card; and
• Up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft.

The first two tiers of liability do not apply to unauthorized transfers from a consumer's account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution's transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution.

For example, a consumer's account is electronically debited for $200 without the consumer's authorization and by means other than the consumer's access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability.

However, if in addition to the $200, the consumer's account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.

Reference: 1005.6(b)(3); Official Staff Interpretation 1005.6(b)(3), comments 1 and 2.

Part of the advertising requirements for Regulation Z includes a provision that “if an advertisement for credit states specific credit terms, it shall state only those terms that actually are or will be arranged or offered by the creditor.”

If there was an error, the bank needs to consider how it will respond, consider the following:

• Being prepared to adhere to the requirements of Regulation Z by honoring the advertisement’s stated rate
• Being prepared to acknowledge via a replacement/retraction that the advertisement was an error
• Determining whether a product may be offered that provides reasonable acceptable substitute to those who applied based on the original rate etc.

In addition the bank should consider corrective action to ensure that this is isolated, consulting the regulatory agency for guidance, documenting what happened and the correction process, reporting to the Board.

Reference: Regulation Z 12 CFR 1026.16(a); 1026.24(a)

Section 604 permits a person, including a bank, to obtain a consumer report for a legitimate business need for the information including in connection with a business transaction that is initiated by the consumer; or to review an account to determine whether the consumer continues to meet the terms of the account.

Reference: FCRA, Section 604(a)(3)(F).

For the purpose of part 328, safe deposit boxes and credit products are excluded from the definition of "non-deposit." Therefore, there is no requirement under part 328 for an IDI to include such a disclosure in marketing material for these products.

Reference: FDIC Q&As Part 328 Final Rule Question V.1

A disclosure delivered in an electronic format will not meet the requirement to provide disclosures in writing under a given regulation (e.g., Regulation Z or DD) unless it meets E-SIGN requirements specifically provided by the relevant regulation.

Reference: E-Sign Act Requirements, Fed. Consumer Affairs Update, Sept. 2014.

The Security Officer must report on the effectiveness of the Security Program annually and when updates are made to the program.

Reference: FED 12 CFR 208.61; OCC 12 CFR 21; FDIC 12 CFR 326