The Electronic Fund Transfer Act and unauthorized debits: A bank’s unique burden

In the past year alone, more than 65,000 Americans were impacted by debit card fraud. With total losses projected to exceed more than $165 billion over the next ten years as fraudsters become more and more sophisticated, debit card fraud has become a mass spread issue impacting both consumers and banks. Particularly, banks have a unique burden of potentially sharing in customers’ losses when the customers are the victims of certain types of debit card fraud under the Electronic Fund Transfer Act of 1978 (the Act) as codified in 15 U.S. Code § 1693, et seq.

For clarity, the Act created various protections for consumers more than just the bank’s burden of potentially sharing in a consumer’s losses due to fraud. This article focuses on the background of the Act regarding unauthorized “electronic funds transfers” (EFTs). For ease of reading, I am simplifying much of the Act, even as it relates to EFTs.

Put simply, an EFT is any transfer of funds, other than a transaction originated by check, draft or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument or computer or magnetic tape so as to order, instruct or authorize a financial institution to debit or credit an account. A few examples: when you use your debit card at a point-of-sale system (i.e., purchase something from a store), that is an EFT; when you use an ATM, that is an EFT; and when you use a bank’s website to complete an ACH transfer out of your account, that is an EFT.

An unauthorized EFT is an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit. There are certain exemptions to this definition such as when the consumer furnished their card or code to the person initiating the transfer.

As a result of the Act, a bank may share in a customer’s losses due to an unauthorized EFT (i.e., the bank will reimburse the customer), depending on when the customer notifies the bank and whether an access device, like a debit card, was used to conduct the transaction. To oversimplify the Act, the extent of the customer’s losses (i.e., how much a bank will reimburse) due to a legitimate claim for an unauthorized EFT is determined solely by how quickly the customer notifies the bank. Under the Act, a bank may not use factors other than the timing of the notification of the unauthorized EFT to lessen their share of the loss. Factors such as a customer’s negligence (e.g., the customer wrote their PIN on their ATM card); a separate agreement between the customer and bank calling for a different share; or even if state law calls for a lesser share, may not be used to increase the customer’s liability (i.e., lessen the bank’s burden).

To further and greatly oversimplify the Act with relation to EFTs, if a customer timely notifies a bank of a legitimate unauthorized EFT, the bank will share in the loss and in my experience, the bank will take the majority share of the customer’s loss. Even more burdensome to the bank, if the customer timely notifies the bank, the Act shifts the burden of resolving the error from the customer to the bank. Taking yet another step, if the customer files a lawsuit against the bank regarding the share of the loss for an unauthorized EFT, the burden of proof is on the bank to show that the EFT was authorized or that the bank otherwise complied completely with the Act (unlike the large majority of lawsuits which require the party bringing the suit to prove their case).

So what was going on in 1978 when the Act became law?

Generally, financial institutions and banks were busy building out ATM networks with ATM cards and focusing on credit card use. Debit cards, the first option for real-time confirmation that a customer was good for the money, debuted in the 1970s and were a novel concept nowhere near the ubiquitous use that was to come in the 1990s. Likewise, point-of-sale terminals for on-the-spot card transactions weren’t widespread in retail. Indeed debit cards were not even available for point-of-sale transactions in 1978.

The national and global economy was for the first time coming to terms with the reality that banking could be conducted almost exclusively through machines and was fast becoming faceless. Perhaps against the desires of the general public, technology in life, specifically in payment methods, was increasing and only a patchwork of state and limited federal efforts provided, what some considered inadequate, protection to consumers who engaged in EFTs.

In response, Congress passed the Act and it was signed into law. In passing the Act, Congress sought to increase consumer awareness and acceptance of EFTs while remaining cognizant of, but not deterred by, the potential chilling effect on the development of EFT systems should regulation be too burdensome.

Amended only once since its passage, the Act was also part of a wider Consumer Credit Protection Act. The Act was signed into law with the explicit primary objective for “the provision of individual consumer rights.” 15 U.S. Code § 1693(b).

As such, the Act was aimed solidly at protecting consumers and making them comfortable with using EFTS. In fact, the Act is explicit in that its consumer protection measures are aimed at promoting disclosure and allocating liability in a broad, liberal way in favor of the consumer.

With its focus on individual consumer rights, the Act created a very unique burden on banks. Particularly with the burdens mentioned above and with relation to the bank’s share in the risk of loss for unauthorized EFTs with consumers, oftentimes regardless of any fault on part of the bank.

The Act was meant as the first take on regulating EFTs with a gear towards comforting consumers to use EFTs and was passed during a time that the total of debit card transactions totaled less than total of debit card fraud today. So, as of now, the 46-year-old Act controls. Consumers and banks alike must be wary of its provisions. 

Client alert authored by Cy Porras (312.855.4314), associate.

This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.