Jump to Content
ABA: The American Bankers Association
Skip Section Navigation

A consumer filed a Regulation E dispute. May the bank decline it because the customer gave a fraudster her debit card information?

My bank has a consumer customer who provided her debit card information to a fraudster claiming to be an Apple representative. The fraudster stated that he needed her debit card and personal identification number (PIN) in order to verify some charges on her Apple account. The consumer cooperated and the fraudster ultimately charged the customer's account for several thousand dollars. The consumer filed a Regulation E dispute. May the bank decline it because the customer gave the fraudster the information?

No. The bank should not deny the claim, as this was an unauthorized transaction.

Regulation E defines an unauthorized electronic fund transfer (EFT) as any EFT from an account initiated by someone without authority to initiate the transfer and from which the member receives no benefit. (§1005.2(m).) Unauthorized EFTs include transfers using an access device, such as a debit card, that was obtained by robbery or fraud.

When a consumer provides his or her account information to a fraudster pretending to be a bank or other legitimate entity needing the information for something other than making an EFT and the fraudster uses that information to initiate EFTs from the consumer’s account, the EFTs are unauthorized because the information was obtained via fraud, even though the consumer voluntarily provided the information to the fraudster.

Providing credentials to someone does not necessarily mean that the consumer has "authorized" a transaction. It depends on how the fraudster obtained the information and the customer’s purpose in providing it. If, for example, the consumer provides the information as a means to pay someone—even if the customer is tricked into making the payment—it is authorized. However, if someone tricked the customer into providing certain account information (e.g., "I am from the bank/IRS and need this information"), but the customer did not authorize a payment, it is not an authorized transaction.

In some cases, one could reasonably infer that when the consumer provided the account information, the consumer intended to authorize a transaction, but the bank would need some kind of proof. Of course, a transaction is authorized if the consumer acted fraudulently or gave someone else permission to use her or his access device.

In the case you describe, your customer thought she was providing her information for a legitimate purpose and did not authorize any transactions. (January 2021)

Compliance Hotline

Have a compliance-related question? We're here to help. Members, reach us by phone or email.