Regulation E – Can we hold our consumer liable when they willingly give out their access device?

By Robert Wilkins

February 12, 2025

Regulation E is always a hot button topic and the subject of constant regulatory scrutiny. For example, at the end of 2024, the CFPB sued JPMorgan Chase, Bank of America, and Wells Fargo for it’s handling of the popular Zelle P2P payment platform. Among the allegations were that those banks failed to provide protections to Zelle users that they were entitled to under the Electronic Funds Transfer Act and Regulation E. The CFPB noted that when bank customers would assert that they were fraudulently induced to provide their passcodes to a fraudster, and the fraudster accessed the consumer’s device to send unauthorized transfers, these banks were often failing to investigate these situations or denying these claims as authorized.

We regularly field questions about consumer negligence and the role that plays in Regulation E claims.  Specifically, whether a consumer can be held liable if they willingly provide their access device to the wrongdoer. Seemingly, the confusion comes from the provision (and accompanying commentary) in Regulation E that defines an unauthorized electronic transfer.  Briefly, Regulation E § 1005.2 defines an “unauthorized electronic fund transfer” to mean “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.”  One of the more common Regulation E consumer claims we hear about involves a consumer complaining that they provided their access code to someone purporting to be someone else, like an employee of the financial institution or some other third party that will help them in some way.

In these situations, some financial institutions have been quick to rely on the first enumerated exclusion to the definition of an unauthorized EFT, which is an electronic fund transfer initiated “by a person who was furnished the access device to the consumer’s account by the consumer, unless the consumer has notified the financial institution that transfers by the person are no longer authorized.”  Seems pretty straightforward – if a consumer willingly provides their access device to a third party, it is not an unauthorized EFT unless the consumer has previously notified the financial institution that transfers by that person are no longer authorized.  Not so fast …

A look at the CFPB’s commentary to Regulation E § 1005.2 makes clear that not all willing disclosure or transfer of access devices are treated equally.  The first piece of commentary talks about a willing grant of authority to a third party:

“Authority. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.”

This commentary addresses scenarios where a consumer provides willing authority to a third party and then the third party exceeds the initial grant of authority.  Imagine that a parent provides their access device to their child to purchase one new video game from an online app store.  The child, basking in their newfound wealth, decides it would be better to have ten games.  Though the parent only gave their child permission to purchase one game, the parent cannot claim that the child’s purchase of the nine additional games was unauthorized for the purpose of Regulation E unless the parent had already told the financial institution that their child was no longer authorized to use the access device.

Now imagine a separate scenario where a consumer is the victim of a scam where a wrongdoer convinces the consumer that they work for the financial institution. The wrongdoer tells the consumer to provide their access device for security purposes, or some other seemingly legitimate purpose.  Using that access device, the wrongdoer initiates EFTs from the consumer’s account.  Based on the previously referenced commentary, because the consumer provided their access device to third party, one could assume that this is not an unauthorized EFT.  However, the CFPB has addressed this scenario in a separate piece of commentary addressing fraud:

“Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.”

This commentary is unambiguous.  Thus, when a wrongdoer obtains the access device from a consumer through fraud or robbery, an EFT initiated by that wrongdoer using the consumer’s access device is unauthorized.  Financial institutions cannot rely on the previous commentary or regulatory text regarding authority to summarily deny a consumer’s claim of an unauthorized EFT under Regulation E.

Now, this is not to say that just because a consumer claims that they were the victim of fraud, that is the end of the story.  Under Regulation E a claim of an unauthorized EFT triggers a financial institution’s duty to investigate.  Through its investigation, the financial institution may find that the consumer was actually a participant in the fraud and thus the transaction was actually authorized.  However, ultimately, if the financial institution cannot disprove the consumer’s claim of fraud, it would be quite risky to reject the consumer’s claim under Regulation E on the sole basis that the consumer willingly provided their access device to another person.

About the Author

Robert Wilkins

Robert Wilkins is a Senior Associate Attorney at SW&M with experience in regulatory compliance, trust and decedent accounts, operational matters and cannabis banking. Robert was instrumental in creating the firm’s Cannabis Banking practice. Additionally, he co-authored SW&M’s California Trust Accounts […]

Learn More