According to the Identity Theft Resource Center and CyberScout, the number of data breaches in 2017 reached a record high of 1,579. This is a 44% increase over the previous record-setting high in 2016. The good news is, financial institutions did not top the list when it comes to the type of entities that were breached. The bad news is, the likelihood that your financial institution, regardless of size, will be impacted by these breaches is high.

Unfortunately, there is more bad news that increases the odds. ATM malware first surfaced in 2009 and, in 2017, we saw the emergence of a new form of cybercrime – ATM malware-as-a-service. As this evolves, experts are indicating that in 2018 we could see the full automation of ATM malware attacks. By using a mini-computer automatically attached to an ATM, fraudsters can install the malware and collect card data in a very short period of time.

And then there was the notorious Equifax breach. Sensitive data of more than 140 million U.S. residents was exposed. The impact of this type of “big data” leak has too many implications to discuss in one article. But, we do know criminals use the data for financial gain.

What does this mean for compliance and deposit officers? While IT and security personnel are diligently working to enhance security measures at your institution, compliance and operations professionals are often dealing with the aftermath – fraudulent transactions reported by consumers, the victims.

Deposit Managers Must Prepare for an Increase in EFT Error Claims

The increase in security breaches and the emergence of new threats should have all financial institutions proactively preparing for an increase in unauthorized transactions and other alleged errors subject to the rules of the Electronic Funds Transfer Act. The EFTA, otherwise known as – and implemented by – Regulation E, was enacted in 1978, but 40 years later it is still a source of confusion for many financial institutions.

Let's face it, most consumers don't really know their rights if they believe an “error,” such as an unauthorized transfer, has posted to their account. And in many instances, financial institutions find the complexities of the regulation confusing or too burdensome. In response, institutions implement procedures that often result in either reimbursing money they shouldn't or aren't required to, or not reimbursing enough, which can result in an adverse snowball effect on the consumer, increasing both compliance and legal risk. Neither of these scenarios is favorable, so it's easier to pick the worst of the worst.

Challenges for Compliance Officers

When a consumer notifies an institution of an alleged error – verbally or in writing – the Reg E “time clock” is triggered and compliance with the error resolution procedures is required. The claim and the investigation must be documented, notices must be given and the consumer's liability must be properly calculated, all within the timeframes established by Reg E. The rules established by NACHA for ACH transactions and the card networks for debit cards are contractual in nature and may overlap, but they do not “trump” Reg E. Rules that are more favorable to the consumer, such as zero liability, can take precedence over Reg E, but in all other instances the federal regulation prevails. For example, the investigation period for a claim involving a P.O.S. transaction is 90 calendar days. The chargeback process may take longer, but the claim must be finalized and closed in accordance with Reg E.

At the time Reg E was adopted in 1978, paper-based payments far outnumbered electronic fund transfers, making the process a little less complicated. Today, obviously, the exact opposite is true. EFTs are the predominant payment method, and with the number of data breaches across all industries, the number of fraudulent transactions reported by consumers is predicted to increase.

To comply with Reg E, financial institutions have to know when a claim has officially been made so it can be investigated and resolved within the timeframe set forth in the law. Institutions must know when to issue provisional credit to consumers while the investigation moves forward, when it must be completed and the final credit issued, or when provisional credit can be revoked if the investigation shows that no error actually occurred.

And there's more. As I stated above, to avoid issues or to skirt figuring out the complexities of Reg E, financial institutions are often conducting no investigation and just reimbursing consumers – even when some liability could be imposed. Avoiding the complexities of Reg E by handling claims in this manner used to seem like the easiest solution for everyone. But with the increase in claims, it is no longer a prudent practice.

Consider the following example: Two unauthorized transactions have posted to a consumer's account as a result of a lost debit card, one in the amount of $375 and the other $100. Now, presume the consumer did not notify the institution within the required two-business-day period; therefore, two tiers of liability apply. The first transaction posted the first day after the consumer became aware that their debit card was missing and the second transaction posted three days later. When posted in the order above (respectively), the consumer's liability is only $150. But, when the posting order is reversed (i.e., the $100 transaction first), the consumer liability is $425. Confusing enough?

How Can Compliance Officers Help Deposit Managers Cut the Risks of Common Reg E Violations?

As a compliance or risk management officer, you can reduce the risk of violations by developing an effective system of controls. Here are some processes to implement:

  • A uniform method for documenting received claims – whether the notice was oral or in writing;
  • Procedures that ensure the prompt submittal of claims to the appropriate department upon receiving a notice of an alleged error;
  • A system that ensures the prompt investigation of these claims;
  • Procedures that ensure the adequate documentation and tracking of the steps and status of the investigation;
  • A tickler system that prompts the appropriate personnel of approaching timeframes; and
  • Most importantly, adequate training of all employees involved in the error resolution.

To provide further assurance of adherence, periodically review claims to verify the effectiveness of the established procedures and identify the need for additional training.

Compliance with the timeframes is important. Imposing liability where you can is also critical to avoid unwarranted losses. But it's also important to ensure your members are receiving proper credit as required by law. Doing it right and assuring both results in the only real win-win situation.

Lori Moore is Chief Risk and Compliance Officer for FINBOA. She can be reached at 281-503-1233 or [email protected].
