Compliance Q&A: Customer Computer Hack and Bank Liability

Q. Our customer received a phone call from someone telling the customer that the customer’s computer was about to be hacked. The person convinced the customer to allow a remote logon to the customer’s computer to “stop the hacking process.” In this process, the customer provided both of his debit card numbers and PINs. The fraudster used these to then purchase gift cards. We feel the customer was clearly negligent in this case, but does that help the bank at all?

A. Unfortunately, when fraudsters gain access to accounts by persuading consumers to provide their access device (e.g., authorization or authentication code), Regulation E generally considers such situations to be unauthorized electronic fund transfers. Regulation E’s commentary specifically states that “[a]n unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.” Furthermore, according to the commentary, “consumer behavior that may constitute negligence under state law, such as situations where the consumer wrote the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.” Therefore, consumer liability in these instances is generally going to be limited to $50 if the consumer notifies the financial institution of the loss or theft of an access device within two business days of learning of the loss or theft of the access device, or up to a maximum of $500 if the consumer fails to provide notice within that time period.

Compliance Alliance offers a comprehensive suite of compliance management solutions. To learn how to put them to work for your bank, call (888) 353-3933 or email and ask for our Membership Team.