Who's Liable in Web Fraud? Some Say Rules Lack Clarity

Article excerpt

As online fraud becomes more sophisticated and more common, banks have no choice but to shoulder the financial burden of reimbursing consumers for their losses.

Regulation E, the Federal Reserve Board's banking rules covering consumer electronic funds transfers, makes it clear that banks are on the hook.

Or does it?

To some, the rules seem silent in key areas and leave open the possibility of an interpretation that might let banks shift some of the responsibility back to the consumer.

Though there are no indications that any banks are considering mounting such an argument -- many have opted instead to promote fraud-protection policies that go beyond their duties under Reg E -- some observers say it is conceivable that the idea could catch on if covering fraud losses ever becomes prohibitively expensive.

Avivah Litan, a vice president and research director with the Stamford, Conn., market research firm Gartner Inc., said that while Reg E requires that banks reimburse consumers for unauthorized electronic transfers, in some cases it is mute on whether to define a transfer as unauthorized.

For example, phishing victims who reveal their passwords at phishers' bogus Web sites might be faulted for voluntarily handing over this information.

If the con artist logs on to the account and drains the funds, Ms. Litan said, "consumers have to prove that their password was stolen," which could allow a bank to dispute that the information was illegally used.

"With credit cards, people don't have to prove anything to dispute a transaction," she said. "Here they are guilty until proven innocent. Reg E is kind of vague."

Not so, said Nessa Feddis, the senior federal counsel in the American Bankers Association's government relations division.

She points to section 205.6 of Reg E, which clearly says that as long as consumers notify the bank in a "timely" manner (generally within 60 days of receiving their statement), they are protected against any unauthorized transfer, no matter how irresponsibly they may have acted.

The classic example is a consumer who writes their PIN on their automated teller machine card. If they lose the card and it is used to withdraw money from the machine, the customer is still covered for the loss, Ms. Feddis said.

"There is no negligence standard in Reg E," she said.

Steve Zeisel, a senior counsel at the Consumer Bankers Association, agrees.

He said that according to one of the commentary sections, negligence on the consumer's part "cannot be used as the basis for imposing" liability, and "behavior that may constitute negligence under state law, such as writing the PIN on a debit card ... does not affect the consumer's liability for unauthorized transfers." In other words, banks definitely seem to be responsible for the loss. …