To protect consumers, among other things, the EFTA requires financial institutions to obtain affirmative consent, disclose any relevant restrictions, and take certain actions to investigate and communicate with a consumer in response to claimed unauthorized transactions. Ultimately, these consumer protections have culminated in an evolving list of regulations that impose a web of disclosure obligations with varying timing requirements on financial institutions and other persons involved in providing EFT services.
With a mountain of notice and disclosure requirements, it is no surprise that Regulation E is a major compliance pitfall for many financial institutions. Time and again, the Consumer Financial Protection Bureau (CFPB) and the National Credit Union Administration (NCUA) list Regulation E as a common source of legal violations identified during their annual examinations. Some of these common violations include:
- Failure to properly follow and complete Regulation E error resolution procedures, including requiring written confirmation of an oral error notice and providing notice in the revocation of any provisional credit.
- Failure to provide affirmative consent and opt-in confirmations for overdraft services.
- Failure to obtain written authorization and/or respond to and timely implement stop payment requests for preauthorized transfers.
This article will focus on the Regulation E violation identified by the CFPB in its enforcement action filed against TransUnion on April 12, 2022: the failure to obtain written authorization for preauthorized transfers from a consumer’s account.
Written Authorization for Pre-Authorized Transfers
Under Regulation E, 12 CFR Part 1005.10(b), preauthorized electronic fund transfers from a consumer’s account:
- Must be authorized by a signed writing; AND
- A copy of the authorization shall be provided to the consumer.
The Official Interpretation of the regulation also clarifies that “written authorization” may be provided electronically, but only if such electronic signature complies with the demands of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq. (the “E-SIGN Act”).
Although this requirement for written authorization for preauthorized electronic fund transfers from a consumer’s account is generally very straightforward, this is only one of many ongoing obligations under Regulation E requiring a financial institution (and/or the third-party payee) to take affirmative actions to obtain consent or provide notice. And this is a two-fold obligation, requiring a financial institution or third-party payee to BOTH (i) obtain specific prior written authorization, AND (ii) provide the consumer a copy of such authorization FOR EVERY preauthorized electronic fund transfer initiated from a consumer’s account. It should be noted that Regulation E also has notice requirements for preauthorized electronic fund transfers to a consumer’s account, but instead of prior authorization, the account-holding financial institution is simply required to provide written confirmation within two business days following such transfer. Additionally, unlike transfers from a consumer’s account, notice to a consumer for transfers to the consumer’s account is not required to be written notice; such notice may be provided in any manner authorized under 12 CFR 1005.10, including via telephone.
This written authorization rule has no qualifications, exceptions, or exclusions. Financial institutions need to review their services, processes, and procedures regularly to ensure they are maintaining compliance with these specific consent and disclosure requirements required under Regulation E in relation to preauthorized transfers from a consumer’s account.
Nonetheless, the CFPB does recognize a limited safe harbor for certain violations of this written authorization rule. Specifically, the CFPB’s Official Interpretation states it will be a bona fide error and “the payee does not violate the requirement to obtain a written authorization if the failure to obtain written authorization was not intentional,” and was based on the consumer’s representation that the card used for preauthorization is a credit card (not a debit card). However, this safe harbor only applies if the financial institution maintains procedures to avoid such errors. Generally, a specific request for the consumer to specify whether a debit card or a credit card is being used for the transaction is a reasonable procedure in accordance with Regulation E.
Finally, it is important to note that a financial institution will not be deemed to have violated Regulation E if a third-party payee fails to fulfill the written authorization requirements; in such case, the third-party payee is in violation of the regulation.
TransUnion Enforcement Action and Liability under the EFTA
On April 12, 2022, the CFPB filed a lawsuit against TransUnion, alleging that TransUnion violated the EFTA and Regulation E by failing to obtain written authorization for preauthorized transfers and for failing to provide consumers with copies of such authorizations. In its complaint, the CFPB claims TransUnion failed to adequately represent its products and services and engaged in deceptive and misleading tactics “to cause consumers to enroll in their subscription products and prevent them from cancelling.” See Complaint at 2, Consumer Fin. Prot. Bureau v. TransUnion, No. 22 C 1880, (N.D. Ill. 2022), https://files.consumerfinance.gov/f/documents/cfpb_transunion_complaint_2022-04.pdf. In support of its argument, the CFPB points to TransUnion’s service enrollment form, noting it did not contain “separate language of consumer authorization for a specific amount of recurring payments to be charged to consumers’ debit cards.” The CFPB asserts that because the terms of the preauthorized transfer were not “clear and readily understandable” to the consumer, TransUnion never obtained written authorization for such preauthorized transfers in accordance with Regulation E; and, therefore, could not and did not provide a copy of such authorization to the consumer as required by Regulation E. The CFPB also commented on the failure of TransUnion to provide easily accessible methods to permit a consumer to revoke its authorization for such recurring charges or otherwise cancel the services.
In its suit against TransUnion, the CFPB is seeking redress for consumers, injunctive relief, and civil money penalties; however, financial institutions and other covered persons should be aware that the risk resulting from violations of Regulation E is not limited to enforcement actions by a regulatory body. Rather, any failure to comply with the EFTA and Regulation E could result in a private right of action for impacted consumers, permitting recovery of: (1) actual damages, (2) a sum between $100 and $1,000, AND (3) court and attorneys’ fees. See 15 USCS § 1693m. Consumers must bring a suit for grievances under the EFTA within the statute’s one-year statute of limitations.
Lessons Learned from TransUnion
In efforts to mitigate the legal and compliance risks presented by Regulation E, financial institutions should review their services, processes, and procedures in light of this TransUnion enforcement action to ensure they are not engaging in any deceptive or misleading tactics similar to those practices identified as violations of Regulation E (or other regulatory violations identified by the CFPB in the complaint), resulting in recurring consumer payments without an express consumer authorization.
In sum, financial institutions can learn three main lessons from this TransUnion enforcement action and related Regulation E violations and should implement the following best practice takeaways:
- All service subscriptions should clearly describe whether the service is automatically recurring.
- There must be separate, readily apparent language to address a consumer’s authorization for recurring payments of a specific amount.
- A copy of such authorization of recurring payment must be provided, and such notice should offer a consumer the opportunity to cancel such transactions in the event such payment authorization was unintended by the consumer.
By implementing a strong compliance program, your financial institution will be able to avoid the common Regulation E pitfalls identified by the regulators year after year.
Baldini Lang LLC has extensive experience assisting clients in building compliance programs and policies to meet their legal requirements and establish best practice standards. Contact us for more information.