Locke Lord QuickStudy: CFPB Updates Guidance Regarding “Unauthorized Transfers” Under the Electronic ‎Fund Transfer Act

Locke Lord LLP
June 14, 2021

Over the last several years, advancements in digital banking have allowed electronic fund transfers to become the predominant method of completing consumer transactions.  The COVID-19 global pandemic has only accelerated this trend.  Accompanying the sheer volume of online transactions, however, are attendant risks associated with electronic transfers, including fraudulent conversion of access device information and other means of wresting control of consumer accounts.1  As the country emerges from the pandemic, and as financial institutions expand digital service offerings, the industry must increasingly focus on those risks.  Heightened attention is warranted especially for those increasing number of fraudulent transactions not involving pre-authorized payments, but resulting from one-time transfers precipitated by unknown bad actors.

It is in this context that the Consumer Financial Protection Bureau recently updated its interpretive guidance regarding unauthorized electronic fund transfers.  Electronic Fund Transfer FAQs, Version 1 (updated June 4, 2021).2  Enacted in 1978, the Electronic Fund Transfer Act, 15 U.S.C. §§ 1693 et seq. (the “EFTA”), provides the framework for protecting parties engaged in electronic transactions wherein funds are debited from or credited to an asset account.  While the language of the EFTA is sparse, it has as a primary objective the protection of consumer rights, which courts and regulators alike have affirmed.3  Additionally, courts have generally adhered to the EFTA’s framework for determining which party bears the risk of loss for unauthorized transfers, specifically related to prearranged plans under which periodic transfers are contemplated.4  Regulation E, moreover, generally limits consumer liability for unauthorized transactions if such transactions are timely reported to the financial institution.5  Of particular relevance here, however, is the appropriate balance regarding the risk of loss between financial institutions and consumers arising from unauthorized electronic transfers involving third-party swindlers.

An “unauthorized electronic fund transfer” is defined under the EFTA as a transfer from a consumer account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer received no benefit.6   However, under the statute, unauthorized electronic fund transfers do not include, among other things, transfers involving a person other than the consumer who was furnished with the means to access the consumer’s account unless the consumer has notified the financial institution that transfers by such persons are no longer authorized.7  If a transaction is “unauthorized” under the EFTA, a consumer’s liability will generally not exceed the lesser of $50 or the amount transferred within two business days of the date the unauthorized transfer occurs, if the transfer is reported to the financial institution within that timeframe, among other limitations.  If the consumer does not notify the financial institution within two business days, however, the consumer’s liability will not exceed the lesser of $500; or 1) $50 or the amount of unauthorized transfer occurring within two business days, whichever is less; and 2) the amount of unauthorized transfer occurring after two business days, but before notice is provided to the financial institution, among other limitations.8  Whether the EFTA is applicable, therefore, to fraudulent third-party transfers unrelated to pre-authorized transactions largely determines a financial institution’s risk of loss under the EFTA.

At least some courts have interpreted the definition of “unauthorized electronic fund transfer” narrowly.  For example, in Kashanchi, supra, plaintiffs held a savings account at a local bank, which they sued after the bank allowed $4,900 to be transferred from their account.  The subject transfer apparently was initiated by a telephone conversation between an employee and an unknown third party.  After the bank refused to credit the plaintiffs’ account, they claimed a violation of the EFTA.  The Fifth Circuit affirmed the dismissal of the suit on grounds that the statute excluded plaintiffs’ cause of action.   In so doing, the Court examined the nature of transactions generally covered by the statute, premised on a review of the Congressional record.  It concluded that any transfer of funds initiated by a telephone conversation “not  pursuant to a prearranged plan and under which periodic or recurring transfers are not contemplated” do not constitute unauthorized transfers.

The Consumer Financial Protection Bureau has taken a broader view.  Framing its “Electronic Fund Transfer Act FAQs” through a series of hypothetical questions involving unauthorized third-party access, the CFPB appears to shift even more of the risk of unauthorized third-party transactions to financial institutions.  Unauthorized electronic fund transfers now include those transactions resulting from consumers being fraudulently induced into knowingly providing account access to bad actors.  For example, the CFPB notes that:

If a third party fraudulently induces a consumer into sharing account access information that is used to initiate an electronic fund transfer from the consumer’s account, does the transfer meet Regulation E’s definition of “unauthorized electronic fund transfer”?  Yes

Here, in situations where a bad actor has fraudulently obtained access to a consumer’s account information by 1) either calling the consumer under false pretenses to obtain login or similar information; or 2) through phishing to gain access to a consumer’s computer, those activities meet the definition of an unauthorized electronic fund transfer.9  The CFPB has similarly determined that transactions resulting from a third party fraudulently inducing a consumer to disclose account information, or otherwise resulting from a consumer’s negligence, also trigger EFTA coverage.  This interpretative guidance is arguably a significant departure from the language of the EFTA.10

The practical consequence of the CFPB’s position is to vastly expand the potential risk of loss associated with third-party fraud for financial institutions.  Given the volume of potential fraud, it becomes that much more urgent for institutions to develop robust protocols to not only facilitate customer reporting of fraudulent transactions, but also pre-empt costly exposure resulting from digitized fraud.  This guidance also raises the specter of litigation involving disputes over significant, unrecoverable transfers accomplished through the consumer’s voluntary – even negligent  – disclosure of account information to a bad actor.  In light of this guidance, financial institutions must consider leveraging whatever resources are necessary, including providing additional guidance to consumers, to mitigate the risk of loss and litigation arising from an increasing number of fraudulent fund transfers.


1. See, e.g., that industry losses resulting from digital banking fraud topped $2.3 billion in 2016)
2. See,
3. See, e.g., Clemmer v. Key Bank Nat’l Association, 539 F.3d 349, 353 (6th Cir. 2008);
4. See, e.g., Kashanchi v. Texas Commerce Med. Bank, N.A., 703 F.2d 936, 941 fn. 6 (5th Cir. 1983).‎
5. Regulation E, 12 CFR § 1005.6(b).
6. ‎15 U.S.C. § 1693a(12).‎
7. Id., §1693a(12)(A).‎
8. Id., §1693g(a),(e); Regulation E, 12 CFR § 1005.6(b).
9. See,, Questions 1, 2.
10. See id., §1693a(12)(A).‎