
Thursday, June 16, 2011

Setting the Record Straight on Prepaid, Part 4

What is Regulation E and when does it apply?

Well, if I were to answer that question thoroughly with plenty of examples and detailed explanation, it would take about 20 or 30 pages and you would be ready to fall asleep by the end of it. I know, because I wrote a document like that for a previous employer. I’ll give a simplified overview here; it won’t cover all the nuances, but should give you a reasonable idea of what’s going on.

Regulation E applies only to consumer accounts. It does not apply to accounts held by business entities, or to anything which is not an “account” as defined in the regulation (which is why it generally doesn’t apply to non-reloadable prepaid cards). The best-known parts of Regulation E protect the consumer from being liable for the full amount of unauthorized charges or electronic transfers, as long as the disputed charge meets certain requirements (for example, you can’t call a charge “unauthorized” just because the merchant who charged your card later refused to let you return an item you decided you didn’t want) and the consumer reports the unauthorized charge within the timeframes set out in Regulation E. The cardholder agreement for the GPR card will provide information on how the cardholder can report unauthorized charges.

Under Regulation E, if the physical card has been lost or stolen, the cardholder must notify the card issuer within two business days after becoming aware that the card was lost or stolen in order to limit the cardholder’s liability to $50. That is, if you lose your card at a concert on Thursday night but don’t realize it’s missing until Saturday morning, you have through Tuesday to report the loss and still take advantage of the $50 liability limit. If the cardholder fails to report the loss or theft within 2 business days of becoming aware of it, the cardholder still has up to 60 days after the date any unauthorized transactions appear on the card’s periodic statement in order to limit their liability to $500. You will not be liable for any unauthorized charges that appear on your card account after you have notified the card issuer of the loss or theft. “Periodic statements” for GPR cards are usually delivered to the customer online unless the customer specifically requests paper statements (for which the program manager may charge a fee, since they cost money to print and mail), and for that reason the cardholder agreement may specify a more lenient reporting timeframe, such as 90 or 120 days from the date that the unauthorized charges occurred, for the $500 liability threshold.

If unauthorized charges have been made on a GPR card account but the physical card has not been lost or stolen (this can happen, for example, if the information from the card’s magnetic stripe was copied by a skimmer at an ATM or gas pump, and then encoded by fraudsters onto another card), then the cardholder need only notify the card issuer within 2 business days of becoming aware of the unauthorized charges in order to invoke the $50 liability limit, and within 60 days after the date the unauthorized transactions appear on the periodic statement in order to invoke the $500 liability limit. Again, since periodic statements will typically be delivered online, the cardholder agreement may specify the more lenient timeframe of 90 or 120 days from the date the unauthorized charges occurred.

The financial institution has the right to request that the customer submit written confirmation that the charges in question are unauthorized within 10 business days of when the customer provides oral notice (that is, within 10 business days of when the customer calls the toll-free number and reports the unauthorized charges). If the customer fails to provide this written notice as requested, then the Regulation E limits on liability no longer apply.

Ms. Gogoi’s article implies that GPR card issuers can pick and choose which Regulation E liability standards to impose, whereas credit cards and bank accounts with associated debit cards are required to hew to a $50 liability limit. Specifically, she states: “Funds added to a card are FDIC insured, but the cards aren't protected by the federal laws that limit credit card customer losses to $50 for fraudulent charges. But prepaid providers set their own rules. Green Dot customers, for example, pay $4.95 for a replacement card and could lose up to $500, depending on how quickly the loss is reported. NetSpend's customers lose nothing, says Henry, but pay $9.95 for a new card.”

This is misleading, given that the article purports to primarily discuss the comparison between prepaid debit cards and traditional bank accounts. GPR card issuers most certainly do not just set their own customer liability rules willy-nilly, and debit cards associated with a traditional bank account are subject to exactly the same Regulation E limitations of liability as described above. Credit card issuers are required to limit cardholder liability to $50 by Regulation Z. Regulation E does not apply to credit cards, and Regulation Z does not apply to prepaid cards or traditional bank debit cards. Prepaid cards are not credit cards, and do not charge interest on purchases because credit is not being extended to the customer; the customer correspondingly has a greater responsibility to check for unauthorized charges on the card account – EXACTLY AS THEY WOULD WITH A TRADITIONAL BANK ACCOUNT.

GPR card issuers are, of course, able to waive customer liability for fraudulent charges, just as credit card issuers often waive the $50 customer liability as a goodwill gesture. It is incorrect and unfair to imply that, because some GPR card issuers choose to waive customer liability altogether and some do not, no regulatory limits exist on customer liability for unauthorized charges made on a GPR card.
