s Fraud Liability Matrix s Fraud Liability Matrix Prepared by the Federal Reserve Bank of Minneapolis s, Standards, and Outreach Group April 2018 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 1
s Fraud Liability Matrix (Fraud ) Consumer Protection Who is liable if cannot recover against fraudster or merchant Credit Items Consumer not liable if they report fraud within 60 days after transmittal of the consumer s periodic statement. Reg. E (12 CFR 205.6(b)(3)) Originating Depository Financial Institution ( ODFI ) 1 is liable for breach of warranty that an item is authorized. Credit Items may generally be returned at any time. The ODFI warranties regarding entries are set forth in NACHA 2 OR 2.4.1 2.4.4. Liability for breach of these warranties is set forth in NACHA OR 2.4.5. Return deadlines for credit items are set forth in NACHA OR 3.8 ACH Debit Items Consumer not liable if they report fraud within 60 days after transmittal of the consumer s periodic statement. A Receiving Depository Financial Institution ( RDFI ) 3 must promptly recredit a consumer s account if the consumer provides timely written notification of an unauthorized debit item and the consumer has not waived the RDFI s recredit obligation. Reg. E (12 CFR 205.6(b)(3)) NACHA OR 3.11. Written notification requirements are contained in NACHA OR 3.12. Specific recredit rights for ARC, BOC, POP, IAT, and RCK entries are set forth in NACHA OR 3.11.2.1 3.11.2.3. ODFI is liable for breach of warranty that item is authorized. An ODFI must accept the return of unauthorized items returned by the RDFI within 60 days after the settlement date. Warranty claims may be brought after the 60-day period outside of the ACH network. The ODFI warranties regarding entries are set forth in NACHA OR 2.4.1 2.4.4. Liability for breach of these warranties is set forth in NACHA OR 2.4.5. NACHA OR 2.12.1; 3.13. 1 Defined in 2018 NACHA Operating Rules 8.66. 2 Any reference to NACHA in this document refers specifically to the 2018 NACHA Operating Rules ( NACHA OR ) or the 2018 NACHA Operating Guidelines ( NACHA OG ). 3 Defined in NACHA OR 8.83. 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 2
s Fraud Liability Matrix (Fraud ) Forged (counterfeit) check 5 Consumer Protection Who is liable if cannot recover against fraudster or merchant Consumer not liable as the check is not properly payable. 6 Payor bank must not charge or must recredit the amount of the fraudulent check to the consumer s account. UCC 4-401 Payor bank is liable as there is no breach of presentment warranty. UCC 4-401. Presentment warranties 7 are set forth in UCC 3-417 and 4-208 Check 4 Forged drawer s signature Consumer not liable as the check is not properly payable. Payor bank must not charge or must recredit the amount of the fraudulent check to the consumer s account. Possible exception if consumer s negligence substantially contributed to the forged signature, or if consumer failed to report unauthorized payment in a timely manner. UCC 4-401 UCC 3-406 UCC 4-406 Payor bank is liable as there is no breach of presentment warranty. If both payor bank and consumer were negligent, the loss will be allocated between the payor bank and consumer. UCC 4-401; 4-406(b). Presentment warranties are set forth in UCC 3-417 and 4-208 Forged endorsement Consumer not liable because loss is allocated to the initial recipient of the item with the forged endorsement (usually the depositary bank). Presentment warranties are set forth in UCC 3-417 and 4-208 Transfer warranties 8 are set forth in UCC 3-416 and 4-207 Depositary bank is generally liable because it would breach transfer or presentment warranties in the process of collecting the item, but would have a right of charge-back against its customer. Presentment warranties are set forth in UCC 3-417 and 4-208 Transfer warranties 8 are set forth in UCC 3-416 and 4-207 4 These protections also apply to business checks. 5 Unless otherwise noted, each fraud type applies to both paper and electronic checks. 6 An item is properly payable if it is authorized by the customer and is in accordance with any agreement between the customer and bank. UCC 4-401(a). 7 A presentment warranty refers to an implied promise by a presenting bank and previous transferors to a payor bank that, among other things, the presenting bank is (and the previous transferor was) entitled to enforce a check. 8 A transfer warranty refers to an implied promise by a collecting bank to a transferee that, among other things, the collecting bank is entitled to enforce a check. 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 3
s Fraud Liability Matrix Check 4 (Fraud ) Fraudulent Alteration Forged (Remotely Created Checks and electronicallycreated items) Consumer Protection Who is liable if cannot recover against fraudster or merchant Consumer not liable as the check is not properly payable. Payor bank must not charge or must recredit the amount of the fraudulent check to the consumer s account. Possible exception if consumer s negligence substantially contributed to the forged signature, if consumer failed to report unauthorized payment in a timely manner, or if an incomplete check was fraudulently completed. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer failed to report unauthorized payment in a timely manner. UCC 4-401 UCC 3-406 UCC 4-406 UCC 3-407(c) UCC 4-401 Reg. CC (12 C.F.R. 229.34(b)(2)) 9 Depositary bank is generally liable as there is breach of transfer or presentment warranties. Depositary bank is generally liable due to breach of transfer and presentment warranties with respect to remotely created checks and electronically-created items. Presentment warranties are set forth in UCC 3-417 and 4-208 Transfer warranties are set forth in UCC 3-416 and 4-207 Reg. CC (12 CFR 229.34(b)(1); 229.34(g)(2)) Duplicate Presentment (electronic checks, substitute checks, and electronicallycreated items) Payor bank will not debit consumer s account with respect to duplicate presentments. UCC 4-401 Depositary bank is generally liable due to breach of transfer and presentment warranties with respect to electronic and substitute checks and indemnity with respect to electronically-created items. Reg. CC (12 CFR 229.34(a)(ii); 229.34(g)(3)) 9 References to Reg. CC in this document are to the version effective July 1, 2018. 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 4
s Fraud Liability Matrix (Fraud ) Consumer Protection Who is liable if cannot recover against fraudster or merchant Credit Card Present (signature or PIN required) $50 The consumer s maximum liability under federal law is $50 for unauthorized use. If the credit card is reported as lost or stolen before it is used by an unauthorized person, then the card issuer cannot hold the customer liable for unauthorized charges. Truth in Lending Act; Reg. Z (12 CFR 226.12(b)); see Ftc.gov 11 The Issuing Bank is generally liable for fraudulent transactions. However, if EMV was not used, the party (merchant or issuer) that has not adopted EMV technology is liable. 12 Truth in Lending Act; 13 Visa and MasterCard rules and policies, 14 liability shift rules, 15 and chargeback guidelines. 16 10 MasterCard and Visa are used in this document as examples of major credit and debit card networks. You may obtain similar information regarding other networks via their websites, policies, and/or terms and conditions. 11 Federal Trade Commission consumer fact sheet, LOST OR STOLEN CREDIT, ATM, AND DEBIT CARDS, http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-anddebit-cards (March 16, 2015). 12 This EMV-based liability shift does not apply to automated fuel dispensers until October 1, 2020. 13 Under 15 U.S.C. 1643(b), the Issuing Bank has the burden of proof to show that card use was authorized in order to enforce liability for the use of a credit card. 14 The Visa and MasterCard network rules apply to participants in the network, including Issuing Banks (banks that issue cards to cardholders) and Acquiring Banks (banks that facilitate transactions on behalf of a merchant). Visa publishes its Core Rules at https://usa.visa.com/support/consumer/visa-rules.html. (January 28, 2018). MasterCard publishes its policies and rules at https://www.mastercard.us/en-us/about-mastercard/what-we-do/rules.html (January 28, 2018). 15 Visa s and MasterCard s policies establish that a party that is the cause of a contact chip transaction not occurring will be liable for any resulting card present counterfeit fraud. An issuer would be liable if it did not invest in EMV chip cards, and a merchant would be liable if it had not invested in EMV-compatible terminals. If neither or both parties are EMV compliant, then the fraud liability remains the same as it is today. See https://www.visa.com/chip/merchants/grow-your-business/paymenttechnologies/credit-card-chip/liability-shift.jsp (February 1, 2018); https://www.mastercard.us/content/dam/mccom/en-us/.../merchant-emv-chip-faqs.pdf (February 1, 2018). 16 https://usa.visa.com/dam/vcom/download/merchants/chargeback-management-guidelines-for-visa-merchants.pdf; https://www.mastercard.us/en-us/merchants/getsupport/merchant-learning-center.html (February 1, 2018). 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 5
s Fraud Liability Matrix Credit (Fraud ) Card Present Continued (signature or PIN required) Consumer Protection Who is liable if cannot recover against fraudster or merchant The consumer has no liability for unauthorized use under Visa/MasterCard consumer policies, provided that certain requirements are met. Visa's Zero Liability Policy guarantees that a Cardholder won't be held responsible for unauthorized charges if the Cardholder s card is lost, stolen, or fraudulently used, provided that the Cardholder was not grossly negligent, did not commit fraud, did not delay in reporting unauthorized use, and has an account in good standing. 17 MasterCard s Zero Liability Protection has similar requirements for a Cardholder to have liability. 18 If a Cardholder does not meet these requirements, then the Cardholder may be liable for fraudulent charges up to the limits specified in federal law. Visa/ MasterCard websites The Issuing Bank is generally liable for fraudulent transactions. However, if EMV was not used, the party (merchant or issuer) that has not adopted EMV technology is liable. 12 Visa and MasterCard policies, 14 liability shift rules, 15 and chargeback guidelines. 16 17 Visa s Zero Liability Policy does not apply to Visa corporate or Visa purchasing card or account transactions, or any transactions that are not processed by Visa. https://www.visa.com/chip/personal/security/zero-liability.jsp (January 28, 2018). 18 MasterCard s Zero Liability Protection requires only that: 1) a customer used reasonable care in protecting the customer s card from loss or theft; and 2) a customer promptly reported loss or theft to the customer s financial institution. The policy does not apply to commercial cards or unregistered prepaid cards. https://www.mastercard.us/en-us/about-mastercard/what-we-do/terms-of-use/zero-liability-terms-conditions.html (January 28, 2018). 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 6
s Fraud Liability Matrix (Fraud ) Consumer Protection Who is liable if cannot recover against fraudster Credit Card not present (telephone order, mail order, subsequent recurring payment, and e- commerce transactions) $50 The consumer s maximum liability under federal law is $50 for unauthorized use. No liability for unauthorized use if credit card number was used but the actual card was not lost or stolen. The consumer has no liability for unauthorized use under Visa/MasterCard consumer policies, provided that certain requirements are met. Visa's Zero Liability Policy guarantees that a Cardholder won't be held responsible for unauthorized charges if the Cardholder s card is lost, stolen, or fraudulently used, provided that the Cardholder was not grossly negligent, did not commit fraud, did not delay in reporting unauthorized use, and has an account in good standing. 17 MasterCard s Zero Liability Protection has similar requirements for a Cardholder to have liability. 18 Truth in Lending Act (15 USC 1643(a)); Reg. Z (12 CFR 226.12(b)); see Ftc.gov Ftc.gov 11 Visa/ MasterCard websites Depending on contractual arrangements, the merchant or Acquiring Bank is generally liable for fraudulent card not present transactions. Visa and MasterCard policies and rules 14 and chargeback guidelines. 16 If a Cardholder does not meet these requirements, then the Cardholder may be liable for fraudulent charges up to the limits specified in federal law. 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 7
s Fraud Liability Matrix Debit (Fraud ) Card Present (signature or PIN required) Consumer Protection Who is liable if cannot recover against fraudster or merchant Federal Law and Regulations: Unlimited Under Regulation E and Federal law, a consumer s maximum liability varies based on when a consumer reports unauthorized transactions or a lost or stolen card. A consumer may be liable for up to: if loss or theft of card is reported prior to fraudulent transaction $50 if consumer reports loss or theft of card within two business days after the consumer learns of the loss or theft $500 if consumer reports loss or theft of card more than two business days after learning of the loss or theft but less than sixty calendar days after the statement showing the unauthorized transfer(s) was sent All losses that occur more than sixty calendar days after the statement showing the unauthorized transfer(s) was sent and before a consumer reports the unauthorized transfer(s) 19 if consumer fails to report unauthorized transfer(s) within sixty calendar days after statement showing the unauthorized transfer(s) was sent. Visa and MasterCard Policies: The consumer has no liability for unauthorized use under Visa/MasterCard consumer policies, provided that certain requirements are met. Visa's Zero Liability Policy guarantees that a Cardholder won't be held responsible for unauthorized charges if the Cardholder s card is lost, stolen, or fraudulently used, provided that the Cardholder was not grossly negligent, did not commit fraud, did not delay in reporting unauthorized use, and has an account in good standing. 17 MasterCard s Zero Liability Protection has similar requirements for a Cardholder to have liability. 18 If a Cardholder does not meet these requirements, then the Cardholder may be liable for fraudulent charges up to the limits specified in federal law. Ftc.gov 11 Electronic Funds Transfer Act (15 U.S.C. 1693g); Reg. E (12 CFR 205.6(b)) Visa/ MasterCard websites The Issuing Bank is generally liable for fraudulent transactions for which a consumer is not liable. However, if EMV was not used, the party (merchant or issuer) that has not adopted EMV technology is liable. 20 Visa and MasterCard policies, 13 liability shift rules, 14 and chargeback guidelines. 15 19 In order for a consumer to be liable based on the consumer s failure to report unauthorized transfer(s), a financial institution must show that the loss would not have occurred but for the failure of the consumer to report the unauthorized transfer(s) within sixty days after transmittal of the statement. 15 U.S.C. 1693g(a)(2). 20 This EMV-based liability shift does not apply to automated fuel dispensers until October 1, 2020. 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 8
s Fraud Liability Matrix Debit (Fraud ) Card not Present (telephone or web initiated use) Consumer Protection Who is liable if cannot recover against fraudster or Same as Debit Cards Card Present (above). Note that the rules based on reporting lost or stolen cards do not apply to card not present transactions if a consumer s card was not lost or stolen, even if information from the card was stolen. Same as Debit Cards Card Present (above) Depending on contractual arrangements, the merchant or Acquiring Bank is generally liable for fraudulent card not present transactions. Visa Rules and/or Chargeback Guide, MasterCard Rules and/or Chargeback Guide, Secondary Sources 21 21 There is very little hard law on this issue. A number of secondary sources, however, assign the liability to the issuing bank. See Arnold S. Rosenberg, Better than Cash? Global Proliferation of Debit and Prepaid Cards and Consumer Protections Policy. 44 Column. J. Transnat l L. 520, 587 (2006). 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 9
s Fraud Liability Matrix Debit (Fraud ) Decoupled Debit Cards (Cards issued by Institution other than Bank in which consumer maintains an account.) Consumer Protection Who is liable if cannot recover against fraudster or Federal Law and Regulations: Unlimited Under Regulation E and Federal law, a consumer s maximum liability varies based on when a consumer reports unauthorized transactions or a lost or stolen card. A consumer may be liable for up to: if loss or theft of card is reported prior to fraudulent transaction $50 if consumer reports loss or theft of card within four business days after the consumer learns of the loss or theft $500 if consumer reports loss or theft of card more than four business days after learning of the loss or theft but less than ninety calendar days after the statement showing the unauthorized transfer(s) was sent All losses that occur more than ninety calendar days after the statement showing the unauthorized transfer(s) was sent and before a consumer reports the unauthorized transfer(s) 19 if consumer fails to report unauthorized transfer(s) within sixty calendar days after statement showing the unauthorized transfer(s) was sent. Visa and MasterCard Policies: The consumer has no liability for unauthorized use under Visa/MasterCard consumer policies, provided that certain requirements are met. Visa's Zero Liability Policy guarantees that a Cardholder won't be held responsible for unauthorized charges if the Cardholder s card is lost, stolen, or fraudulently used, provided that the Cardholder was not grossly negligent, did not commit fraud, did not delay in reporting unauthorized use, and has an account in good standing. 17 MasterCard s Zero Liability Protection has similar requirements for a Cardholder to have liability. 18 If a Cardholder does not meet these requirements, then the Cardholder may be liable for fraudulent charges up to the limits specified in federal law. Lesser of $50 or the amount of money, property, labor, or services obtained by the unauthorized use before notification to the Issuer. Reg. E (12 CFR 205.14(b); 205.6(b)) Visa/ MasterCard websites Between the Card Issuer and the Consumer s Financial Institution, The ODFI, (likely the Card Issuer) is liable for breach of warranty that an item is authorized. Between the Card Issuer and the Acquiring Bank, liability depends primarily on whether the transaction was a card-present or card not present transaction. NACHA Rules. See ACH Debit Items above. network rules - See Debit Cards above 2018 Federal Reserve Bank of Minneapolis, not to be used without consent. 10