Unauthorized ATM Withdrawals: What if you don't believe the customer?
by Mary Beth Guard, BOL Guru
Question: Recently we had a consumer call in to inquire about her account balance. Once provided her balance, she informed our employee that her ATM card had been stolen (yes, this was within the 2 business days). Subsequently she says that an unauthorized transaction in the amount of $500.00 was taken from her account. The facts are as follows:
- the transaction occurred in the same building in which she works,
- During the same time frame in which she works,
- She states that NO ONE knows her PIN#, and
- PIN# was not written on the card or kept in proximity to the stolen card. When we reviewed the Transfund report we found out that there were absolutely no invalid PIN attempts. The PIN# was entered and the funds were disbursed. This customer has never written anything more than a drawer check on this account; it is solely accessed by her ATM card. We have interviewed the consumer and we just don't have a high comfort level about her story.
We have provided the customer provisional credit as required, but in performing our investigation we found there is not an active camera at this ATM....we are sort of at wits end. I have read and re-read the reg as to any support the reg gives to financial institutions when we feel that the customer's story is not true. What types of options does the bank have? The best that I could come up with is that under Section 205.6 - Liability of Consumer for Unauthorized Transfers - 6(a) Conditions for Liability - 1. Means of identification. A financial institution may use various means for identifying the consumer to whom the access device is issued, including but not limited to: i. Electronic or mechanical confirmation (such as PIN). .... Does this mean since we discovered that there were no invalid PIN attempts and she says that noone else knows the number that the bank would be able to identify the customer as the one who withdrew the funds?
Answer: The purpose of the investigatory period under Regulation E is not to merely inconvenience the customer or delay his access to funds. It is to give you the necessary time to take a good hard look at the facts and determine whether you believe the claim is legitimate. If you believe the claim is legitimate, you follow the rule's timing requirements to correct the error or reverse the unauthorized transaction. If you do not believe the transaction is legitimate, however, you instead follow the timing requirements for notifying the customer of the outcome of your investigation and let them know you will not be taking further action.
The risk you run by denying the claim is the customer may sue to enforce her rights under the EFTA. If she does sue, she will present her side of the story and any supporting evidence she might have. Your bank will do the same. You must ask yourself how you think a court or jury would rule after hearing both sides. Would they believe the bank or the customer? If you believe your case is not sufficiently clear to allow you to achieve an easy victory, you may want to reconsider paying the claim.
The fact of the matter is, either:
- the customer is lying; or
- the customer is mistaken about the facts; or
- you have some insider card fraud.
Someone, somehow, had to have access to the card and knowledge of the PIN. If they didn't get it voluntarily from the customer, they either had to subvert the fraud prevention measures in effect for your card program, or they had to obtain it by deceit.
The last option (#3) is the least likely, particularly because the withdrawal was made in the building where your customer works. Nonetheless, you should do a thorough review of your internal controls to assess whether it could have been possible for someone to obtain a copy of your customer's card, as well as the PIN.
Did you get a chance to look at the customer's card? Was she correct in her assertion that the PIN was not written on it? Have any other cards been issued on this account? Has she ever given her card to anyone else to use? Have any other persons ever been with her when she used her card? Have the operators of that particular ATM been notified of any other fraud committed there?
Have you checked to see if this customer has any prior history of fraudulent activity?
205.6 helps you, but doesn't definitely answer the question of whether or not she made the transaction. It's possible that in the past she withdrew funds in the presence of one of her coworkers who shoulder-surfed and memorized the number and she waited until she had an opportunity to briefly steal and use the card.
Ask a few more questions. See if that helps. If it doesn't, decide how you think you would fare if this ended up in court.
The original version appeared in the March 2002 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com