Access Devices and Regulation E – Clear as Mud?

Amy Donaghue

By: Karen Sylvester, AAP, APRP, CAMS, CRCM, NCP, Senior Director, Compliance Education

What is considered an “Access Device”?

Regulation E Section 1005.2(a) defines an Access Device as “a card, code or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.” Though at first glance this definition seems clear, today’s technological environment has muddied the waters.

Where has the clarity gone? With every site or app we log into, we have a username and password to access our account to make a purchase or move money to another account. But the real question comes up when the account holder disputes that transaction. Disputes for these types of transactions happen more and more as fraudsters are gaining trust and tricking account holders into sharing app credentials. So, if the account holder gives up this information, are they then responsible for the transaction?

Looking back to when ATM and debit cards were first being issued, the struggle of account holders writing their assigned PIN numbers on their cards and losing their cards caused a huge headache for financial institutions. We educated our account holders about not writing their numbers on their cards and updated the technology to let them change the PIN number to something they knew and thought we had solved the problem. But, once again, fraudsters are a few steps ahead and now they are pushing consumers to give up more information, therefore changing and increasing the number of unauthorized transactions.

In March of 2022, the Federal Deposit Insurance Corporation (FDIC) issued the Consumer Compliance Supervisory Highlights. This document highlights some of the findings from the FDIC. It states, “the FDIC noted issues involving consumers being targeted for fraud. In one instance, a third-party service provider (TPSP) managed a financial institution’s deposit accounts. The consumers stated someone posing as a representative of the financial institution’s fraud department contacted them seeking account verification codes. Believing they were communicating with the TPSP (working on behalf of the financial institution) about unauthorized activity, the consumers provided the two-factor authentication code, and it turned out the person to whom they gave the code was a scammer. The scammer then used the account credentials to steal money from the consumers’ accounts. To limit its liability, the financial institution disclosed in the account agreements that neither the institution nor the TPSP would ever request the two-factor authentication code. However, the FDIC concluded that Regulation E’s liability protections for unauthorized transfers apply even if a consumer is deceived into giving someone their authorization credentials. Consumer account disclosures cannot limit the protections provided for in the regulation.”

What does this mean for your financial institution?

  • Financial institutions must continue to educate consumers about keeping their information secure and not sharing it with ANYONE.
  • Consumers cannot sign away their protections via terms and conditions or account agreements that provide less protection to them than Regulation E.
  • An access device is more than the physical card issued by the financial institution and now includes the credentials consumers use to access their information online.

The EPCOR Member Support team is always available to help answer your Regulation E questions. If you need assistance, don’t hesitate to reach out to us via phone (800.500.0100), email (memserve@epcor.org) or chat with us on our website (epcor.org). And consider joining us at EPCOR Payments University in Branson, MO, Sandusky, OH or our NEW destination location, French Lick, IN, to learn more about Regulation E and other hot topics. We hope to see you there!