Similarly to Regulation E and the limitations on a consumer’s liability for an unauthorized electronic fund transfer, Regulation Z places limits on a cardholder’s liability for unauthorized use of a credit card. Unfortunately for card issuers, these limits are much more expansive than Regulation E.
What is Unauthorized Use?
Regulation Z, section 1026.12 limits a cardholder’s liability for unauthorized use of a credit card. To be considered unauthorized use, two criteria need to be met. First, the credit card must be used by a person who does not have actual, implied, or apparent authority to use the credit card. Second, the cardholder must receive no benefit from the unauthorized use. Credit unions, when investigating potential unauthorized use, should make sure both of these requirements are satisfied.
For an example on authority, this CFPB page is helpful:
“For example, if you lose your card and someone finds it and uses it, that would be an unauthorized use.
However, if you give your card to someone to use, you have authorized the use. If the person uses the card for a different purpose, that may still be considered an authorized use. You would still be responsible for the charge, until you notify your card issuer that the person is no longer authorized to use the card. In that case, the card company may issue you a new credit card.”
According to the above, if a cardholder gives a credit card to a person they are generally giving that person authority to use the card. This authority can continue even if the person uses the card for a different purpose than what was agreed on. As such, credit unions should try to find out how the unauthorized user obtained the credit card, as a member may have a more limited definition of authority.
What is the Limit?
If unauthorized use has occurred, Regulation Z limits the liability of a cardholder to the lesser of $50 or the amount of unauthorized charges that occurred before notification to the cardholder. What is key to understand is that the liability limits are based on when a card issuer is notified. Specifically, the limit encompasses the entire time frame before a card issuer is notified. Unlike Regulation E, Regulation Z does not place a timing requirement on when a card holder is required to provide notice in order to avoid liability. Does this mean that a carefree member, who does not notify a credit union of a lost or stolen card, can cost the credit union thousands of dollars for unauthorized use of their card? Absolutely.
Credit unions worried about this potential issue may want to consider setting up a transaction monitoring system to provide warnings for potential unauthorized credit card usage.
Notification Requirements
Regulation Z permits a cardholder to notify a card issuer of unauthorized use when the cardholder provides the card issuer with “the pertinent information about the loss, theft, or possible unauthorized use of a credit card, regardless of whether any particular officer, employee, or agent of the card issuer does, in fact, receive the information.” The cardholder is permitted to notify the card issuer in person, via telephone, or in writing.
Conditions to Impose Liability on a Card Holder
If unauthorized use has occurred and the card issuer would like to impose liability, then the card issuer must satisfy the following three requirements:
- The credit card must be an accepted credit card;
- The card issuer must have provided notice regarding maximum liability and the means by which the card issuer can be notified of the loss or theft of the card; and
- The card issuer must have provided the means to identify the cardholder on the account or the authorized user of the card.
Only if all three above requirements are met, may the card issuer impose liability on the consumer for unauthorized use of their card.
Credit unions worried about unauthorized use of their member’s cards may want to further read section 1026.12, as it contains more detailed information on this issue, including the ability of a card holder to assert claims against the card issuer. Credit unions should also be aware that the major card companies (VISA, Mastercard, and AmEx) may have policies regarding a consumer’s liability for unauthorized use. As such, credit unions should review the relevant rules for the relevant credit card company.