Regulation E and campus cards: Are hundreds of campus card programs breaking the law?
“One of these days the feds are going to shut you down because that online card system you are using doesn’t follow Reg E.”
Comments by the Cynic
“Reg E doesn’t apply to your online system at all—your campus is not a bank and this is not a depository relationship, the students are simply prepaying for stuff. And even if it does, the feds don’t care about campus cards.”
Comments by the Ostrich
For more than a decade, the campus card industry has been debating the applicability of Regulation E (Reg E) to campus-issued debit programs. Some say it applies and the future holds dire reform for those using online debit systems. Others interpret the law in such a way that it does not even apply to these programs. And yet another group believes that while it does seem to apply, a campus can make a good faith attempt to comply in ways that are feasible and thus avoid any real issues should they be called to task. To better understand the ramifications of each of these positions, an understanding of the components of Reg E is necessary.
A history of the regulation
In 1978, the U.S. Congress passed the Electronic Funds Transfer Act (EFTA) as an addition to the Consumer Credit Protection Act. The goal of the EFTA was to establish, “the basic rights, liabilities, and responsibilities of consumers who use electronic money transfer services and of financial institutions that offer these services (Regulation E §205.1).” The Federal Reserve Board is tasked with implementing the EFTA, and it does so via its Regulation E.
Because of the fear tactics used by proponents on each side of the debate, Reg E is still considered a mystery to many. But at just 16 pages in length, it is really quite straightforward and concise. At its most basic:
If you hold money for others and enable them to electronically instruct that part or all of it be transferred to another party, you must follow specified procedures with regard to how you (1) issue the access device or card, (2) hold the individual liable for unauthorized transfers, (3) initially disclose terms and conditions, (4) provide receipts and periodic statements, and (5) resolve errors or discrepancies should they occur.
That is the 50,000-foot view of Reg E. It is not that difficult to grasp. The mystery has arisen not so much from what Reg E says, but from what it fails to say. Like most laws, it is necessarily incomplete, leaving plenty of areas up to interpretation. When the original drafting was conducted in the late 1970s, the electronic transaction market was in its infancy. Many services, like campus debit and prepaid accounts, barely existed. While revisions occur, the electronic transaction world progresses far faster than the legislative review process.
Thus, the mystery is in the application of sometimes dated language to new options that seem to fall under the regulation’s coverage but are not specifically described.
The following paragraphs will review the major elements of Reg E, as they may relate to campus card accounts. The information is presented as an introduction only, and should not be used for policy formulation. Consult with your institution’s legal staff before making policy decisions. Though instances are rare, lack of compliance carries both civil and criminal penalties.
Important definitions
Electronic fund transfer – any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, that is initiated through an electronic terminal, telephone, or computer or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account. The term includes, but is not limited to, point-of-sale transfers, automated teller machine transfers, direct deposits or withdrawals of funds, and transfers initiated by telephone.
Access device – a card, code or other means of access to a consumer’s account that may be used for EFT.
Electronic terminal – any electronic device through which a consumer can initiate an EFT, including POS devices, ATMs, and cash dispensing machines.
Financial institution (FI) – any person who, directly or indirectly, holds an account belonging to a consumer or issues an access device and agrees with a consumer to provide EFT services. Note: a campus can be an FI for Reg E purposes—it is not limited to banks.
Elements of the regulation
Issuance of Access Devices
In general, a financial institution may issue an access device only in response to a written or oral request from the individual. An exception, however, which seems to enable campuses to issue unsolicited/required cards (i.e. provide IDs that also serve as account access) states that an unsolicited device may be issued so long as:
- The device is unusable unless validated, via oral or written communication, by the consumer and his or her identity has been verified.
- Initial disclosure information, clear explanation that the device is not validated, and disposal information should validation not be desired is given at the time of distribution.
Liability of Consumer for Unauthorized Transfers
Assuming the institution has met all of its disclosure requirements and the consumer has notified the institution of the suspected unauthorized transfer in a timely manner, the consumer is liable for the lesser of $50 or the sum of the unauthorized transfers. If the consumer fails to notify the institution in a timely manner, liability can be as high as $500.
Initial Disclosure of Terms and Conditions
Initial disclosure statements must be in an understandable written form that the consumer may keep, and must be provided prior to the first transaction involving the account. Among statements in this disclosure are the consumer and institution’s liability, error resolution procedures and contacts, and limitations and charges for transfers. The Regulation contains a sample form for this disclosure.
Documentation of Transfers
At the time a transaction is initiated at an electronic terminal by a consumer, the institution shall make available a written receipt of the transaction (a third party such as a merchant can provide the receipt if such arrangements have been made). The receipt includes items such as the date, location, and type of transfer as well as a unique identifier and name of third party debited or credited via the transfer.
Periodic statements shall detail all transactions occurring during the cycle. These statements must be sent on a monthly or shorter cycle if activity has occurred and, at least, quarterly if no activity has occurred.
Error Resolution Procedures
When a notice of error is provided, by written or oral means from the consumer, the institution must promptly investigate the error. The consumer must be informed of the results of this investigation within 10 business days. A 45-day period applies if the consumer’s account is provisionally re-credited the amount in dispute. Both the 10- and 45-day time periods are doubled if the transfer in question is a POS debit card transaction.
The institution has the following options:
- Make the requested correction, without investigation.
- Review its records and, if an error occurred, correct it within 1 business day and notify consumer within the ten or forty-five day period.
- Review its records and, if no error occurred, mail or deliver a written explanation within 3 business days. The documents upon which the institution relied in making the decision must be made available to the consumer if requested.
Relation to State Law
In general, if a state law provides greater consumer protection it may supersede federal law.
Penalties for non-compliance
The Federal Trade Commission (FTC) is responsible for enforcing Reg E. Penalties for non-compliance, established in the EFTA, include civil and criminal punishments. Damages awarded an individual may not exceed the sum of actual damages—plus $1000 and reasonable attorney’s fees. In a class action case, damages may not exceed $500,000 or one percent of the defendant institution’s net worth. A significant determining factor in the amount of these awards is the intentionality of the violation. Criminal penalties may not exceed a $5,000 fine and/or one-year imprisonment.
So do campus card programs fall under Reg E or not?
This is a question for the Federal Reserve Board and your campus general counsel to decide. To date there is no firm answer.
As concluded by Steve Shattuck, a lawyer with Piper & Marbury, Baltimore, Maryland, in his report titled Educational Institution Debit Cards and Electronic Fund Transfer Laws (1994), “putting aside whether Congress intended for the Act to cover colleges as well as banks, Reg. E seems to apply to a college which holds, directly or indirectly, a sum of money for a student, and issues an access device to that student for use at campus or off-campus point of sale terminals. However, in any situation in which the consumer has paid a sum of money and no longer has control over it, the application of the Regulation is much more questionable.”
Though the technology used in campus card programs has changed a great deal since Mr. Shattuck made that statement, the basic account types remain true. Copy cards and declining balance meal plans could certainly fit his latter description–in which a sum of money is paid but the consumer no longer has control over it (e.g. it must be spent for photocopies or for purchases in on-campus dining halls). And, it would follow that the more robust programs would likely meet the definitions for Reg E coverage particularly in light of the growing diversity and number of both on and off campus points of acceptance.
Reg E is a basic attempt to protect the consumer in the world of electronic transactions. And because this is the general intent, it seems likely that campus cards are covered under the regulation. Student cardholders entrusting money to the campus card program deserve basic protections for the handling of this money just as general consumers deserve protection in their dealings with financial institutions and credit issuers. One can split legal hairs over the wording of the actual regulation but its intent seems clear.
Will a campus be penalized for non-compliance? It seems unlikely that any significant penalties would be handed out unless a campus was cited repeatedly or it was found that there was an ongoing and intentional effort to defraud customers. More likely, a warning would be issued and a time to cure the problem provided.
But Susan Staywick, spokesperson for the Federal Reserve Board, indicated that she is not aware of any campus programs under investigation nor any discussion of issues relating to campus debit cards. In fact, she states, “there have not been any changes to Reg E of late (since some modifications were made to staff interpretations in 2001) and there is nothing out for comment.”
Many campuses are acting proactively, taking steps to comply with Reg E to the extent feasible and cost-effective. Many are following the rules for issuance of cards, providing initial disclosure statements and making provisions for error resolutions as set forth in the regulation. Others are also limiting a customer’s liability for unauthorized transactions and providing monthly statements of account activity either in print or via the web. The most difficult provision to meet seems to be the printing of receipts from certain devices such as photocopiers, vending machines, and laundries. And if this is the extent of one’s violation, it would seem difficult to slap the hand too hard.
Campus card Reg E disclosures
To view the disclosure statements used by several campus cards in an attempt to meet the requirements of the regulation, visit the following URLs:
- Mesa State University: http://www.mesastate.edu/sl/mavcard/Disclosure/MAVDisclosure.htm
- Towson College: http://onecard.towson.edu/regulation_e.html
- University of Notre Dame: http://food.nd.edu/oncampusstudents/services/debitagreement.html