One common fear with online banking is losing your money to cyberthieves. With the news of hackers breaking into major banks, it seems like your hard-earned money could be stolen by hackers. Is that an actual risk?
Last year I started to look into the safety of your money in banks. My first articles covered deposit insurance. It’s important to understand that deposit insurance only takes effect when an institution fails. If your money is stolen, deposit insurance won’t help.
Fortunately, if you and your bank have taken reasonable precautions, it’s not easy for cyberthieves to break into your account (Ally Bank’s security page has a good overview of the precautions it takes to ensure security). Most of the cyber-attacks that have made the news were data breaches that did not directly result in bank accounts being drained.
If hackers somehow find a way to drain your account, you are still protected thanks to a federal regulation (Regulation E), which requires all banks and credit unions to limit the liability for losses to consumer accounts. Customers have a responsibility to notify the institution of the unauthorized withdrawals in a timely fashion. If the customer waits too long, they can be liable for some or all of the loss.
Here is a general overview of Regulation E:
If you know your debit card is lost and you notify your bank within two days, your losses will be capped at $50. However, if you notice your card is lost and you do not notify your bank in time, you may have to pay up to $500 in unauthorized charges.
If you notice a withdrawal from your bank account that you did not authorize, you are not responsible for the lost funds as long as you notify the bank of the error within 60 days of the bank sending you a statement. If you do not notify your bank in time, then your losses may not be limited.
The full details of Regulation E are provided at this CFPB webpage. The most important takeaway from Regulation E is that you need to monitor your accounts and report to the bank or credit union any unauthorized transfers. Also, Regulation E only applies to consumer accounts. Business accounts don’t have this protection.
If you stay on top of your bank account, will you be 100% safe? Nothing is 100% safe. One hole in Regulation E protection is a withdrawal that you authorized. How can that be possible? One way is if you’re tricked. For example, people have often been tricked into sending their money to criminals via wire transfers. As the FDIC warns, "wiring money to strangers - in the U.S. but especially in another country - is risky because often they could be scam artists." This FDIC Consumer News article lists several wire transfer scams and describes how you can protect yourself.
Similar to authorizing a withdrawal, you may lose protections if you give out your login credentials. Many people do that when they use account aggregation services. These services can be used to simplify monitoring and managing multiple bank accounts. However, there is a risk in letting an account aggregation service hold all of your passwords. As Chase warns in its online and mobile security page:
"If you give out your chase.com User ID and Password, you are putting your money at risk. Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes. But if you're giving them your chase.com User ID and Password, you could be responsible for money you might lose as a result."
Chase, like other banks, repeats the liability rules from Regulation E in its deposit account agreement:
"If your statement shows electronic funds transfers that you did not make, tell us at once. If you do not tell us within 60 days after the statement was sent to you, you may not get back any money you lost after the 60 days if we can prove that we could have prevented the transactions if you had told us in time."
Some banks highlight their security guarantee, which is generally a repeat of Regulation E. Ally Bank’s security page states:
"We guarantee that you will not be liable for any unauthorized Online or Mobile Banking transaction as long as you report the unauthorized transaction by calling us at 1-877-247-ALLY (2559) within 60 days from when your statement is made available."
I asked Ally if wire transfers are included in this security guarantee, and they said yes. To reduce the chance of wire transfer scams, Ally does not offer outgoing international wire transfers. Only outgoing domestic wire transfers are allowed.
Capital One 360 (formerly ING Direct) goes further on wire transfers. According to a Capital One 360 representative, no outgoing wire transfers are allowed at Capital One 360.
Regulation E and Business Accounts
If you take reasonable precautions and consistently monitor your accounts, you shouldn’t have to worry about money disappearing from your bank accounts. Banks like Ally and Capital One 360 have implemented systems that help ensure the safety of your money, and Regulation E exists to protect you when fraud does occur. It’s important to remember that Regulation E only protects consumer accounts. Business accounts are not covered. There have been several cases in which businesses have filed lawsuits against banks in an attempt to get back money that was lost by electronic fraud. Businesses have also had to sue to get back money that was lost due to bank employee fraud. I’ll review some of these cases and the risks that businesses face in future articles.