Featured Savings Rates

Popular Posts

Featured Accounts

Safety of Your Money at Banks - Fraudulent Transfers

Safety of Your Money at Banks - Fraudulent Transfers

One common fear with online banking is losing your money to cyberthieves. With the news of hackers breaking into major banks, it seems like your hard-earned money could be stolen by hackers. Is that an actual risk?

Last year I started to look into the safety of your money in banks. My first articles covered deposit insurance. It’s important to understand that deposit insurance only takes effect when an institution fails. If your money is stolen, deposit insurance won’t help.

If your money is stolen, deposit insurance won’t help

Fortunately, if you and your bank have taken reasonable precautions, it’s not easy for cyberthieves to break into your account (Ally Bank’s security page has a good overview the precautions it takes to ensure security). Most of the cyber-attacks that have made the news were data breaches that did not directly result in bank accounts being drained.

Regulation E

If hackers somehow find a way to drain your account, you are still protected thanks to federal regulation (Regulation E) which requires all banks and credit unions to limit the liability for losses to consumer accounts. Customers have a responsibility to notify the institution of the unauthorized withdrawals in a timely fashion. If the customer waits too long, they can be liable for some or all of the loss.

Here is a general overview of Regulation E:

If you know your debit card is lost and you notify your bank within two days, your losses will be capped at $50. However, if you notice your card is lost and you do not notify your bank in time, you may have to pay up to $500 in unauthorized charges.

If you notice a withdrawal from your bank account that you did not authorize, you are not responsible for the lost funds as long as you notify the bank of the error within 60 days of the bank sending you a statement. If you do not notify your bank in time, then your losses may not be limited.

The full details of Regulation E are provided at this CFPB webpage. The most important takeaway from Regulation E is that you need to monitor your accounts and report to the bank or credit union any unauthorized transfers. Also, Regulation E only applies to consumer accounts. Business accounts don’t have this protection.

The most important takeaway from Regulation E is that you need to monitor your accounts and report to the bank or credit union any unauthorized transfers.

If you stay on top of your bank account, will you be 100% safe? Nothing is 100% safe. One hole in Regulation E protection is a withdrawal that you authorized. How can that be possible? One way is if you’re tricked. For example, people have often been tricked into sending their money to criminals via wire transfers. As the FDIC warns "wiring money to strangers - in the U.S. but especially in another country - is risky because often they could be scam artists." This FDIC consumers news article lists several wire transfer scams and describes how you can protect yourself.

Similar to authorizing a withdrawal, you may lose protections if you give out your login credentials. Many people do that when they use account aggregation services. These services can be used to simplify monitoring and managing multiple bank accounts. However, there is a risk of an account aggregation service having all of your passwords. As Chase warns in its online and mobile security page:

If you give out your chase.com User ID and Password, you are putting your money at risk. Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes. But if you're giving them your chase.com User ID and Password, you could be responsible for money you might lose as a result.

Chase like other banks repeats the liability rules from Regulation E in its deposit account agreement:

If your statement shows electronic funds transfers that you did not make, tell us at once. If you do not tell us within 60 days after the statement was sent to you, you may not get back any money you lost after the 60 days if we can prove that we could have prevented the transactions if you had told us in time.

Some banks highlight their security guarantee which is generally a repeat of Regulation E. Ally Bank’s security page states:

We guarantee that you will not be liable for any unauthorized Online or Mobile Banking transaction as long as you report the unauthorized transaction by calling us at 1-877-247-ALLY (2559) within 60 days from when your statement is made available.

I asked Ally if wire transfers are included in this security guarantee, and they said yes. To reduce the chance of wire transfer scams, Ally does not offer outgoing international wire transfers. Only outgoing domestic wire transfers are allowed.

Capital One 360 (formerly ING Direct) goes further on wire transfers. According to a Capital One 360 representative, no outgoing wire transfers are allowed at Capital One 360.

Regulation E and Business Accounts

If you take reasonable precautions and consistently monitor your accounts, you shouldn’t have to worry about money disappearing from your bank accounts. Banks like Ally and Capital One 360 have implemented systems that help ensure the safety of your money, and Regulation E exists to protect you when fraud does occur. It’s important to remember that Regulation E only protects consumer accounts. Business accounts are not covered. There have been several cases in which businesses have filed lawsuits against banks in an attempt to get back money that was lost by electronic fraud. Businesses have also had to sue to get back money that was lost due to bank employee fraud. I’ll review some of these cases and the risks that businesses face in future articles.

Related Pages: Capital One 360, Chase Bank

Related Posts

Jim Davis
Jim Davis (anonymous)   |     |   Comment #1
Good stuff.  Another issue I wonder about is internal theft/embezzlement.  Say someone  inside a bank finds a way to drain 20 million out of accounts, and absconds with the money.

How are we protected there? Private insurance is my guess, and possibly , if it caused a bank to fail , then FDIC.
Anonymous   |     |   Comment #6
Someone gets 10-20 and the bank gets my lawsuit for negligence!
Anonymous   |     |   Comment #2
Is there any risk to money we have in CDs?  I've wondered about this but have been told that money in CDs is safe.
Anonymous   |     |   Comment #3
Nobody seems to address what happens if your credentials are stolen through malware.  The bank will say the transfer is "authorized" and not covered.
jennifer (anonymous)   |     |   Comment #4
CD's are somewhat safer in my opinion.  They typically require human intervention to liquidate.  At many banks and credit unions, you can't go into your online account and cash one out early.  It requires a phone call or writing the institution.  Pretty much a nonissue to me.  I don't worry about bank accounts as long as I check the statement.   I would never give passwords to a third party.
Anonymous   |     |   Comment #5
Also, a big drawback of online bill pay banking, is when you execute a transaction the bank reduces your balance accordingly.  However, you have no guarantee that the payee received the money, especially if you do not get monthly paper bills. They often send physical checks out to the smaller payees, which can be lost in the mail, end up in dead letter file if payee changes address, and a whole host of other potential problems. 

You would think the bank would have a check and balance against this happening, but I was told they do not.
Anonymous   |     |   Comment #7
Ken's warning regarding the aggregation services is (by me) incredibly well taken.  Everyone should think about Ken's caution really, really hard.  Absent a legitimate, immediate, threat to my life, no entity gets my critical account access data.  And there are NO exceptions!
Anonymous   |     |   Comment #8
Accept for HACKERS! 

Whether it be your personal computer or financial institutions .
DepositGuy835   |     |   Comment #9
Regulation E only covers bank accounts in the name of a person.  It is my understanding that it does cover IRA's (which I think are in name of a trustee or custodian), business accounts, accounts in the name of a living trust, 401K's, 403b's and other accounts. Maybe Ken could check to see if this is correct.
RJM   |     |   Comment #10
Ive never had an unauthorized ACH transfer. And I have been banking online for a long time.

I even bought some mens pills from India and they gave a discount for ACH payment so I went with that. I called Capital One (An old ING account) and asked them if they would cover me if there were any unauthorized charges and they said they would. Its been a few months and nothing yet.

A few times, I still don't know how but I had a few credit cards that had to be replaced because somehow scammers got the info. I think its been about 4 times total and 3 of the 4 times, the banks called me because they thought the transaction was fraudulent and they were right.

I still don't know how that happened. Im guessing maybe a redbox machine had a skimmer attached or something.
Anonymous   |     |   Comment #11
Only way you can protect yourself is not to have online bank access and not to use checks and debit cards. Since that is impossible today, every one of us is at risk for some sort of crime committed against us. If you bank through cell phone, you will be hacked directly one of those days and the biggest damage can be done. By the time you complain it will be to late to recoup your money. If you lose you cell phone and a bad guy finds it, there are hundreds of apps to recover everything from it including your banking info without knowing the password.