On November 23, 2015, the Consumer Financial Protection Bureau (CFPB) issued a Compliance Bulletin reminding covered entities of their obligations under the Electronic Fund Transfer Act (EFTA) and Regulation E to obtain consumer authorization before automatically debiting a consumer’s account for preauthorized electronic funds transfers (EFTs). Before issuing the Bulletin, the CFPB observed that some companies had not fully complied with the requirements of the EFTA and Regulation E, and that others may not be certain of how these requirements intersect with the Electronic Signatures in Global and National Commerce Act (E-Sign Act). Despite this uncertainty, the Bulletin emphasizes that the CFPB will take appropriate action against entities that fail to comply with their obligation to obtain consumer authorization.

The Bulletin expressly outlines the requirements under the EFTA and Regulation E for entities that obtain consumer authorizations for preauthorized EFTs. Specifically, Regulation E requires that preauthorized EFTs from a consumer’s account be authorized “only by a writing signed or similarly authenticated by the consumer.” The entity must also provide a copy of the authorization to the consumer. Consumer authorizations can be provided in paper form or electronically, and Regulation E does not prohibit companies from obtaining signed, written authorizations from consumers over the phone if companies comply with the E-Sign Act requirements for electronic records and signatures. This includes the requirement that the electronic record be “inscribed on a tangible medium or . . . stored in an electronic or other medium and [be] retrievable in perceivable form.”

With respect to telephone authorizations, the CFPB noted that Regulation E may be satisfied if the consumer authorized preauthorized EFTs by entering a code into his telephone keypad, or if the company records and retains the consumer’s oral authorization, provided that the consumer intends to sign the record as required by the E-Sign Act. The CFPB concluded that entities do not violate Regulation E merely because they obtained authorizations that were signed or similarly authenticated by the consumer over the telephone.

As for the requirement that companies provide a copy of the authorization, the CFPB expressed concern that companies may be omitting important authorization terms such as the recurring nature of the preauthorized EFTs, or the amount and timing of the payments. The CFPB also noted that, as an alternative to providing a copy of the authorization after its execution, companies can comply with Regulation E before initiating the first automatic debit by providing a consumer with two copies of a preauthorization form and asking the consumer to retain the second copy.

The Bulletin specifically referenced companies engaged in mortgage servicing, student loan servicing, debt collection, and short-term, small-dollar lending. While not expressly outlining violations by entities within those industries, the Bulletin represents a warning to such entities that the CFPB will take appropriate supervisory or enforcement action if they do not comply with the automatic debit authorization requirements.