With store-based payday lending, loans are based on paper checks held for future deposit.  Loans based on check holding have been transformed to debit holding for Internet payday lending. Loans based on electronic access to the borrower’s bank account involve an additional set of legal and self-regulatory factors.

All payday loans made via the Internet are electronic fund transfers between the payday lender’s bank and the borrower’s bank account.  Two sets of protections and requirements apply to these transactions: Federal Electronic Funds Transfer Act/Reg E (EFTA) requirements and the voluntary self regulation rules imposed on banks by the National Automated Clearing House Association rules that in some cases provide more protections for consumers. 

Consumer protections under the Electronic Fund Transfers Act/Reg E and the NACHA rules do not easily fit the use of electronic fund transfers to make payday loans or collect payments when the loans are due. Neither of these regulatory regimes were written with electronic payday loans in mind and do not provide financial institutions or consumers with clear rights, protections, or recourse.

Consumer complaints and inquiries focus on collection tactics using the ACH system, whether a borrower can stop payment or withdraw authorization for the payday lender to withdraw funds from their bank accounts, how to get a dispute resolved, and risks of fraud and unauthorized transfers. NACHA’s rules for electronic collection of returned checks also may apply to payday loans based on debits.

Electronic Fund Transfers Act and Reg E

EFTA/Reg E is the law/regulation that applies to debit card use, direct deposit of paychecks, and payday loans made via the Internet when information from the borrower’s check is used to access a bank account in the name of the borrower. An electronic fund transfer is the movement of “money,” or credits, from one account to another through an electronic medium.

Consumers applying for payday loans online either fax a paper check to the lender or enter check account information in an online form.  Reg E applies to both types of transactions, since the consumer authorizes the transaction as an ACH transaction and the paper check is only a source document.  Some Internet payday loans are “preauthorized debits” under contracts that make loan renewals automatic on the borrower’s next payday unless the consumer takes a separate action to have full payment withdrawn from her bank account.

All payday loans made via the Internet are delivered and collected through the electronic funds transfer system, called the Automated Clearinghouse. The National Automated Clearinghouse Association is a private entity made up of the banks that use the ACH Network and its rules bind the banks on both ends of the Internet payday loan transaction, prescribing security requirements and other protections that benefit consumers. Since account agreements signed by consumers typically require them to comply with NACHA rules, consumers are also covered by these industry self-regulatory provisions. 

NACHA rules require the lender to get the borrower’s authorization before transmitting most types of ACH debit entries and set out the requirements for that authorization.  The payday lender must be able to furnish its bank with the original or a copy of the borrower’s authorization to access her bank account to credit the loan and debit the payment through the ACH Network. NACHA rules also require security and fraud-prevention steps when the ACH system is triggered online and sets out procedures for revoking authorization to credit/debit accounts.

NACHA has two sets of rules that apply to Internet payday lending, depending on how consumers give authorization to access their bank accounts.  If the authorization is provided online through clicking on an “I agree” or “I accept” button, NACHA’s WEB rules apply. If the borrower faxes in an authorization for the lender to access her bank account, the prearranged payment and deposit entry (PPD) rules seem to apply. PPD transactions cover both credit (payday loan proceeds deposited into the borrower’s checking account) and debit (payment of loan principle and finance charges to payday lender) transactions and can be repeat transactions with a standing authorization or a single transfer.

WEB Rule Requirements:

Security: Since a web site that captures bank account information exposes consumers to greater fraud and security risks, NACHA rules say that WEB ACH companies must use at least 128 bit encryption technology prior to transmitting banking information, including the Receiving bank’s routing number, account number, and PIN or any identification symbol. Merchants are supposed to use commercially reasonable systems to detect fraudulent transactions and to verify that routing numbers are valid.

All payday loan applications filed online with the surveyed lenders included transmission of the applicant’s bank account number among other information. In addition, bank account information was entered into online forms that were transmitted to lenders electronically but authorization was signed on paper and faxed back to the lender. Although account information was transmitted online in both methods, the NACHA WEB security requirements apparently don’t apply in the second case.

The payday lender must have physical security to protect data and protect against unauthorized access and use of data and network security. The payday lender’s bank has the same obligations and must establish the identity of the merchant and the merchant’s creditworthiness on an ongoing basis. The merchant’s bank is required to set exposure limits and to periodically review the merchant’s entries relative to the exposure limit.  It is unclear how banks comply with this requirement with off-shore online lenders.

Consent: Internet initiated entries (WEB) require the merchant (payday lender) to have a consumer’s consent to access the bank account to deposit the loan proceeds and to withdraw payment.  The authorization must contain evidence of a consumer’s identity and consent. The authorization has to be clearly labeled as such, and conspicuously displayed on a computer screen or visual display.  If the transaction is a one-time payment, the lender doesn’t have to tell the consumer how to revoke authorization, presumably because the merchant is expected to process the payment immediately. In the case of a payday loan initiated via the Internet, there is typically up to a two-week delay between authorizing the transaction and the withdrawal of the payment from the consumer’s bank account.

PPD Rule Requirements:

NACHA rules for prearranged payment and deposit transactions:

Notice: If the amount of a recurring debit is more or less than the recent one, the payday lender is required to send the borrower a written notice of the amount of the entry and the date when the debit will be initiated. This situation could arise when the borrower permits the payday lender to withdraw the finance charge over a succession of paydays or opts for the repayment of partial principal and finance charge. With the typical payday loan cycle of two weeks or less, an Internet payday lender complying with the NACHA rules for PPD transactions would have to immediately notify the borrower of the amount of the payment scheduled for the next electronic withdrawal. No such advance notice would be required for a one-time PPD Entry.

Access to Funds: The consumer’s bank must make loan funds available for withdrawal by cash or other use no later than the settlement date of the entry. If the payday lender’s ACH operator makes a PPD5:00 p.m. on the banking day prior to the settlement date, the loan credit has to be available to use at the opening of business on the settlement date. entry available to the borrower’s bank by

Prohibition on Required Electronic Payment as a Condition of a Loan

The EFTA prohibits “any person” to require, as a condition of the extension of credit, repayment by the means of preauthorized electronic fund transfer. Under the Federal Reserve’s Reg E rules, this prohibition applies to recurring electronic payments. While some payday loans are single transactions, those that permit multiple payments should be subject to this prohibition.

Some surveyed sites apparently do not permit borrowers to withdraw authorization to debit accounts. The 200Cash.com agreement states: “This authority is to remain in full force and effect until 200Cash.com, Inc. and the Financial Institution have received written notification from the customer of its termination in such time and in such manner as to afford 200Cash.com, Inc. and the Financial Institution a reasonable opportunity to Act on it.” 

But, the contract also states “You understand and agree that you may revoke this ACH/EFT authorization only after all payments are completed and 200Cash.com, Inc. is paid in full.” This agreement could be construed as requiring that the loan be repaid electronically. Another contract says: “I agree to….keep my account open to allow all ACH/EFT and/or bank drafts to Americash Advance to occur in a timely manner for the scheduled due date.”

EFTA protections that apply to debit cards also apply to payday loans made via the ACH system. If the debit is unauthorized, a consumer is not liable for lost funds if she notifies the financial institution within 60 days of getting the periodic statement on which the unauthorized debit first appears. To be able to prove a transaction was not authorized or was for the wrong amount, a borrower has to be able to print out and keep copies of loan authorization documents.