How did the son have access to the debit card and PIN? Did the father give him that information or did the son take that information without the father's permission? That makes a difference.
If the father gave the son the PIN and access to the card, then the transactions are considered "authorized" for purposes of Reg E unless the father notified the bank that the son had that access and was no longer authorized. I'm assuming no such notice was provided as you probably would have hot-carded that card and issued an new one with a new PIN if so. So if the father says he gave the son the PIN and access to the card, transactions are "authorized" and no credit required for the transactions.
If the father did not give he son that information and access, then the transactions may legitimately be "unauthorized". Be sure the father knows that if he wants to pursue the claim that the transactions are unauthorized, you will be giving him credit, but then you step into his shoes as the victim suffering the loss and as such, you will pursue prosecution to the fullest extent of the law. This will often change the claim from "unauthorized" to "I'll handle this on my own with the son." Also, in this scenario, it is important to find out when the father first learned of the loss or theft of his device, of the unauthorized activity, and compare that to when he notified you. If he took too long to notify you he could still be liable for more than $50 of the unauthorized activity.
_________________________
Jim Bedsole, CRCM, CBA, CFSA, CAFP
My posts - my opinions