You are correct. This is consumer protection at its finest.
Make sure you get all the details so you can determine whether any other protections may apply. As I recall, you may have an out there if the customer never told the bank that they had at one time "loaned" their card and PIN to an individual that later conducted an "unauthorized" transaction.
I disagree with this. It depends on if the card was given and abused, or later stolen. What is the difference in liability if X writes his PIN on his card and loses it, or if he wrote it on the card and it was stolen and used? None, these are unauthorized.
Say X gave his card to his son 6 months ago and it was used as agreed and immediately returned. Fast forward to today. Son (or someone) stole card and used it. The PIN may have been written on the card. You want to deny the claim because the son used it 6 months ago on an authorized basis. I wouldn't agree with that call. Instead of relying on 2(m)2 in the OSC, read further to 2(m)3. I believe that applies. An unofficial opinion I got from an FRB attorney agrees that so long as the card was taken back, there is no evergreen authority.
ยง205.2 Definitions.
2(m)2. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.
3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.