Hi,

Can someone tell me where to find the VISA guidelines for debit card disputes?

We use VISA for our debit cards and have a customer who was receiving unauthorized Sprint online charges since May of this year. They total a little over $175. The customer stated that they don't even have a computer and they have been complaining to Sprint since June, but are unable to get any refund so they brought their statements in to us.

We reported the transactions to Shazam. Shazam told us that VISA will accept disputes on items 120 days old. I was unaware of that. I thought 60 days was always the rule. Is this true?

Also, with VISA having $0 liability are we still within Reg-E guidelines to only re-imburse the customer for transactions that originated within the past 60 days after hearing about the 120 days?

Any help in understanding this would be appreciated.

Doesn't anyone have a recommendation?

Separate Visa rules and Reg E. Whether or not you can get a refund from Visa does not change your responsibility to your customer for unauthorized EFTs under Reg. E.

Assuming that your bank agrees that the Sprint charges are unauthorized, the transactions that you must refund to your customer are not those occurring in the most recent 60 days. Check out section 205.6 of the regulation. Your customer is entitled to credit for the transactions that occurred before the date which is 60 days after the first statement showing the Sprint transactions. So if the first Sprint transactions was in May 2007 and the statement for that month was made available on May 31, the 60 day period ends on July 30, and the customer would be entitled to recover the May, June and July Sprint payment amounts. There would be no $50 deducted from the refund unless the charges were made with a lost or stolen access device (debit card?).

I thought the consumer must report an unauthorized electronic transfer that appears on the statement within 60 days of us sending it to them for us to reimburse. What you are saying is 60 days from them first noticing it on their statement?

Does extension of time limits come in to play due to them making attempts to contact the merchant?

Please advise if I am correct in this statement. VISA might refund for transactions 120 days old. However, Reg E. states we are only obligated for the 60 days after the first statment.

What John is saying is the customer has 60 days from the first statement that has unauthorized charge(s).
His example assumes an unauthorized occured during May & the 'first' statement was generated May 31 = Thus 60 days from May 31 is July 30. - - -
Unauthorized prior to that the customer still disputes and the bank eats (Jonh's example / assumption of May-June-July charges)& unauthorized after that the customer eats.

What Regulation E states is that the customer is protected from unauthorized transfers, but must take responsibility for checking his/her statement. It does that by providing protection for a window in time. That window starts with the date the unauthorized transfer takes place. It closes at the end of 60 days after the bank makes the statement available showing the first unauthorized transfer. That "window" concept applies to any series of related unauthorized transfers, such as a series of debits via ACH, or a series of card transactions made with a lost or stolen card. (Transactions with lost/stolen cards are subject to some notice requirements based on when the consumer learns of the loss/theft of the card.)

In a series of UEFTs (Unauthorized Electronic Fund Transfers) that are related, once the 60 day window closes, the customer is responsible. But the customer can recover (subject to the lost/stolen card rules) for any UEFT occurring during that "window" period. And there is no deadline for the consumer's claim. For example, if a consumer gets hit for three UEFTs starting on 11//15/2007 and ending 1/15/2008 (with a statement issued 11/30/07 showing the first UEFT), each in the amount of $100, with no card involved, the consumer can make a claim two years later, and be entitled to the $300 total.

So the customer can recover through the debit card company for UEFT's, but the bank is not responsible? I just want to understand our liability.

Thanks for all your help.

Reg E states that the BANK is responsible for reimbursing the customer. Whether or not the bank can get the money from the merchant will be up to Visa rules (if that is who you have a contract with).

Yes, it is VISA.

So in my case we have to refund the entire May through October transactions. Even thought Reg E. puts limits on 60 days after the initial event, because they are VISA there is 0$ liability and we must reimburse the customer.

No. Look carefully at your Visa zero liability requirements. The Visa website still indicates that the consumer must notify the card issuer of the fraud promptly. Contact Shazam and Visa to get an interpretation of what that means. And don't forget that the Visa zero liability policy does not apply to ATM transactions or to PIN-authorized transactions not handled over the Visa network.

I second what John has said. The ZLP is not all-encompassing and you are allowed to use "gross negligence" as qualifying criterion. See the second footnote at the bottom of the page.

http://www.usa.visa.com/personal/security/visa_security_program/zero_liability.html

However, Visa operating rules state that even if federal regulations or the Zero Liability doesn't apply, if you do chargebacks at all then you must use them on all cards with no allowance for restrictions on when you decide to apply them. See the Operating Regulations Vol 2 Chapter 1 for an exact quote.

FYI - Visa rules allow you to initiate a chargeback for non-PIN debit card transactions approximately 4 months after the transaction date.