I haven't had to deal with Reg E much in my career and now I'm being asked how to handle a situation. I'm hoping I can get some help. Here's the scenario:

Customer notifies us on 4/29 of 17 different unauthorized transactions (processed as debit card debits) with posting dates ranging from 2/12 through 4/27. The transaction descriptions relfect internet sites from all around the world. Total amount of all the charges is $450. The bank sent monthly statements on 2/25 and 3/25. The customer is in possession of their debit card and says that no one else has had the card during this period.

Is this considered loss or theft of an access device - even though the customer is in possession of the card?

What transactions/amounts is the customer potentially liable for?

It is surprisingly easy to skim info from a card. Even though they have the card in their possession doesn't mean someone didn't strip the info.

The customer has no time limit to report these transactions (read §205.6). If they don't report the transactions within 60 business days following the first statement showing the first error (which they didn't), you don't have to comply with §205.11. Basically, you don't have to give provisional credit and are under no time frames to resolve. You do have to resolve the error as soon as possible, but you're not subject to regulatory time limits.

Welcome to Reg E.

In the above given scenario, where the customer notified us of the unautorized EFTs later than 60 days after the statement showing the first transactions, do we need to be concerned with the date that the customer actually learned of the loss or theft of the device? It appears that we need to establish this date for purposes of calculating liability. The teller didn't collect this information from the customer. I would think that if the customer never actually physically lost the card, we can assume that the customer learned of the loss as of the statement date? Or is the date the customer learned of the loss the day they notified us?

If you can't tell, I'm lost...

If someone would be gracious and willing, I could PM or email the exact details so you could look and tell me what the customer is liable for.

Any claim experts out there? I've been looking for some specific examples and how to handle each, but I haven't been so lucky. Any help would be greatly appreciated!

Take a look at the claim tool available free in the BOL Banker Tools.

http://www.bankersonline.com/tools/compliance/regecalc_liabcalctool.html

Yes you are still concerned with the date they learned of the loss or theft of an access device. But if an "authorized" access device wasn't used, such as a skimmed card, 205.6 liability rules won't apply.

Here is the timeline:

Tran Date/Description of Debit Card Charge/Amount of Charge
2/12 - ABC.com - 82.84
2/12 - ABC.com - 93.54
2/25 - Periodic statement
3/9 - DEF.com - 31.73
3/9 - DEF.com - 31.73
3/9 - ABC.com - 0.99
3/25 - Periodic statement
3/31 - GHI.com - 20.00
3/31 - GHI.com - 20.00
3/31 - GHI.com - 20.00
4/13 - DEF.com - 32.87
4/13 - DEF.com - 32.87
4/22 - Periodic statement
4/27 - JKL.com - 5.00
4/27 - JKL.com - 5.00
4/27 - JKL.com - 5.00
4/27 - JKL.com - 6.00
4/27 - JKL.com - 10.00
4/27 - JKL.com - 50.00
4/29 - Customer notified bank

These were processed as debit card debits, but the customer never lost possession of the card and showed it to us. I'm not sure when the customer first learned of the problem. I'm not sure if these would be considered via an access device or not. Do we handle each transaction seperately or all as one incident?

As one. But it sounds like a skimmed card was used if your customer never lost possession and that card was used from locations where your customer wasn't.

Reg E claims can be tricky. There are a lot of "if-then" scenarios. You might want to look in the BOL Banker Store for a Reg E claims webinar that walks you through a lot of this and provides you with sample forms as well.

I'm definitely going to purchase a training CD-ROM from the BOL store. Handling Reg E claims has not been something very well understood at my bank and its time that changes.

When it says that it "involves an access device", does that mean the card has to be physically be used (i.e. - handed to a cashier, swiped through a terminal, used at an ATM)? What about when you pay for a product/service online and enter your debit card information - is that involving an access device? In my scenario, I'm still trying to figure out whether the 205.6 liabilities apply. I do know that the 205.11 timelines and provisional credit rules don't apply.

In order to impose any liability for access device use, the access device must be an accepted access device. If counterfeit cards were created through skimming, and used in these unauthorized transactions (assuming that is your finding), an accepted access device would not have been used, and you can impose no liability on the consumer. The date he learned anything won't matter for the first two layers of section 205.6.

Liability for transactions occurring more than 60 days after the statement showing the first unauthorized EFT would not depend on whether an access device was used, right Andy?

Yes. The first two tiers (or tears, if you will) of liability do not apply to unauthorized EFTs from a consumer's account made without an access device.

Access device is defined in Reg. E:

(a)(1) Access device means a card, code, or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.

There are two access devices for every debit card. We often think of a "debit card" as just that - the piece of plastic we keep in our wallets. However there is another access device - the 16-digit card number.

For Internet or any other card-absent transactions, the access device that is used to facilitate a purchase is not the plastic card but rather the information that is on it. That information can be removed (memorized, written down, photographed, etc.) and used to access the account without the plastic card being present.

This is what I was thinking, debit card could be used via the numbers on the card and not actually the plastic, and would still be considered "use of an access device". This doesn't seem to mesh with what the others are saying here. They say if the customer still has the card, then an access device was not used. The confusion only compounds!

Since the question indicates the transactions were made at Internet sites, it appears that info from a card was used. As David points out, that info constitutes an access device. If we assume that the card number was stolen, can we establish when the consumer learned that the card number had been compromised. That's the date for figuring out liability under the $50 and $500 limit portions of section 205.6. Assuming the worst (from the bank's perspective), let's say the customer didn't learn of the facts until 4/29, when he notified the bank. Some of the transactions go back into February. If the February statement went out on 2/25, 60 days from that date was 4/26. The customer is probably liable for all of the transactions on 4/27. He would also be liable for $50 of the earlier transactions.

I'll just muddy the waters a bit and add that if the access device involves a VISA/MC debit card, their zero liability protections may even trump Reg E and reduce the customer's liabilty to $0.
If this is the case, you may also have chargeback rights through your processor to try and recover some of these funds for the bank.