We have a customer that says there were POS debits to her account from Paypal. We tracked it down to online gamming site and ask her if her childeren were using the internet for online games. She said she would have to ask her kids.

Since this was made over two months (Aug-Sept)does the 2 day $50 rule and over 2 day $500 rule apply here even if she still has the card in hand?

If she didn't authorize the debits, they are unauthorized and Reg E applies. Since are access devise debits, the $50 rule applies (as long as she tells you within 2 days of learning of the lost/stolen card.

She may never have had the card stolen/lost. Someone may have skimmed the info from her card.

If these debits started on 8/1/09 to 9/8/09 and she infomred us on 9/9/09 she is only liable for the transactions up to $50 from 9/4 to present, and then she is only liable up to $500 for transactions from 8/1 to 9/3/09 right? She also still has the card.

If she got her statement on 9/8 and called the bank on 9/9, she notified you within two days of learning of the unauthorized debits.

The two-day count only matters if the access device is lost or stolen and the cardholder learned of the loss or theft. This customer didn't learn about the misuse of her access device (card number) until after she contacted the bank about the PayPal entries on her statement. That point in time is when you start the two-day clock ticking, not the date of the first unauthorized transfer (UEFT) or the date of the statement.

Assuming that there were no further unauthorized entries after the date she contacted the bank, IMO the customer is liable for $0 of the total of the UEFTs.

I don't have any idea where you're pulling that 9/4 date from.

I agree with John - $0.

Hypothetical...

Let's say the customer from the opening post received her statement on 9/1 and realized there were unauthorized debits from gaming sites. She confronts her kids and tells them to knock it off and they do. But she forgets to inform the bank of the error until she goes to make a deposit on 9/20. Now, since she is past the 2 day, is she still only liable for $50? No other unauthorized debits have occured since 9/1.

The reason I ask is I've read the staff interpretation, and want to make sure I'm understanding the timely notice not given section correctly. Paragraph 6(b)(2)—Timely Notice Not Given

Considering if she admits her kids did it and once the bank indicates that they will pursue criminal action against the fraudsters - the issue usually becomes moot.

Also remember, POS debits, assuming the access device is branded by MC or Visa, CH would have also been protected by zero liability provisions for the online activity.

The easiest course of action is to get a signed letter from the cardholder and perform chargebacks. The customer gets her money back and the bank gets their money back as well. No sense in spending a lot of time trying to determine who is responsible on Internet type activity when the bank normally has full recovery, unless of course they were Verified by Visa or MC SecureCode transactions, but that i a topic for another day.