Customer has had $1,700 in unauthorized transactions over the holiday weekend. They notify us first thing on Tuesday morning. Based on the regulation, I believe they are only liable for the first $50.

However, per the customer's request, we had previously raised their daily allowable debit card transaction limit. This was a verbal agreement and nothing is signed. Does the fact that we raised their limit affect what the customer is liable for? Had the limit been at $500 per day, there would not have been such a loss.
Any thoughts?

The agreement does not change the obligation.

As was once said, the bank cannot take away or waive a consumers right unless it is he most dire of circumstances.

Reg E is for the consumers protection, raising his or her limit doesn't change how little or how much burden can be shifted to them in the case of unauthorized transactions.

Cheers!

The liability also assumes an authorized access device was used. If one wasn't, the consumer has no liability. (Think card skimming as an example.)

Andy, can you elaborate on that. Aside from MC/VISA zero liability...where does Reg E impose this?

Andy, can you elaborate on that. Aside from MC/VISA zero liability...where does Reg E impose this?

Section 205.6 (b)(1-2) refer to consumer liability if the unauthorized charge is the result of a stolen access device (i.e. ATM/Debit card)

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and

(ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.

However, if the customer still has their card in their possession and the card has been skimmed, counterfeited, number used to make purchases online, etc. then 205.6(b)(1-2) do not apply. Instead you would use 205.6(b)(3) which does not impose any liability on the customer.

(3) Periodic statement; timely notice not given. A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer's liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable.

So what is the customer liable for if they report 82 days after the first fraud occured? Are they responsible for all of it, or only the 1st 60 days of it?

Thanks, Brian...I'll say it again...Reg E confuses me to no end...I need to find time to dig in and really understand it one day soon!

Jeslord...

Provided the bank can prove that had notice occurred in 60 days any losses between day 61-82 would not have occurred. Which is pretty much a guarantee because I am sure you SOP is to change account numbers when an account is compromised.

So 60 days of limited liability with an additional 22 days of unlimited liability... all of which cannot exceed the total loss of the 22 days...

::The following only matters if the access device was not lost or stolen and just merely compromised::

So for example if in days 1-60 the unauthorized activity was $500 and then days 61-82 the unauthorized activity was $250... their liability is the $250 and the bank should credit them $250 since their total liability for untimely reporting within 60 days can only be the maximum of the loss incurred after timely reporting should have happened.

If they lost $50 in the first 60 and $100 more by day 82, then their liability is the full $100 and the bank should credit them nothing.

If the access device leading to the unathorized access was lost or stolen, then maximum liability remains $500... as per 2(b)(ii)

At least that is how I read it.

Cheers!

Thanks Brian.

jeslord, I'll be doing a Reg E claims webinar soon. I hope you'll consider it if you're involved in claims.