Essentially the customer lost an access device, which could be a card (common) or a code (as in this case). You have the same issue, but a less common media to access the funds. A question is, with multifactor authentication how did this happen? As Brian noted, malware of some type may have been used so the consumer wasn't practicing safe computing. It can be important that you figure out how this happened and that you include that in the training information you provide other customers so the bank doesn't suffer another loss. I assume the consumer didn't just give logon credentials away. Again, even if they did we still use the same Reg E tests the difference is the access device was different - being dumb doesn't increase the consumer's liability. The difference is you have a smaller daily limit on a debit card than billpay and wires.
I absolutely agree that if the consumer was negligent, I would not give them that product or service again and certainly not if their computer has malware. You could pay the consumer back and find a new claim immediately as those funds could be taken.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell