Please compare the language in Regulation E, Section 205.6
on Consumer Liability for Unauthorized Transfers with that in Section 205.11
on Error Resolution. Both sections refer to a 60 day period, but each has a separate purpose in mind.
While it is true that a consumer's error resolution claim must be received within 60 days of delivery of the statement showing the alleged error in order to be protected by the error-resolution provisions, such is not the case with the unauthorized transfers provision in 205.6.
What 205.6 says is that the consumer must notify the bank by the 60th day following delivery of the statement showing the first unauthorized transfer in a string of connected unauthorized transfers in order to cap the consumer's liability at $0 (no access device used) or up to $500 (access device used). But the consumer is protected by 205.6 limits on liability during the first 60 days regardless of when the consumer enters the claim. If the consumer comes back to the bank 2 years after a series of unauthorized transfers hit the account, the consumer would be liable for only those transfers occurring after the end of the 60-day period, plus up to $500 of those occurring within the 60-day period if done with an access device.
Even though the consumer isn't entitled to the protections of the error resolution process (provisional credit, 10 and 45 day rules, notices, etc.), it's probably necessary for the bank to use some of the research techniques used in error resolution to determine whether the transfers in question are unauthorized.
Regulation E has no "statute of limitations" provisions on fraudulent use like the UCC does.