I am working on a dispute for a MasterCard debit card in which I think the customer should have some liability on, but am looking for some guidance.

Here is the scenario: Our risk office contacted the customer when unusual transactions presented to the account and scored high and then restricted the card. The customer answered the call from the risk office, validated the transaction in question as non fraud and requested that the restriction on the card be removed. Once that restriction was removed, several more transactions occurred (all transactions were out of state, Walmart purchases)

Fast forward to 5 days later, the customer is overdrawn. The bank made the contact to the customer regarding the account and the unusual transactions and he is claiming these transactions are all fraud.

We have gone through the normal process of provisional credit, had the customer sign an affidavit that the items are fraud, however; I am hung up on the fact that had the customer not removed the restriction that the transactions would not have gone through, therefore not resulting in the fraud loss.

Should the provisional credit remain and the bank take the loss for this? Is there any customer liability here due to that risk office contact?

Any guidance would be appreciated! Thanks!

Is the transaction that prompted the original call (which the customer affirmatively validated) among the disputed items?

Yes, that transaction that prompted the call and then the 12 to follow are what the customer is disputing.

Reg E 1005.6 bases the customer's liability on how soon they reported the unauthorized transactions after they discovered the loss or theft of their access device. In this case, the access device that was stolen was the card number (since the physical card is still in the cardholder's possession.)

The question that we are trying to answer here is, "Did the cardholder know that the access device was lost/stolen when they asked to have the card reactivated?"

We cannot increase the customer's liability solely on the basis that they failed to recognize the first transaction as fraud from your phone call. See the interpretations to 1005.6(b). Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)-2 regarding termination of the authority of given by the consumer to another person.)

We may want to argue that the customer "should have known" the card was compromised based on the call, however again the interpretations do not put much responsibility on the cardholder.

"Knowledge of loss or theft of access device. The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge."

We must also take into consideration that VISA/MasterCard Zero Liability protections could further reduce the cardholder's liability to zero.

Based on the description of events, it appears that the cardholder did not recognize the fraud until they contacted the bank, which would put their maximum liability at $50.00 for Reg E. VISA/MasterCard Zero Liability would further reduce this to $0.00.

It is up the Bank whether or not it provides this individual with another card.

Given that you contacted the customer about the first transaction, and received validation, I would suggest that you have enough information to deny that portion of the customer's claim.

With respect to the other transactions, I think it warrants further investigation to determine if the bank can come to a more firm conclusion on these items.

The first course of action I would suggest is for someone to ask the customer point blank why he validated the transaction when contacted by phone, then later changed his mind.

A couple of thoughts -- Can the risk office document that it actually reached the customer and not an imposter who had stolen the customer's identity?

What do you suppose are the odds that the customer actually did the transactions and is only now claiming fraud because he's caught overdrawn?

Where and when did the transactions take place and where was the customer at those times?

I second what John said; I would check the records for the original call and see what number was used. I know of several instances where theives have manipulated IVR sustems to change contact information and PINs.

If that's the case, you need to strengthen your authentication methods on your IVR system.