For purposes of Reg. E liability provisions, if unauthorized transactions occur related to a debit card (POS transactions), but the actual card never leaves the possession of the customer, are these still considered loss/theft "involving an access device?" Or, would it be considered in the category of not involving an access device? This could be in instances where just the card number and expiration date information was compromised and a thief was able to make transactions, but, again, the consumer maintained possession of the access device all along.

Take the definition of Access Device to the next level. I assume you ask due to Reg E liability provisions....

1005.2(a)(2)(i) An access device becomes an “accepted access device” when the consumer:
Requests and receives, or signs, or uses (or authorizes another to use) the access device to transfer money between accounts or to obtain money, property, or services;

This comes into play for 1005.6(a) Conditions for Liability. In order to place any liability onto the customer, the stolen card must be an accepted access device.

(a) Conditions for liability. A consumer may be held liable, within the limitations described in paragraph (b) of this section, for an unauthorized electronic fund transfer involving the consumer's account only if the financial institution has provided the disclosures required by § 1005.7(b)(1), (2), and (3). ****If the unauthorized transfer involved an access device, it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued.****

Since the customer neither requested, received, signed for, used, requested validation for an unsolicited card (sent by your bank), or received from your bank a replacement card; the card created by the skimmer is not an ACCEPTED access device and is not subject to consumer liability.

Great answer Burkemi!

Thank you Burkemi. Not sure I totally agree, but sounds like a logical extension. There is an accepted access device involved in the situations I am referring to, it's just that only the information has been compromised, rather than the physical card itself. The "theif" doesn't necessarily create a fake card with the information. They just use the card number, exp. date, etc. to execute the transaction.

So, for error resolution procedures you would treat such an instance according to 1005.6(b)(3) and associated commentary?

The definition of an "access device" includes more than just a physical card.

From the definitions:
(a)(1) “Access device” means a card, code, or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.

From the commentary to 1005.2:
3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.

So, you would seem to agree that such a scenario would fall under the "loss/theft involving an access device" provisions?

Yes. Debit card numbers are considered an access devise. Since the "access device" was obtained through robbery or fraud, transactions from the stolen numbers are included in the definition of an unauthorized EFT.

Keep in mind that Regulation E is very consumer friendly...

For myself, I suspected that to be the case, but it isn't made very clear in the Regulation. Thank you for your input!

As Adam pointed out, Reg E is very consumer friendly. If it comes to a question, your best bet is usually to side with the customer.

It's also a regulation that hasn't really kept up with technology, in that there is very little written in the commentary to address some of the situations facing issuers and cardholders today.

Indeed . . . Interesting discussions and conclusions remain to be had regarding mobile wallet accounts, Game System accounts (like XBox), etc. Do these all now become access devices because the stored card information? What about when you let somebody play a game on your phone and they order "power-ups" or whatever that charge the customer's debit card without authorization to make the charge, but with authorization to play the game. Fun stuff!