Our customer refused to authorize the transaction and demanded his card be unblocked
It sounds like you need to request that your third party vendor receive some retraining about the Bank's wishes for how their call center staff handles these types of requests. The customer cannot 'waive' their Reg E protections by refusing fraud safeguards that you provide. The commentary to 1005.6 notes that liability is based solely on timeliness of reporting.
3. Limits on liability. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.Your third party's response to the cardholder should have been, "We're sorry. The card must remain deactivated until you speak with your bank."
Now if we conclude that the cardholder had knowledge of the loss or theft of the access device at the time of the third party call and then waited more than two business days to notify the bank, they may be liable for up to $500 of any transactions that occurred more than two business days after the date of the call according to 1005.6(b)(2).
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com