The rules in section 1005.6 are based on customer responsibility to notify the bank when the customer is aware (or should be aware) that something is wrong. There are two incidents that trigger that responsibility -- the consumer's realizing that their access device is missing (lost or stolen), and receipt and review of a statement that includes a transaction the consumer believes they did not authorize. Realizing that an access device is missing triggers a two-business-day alert limit in which to contact the bank and avoid liability for unauthorized transactions occurring before contacting the bank (with a $50 upward limit on liability). Why? Because a timely notice to the bank can stop further unauthorized transactions with the access device.
The other deadline is based on a responsibility to review one's bank statement. The consumer is allowed a VERY generous 60 days to do that. Again, the reason for the deadline is that a responsible consumer who notifies the bank of unauthorized EFTs on their statement can prevent more unauthorized transactions. If the consumer misses that 60-day deadline, any further unauthorized transactions are the consumer's responsibility,.
That's why section 1005.6 protects the consumer from loss for the earliest transactions.
John S. Burnett
Fighting for Compliance since 1976
Bankers' Threads User #8