Seeking Reg E input on a current situation we are dealing with – we have a customer who has been giving out her personal and bank information out; she was initially roped into a marketing scam and continued to give them more of her information over several weeks. The information she provided to these individuals were her name, address, DOB, SSN, online banking credentials and 7 different debit cards numbers associated to her personal and business accounts. She is now filing disputes on about 50 transactions that appear on these debit cards, with various merchant names. She does ‘not recognize’ these transaction amounts and isn’t confident on which merchants she was approving transactions for (they are not the ‘exact names’ that she’s familiar with).

We are assuming several of these transactions weren’t actually authorized by her individually, but by the fraudsters who have been provided with her account information. Do we have any grounds to decline her disputes as ‘valid’ since she had willingly given all of this information out or are we obligated to research each individual transaction?

Thank you for your time!
-Monica

You are pretty much stuck. It should be the last debit card that person ever sees from you or maybe even the last account relationship.

6(b) Limitations on Amount of Liability

2. Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)-2 regarding termination of the authority of given by the consumer to another person.)

And remember that business debit cards aren't covered by Regulation E.

Skittles - very good point. Missed that little gem in there.

I do think you have a strong case not to provide zero liability under Visa or Mastercard rules.

Why wouldn't 2(m)-2 apply to the above scenario?

Depends. Is this granting a third party the authority to use the access device or is this an access device obtained through robbery or fraud?

"We are assuming several of these transactions weren’t actually authorized by her individually, but by the fraudsters who have been provided with her account information."

This statement from the OP leads me to conclude it is an access device obtained through robbery or fraud. For example, I call you to tell you that you won a prize and I just need your debit card number and internet banking credentials so I can credit your account. You provide them and I use the info to originate several unauthorized charges. In this scenario, the customer never actually authorized any purchases therefore 2(m)-2 would not apply.