As you undoubtedly realize, the bank should never have provided Reg E disclosures on that account or with the card if the account is for a business. What you are left with is a large gray area and an unknown number of accounts with similar gray areas.
But if this WERE a consumer account, you would have a pretty clear argument that none of the transactions meets the definition of "unauthorized electronic fund transfer" precisely because the son had received an authorization to use the card and, as far as I can see, he never gave Dad the card back, and, as you stated, never told the bank to shut down the kid's use of the card, either.
John S. Burnett
Fighting for Compliance since 1976
Bankers' Threads User #8