Earlier this month, he came in and decided to stop letting her using his debit card so he wanted to restrict the card but didn't want a new debit card with new numbers
he refused to hot card the debit card and get a new debit card with new numbers
First, it is the bank that decides whether or not to cancel the card. The customer should have no say in this discussion.The customer provided notice that he had previously granted authority to a third party to use his access device, but was revoking that authority. See the definition of "unauthorized in 1005.2(m).
(m) “Unauthorized electronic fund transfer” means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated:
(1) By a person who was furnished the access device to the consumer's account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized;
(2) With fraudulent intent by the consumer or any person acting in concert with the consumer; or
(3) By the financial institution or its employee.
Your customer is liable for any transaction between the time that he granted a third party to use the access device and the time that he notified you that the third party was no longer authorized. The bank is liable for transaction that occurred after you were notified that the third party was not authorized to use the card any longer. Whether the customer wanted the card cancelled or not is irrevelant. The bank, not the customer, accepted the liability risk for not cancelling the card. You cannot increase a customer's liability based on any type of agreement once you have knowledge that the third party is no longer authorized.
See the commentary to 1005.6(b)
3. Limits on liability. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.