If an account username and password is stolen and money is stolen, what is the limit of liability to a truly innocent accountholder?

My question is whether a stolen username and password, where there is no physical access device, is considered a stolen access device under Reg E?

An "access device" includes a card or code or other means to access an account. 205.2(a)(1).

Quote:

---

truly innocent accountholder

---

I don't mean this as humor, but did the consumer have some liability in this? How was the account information stolen? Was it written somewhere and taken? Was it given out over the phone (pfishing)? Taken via internet? Some banks take the standpoint that if the customer has not taken every step to safeguard the information, they are 100% liable, and not innocent at all. And how were the funds taken? By check? ATM/debit card? Electronic tranfer? Each of these can have a different liability amount.

I was trying to research the very question posed above (what if a user name and password are stolen....).

I guess I would have thought the $50/$500 rule would be in place since a user name/password would be considered an "access device" as defined in 205.2(a)(1). Anything outside of the $50/$500 would be (unfortunately) the bank's loss.

I am looking for all the assistance on this issue I can get.

The reason I was researching this issue stems from an article I came across this morning on the MSNBC website. I will try and post the link (I've never done it before, so I hope it works.)

http://www.msnbc.msn.com/id/6713753

Based on the article, it appears the customer is out. Unless there are other circumstances not included in the article, I would like to know why?

Just curious what others think.

I think the key here is that the money was ripped from their business account, which isn't protected under Reg. E.

Thank you. I totally looked past that when I initially read the article.

Had it been a consumer account would this fall under the $50/$500 rule (because the user name and password are considered an access device)? If so, how would you be able to prove the two-day rule in the case of stolen information (instead of knowledge that I lost my card)?

Or would the customer have 60 days to notify the bank to avoid all liability?

Thanks.

The two days is triggered when they learn of the loss or theft of the device. That may well be when they saw online that the funds were gone or when they reviewed their statement. As far as you being able to verify when they learned of this, there is no way. You hope your customer is honest. Some are, some are not, some are until they realize what the cost is.