The answer depends on what information was compromised to result in the unauthorized transactions.
If the customer's debit card number (the access device you issued) was compromised and a fraudulent cash app account established, you are responsible for the investigation requirements under 1005.11.
However, if the customer asserts that their cash app ID & password was compromised (the access device that Square issued) then Square is responsible for complying with 1005.11 because they are considered an EFT service provider under 1005.14.
The challenge is that without knowledge of which access device was stolen, the path of least compliance risk for the bank is to investigate the claim if you don't know what actually transpired. This is a good training point for your front lines to ask questions about the nature of the claim at the time the dispute is initiated.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com