Our customer gave his daughter the PIN to his debit card.
She withdrew several times from the ATM on 12-11-05.
He wants his money back. Do we have to refund due to the fact that he admitted he willfully gave her the pin?

No - look toward 205.2(m) OSC Comment 2:

2. Authority. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.

No refund - customer negligence - or offer to prosecute his daughter for theft, or refund and close.

I'll disagree with Tex. I don't think you have a choice to refund and pursue the daughter yourself. If the law and regulation say the transactions are authorized, they are authorized. If you reimburse Dad, you can't pursue the daughter for an authorized transfer.

In this case, I think the only point that needs to be ironed out is whether Dad gave his daughter the PIN and granted her authority to use the card. I can see Dad arguing that he gave her the PIN in case he couldn't remember it, but never gave her the card (but she lifted it from his wallet). If the facts are that Dad gave daughter the PIN and the card, and she simply exceeded her transaction authority and ripped him off, the case is open and shut. Dad gets to take the matter up with daughter, but not with you in the middle.

If that's the determination, I'd also cancel Dad's card access. Permanently.

The offer to prosecute was made tongue in cheek, John - I forget that some posters may not be as familar with Reg E as others - I'll try to rein in the sarcasm, or make it more evident next time.

I believe a key here is did she exceed the authority when he gave it to her (authorized by the Reg.) or did he take the card back and later have her steal it, and use the PIN that she had committed to memory.

In the former, claim denied, in the latter, I'd have to consider paying the claim if he re-secured the card.

FWIW, I think Andy's approach is a little too conservative (although I recognize that you'll never get successfully sued going conservative). I base this on: 1) a straightforward reading of the reg; and 2) the reasoning behind the reg.

1) The Regulation and the OSC don't say anything about "re-securing" the access device. They say that if a consumer furnishes the access device to someone, EFT's performed by that person are authorized, unless the consumer has notified the institution that transfers are no longer authorized. In other words, any steps the consumer takes to "resecure" the access device or revoke permission are ineffective unless the consumer also notifies the institution that transfers by the other person are unauthorized.

2) The reasoning behind the wording of the regulation is logical. The financial institution is ultimately the only party that can truly "secure" the access device (by blocking the card/changing the PIN, etc). Congress put the burden of unauthorized EFTs on the financial institution even when the consumer has been stupid or negligent (i.e. by writing the PIN on the card and leaving it on your desk). That's the risk of issuing EFT devices. But when a consumer has willingly given the access device to someone else, the financial institution has no knowledge of what's authorized and what's not, and has no ability to plan for or prevent transfers in excess of the authority. It's very difficult for a consumer to truly "re-secure" the access device. So it only makes sense that the financial institution is off the hook until it receives notice.

I'm not saying you don't look at each case individually and carefully evaluate your position (including potential bad p.r.). But IMO, the idea of "re-securing" the card puts something into the regulation that's not there.

OK. Why is the customer held to a higher standard if they re-secure the card after they gave out the PIN? Case in point, A writes his PIN on his card. Someone steals the card, uses it and the bank pays the claim. The withdrawal wasn't authorized, A didn't do it nor did A benefit from it.

B gives card and PIN to "trusted" person who makes the withdrawal and returns the card and funds. Later this person steals the card and uses it again. B didn't do it, authorize it nor benefit from it.

A was more negligent in that the PIN was available to anyone. B at least tried to keep the PINs availability to a minimum. Because B knows who had the PIN, identification and recovery are easier, but B is held completely liable?

I base this on the OSC 2(m)3.

IMHO - once the card and PIN is given to another person, they are then an authorized transactor until notice is given to the bank. End of story. There is nothing in the regulations that deals with re-securing the card, etc. Taking the card at a later date and using it without the original card holder's knowledge is just part of "exceeding their authority".

My heart is with Randy's answer, although my head sides with Andy. My gut tells me that my head is right on this.

But I'd really be happier if the Fed or a court would decide that Randy's right and I'm wrong on this.

My arthritic knees often forecast rain, too. They're right about as often as my meteorologist son.

I agree with Rainman and Randy.

If you give somebody a card, you can take it back. If you give them a PIN (also included in the definition of an access device) you can't take it back. It's a voluntary, evergreen grant of authority; if the claimant gave the access device to the actor, it's an authorized transaction.