First, welcome to BankersOnline. You will find that there is quite a community of compliance professionals that share your frustration with Reg E.
The staff interpretations to 1005.6 are very clear about the role customer negligence plays in determining liability. Since the cardholder reported the theft timely, their maximum liability is $50.00. If you can determine that the customer gave the card and PIN to a third party and they used the card you can deny the claim based on 1005.2(m). Based on your description of events this does not seem likely. Regardless, the best way to minimize losses in this case may be to pay the customer $750, file your own police report if they refuse to, and never give this customer another card.
Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)-2 regarding termination of the authority of given by the consumer to another person.)
2(m)2 Authority. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com