What is everyone's opinion on a mobile phone being an access device? So if a customer lost their smartphone, it was unlocked, and they kept an electronic note inside with their mobile banking login and password, and subsequently a crook got in an transferred some money, would this be considered loss/theft of an access device? Is the access device the phone itself or their banking credentials? My thoughts were that the phone (or computer) would be the electronic terminal and the access device would be their login information. So, they learned of the loss/theft of their phone, they would have to put two and two together to comprehend that their "access device" (the login credentials) were also in there and that maybe they should notify their FI....

I don't think the phone (or a PC) would be considered an access device, but as you mentioned, the login credentials are the access device. I doubt anyone would consider his/her phone or PC an access device, and I honestly don't know how likely it is that someone would notify their FI that they lost their phone.

Having worked in banking for a long time (and therefore careful/paranoid ) I would at a minimum change my login info if my phone or PC were lost or stolen.

I suppose as a glimpse into public opinion, I was reading reviews on the online banking app for my bank (where I bank, not where I work) in the Google Play store. One user criticized the app because it requires the user to sign in with their online MFA credentials each time. Apparently safeguarding someone's account was too inconvenient for that user. And considering that many people don't employ security on their phones, like a PIN or a pattern to unlock the screen, I imagine the user in your scenario would be very susceptible to account fraud.

Thanks for the reply - your example regarding the mobile banking application review is exactly the reason why my mind came up with this kind of scenario...because there are people out there who just don't safeguard their info making it so easy for someone to compromise their account.

Not much room for liability assignment to the customer if their password was stolen since they would probably only learn about it after the transactions occurred.

It's definitely a business decision that FIs need to carefully consider and address when considering mobile banking. There will always be losses, that risk is a cost of being in this business. Many FIs provide "helpful tips" to customers when issuing an access device, such as ATM safety, safeguarding PINs and passwords, etc. I think those are a good idea and hopefully the customer will read them, for their benefit and also the FI's benefit. Unfortunately there will be negligent customers and also unfortunate is that Reg E does not allow the FI to place liability on the customer for that negligence. That is when the FI must consider cutting off the customer's account access via those methods.