Customer Gives Up Card Data in Scam

Answered by:

Question:

I have a customer that supplied all of her debit card information to a email representing themselves as Paypal. As a result, $8000 was removed from the account in a thirty day period at European ATM machines with a counterfeit card. This customer did not open her statement for the previous month where she could have seen the removal of the first $2000. If she had done this we could have saved the remaining $6000 from being withdrawn. I have read previous answers to similar questions, but can't decide if I can invoke OSC 205.2 on this scenario, or if we will need to charge off this amount even though the customer provided everything the fraudster needed and did not use the statement to catch the first withdrawals. Can you provide a clear interpretation of can I or can I not deny this claim?

Answer:

I will offer my interpretation. I believe that the customer cannot be held liable for unauthorized transfers solely because the customer was duped into giving up access device information. In this case, you need to look at comment 3 to 205.2(m).

In the best case scenario you may be able to make a case that the customer had knowledge of the compromised access device on the date she gave up the information (if you know that date). Then you can, perhaps, impose the $50/$500 rule for transactions occurring within the 2 and 60-day periods described in section 205.6 of the regulation. Regardless of whether you can make the case for the "knowledge of compromised access device" you can lay off on the customer any transaction occurring more than 60 days after the first statement was delivered reflecting the first such unauthorized transfer.

Ignorance and gullibility are not excuses under the regulation to assign added liability to the customer.

First published on BankersOnline.com 2/7/05