Data breach and card reissuing

Question: 
We have been notified by Mastercard of a data breach and need to inform our customers who were impacted by this incident. In previous financial institutions where I have worked, we typically send a letter to notify customers about the card compromise. This letter includes the date we will be closing their card and informs them that a new card will be issued. My question is regarding the regulations surrounding this process: Can customers choose to keep their card active? If so, where does the liability lie if they experience fraud in the future? I am looking for a regulation or a Mastercard rule to implement a formal policy, as there isn't one currently in place at my current financial institution.
Answer: 

by Randy Carey:

You cannot impose liability on the customer for fraudulent transactions regardless. There is no upside to the bank by allowing them to keep their current card.

Answer: 

by Brian Crow:

To echo Randy's comment, if the bank allows a consumer to keep a compromised card active, the bank accepts the liability risk. Consumers cannot sign away their Regulation E protections. See the commentary to 1005.6(b).

3. Limits on liability. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.

First published on 11/17/2024
