Skip to content

Expired Debit Card - Stolen & Used

Question: 
A family member stole an expired debit card and has been using it undetected by the account holder the last year and a half. The expiration date is not validated at the ATM, so successful withdrawals were made. What is the bank's liability under Reg E?
Answer: 

Answer by Jim Bedsole:No different than it would be if the family member had stolen a non-expired card and used it in an unauthorized fashion. How did the family member have the PIN number? Was the family member previously given the PIN for an authorized transaction? If so, liability could be mitigated if the bank was not notified that the family was no longer authorized. If the transactions were truly unauthorized, then the amount of liability depends on when the transactions took place and how long before the customer notified the bank.

Answer: 

Answer by Randy Carey:I would opine that this may be a contract issue and not a Reg E issue. You would have to review your card holder agreement and your issuer agreements. As a customer, I would not stand still for a bank that allowed transactions to process to my account using an expired card and then try and hold me liable. This is not something I would look forward to explaining to a judge or jury. A review of your ATM system controls may be in order.

Answer: 

Answer by Andy Zavoina:I'll throw in my two cents as well. I would believe that Reg E will apply as unauthorized debits were made from the account. If the family member "stole" the card and was not given it for use, the exception or "evergreen authority" Jim mentions under (OSC) 2(m)2 is over-ridden by the "card taken by fraud" rule under 2(m)3.

Further, with an expiration this card may be deemed NOT to be an accepted access device. The definition really doesn't address this, but from the comments it is easy to assume that the expiration date is expected to be just that. Plus, a replacement card would seem to have been issued meaning that the old card was supposed to be useless.

If it is not an "accepted access device," the liability rules of 205.6 don't apply. This could place the transaction amounts on the bank, less the exception under 6(b)(3) 2 requiring review of the periodic statements. Even this section though, refers to the use of an access device ("accepted" is absent in the description). Those transfers after 60 days after you sent the first statement showing one of these transfers would be your customers liability.

The bottom line is that you have somewhat a unique situation here. The bigger problem is the other expired cards that may be out there, not secured by the owner, and ready for use. (This relates to Randy's contract issue.) The expiration date is meaningless unless you can have this read and used at ATMs. Encourage your customers to destroy the old cards. The smaller problem is one of this claim. Based on the limited information, as Jim said, the liability is under Reg E. I would look at the withdrawals from day one, through the first statement date plus 60 days as what you may have to pay.

First published on BankersOnline.com 2/04/08

First published on 02/04/2008

Filed under: 
Filed under technology as: 

Search Topics