Yes, your bank may be required to issue provisional credit and refund your customer for some of the fraudulent transactions.

Regulation E’s Official Interpretations state that a consumer’s liability for unauthorized electronic fund transfers (including debit card transactions) “is determined solely by the consumer’s promptness in reporting the loss or theft of an access device.” A consumer’s negligence is not a basis for imposing greater liability for unauthorized transactions than is permitted by Regulation E.

Regulation E provides different tiers of liability to be imposed on a consumer for unauthorized transactions based on how promptly they notify your bank after learning of the loss of their card or an access device. Generally, a consumer’s liability hinges on whether they notified the financial institution within two business days after learning of the loss or theft of the access device, as well as when each particular unauthorized transaction occurred. Regulation E does not define when a customer “learns” of the theft or loss of an access device, but we think it would be reasonable to assume that your customer learned of the theft when your debit card vendor alerted your customer to possible “card not present” fraud.

Consequently, we believe that your customer could be subject to Regulation E’s higher tier of liability because they did not notify your bank until more than two business days had passed since your debit card vendor notified them about the potential fraud. However, the fact that your customer initially stated that the fraudulent transactions were legitimate would not affect the customer’s eventual liability for the fraudulent transactions — as stated above, the consumer’s liability is determined solely by timing considerations, not by their negligence.

For resources related to our guidance, please see:

• Regulation E, Official Interpretations, Paragraph 6(b), Comment 3 (“Limits on liability. The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device. . . .”)

• Regulation E, Official Interpretations, Paragraph 6(b), Comment 2 (“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”)

• Regulation E, 12 CFR 1005.6(b) (“A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

• (i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and
   
• (ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.”)

• Regulation E, Official Interpretations, Paragraph 6(b), Comment 1 (“Application of liability provisions. There are three possible tiers of consumer liability for unauthorized EFTs depending on the situation. A consumer may be liable for: (1) up to $50; (2) up to $500; or (3) an unlimited amount depending on when the unauthorized EFT occurs. More than one tier may apply to a given situation because each corresponds to a different (sometimes overlapping) time period or set of conditions.”)

• Regulation E, Official Interpretations, Paragraph 6(b)(1), Comment 2 (“Knowledge of loss or theft of access device. The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.”)

• Regulation E, 12 CFR 1005.2(a)(1) (“‘Access device’ means a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”)

• Regulation E, 12 CFR 1005.2(m) (“‘Unauthorized electronic fund transfer’ means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. . . .”)

• Regulation E, 12 CFR 1005.11(a)(1) (“The term ‘error’ means: . . . (i) An unauthorized electronic fund transfer.”)

• Regulation E, 12 CFR 1005.11(c)(1) (“A financial institution shall investigate promptly and, except as otherwise provided in this paragraph (c), shall determine whether an error occurred within 10 business days of receiving a notice of error. The institution shall report the results to the consumer within three business days after completing its investigation. The institution shall correct the error within one business day after determining that an error occurred.”)

• Regulation E, 12 CFR 1005.11 (c)(2) (“If the financial institution is unable to complete its investigation within 10 business days, the institution may take up to 45 days from receipt of a notice of error to investigate and determine whether an error occurred, provided the institution does the following:

(i) Provisionally credits the consumer's account in the amount of the alleged error (including interest where applicable) within 10 business days of receiving the error notice. If the financial institution has a reasonable basis for believing that an unauthorized electronic fund transfer has occurred and the institution has satisfied the requirements of § 1005.6(a), the institution may withhold a maximum of $50 from the amount credited. An institution need not provisionally credit the consumer's account if:

• (A) The institution requires but does not receive written confirmation within 10 business days of an oral notice of error; or
   
• (B) The alleged error involves an account that is subject to Regulation T of the Board of Governors of the Federal Reserve System (Securities Credit by Brokers and Dealers, 12 CFR part 220);

(ii) Informs the consumer, within two business days after the provisional crediting, of the amount and date of the provisional crediting and gives the consumer full use of the funds during the investigation;

(iii) Corrects the error, if any, within one business day after determining that an error occurred; and

(iv) Reports the results to the consumer within three business days after completing its investigation (including, if applicable, notice that a provisional credit has been made final).”)

• Regulation E, Official Interpretations, Paragraph 11(c), Comment 6 (“If the financial institution determines an error occurred, within either the 10-day or 45-day period, it must correct the error (subject to the liability provisions of §§ 1005.6(a) and (b)) including, where applicable, the crediting of interest and the refunding of any fees imposed by the institution. In a combined credit/EFT transaction, for example, the institution must refund any finance charges incurred as a result of the error. The institution need not refund fees that would have been imposed whether or not the error occurred.”)