A customer notified us on a Saturday that on the preceding Wednesday, she became aware that she lost her wallet with her debit card inside. Two transactions at a retail store using the debit card PIN occurred before the customer discovered she lost the wallet. One transaction exceeded $300, and another transaction the following day exceeded $200. When we questioned the customer, she said that the PIN was written on a piece of paper kept in her wallet. Are we obligated to credit the customer for these transactions? The Visa rules state that a cardholder’s negligence can increase their liability for an unauthorized transaction, but the commentary to Regulation E states that negligence cannot be used as a basis for imposing greater liability than permissible under the regulation.

Yes, we believe your bank may be required to provisionally credit and refund your customer for some of the unauthorized transactions.

Regulation E

Regulation E’s Official Interpretations state that a consumer’s liability for unauthorized electronic fund transfers (including debit card transactions) “is determined solely by the consumer’s promptness in reporting the loss or theft of an access device.” A consumer’s negligence (such as “writing the PIN on . . . a piece of paper kept with the card”) is not a basis for imposing greater liability for unauthorized transactions than is permitted by Regulation E.

Regulation E provides different tiers of liability to be imposed on a consumer for unauthorized transactions based on how promptly they notify your bank after learning of the loss of their card or access device. Generally, a consumer’s liability hinges on whether they notified the financial institution within two business days after learning of the loss or theft of the access device, as well as when each particular unauthorized transaction occurred.

Based on the Regulation E liability rules, we believe that your customer would be subject to the higher tier of liability because she did not notify your bank until more than two business days had passed since she discovered the card was lost (assuming Thursday and Friday are business days — i.e., days on which your bank is open to the public and carries on substantially all business functions). However, since both unauthorized transactions occurred before your customer discovered the card was lost, we believe her liability for the unauthorized transactions would be capped at $50. Although there are certain factors that can increase a customer’s liability for unauthorized transactions that are not timely reported, they are only applicable in cases where the unauthorized transactions occurred after the customer discovered the loss of the card.

Visa Rules

Unlike Regulation E, which imposes some liability on consumers for unauthorized transactions, the Visa Rules limit a cardholder’s liability to zero once a cardholder notifies you of an unauthorized transaction. However, a card issuer may increase the amount of the cardholder’s liability “if the Issuer reasonably determines, based on substantial evidence, that the Cardholder was fraudulent or negligent in the handling of the account or the Card.”

However, while you may be able to impose liability on your customer in an amount greater than zero, that amount cannot exceed the maximum liability allowed under Regulation E.

For resources related to our guidance, please see:

  • Regulation E, Official Interpretations, Paragraph 6(b), Comment 3 (“Limits on liability. The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device.”)
  • Regulation E, 12 CFR 1005.2(a)(1) (“‘Access device’ means a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”)
  • Regulation E, Official Interpretations, Paragraph 6(b), Comment 2 (“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”)
  • Regulation E, 12 CFR 1005.6(b) (“A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of: (i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and (ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.”)

  • Regulation E, Official Interpretations, Paragraph 6(b)(1), Comment 3 (“The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24-hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.”)
  • Regulation E, 12 CFR 1005.2(d) (“‘Business day’ means any day on which the offices of the consumer’s financial institution are open to the public for carrying on substantially all business functions.”)
  • Visa Core Rules and Visa Product and Service Rules, Section 1.4.6.1 — Zero Liability (April 18, 2020), page 89 (“An Issuer must limit a Cardholder’s liability to zero upon notification from the Cardholder of an unauthorized Transaction. . . . The Issuer may increase the amount of the Cardholder’s liability for unauthorized Transactions if the Issuer reasonably determines, based on substantial evidence, that the Cardholder was fraudulent or negligent in the handling of the account or the Card.”)