Although the transaction you describe might be considered an authorized transaction, it is not likely that you can hold the customer liable because he did not request or validate the link to his savings account.
Because the transaction involved a transfer from a savings account made with a debit card, Regulation E governs the customer’s liability. 12 CFR 1005.3(a). Under Regulation E, a bank cannot impose any liability for an electronic fund transfer unless the transaction is made with an “accepted access device.” Comment 2, Official Staff Commentary, 12 CFR 1005.5(b). Accepted access devices generally consist of debit cards, used in combination with PINs, that were either requested by the customer or, if the card was unsolicited, validated by the customer. 12 CFR 1005.5.
As stated in the official comments, “[m]aking an additional account accessible through an existing access device is equivalent to issuing an access device.” Comment 1, Official Staff Commentary, 12 CFR 1005.5. Therefore, when you reissued the debit card and added access to the customer’s savings account, that was the equivalent of issuing a new access device to the customer. Accordingly, the customer was not liable for any transactions until he validated the savings account link and you verified his identity using reasonable means. 12 CFR 1005.5(b)Comment 1, Official Staff Commentary, 12 CFR 1005.5(a)(2).