We have a debit cardholder who reported unauthorized point of sale debit card transactions on his account in December. He has similar transactions dating back to August, which he says are not his either. Since he did not report the transactions within 60 days of receiving the first statement showing unauthorized activity, what is he liable for? Since we process through MasterCard, does $0 liability apply even though he did not report them in a timely fashion?

There is no statute of limitations for reporting unauthorized transactions. He has protection for all transactions on the August statement + 60 days. Refer to §1005.6(b). If he just discovered his card was missing/stolen & he's reporting it within 2 business day of him LEARNING of the loss, his maximum liability is $50.

If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution. [§1005.6(b)(1)]

If he knew his access device was missing (highly unlikely that he would and not report it), then look at this:
If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $500 or the sum of: $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and the amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period. . [§1005.6(b)(2)]

If he just discovered these unauthorized transactions because he reviewed his statements, then look at this:
A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer's liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable. [§1005.6(b)(3)]

The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability. If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period. The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability: up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card and up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft. [Staff Interpretations to §1005.6(b)(3)#1]

Only §1005.11 requires notification within 60 days.

I'm not an expert on MasterCard. Maybe someone else can help you with this.

In order to qualify for Zero Liability protections, Mastercard requires that the cardholder "promptly" notify the bank of the loss or theft of an access device and "exercise reasonable care" in safeguarding the card from los

Although Reg E 1005.6 does not allow us to increase consumer liability due to negligence, not reviewing statements for four months certainly could meet the failure to exercise reasonable care and be used as justification to not provide Zero Liability protection. You must still follow the Reg E liability schedule David outlined above.

Consumer has his debit card in his possession. Transactions were done online or in app. First statement with claimed unauthorized activity was sent 9-6-17, cardholder reported activity on 12-13-17. Please correct me if I'm wrong ... he would not be responsible for anything up to 11-6-17. Since not reported, activity after that would be his responsibility? Trying to figure out Reg E and MasterCard $0 liability is a chore!

Sounds like his card may have been skimmed, but it wasn't missing or stolen, so (I assume) he reported the unauthorized transactions within 2 business days of learning. Unfortunately, he did that by reviewing his statements quite late. If these were access device transactions, his liability is $50. If ACH, then it's $0. Because he didn't report it within 60 days, you don't need to follow 1005.11 (provisional credit & timing requirements), but you do have to resolve it "promptly" per 1005.6.

Technically, his exposure starts at 11/5 because it's 60 days from 9/6, not 2 months.