Scenario:
Assume that the debt card transaction was not processed through the Visa or Plus Network -

Jan 1 - Consumer's debit card information is stolen, but the consumer is not aware of this and the card is in their possession.
Jan 2 - Unauthorized EFT of $100 using the debit card information
Jan 6 - Unauthorized EFT of $600 using the debit card information
Jan 30 - Periodic statement is transmitted showing the unauthorized EFTs of $100 and $600
April 10 - Unauthorized EFT of $400 using the debit card information
April 11 - Consumer becomes aware of the three unauthorized debit card transactions and notifies the bank

Customer has notified the bank within 2 days of becoming aware that their debit card information was stolen. However, this notification is 71 days after the first statement that included the unauthorized debit card transaction. What is the consumer's liability?

Scenario:
Same as above except the debt card transaction was processed through the Visa or Plus Network so Visa's Zero Liability Policy is in play, but the bank considers it gross negligence on the consumer's part to not have monitored their account and reported the unauthorized debt card transaction within 60 days of the first statement that included the unauthorized debt card transaction. What is the consumer's liability?

We would credit the member the full amount for all transactions except the April 10th transaction. So the member's liability is for any transaction(s) that post 60 days after the statement showing the first error is transmitted.

Gross negligence is only at play for the April 10th transaction - all the January transactions are covered under Reg E which doesn't give a fig about negligence. Visa would want you to credit the member for the April 10th transaction under Zero Liability, but it is my opinion that not reviewing statements is negligence.

1005.6(b)(1) & (2) apply to the consumers "accepted access device" which is the physcal card. Since the physical card was not stolen, 1005.6(b)(1) and (2) do not apply.

So we are left with 1005.6(b)(3) which says the consumer has unlimited liability for transfers that occur more than 60 days from the transmittal of the statement on which the first error occurred. The Bank is liable for $700 between Jan 1 and 60 days after Jan 30. The consumer is liable for $400 for the transaction that occurred after day 60.

For Scenario 2, The Bank is not providing Zero Liability protections since the cardholder did not safeguard their card from loss/theft so the answer is the same. Reg E liability does not chnage due to cardholder negligence.

Answer to question not asked: If these had been ACH debits, the answer is still the same even though the bank is outside the NACHA timeframes for returning the January charges. Reg E doesn't care whether we can recover funds via NACHA rules or the chargeback rights. Reg E is establishs liability limits and protects the consumer.

Let me say this first. I am only familiar with Reg E rules, not really Visa Liability rules and ACH rules. Any training I've had seems to just regurgitate the rules, but never gives real life examples of the application of the rules in conjunction with Visa Zero Liability and ACH. So I feel a bit blind.

BrianC, what do you mean that "the Bank is not providing Zero Liability protections since the cardholder did not safeguard their card from loss/theft"? Can we do that for those early transactions? I'm not sure that the customer was negligent since maybe it was a waiter at a restaurant that took a picture of the card and used that information. In my scenario, I was thinking that the negligence came in in that they did not monitor their account statement and report to us any unauthorized transactions within 60 days as we require in our disclosures. Is negligence under Visa tied directly to safeguarding the card only, or is negligence a possibility when not monitoring your account associated with the Visa debit card?

Regarding "accepted access device", besides the physical card, what are some other "real" examples? Electronic Banking login, password, passcode? Telephone banking passcode? Personal identification numbers (PINs) but in what context? Cell phones, but in what context?

Thanks in advance!

Another question.

I understand that the bank doesn't have to give provisional credit during the investigation for the first two transactions because notice was more than 60 days, but does the bank have to give provisional credit for the $400 transaction that took place on April 10 since they notified us on April 11? I ask because even though under Reg E they could be liable for the $400, we have still have chargeback rights under Visa, so would we be required to give provisional credit until the investigation is complete?