I have a two part question. The first part is, I know for unauthorized transactions is the statement date of the first unauthorized transactions plus 60 days. My question is, if the unauthorized transactions are from different merchants do you have to look at the statements for each merchant that was unauthorized or just the first transaction that was unauthorized? For example a client is disputing a charge on 7/26/20 for company ABC then on 1/6/21 the client is disputing a charge from XYZ business. Which charges are the bank liable for versus the client liable for?

Second part, if this client is not a consumer but a business. I know they do not fall under Reg E so what liability does the bank have versus the client? Since the charges are so old are we still required to investigate them even though it is a business and doesn't fall under Reg E. We use visa, does visa have separate rules for a business?

1. 1005.6(b) states that liability can be based on a transaction or a series of related transactions. If you conclude the transactions are related (e.g., conducted by the same person, caused by the same data breech, etc.) then you can base your liability calculation on 60 days from the date of the statement on which the 7/26/20 charge appeared. If you conclude they are not related and the 1/6/21 charge would have occurred even if the customer had notified you sooner about the 7/26/20 charge, then they must be treated separately.

2. Although Reg E does not apply, Visa extends its Zero Liability protections to small business debit cards. You have to determine based on your issuer agreement if the customer qualifies for Zero Liability coverage. Unlike Reg E which does not permit you to increase customer liability due to negligence, Visa rules says that Zero Liability may be "withheld, delayed, limited, or rescinded by your issuer based on gross negligence or fraud, a delay in reporting unauthorized use."

A business customer that does not report fraud from July until now certainly had a "delay in reporting unauthorized use" and I would not extend Zero Liability protections to that business.