Hi all,

I've always taken that unauthorized transfers (UTs) through the same access device (eg, the same Debit card) are considered one "incident" when calculating $50/$500/unlimited liability in cases where the account holder did not notify the FI timely.

For example, let's pretend there's UTs from MerchantA posted 2/1/24, 3/1/24, 4/1/24, 5/1/24. There also UTs from another MerchantB on 5/1/24 and 6/1/24. And more UTs from MerchantC on 6/1/24. The statement with the 2/1 activity was mailed 2/29/24.

Cardholder first notified about the UTs from Merchant A B & C on 10/4/24 and the card was blocked at that point.

I'd always taken Reg E consumer liability calculations through the same access device to be calculated from the date of the earliest UT on that device, regardless of if multiple merchants are involved--as long as I show we could have blocked the additional activity had the consumer informed us timely.

I have a government agency examiner telling us that even if it's through the same device, MerchantA is one incident with it's own calculations of 60 days starting from the February statement generation, MerchantB is a separate incident with a 60 day calculation starting from the May statement generation, and Merchant C is a third calculation starting from the June statement generation.

I've never heard it interpreted the latter way.... We would have stopped all of those transactions had the cardholder notified us timely in the relation to the activity of MerchantA.

Thoughts?

We have to look at 1005.6(b) and consider what it says about liability.

(b) Limitations on amount of liability. A consumer's liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

What constitutes a "series of related transfers?" Certainly, multiple recurring transactions from the same merchant is one possibility, but the answer truly lies in what your investigation uncovers.

For example, if someone steals my access device and that same person uses my access device at many different merchants, those transactions are related because they are all done by the same thief.

If my debit card is compromised and sold on the dark web, then there may be multiple thieves who use my access device, but the transactions are all related because the theft came from the same source.

On the other hand, if my card is stolen and one criminal uses it for transactions around town and also I fall for a phishing scam and different criminals use my card online to set up fraudulent transactions, then these aren't related because I would have fallen for the phishing scam with a new card even if you had cancelled the old one when the card was stolen so the online transactions could not have been prevented by cancelling the card.

I disagree with the blanket statement made by your examiner, but also stress the importance that the burden of proof is on you to demonstrate that the transactions are part of a related series.

I've never heard such a thing myself. I would point him to the official interpretation under that 1005.6(b) which I think makes it clear that it's all consider a single incident.

Official interpretation of 6(b)(1) Timely Notice Given

1. $50 limit applies. The basic liability limit is $50. For example, the consumer's card is lost or stolen on Monday and the consumer learns of the loss or theft on Wednesday. If the consumer notifies the financial institution within two business days of learning of the loss or theft (by midnight Friday), the consumer's liability is limited to $50 or the amount of the unauthorized transfers that occurred before notification, whichever is less.

2. Knowledge of loss or theft of access device. The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.

3. Two business day rule. The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24-hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.

Official interpretation of 6(b)(2) Timely Notice Not Given

1. $500 limit applies. The second tier of liability is $500. For example, the consumer's card is stolen on Monday and the consumer learns of the theft that same day. The consumer reports the theft on Friday. The $500 limit applies because the consumer failed to notify the financial institution within two business days of learning of the theft (which would have been by midnight Wednesday). How much the consumer is actually liable for, however, depends on when the unauthorized transfers take place. In this example, assume a $100 unauthorized transfer was made on Tuesday and a $600 unauthorized transfer on Thursday. Because the consumer is liable for the amount of the loss that occurs within the first two business days (but no more than $50), plus the amount of the unauthorized transfers that occurs after the first two business days and before the consumer gives notice, the consumer's total liability is $500 ($50 of the $100 transfer plus $450 of the $600 transfer, in this example). But if $600 was taken on Tuesday and $100 on Thursday, the consumer's maximum liability would be $150 ($50 of the $600 plus $100).

I don't see anything in there implying that after the device is lost, each and every merchant is considered its own incident.

It doesn't appear that the regulation takes into account holds on funds. How do you treat the loss if there are two transactions that get approved on day 1, one posts immediately and the other pends for 3 days? Does the transaction that pended count against the $50 tier or the $500 tier? I've have read that it is not a transaction until it posts, but there is a hold on the funds which limits the amount of available funds.

I cannot be unauthorized until it posts to the account. There is no transaction. Your policy on restricting available funds for future transactions is a totally separate issue.

My thought on the concept of auth hold vs post hold... it's not a transaction until it posts, yes. But I believe elsewhere in the Reg it is stated that to escalate the liability to $500 (or unlimited in extreme cases when the fraud goes on for over 60 days), you have to show the transaction could been blocked.

The question I might ask here, is if the auth occurred during the tier 1 liability window but the cardholder notification and posting of the transaction occurred in the tier 2 window, would you have been able to block that transaction? Probably not, without the aid of a time machine. But I believe that is not necessarily a black and white answer.

I think Reg E could benefit being brought into the year 2024 where we live in a world of real time transactions, but also real time transaction notifications.... but that is another matter.

We keep running into situations where the cardholder doesn't notice "subscription based" fraud going on months and months because they "don't have time" to review their activity closely (despite logging in their online banking etc) ... but of course "whoops I don't have enough time to look closely" is not really addressed in reg e as a detriment to the cardholder dispute process.... other than the tier 2 tier 3 liability if it drags on for an excessive amount of time.

Increasingly, we see more and more scenarios where I'm calculating tier 1 vs tier 2 vs tier 3 becaus ehte cardholder just doesn't care.... and that gets really ugly if I take the examiner's opinion they expressed as-is. A lot of these subscription things though are small enough that tier 2 liability doesn't even wind up exhausted. Death by 1,000 cuts.

The $50/$500 liability on the consumer is based solely on how quickly they tell the FI that they lost the access device after they discovered losing the access device. It has no relation to when the unauthorized transactions occurred, preauthorized or completed.