Skip to main content

Comment for 1005.6 Liability of Consumer for Unauthorized Transfers

6(a) Conditions for Liability

1. Means of identification. A financial institution may use various means for identifying the consumer to whom the access device is issued, including but not limited to:

i. Electronic or mechanical confirmation (such as a PIN).

ii. Comparison of the consumer's signature, fingerprint, or photograph.

2. Multiple users. When more than one access device is issued for an account, the financial institution may, but need not, provide a separate means to identify each user of the account.

6(b) Limitations on Amount of Liability

1. Application of liability provisions. There are three possible tiers of consumer liability for unauthorized EFTs depending on the situation. A consumer may be liable for: (1) up to $50; (2) up to $500; or (3) an unlimited amount depending on when the unauthorized EFT occurs. More than one tier may apply to a given situation because each corresponds to a different (sometimes overlapping) time period or set of conditions.

2. Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)-2 regarding termination of the authority of given by the consumer to another person.)

3. Limits on liability. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.

6(b)(1) Timely Notice Given

1. $50 limit applies. The basic liability limit is $50. For example, the consumer's card is lost or stolen on Monday and the consumer learns of the loss or theft on Wednesday. If the consumer notifies the financial institution within two business days of learning of the loss or theft (by midnight Friday), the consumer's liability is limited to $50 or the amount of the unauthorized transfers that occurred before notification, whichever is less.

2. Knowledge of loss or theft of access device. The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.

3. Two business day rule. The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24-hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.

6(b)(2) Timely Notice Not Given

1. $500 limit applies. The second tier of liability is $500. For example, the consumer's card is stolen on Monday and the consumer learns of the theft that same day. The consumer reports the theft on Friday. The $500 limit applies because the consumer failed to notify the financial institution within two business days of learning of the theft (which would have been by midnight Wednesday). How much the consumer is actually liable for, however, depends on when the unauthorized transfers take place. In this example, assume a $100 unauthorized transfer was made on Tuesday and a $600 unauthorized transfer on Thursday. Because the consumer is liable for the amount of the loss that occurs within the first two business days (but no more than $50), plus the amount of the unauthorized transfers that occurs after the first two business days and before the consumer gives notice, the consumer's total liability is $500 ($50 of the $100 transfer plus $450 of the $600 transfer, in this example). But if $600 was taken on Tuesday and $100 on Thursday, the consumer's maximum liability would be $150 ($50 of the $600 plus $100).

6(b)(3) Periodic Statement; Timely Notice Not Given

1. Unlimited liability applies. The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability. If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period. The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability: up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card and up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft.

2. Transfers not involving access device. The first two tiers of liability do not apply to unauthorized transfers from a consumer's account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution's transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution. For example, a consumer's account is electronically debited for $200 without the consumer's authorization and by means other than the consumer's access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer's account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.

6(b)(4) Extension of Time Limits

1. Extenuating circumstances. Examples of circumstances that require extension of the notification periods under this section include the consumer's extended travel or hospitalization.

6(b)(5) Notice to Financial Institution

1. Receipt of notice. A financial institution is considered to have received notice for purposes of limiting the consumer's liability if notice is given in a reasonable manner, even if the consumer notifies the institution but uses an address or telephone number other than the one specified by the institution.

2. Notice by third party. Notice to a financial institution by a person acting on the consumer's behalf is considered valid under this section. For example, if a consumer is hospitalized and unable to report the loss or theft of an access device, notice is considered given when someone acting on the consumer's behalf notifies the bank of the loss or theft. A financial institution may require appropriate documentation from the person representing the consumer to establish that the person is acting on the consumer's behalf.

3. Content of notice. Notice to a financial institution is considered given when a consumer takes reasonable steps to provide the institution with the pertinent account information. Even when the consumer is unable to provide the account number or the card number in reporting a lost or stolen access device or an unauthorized transfer, the notice effectively limits the consumer's liability if the consumer otherwise identifies sufficiently the account in question. For example, the consumer may identify the account by the name on the account and the type of account in question.