By now, most consumers know that there are limits placed on your liability if your credit or debit card is used fraudulently. Those limits are imposed by the Fair Credit Billing Act (“FCBA”) and the Electronic Fund Transfer Act (“EFTA”).
Under the FCBA, you are liable for a maximum of $50 for fraudulent charges on your credit card. If you report the loss or theft of your card before the unauthorized use, or if the number is stolen but you retain physical possession of the card, you are not liable for any unauthorized charges. It’s worth noting that these days, many credit card issuers have a zero liability policy, meaning that they will not hold you liable for any unauthorized charges, even if they occurred before you reported the loss or theft.
Similarly, under the EFTA, you are not liable for any unauthorized transactions if you report your debit card lost or stolen before such transactions occur, or if your card number was used to conduct unauthorized transactions while the card remained in your possession, so long as you report the transactions within 60 days of your statement being sent to you. If you report the loss or theft of your card within two days of learning about it, your liability for unauthorized transactions is limited to $50. If you report the loss or theft of your card between three and 60 days of learning about it, your liability for unauthorized transactions is limited to $500. Under the EFTA, you are liable for all unauthorized transactions if you don’t report the loss or theft of your card within the first 60 days. However, some states and banks have imposed narrower limits on unauthorized debit card transactions.
Given all of this, imagine my surprise when I opened my bank statement from Chase last month and saw this:
Yes, that says customers are liable for all authorized and unauthorized transactions if you authorize someone else to use the card or don’t exercise ordinary care in safeguarding your PIN number. If you authorize someone to use your card, then by definition the transactions are authorized. However, what about the exercise of “ordinary care”?
It appears that Chase is trying to limit their liability and potential losses due to unauthorized use of a debit card associated with a business account. And that raises two interesting questions: 1) Are business debit cards subject to different terms when it comes to unauthorized transactions? and 2) Can a bank limit its liability by requiring certain levels of diligence by its customers, beyond the terms of the FCBA and EFTA?
Let’s tackle the first question first, since it seems to have a simple answer: No. The FCBA and the EFTA appear to apply to both individuals as well as businesses. Therefore, the liability for businesses for unauthorized credit and debit card transactions is limited to the extent described previously.
The second question is arguably more interesting, and the answer is somewhat more complex.
One simple scenario is when issuers offer greater liability protection to consumers than legally required. For example, in the zero liability policies mentioned above, the issuer can stipulate that cardholders must exercise reasonable care to safeguard their card. If the issuer concludes that the fraudulent use occurred because the card holder was negligent, then the issuer can refuse to apply the zero liability protection, and the card holder will be liable up to the limits described above.
However, what if the issuer wants to make the card holder liable for all fraudulent charges because it feels the card holder was negligent or otherwise contributed to the fraudulent charge? Under Regulation E, which provides a regulatory framework for Electronic Funds Transfers, banks and other financial institutions may not use negligence as a basis for imposing greater liability on consumers. Thus, even writing your PIN number on your debit card does not increase your liability under federal law. But even though you might not be liable for the unauthorized charges, it still makes sense to safeguard your PIN, card number, and other personal information so that you don’t have to spend unnecessary time rectifying a situation that could have been easily avoided. A bank or card issuer’s recourse if a customer’s negligence results in unauthorized charges or withdrawals is to decline to issue a new card.
I tried contacting Chase (as a customer) to see if someone could explain how they interpret their new terms in light of federal law but I had a hard time getting a hold of someone qualified to speak on the issue. But at least their new terms don’t appear to be part of a larger trend seeking to expand customer liability.
