(a) Conditions for liability. A consumer may be held liable, within the limitations described in paragraph (b) of this section, for an unauthorized electronic fund transfer involving the consumer’s account only if the financial institution has provided the disclosures required by § 1005.7(b)(1), (2), and (3). If the unauthorized transfer involved an access device, it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued.

(b) Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and

(ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.

(3) Periodic statement; timely notice not given. A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution’s transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer’s liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable.

(4) Extension of time limits. If the consumer’s delay in notifying the financial institution was due to extenuating circumstances, the institution shall extend the times specified above to a reasonable period.

(5) Notice to financial institution. (i) Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.

(ii) The consumer may notify the institution in person, by telephone, or in writing.

(iii) Written notice is considered given at the time the consumer mails the notice or delivers it for transmission to the institution by any other usual means. Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer’s account has been or may be made.

(6) Liability under state law or agreement. If state law or an agreement between the consumer and the financial institution imposes less liability than is provided by this section, the consumer’s liability shall not exceed the amount imposed under the state law or agreement.