Question and Answer

Can a customer be held liable for $500 of a fraudulent transaction that occurred more than two business days after the loss of a mobile phone if the debit card number is saved to a mobile application?

The Reg E definition of an access device is a generic “card, code, or other means of accessing an account,” so the debit card number does meet the definition of an access device. However, for the $500 liability tier to apply, 1005.2(b)(2) notes that the fraud must involve an “accepted access device,” which must be a means of accessing the account issued by the Bank.

Mobile apps had not been invented at the time Reg E was penned in 1978. The intent behind a customer accepting an access device and reporting it lost for the purposes of liability in 1005.6(b) refers to the physical loss of the debit card. We cannot assume that a customer would realize the need to report the loss of a phone to the institution, and there is no mechanism in Regulation E that extends the loss of a phone to 1005.6(b). Consequently, the $50 and $500 liability tiers do not extend to transactions performed on a mobile app, as the bank did not issue the phone to the consumer. The institution would have to use 1005.6(b)(3), which covers scenarios where an accepted access device is not involved, when determining consumer liability.
