FDIC Consumer News - Winter 2016

How Federal Laws and Industry Practices Limit Losses From Cyberattacks

When criminals make unauthorized purchases using stolen payment card numbers or other information, federal consumer laws and financial industry practices protect victims from losses under certain circumstances.  Here are key details to remember.

If your credit card number is accessed by cyberthieves:  "Under federal law, a consumer's liability is normally capped at $50 for all unauthorized transactions on each card.   However, if your credit card number is stolen, but not the card, you are not liable for any unauthorized use," said Richard Schwartz, a counsel in the FDIC's Consumer Compliance Section.  "In addition, credit card losses are typically absorbed by the card issuer because of zero-liability policies, which preclude consumers from having to pay any amount of an unauthorized charge.  These policies are set by the card industry."

If your debit card or the card number is used to withdraw money from a checking or savings account:  To minimize your losses, you should contact your bank as soon as possible if you discover that your debit card has been lost or stolen.  Your maximum liability under federal law is $50 if you notify your bank within two business days after learning of the loss or theft of your card. But if you notify your bank after those first two days, under the law you could lose more.

What if your debit card number (not the card itself) is stolen in an online hacking incident?  Remember to check your account activity regularly. Timing is critical because under federal law you will not be liable for the transaction if you report it within 60 days after your account statement showing the transaction is sent to you. But if the charge goes unreported for more than 60 days, all your money in the account could be lost.  However, remember to check with your bank about the payment card networks' zero-liability policy, which may protect you.

If you have a debit card for a business account that is used fraudulently: Debit cards issued for business use have different loss protections than debit cards for consumers.  The Uniform Commercial Code (UCC), which sets many rules for businesses, requires a standard of "ordinary care" by the card holder in order to avoid liability for losses from online fraud. "This can be a technical area, so check with an attorney to make sure you are managing your business account consistent with the UCC rules," Schwartz advised.

If a prepaid card account is used fraudulently: Prepaid cards have money deposited onto them, and they usually aren't linked to a checking or savings account.  In terms of legal protections against losses as a result of fraud, the rules vary depending on the type of prepaid card:

To learn more about loss limitations under the law, search by topic at the websites of the CFPB and the Federal Trade Commission.  Also be aware that FDIC deposit insurance only covers deposits if a bank fails, not for theft from bank accounts (see Dear FDIC: Questions About Deposit Insurance and Online Banking).  For information about how to protect yourself from data breaches, which may involve the theft of credit or debit card information, see our Spring 2014 issue.