The Electronic Fund Transfer Act, implemented by Regulation E, protects consumers using electronic fund transfers: debit-card transactions, ACH, ATM withdrawals, and many person-to-person and prepaid transfers. Its two best-known mechanics are error resolution and liability for unauthorized transfers. When a consumer reports an error in time, the institution must investigate on a defined timeline, generally ten business days, and either resolve it or extend the investigation while granting provisional credit. A consumer's liability for an unauthorized transfer is capped and rises with delay in reporting, so prompt reporting protects the consumer.
Regulation E is the rule fintechs and neobanks meet first, because it governs exactly what they do: move money electronically for consumers. Its error-resolution and unauthorized-transfer rules are prescriptive and time-bound, which makes them a frequent source of both consumer complaints and examination findings. This guide covers the scope, disclosures, the error resolution process, consumer liability, and where programs fall short.
What it covers
Regulation E applies to electronic fund transfers from a consumer's account: debit-card purchases, ATM transactions, ACH debits and credits, point-of-sale transfers, and many person-to-person and prepaid-account transfers. It is consumer-focused; transfers from business accounts are generally outside it. The regulation governs disclosures, receipts, periodic statements, error resolution, and liability limits.
Error resolution
The error-resolution process is the heart of Regulation E. When a consumer notifies the institution of an error, including an unauthorized transfer, within the timeframe the regulation allows, the institution must investigate.
- Investigate promptly. The institution generally has ten business days to investigate and determine whether an error occurred.
- Or extend with provisional credit. It may take longer, generally up to forty-five days, but only if it provisionally credits the disputed amount to the account while it investigates.
- Report the result. The institution must report the outcome and, if it finds no error, explain and tell the consumer how to get the documents it relied on.
The timelines are firm, and a program that misses them creates both a violation and a consumer harmed by a frozen disputed amount.
Liability for unauthorized transfers
Regulation E caps a consumer's liability for unauthorized transfers, and the cap rises with delay in reporting a lost or stolen access device or an unauthorized transfer shown on a statement. The tiers are defined.
| When the consumer reports | Maximum liability |
|---|---|
| Within two business days of learning of the loss or theft | Up to $50. |
| After two business days, but within 60 days of the statement showing the first unauthorized transfer | Up to $500. |
| Not within 60 days of that statement | Unlimited for the transfers that occur after the 60-day period. |
The structure exists to encourage prompt reporting, and the institution bears the loss the consumer is not liable for. Some access devices and card-network rules reduce the consumer's exposure further, and the timelines can be extended for new accounts and certain other situations.
Disclosures
The regulation requires initial disclosures of the terms and conditions of electronic fund transfers, including the consumer's liability, the error-resolution process, and the institution's contact information, along with receipts for transfers and periodic statements. For prepaid accounts, additional short-form and long-form disclosure requirements apply.
Where it goes wrong
- Missed timelines. The institution does not investigate within ten business days and does not grant provisional credit, so it blows the deadline and harms the consumer.
- Over-charging liability. The institution holds a consumer liable beyond the regulation's caps, especially after prompt reporting.
- Treating disputes as fraud-only. The error definition is broader than fraud and includes computational and processing errors, which a fraud-focused process misses.
Regulation E is the prescriptive, time-bound core of consumer payments compliance, and a frequent source of complaints and findings. For the structure that manages it, see the Compliance Management System guide; for the launch-stage obligations that include it, see the BaaS compliance before launch guide.
Primary sources
- Electronic Fund Transfer Act (15 U.S.C. 1693) and Regulation E (12 CFR 1005): The statute and regulation governing electronic fund transfers, including error resolution and liability for unauthorized transfers.
- CFPB Supervision and Examination Manual, Compliance Management Review: The CFPB's framework for a Compliance Management System: board and management oversight plus a compliance program of policies and procedures, training, monitoring and audit, and consumer complaint response.