Regulation E: electronic transfers and fraud
The federal rule that gives a consumer fast and meaningful protection against unauthorized electronic transfers from a deposit account — and the rule whose limits define what bank-fraud recoveries actually look like.
Regulation E is the single most important consumer-protection rule in U.S. retail banking. It governs every electronic transfer from a consumer deposit account — debit-card transactions, ACH debits, ATM withdrawals, online bill payments, peer-to-peer transfers initiated from the account, recurring payroll deposits. It sets the rules for unauthorized-transaction liability, the bank's error-resolution timeline, the disclosures the bank must give at account opening, and (since 2010) the opt-in requirement for overdraft service on one-time debit-card transactions. The rule's protections are the backbone of consumer-side fraud recovery in the U.S. banking system.
This article describes how Regulation E works in practice: what it covers, what the consumer's notice obligations are, how the error-resolution timeline operates, the liability caps, and the critical distinction between unauthorized transactions (covered) and authorized-but-fraudulently-induced transactions (largely not covered). For the closely related but distinct credit-card framework, see the Truth in Lending Act; for the practical guide to using these rules in a dispute, see disputing a fraudulent transaction.
Scope
Regulation E (12 CFR Part 1005) implements the Electronic Fund Transfer Act of 1978. It applies to "electronic fund transfers" — transfers initiated electronically that debit or credit a consumer's account. Covered transactions include:
- Debit-card and ATM-card transactions, including PIN-based and signature-based.
- ACH debits and credits to and from consumer accounts.
- Online bill payments initiated by the consumer.
- Telephone-initiated transfers between accounts.
- Person-to-person transfers initiated from the consumer's bank account through Zelle or similar bank-rail services.
- Preauthorized transfers (recurring direct deposits, autopay).
Covered accounts are consumer asset accounts established primarily for personal, family, or household purposes. Business accounts and accounts established at non-bank entities (with exceptions for prepaid accounts under Subpart A's 2016 amendments) are not covered by the consumer-protection provisions of Reg E.
Transactions not covered by Regulation E include wire transfers (covered by UCC Article 4A and, for international remittances, Reg E Subpart B), check transactions (covered by UCC Articles 3 and 4 and by Reg CC for funds availability), and credit-card transactions (covered by TILA and Regulation Z). The scope of Reg E is electronic, debit-side, consumer-account-based — a specific subset of the broader U.S. payments universe.
The 60-day rule and liability caps
The cornerstone of Regulation E is the consumer's right to dispute unauthorized transactions, and the timeline for doing so. Section 1005.6 sets out the consumer's liability for unauthorized transactions:
- If the consumer notifies the bank within two business days of learning of the unauthorized transaction (typically the day the unauthorized transaction appears on the consumer's account record), liability is capped at $50.
- If the consumer notifies the bank more than two business days after learning of the loss but within 60 days of the statement that first contained the unauthorized transaction, liability is capped at $500.
- If the consumer fails to notify the bank within 60 days of the statement that first contained the unauthorized transaction, the consumer can be liable for the full amount of any unauthorized transactions that occurred after the 60-day window expired but before notice was given.
The 60-day clock runs from the statement that first contained the unauthorized transaction — not from when the consumer learned of it. A consumer who does not regularly review statements can therefore lose protection on subsequent unauthorized transactions that occur after the 60-day window. The practical implication is that prompt review of account activity is the consumer's most important defensive habit; the further from the original unauthorized transaction, the weaker the consumer's position becomes.
Error resolution: the bank's timeline
Section 1005.11 governs the bank's response to a consumer's notice of an error. The error-resolution process applies to unauthorized transactions, incorrect amounts, transactions not properly identified on a statement, certain computational errors, and other defined error types.
The standard timeline:
- The consumer provides notice (oral or written) within 60 days of the statement containing the alleged error. The bank may require written confirmation within 10 business days.
- The bank must investigate and either resolve the error or provide a written explanation of its findings within 10 business days of receiving notice.
- If the bank cannot complete the investigation within 10 business days, it may extend the investigation to 45 calendar days (90 days for new accounts, point-of-sale, or international transactions) provided it provisionally credits the consumer's account for the disputed amount within 10 business days and gives the consumer use of the funds during the extended investigation.
- If the bank determines no error occurred, it must notify the consumer in writing, including notice that the provisional credit will be debited, the date of the debit, and the consumer's right to request the documents the bank relied on in reaching its determination.
The provisional-credit rule is among the most consumer-favorable features of U.S. banking law. A consumer disputing an unauthorized transaction promptly typically has access to the funds within ten business days, with the bank bearing the working-capital cost of the investigation. The provisional credit is reversed only if the bank concludes — with documentation — that no error occurred.
Unauthorized versus authorized
Regulation E's coverage of unauthorized transactions is broad and consumer-favorable. Its coverage of authorized transactions that the consumer was deceived into authorizing is, by contrast, narrow to nonexistent. This distinction is at the heart of the modern fraud problem.
An unauthorized transaction, in Reg E's defined terms, is one "initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit." A debit-card transaction made by a thief who stole the card, an ACH debit initiated by a fraudster who obtained the account number through phishing, a P2P transfer made by someone who gained access to the consumer's banking app — all are unauthorized under Reg E and are subject to the protections described above.
An authorized transaction is one the consumer actually initiated or authorized — even if the consumer was deceived into doing so. A romance scam in which the victim sends money to a fictitious romantic partner, a "tech support" payment to a fraudster impersonating Microsoft, an invoice fraud in which the consumer wires funds to a criminal posing as a legitimate vendor: these are authorized transactions under Reg E and are not covered by the regulation's protections. The consumer's recourse is to the recipient (often impossible to locate or beyond U.S. legal reach), to whatever voluntary recovery programs the bank may offer, and to law enforcement.
The CFPB and several state attorneys general have pursued enforcement and litigation around bank handling of authorized-push-payment fraud, particularly on Zelle. The U.K. has adopted a mandatory authorized-fraud reimbursement regime through its 2024 PSR rules. The U.S. has not adopted an equivalent federal framework, and the consumer-protection gap around authorized fraud is the principal unresolved issue in U.S. retail-banking consumer protection.
The opt-in for debit-card overdrafts
Section 1005.17 — added in 2010 as a post-financial-crisis amendment — prohibits a bank from charging an overdraft fee on a one-time debit-card transaction or ATM withdrawal unless the consumer has affirmatively opted in to "overdraft service" for those item types. The opt-in must be made through a defined process and can be revoked at any time. The rule does not apply to checks, ACH debits, or recurring debit-card transactions, for which the bank may charge overdraft fees without separate authorization. See "overdraft and overdraft protection" and "overdraft fees, in detail."
Disclosures and remedies
Regulation E requires extensive consumer disclosures at account opening: a statement of the consumer's liability for unauthorized transactions, the bank's telephone number and address for reporting unauthorized transactions, the bank's business days, the types of transfers the consumer may make, any charges for transfers, and the consumer's error-resolution rights. The disclosure must be in writing in a form the consumer can keep, and periodic statements must show all electronic transfers during the cycle.
Enforcement is by the CFPB for institutions above $10 billion in assets and by the prudential regulators for smaller institutions. The EFTA provides a private right of action for consumers harmed by violations, with actual damages plus statutory damages in defined ranges and attorney's fees. The private right is exercised most often in unauthorized-transaction cases where the bank denied the dispute without proper investigation.
Limits and uncertainty
Regulation E's core framework — the 60-day rule, the liability caps, the error-resolution timeline, the provisional-credit requirement — has been stable for decades and is unlikely to change in substance. The principal area of evolution is the authorized-push-payment fraud question, where regulatory, legislative, and litigation activity are all live. Recent CFPB rulemaking has also addressed the Section 1033 personal financial data rights framework, the prepaid-accounts framework (Subpart A as amended in 2016), and various interpretive matters. The rule's scope and the consumer's basic protections are durable; the policy posture around emerging fraud patterns is not.
Sources
- Electronic Fund Transfer Act, 15 U.S.C. §1693 et seq., law.cornell.edu.
- Regulation E, 12 CFR Part 1005, ecfr.gov.
- CFPB, "Compliance Aids: Electronic Fund Transfers FAQs," consumerfinance.gov.
- CFPB, "Consumer Tools: Ask CFPB - Unauthorized Charges," consumerfinance.gov/ask-cfpb.