What is Regulation E?

What Regulation E Covers

Regulation E governs electronic fund transfers (EFTs) involving consumer accounts at financial institutions. The Consumer Financial Protection Bureau (CFPB) writes and enforces it. "EFT" is defined broadly to include:

• ACH credits and debits to consumer accounts
• Debit card transactions (including PIN and signature debit)
• ATM withdrawals and transfers
• Online and mobile banking transfers
• Telephone-initiated transfers from consumer accounts
• Payroll direct deposits
• Person-to-person payment apps (when funded from a covered account)

It does not cover credit card transactions (those are governed by Regulation Z) or wire transfers initiated through Fedwire or CHIPS, which fall under UCC Article 4A.

Consumer Liability Caps

The headline protection in Regulation E is the limit on a consumer's liability for unauthorized EFTs. The cap depends on how quickly the consumer reports the issue:

• Reported within 2 business days of learning of the loss: Maximum liability is $50
• Reported between 2 and 60 days: Maximum liability rises to $500
• Reported after 60 days: The consumer can be liable for unlimited losses on transactions that occur after the 60-day window

The triggering event is when the consumer learns of the loss, not when the transaction happens. So a consumer who notices a fraudulent debit on their statement and reports it within two business days of seeing it has the $50 cap, even if the transaction was weeks earlier.

Many banks and card networks voluntarily offer zero-liability protections that go further than Regulation E requires. Visa and Mastercard's zero-liability policies typically cover unauthorized signature debit transactions completely.

The 60-Day Dispute Window

Consumers have 60 days from the date the financial institution sends a periodic statement showing the unauthorized transfer to dispute it. After 60 days, the consumer's protections drop substantially.

Once a dispute is filed, the financial institution generally has 10 business days to investigate and provide provisional credit if the investigation isn't complete. The full investigation must wrap up within 45 days (90 days for new accounts, foreign-initiated transfers, or POS debit transactions).

Error Resolution Procedures

Regulation E lays out the error resolution procedure in detail. When a consumer notifies the bank of a suspected error (orally or in writing) within 60 days of the statement, the bank has to:

• Investigate the alleged error
• Determine whether an error occurred
• Report the results to the consumer within 10 business days (or provisionally credit and extend to 45 days)
• Correct any error within one business day of determination
• Send written explanation if the bank determines no error occurred

Errors covered by these procedures include unauthorized EFTs, incorrect EFTs, missing EFTs from a consumer's statement, computational errors, and consumer requests for additional information about an EFT.

Required Disclosures

Regulation E requires financial institutions to give consumers initial disclosures when they open an account that allows EFTs. The disclosures must explain:

• The consumer's liability for unauthorized transfers
• The phone number and address for reporting unauthorized use
• The bank's business days
• Types of EFTs the consumer can make and any limits
• Fees associated with EFTs
• Error resolution rights
• Confidentiality of account information
• The bank's liability for failure to make or stop EFTs

Periodic statements must show each EFT, including the amount, date, type, and any fees.

Preauthorized Transfers

Regulation E has specific rules for preauthorized transfers (recurring debits). A consumer can stop a preauthorized debit by notifying the bank at least three business days before the scheduled transfer date. The bank must allow the stop-payment request and can require written confirmation within 14 days.

Businesses initiating preauthorized debits must obtain written authorization from the consumer and provide a copy. NACHA's WEB and TEL authorization rules layer on top of Regulation E for ACH-specific debits.

Remittance Transfer Rules

Subpart B of Regulation E (added in 2013) covers international remittance transfers sent by consumers from the US. Remittance providers must give detailed pre-payment and receipt disclosures, error resolution rights, and a 30-minute cancellation window. These rules apply to providers that handle more than 500 remittance transfers per year.

Penalties and Enforcement

The CFPB enforces Regulation E for most institutions, with banking regulators (OCC, FDIC, Federal Reserve, NCUA) handling the institutions they supervise. Civil penalties can run to $1,000,000 per day for knowing violations under the broader Consumer Financial Protection Act framework. Consumers also have a private right of action with statutory damages between $100 and $1,000 per violation.