Regulation E Refresher: Unlimited Liability of Consumer for Unauthorized Electronic Fund Transfers

By Alex Wade

June 6, 2024

The Electronic Fund Transfer Act, as implemented through Regulation E, outlines specific requirements regarding the liability of consumers for unauthorized electronic fund transfers (“EFTs”). In this regard, Regulation E sets specific limits on liability ($50, $500, and unlimited depending on when notice is provided) that seek to protect consumers from unauthorized EFTs. These limits on liability are as follows:

(1) $50 Limited Liability Tier. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) $500 Limited Liability Tier. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and

(ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.

(3) Unlimited Liability Tier (Periodic Statements). A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution’s transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer’s liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period.

Please note that for purposes of this blog post, I will focus on the nuances of the “unlimited liability tier,” which includes important requirements that financial institutions must be sure to adhere to in order to avoid liability under Regulation E.

With that, it is important to note that the 60-day window under Regulation E’s unlimited liability tier is triggered upon transmittal of the applicable periodic statement reflecting the unauthorized EFT or series of related unauthorized EFTs, not when the EFT occurred. For example, if the first unauthorized EFT occurred on January 1, 2024, and was thus disclosed in the January 2024 statement, 60 days after transmittal of the January statement would be April 1, 2024 (assuming that the January statement was transmitted on February 1, 2024). In this example, the consumer would be liable for all related unauthorized EFTs that occurred after April 1, 2024, and until the consumer provided notice to the financial institution, so long as the financial institution can establish that the subsequent related unauthorized EFTs would not have occurred had the consumer notified the financial institution within the 60-day period.

Importantly, although this tier is referred to as the “unlimited liability tier,” Regulation E states that the consumer’s liability cannot exceed the amount of the unauthorized EFTs that occur after the close of the 60 days and before notice to the financial institution, meaning that the financial institution would still be responsible for the unauthorized EFTs that occurred before the close of the 60-day time period. Further, Regulation E provides that if an access device was used, then the consumer could be liable for an additional $50 if they provided notice within 2 business days after learning of the loss or theft of their login information. If the consumer provided notice after 2 business days, then the consumer could be liable for up to $500.

Based on the foregoing, and in applying the example discussed above, the financial institution would be responsible for the unauthorized EFTs that occurred prior to the close of the 60-day time frame, i.e., the unauthorized EFTs that occurred between January 1, 2024, and April 1, 2024, minus $50 if the consumer provided notice within 2 business days or minus up to $500 if the consumer did not provide notice within 2 business days. 

Of course, the experts at SW&M are here to help financial institutions navigate the various nuances in the Electronic Fund Transfer Act/Regulation E regarding consumer liability for unauthorized EFTs, which could cause significant exposure if not properly adhered to.

About the Author

Alex Wade

Alex Wade is a Senior Associate Attorney at SW&M and is part of the firm’s Regulatory Compliance and Litigation Management practice groups. Using his experience in consumer defense, complex business litigation, governmental liability, insurance entity defense and personal injury law, […]
