Regulation E explained — your protections for debit cards and electronic transfers

Q: Does Regulation E apply to prepaid cards?

Yes, since April 1, 2019, under 12 CFR 1005.18. The 2017 prepaid accounts rule extended Reg E to general-purpose reloadable cards, payroll cards, government benefit cards, and digital wallets that store value such as Venmo and Cash App balances. The same liability tiers and error-resolution timelines apply, with a few prepaid-specific carve-outs around unregistered accounts.

Q: What's the difference between an unauthorized EFT and an error under Reg E?

Both are covered by 1005.11 error-resolution procedures. An unauthorized EFT is one initiated without the consumer's actual authority and from which the consumer received no benefit, defined in 1005.2(m). An error in 1005.11(a) is broader and includes unauthorized EFTs, incorrect amounts, missing transfers, computational mistakes, and requests for documentation. The same 10-business-day timeline applies to both.

Q: Can the bank charge me a fee for filing a Reg E dispute?

No. Section 1005.11 does not authorize fees for invoking the error-resolution process, and the CFPB has treated dispute fees as unfair acts under the Consumer Financial Protection Act. Replacement-card fees are separate from the dispute itself.

Last updated: 2026-05-01

Regulation E is the federal rule that protects you when an unauthorized electronic fund transfer hits your debit card, prepaid card, or bank account. It is published at 12 CFR Part 1005 by the Consumer Financial Protection Bureau and implements the Electronic Fund Transfer Act. The three things it actually gives you: a tiered liability cap based on how fast you report, a hard 10-business-day deadline for the bank's investigation, and a right to provisional credit while that investigation runs.

Quick answer

Report within 2 business days of learning of loss/theft and your liability is capped at $50.
Report between day 3 and day 60 after the statement and your liability can be up to $500.
Wait past 60 days after the bank sends the statement showing the unauthorized transfer and your liability is unlimited for transfers after that 60-day window.
Once you give notice, the bank has 10 business days to investigate (§1005.11(c)). If it needs longer, it must provisionally credit your account within 10 business days and finish within 45.
If the bank denies the claim, you can demand the explanation and underlying documents in writing under §1005.11(d).

What Regulation E actually is

Regulation E is the CFPB's implementing rule for the Electronic Fund Transfer Act (EFTA), 15 U.S.C. §1693 and following. EFTA is the 1978 statute; Regulation E is the operational rulebook. Authority transferred from the Federal Reserve to the CFPB in 2011 under the Dodd-Frank Act, which is why the rule now lives at 12 CFR Part 1005 rather than the Fed's old Part 205.

The scope is narrower than people assume. Reg E covers consumer electronic fund transfers — debit-card transactions, ACH debits and credits, ATM withdrawals, point-of-sale transactions, telephone-initiated transfers, and (since April 1, 2019, under §1005.18) prepaid accounts including government benefit cards and general-purpose reloadable cards. It does not cover credit card transactions (Fair Credit Billing Act and Regulation Z), wire transfers (UCC Article 4A), or business accounts. If the charge hit a piece of plastic that pulled money straight out of your bank or prepaid balance, Reg E applies. If it hit a credit line, it does not.

The liability tiers under §1005.6 — the rule that makes timing matter

Section 1005.6(b) is the part most consumers care about. It sets three tiers of maximum liability for unauthorized EFTs, and the tier you land in is determined entirely by how quickly you tell your bank.

When you report	Maximum liability	Trigger / measurement	Citation
Within 2 business days of learning of loss or theft of the access device	The lesser of $50 or the actual unauthorized amount	From the moment you learn the card or credentials are compromised	12 CFR §1005.6(b)(1)
After 2 business days but before 60 days from statement	Up to $500, but only for transfers the bank can show would not have happened with timely notice	The 2-day clock plus 60-day statement window	12 CFR §1005.6(b)(2)
More than 60 days after the bank sends the statement showing the unauthorized transfer	Unlimited for transfers occurring after that 60-day window	Measured from when the statement was transmitted, not when you read it	12 CFR §1005.6(b)(3)
Extenuating circumstances (extended travel, hospitalization, etc.)	Deadlines extended to a "reasonable" period	Bank discretion, must be requested	12 CFR §1005.6(b)(4)

Two clauses matter more than people realize. The 2-day clock starts when you learn of the loss, not when it happens — so if a card stolen out of a drawer goes unnoticed for a week, you still have 2 business days from discovery. The 60-day clock runs from when the bank transmitted the statement, not when it arrived or got opened. Late mail does not extend the deadline; only §1005.6(b)(4) extenuating circumstances do.

Banks routinely waive these caps and refund in full as a goodwill matter, especially for first-time disputes. The statute sets the floor, not the ceiling.

The error-resolution machine: §1005.11

Section 1005.11 is the procedural engine. It tells the bank what it must do once you put it on notice of an alleged error — defined to include any unauthorized EFT, an incorrect EFT, a missing EFT, a computational error, a failure to credit a deposit, or a request for documentation.

Notice can be oral or written, but the bank can require written confirmation within 10 business days of oral notice (§1005.11(b)(2)). Skip the written confirmation and the bank is no longer obligated to provisionally credit, though it still has to investigate.

Once notice is on file:

10 business days to investigate and decide whether an error occurred (§1005.11(c)(1)).
45 calendar days extended investigation (§1005.11(c)(2)) — only if the bank provisionally credits within the first 10 business days and notifies you within 2 business days of the credit.
20 business days / 90 calendar days for new-account errors involving EFTs within 30 days of the first deposit (§1005.11(c)(3)).
3 business days after concluding to report results in writing (§1005.11(d)).
1 business day to start reversing provisional credit after a no-error finding, with 5 business days' written notice before debiting (§1005.11(d)(2)).

Provisional credit is the lever most consumers don't pull. The bank doesn't owe it during the first 10 business days — only if the investigation runs longer. But extended-investigation mode is the default for any non-trivial dispute, so provisional credit is on the table for nearly every claim not resolved on the phone. If the bank tells you it needs more than 10 days, the next sentence should be "and the provisional credit under §1005.11(c)(2)(i)?"

The written-denial right under §1005.11(d) — your appeal lever

If the bank concludes no error occurred, §1005.11(d)(1) requires it to deliver or mail a written explanation within 3 business days of the determination, and to note your right to request the documents the bank relied on. That request obligates the bank to promptly provide them.

This is the lever for a denial that looks wrong. Get the explanation and the underlying documents in writing, then read what the merchant actually supplied — in card-present fraud cases it's often a thin signature mismatch or a delivery receipt to a wrong address that doesn't show authorization. Cite the specific gaps in your appeal. If the bank still won't reopen, file at consumerfinance.gov/complaint; CFPB-flagged cases go to compliance, not the front-line dispute desk.

Reg E vs the Fair Credit Billing Act — different cards, different rules

Reg E and the Fair Credit Billing Act (FCBA, 15 U.S.C. §1666, implemented by Regulation Z at 12 CFR §1026.13) get conflated because both let you dispute charges. They cover different products and run on different timelines.

Issue	Regulation E (debit, prepaid, ACH)	FCBA / Regulation Z (credit cards)
Statute	EFTA, 15 U.S.C. §1693; 12 CFR Part 1005	FCBA, 15 U.S.C. §1666; 12 CFR §1026.13
Maximum unauthorized-use liability	$50, $500, or unlimited (timing-based)	$50 cap regardless of timing under 15 U.S.C. §1643; usually waived
Investigation deadline	10 business days (45 with provisional credit)	30 days to acknowledge, 2 billing cycles or 90 days to resolve
Provisional credit	Required after 10 business days if investigation runs long	Cardholder withholds payment of disputed amount during investigation
Window to dispute a billing error	60 days from statement transmittal	60 days from statement mailing
Written-denial documentation right	Yes, under §1005.11(d)	Yes, under §1026.13(g)(2)

The practical takeaway: credit gives you a flat $50 cap and lets you withhold payment during the dispute. Debit forces real money out of checking and recoups it through provisional credit. For online and unfamiliar-merchant purchases, credit is the safer instrument — the FCBA cap doesn't punish slow reporting.

What Regulation E does not cover

Three categories sit outside Reg E:

Credit card transactions. FCBA and Regulation Z govern. For an unauthorized charge on a Visa, Mastercard, Amex, or Discover credit card, cite §1026.12 (unauthorized use) and §1026.13 (billing error resolution), not §1005.6.
Wire transfers. Domestic wires are governed by UCC Article 4A as enacted by your state; recovery usually depends on whether the bank's commercially reasonable security procedures were followed. International consumer remittances over $15 are partially covered by Subpart B of Reg E (§1005.30 onward), which provides a 30-minute cancellation window and an error-resolution process — but the §1005.6 liability tiers don't apply.
Business accounts. Reg E protects consumer accounts. Accounts in a business name (LLC, corp, partnership) are governed by the deposit agreement, even if you are the only owner. Sole proprietorships on a personal account stay under Reg E.

How to invoke Regulation E on a call with your bank

Front-line reps don't quote regulation numbers, but supervisors do. The phrasing that escalates a stuck dispute:

"I'm reporting an unauthorized electronic fund transfer under Regulation E. I'm giving notice today, the card has been in my possession, and I'm requesting provisional credit under §1005.11(c)(2) if the investigation runs longer than 10 business days. If denied, I want the written explanation and underlying documents required by §1005.11(d)."

That phrasing routes you to the fraud team (statutory term), puts provisional credit on the record, and pre-requests §1005.11(d) documentation.

Anti-misconception: what people get wrong

"I have 60 days to report any unauthorized charge." Only partially true. The 60-day window is the deadline for capping liability at $500 — not for keeping liability at $50. The $50 cap requires reporting within 2 business days of learning of the compromise.
"Provisional credit is automatic within 10 business days." No. Provisional credit is required only when the bank elects to extend its investigation past 10 business days under §1005.11(c)(2). If the bank decides on day 5 to deny the claim, you get no provisional credit — you get a written denial.
"Reg E covers my Zelle, Venmo, and Cash App transfers." Zelle transfers initiated through your bank's app are EFTs and covered. Venmo and Cash App balances are prepaid accounts under §1005.18 and covered. But authorized transfers you later regret — "I sent it to the wrong person" or "I was scammed into sending it" — are not unauthorized under Reg E and are generally not recoverable through it.
"My bank can require a police report before opening the dispute." No. Under §1005.6 commentary the bank cannot condition liability protection on a police report or affidavit of unauthorized use, though it can request both during the investigation. If a rep refuses to open the dispute without one, ask for a supervisor.

FAQ

Does Regulation E apply to prepaid cards?

Yes, since April 1, 2019, under §1005.18. The 2017 prepaid accounts rule extended Reg E to general-purpose reloadable cards, payroll cards, government benefit cards, and stored-value wallets like Venmo and Cash App balances. Same liability tiers and timelines, with a few carve-outs for accounts the consumer hasn't registered.

What's the difference between an "unauthorized" EFT and an "error" under Reg E?

Both go through §1005.11 error-resolution. An unauthorized EFT is one initiated without the consumer's authority and from which the consumer received no benefit (§1005.2(m)). "Error" in §1005.11(a) is broader — it also includes incorrect amounts, missing transfers, computational mistakes, and documentation requests. The same 10-business-day timeline applies.

Can the bank charge me a fee for filing a Reg E dispute?

No. Section 1005.11 does not authorize fees for invoking error resolution, and the CFPB has treated dispute fees as unfair acts under the Consumer Financial Protection Act. Replacement-card fees are separate from the dispute itself.

What if I gave my PIN to a family member who then misused the card?

Voluntary sharing of an access device generally takes the transaction outside the "unauthorized" definition in §1005.2(m), because the recipient had implied authority. CFPB commentary treats those transfers as authorized unless you've notified the institution to revoke access. Reg E recovery is limited; civil remedies against the family member are usually the better path.