Regulation E implements the Electronic Fund Transfer Act and governs how banks handle electronic transactions, debit cards, ATM withdrawals, ACH transfers, and peer-to-peer payments. For community banks, Reg E violations are among the most common consumer compliance exam findings, particularly around error resolution timelines and provisional credit. This guide covers what the regulation actually requires, where banks most often fall short, and what examiners test during consumer compliance examinations.
Key Takeaways:
- Regulation E (12 CFR Part 1005) covers all electronic fund transfers including debit cards, ACH, ATM, and P2P payments
- Error resolution must begin within 10 business days of receiving a consumer's notice, with provisional credit if the investigation extends beyond that window
- Unauthorized transfer liability depends entirely on when the consumer reports it, the 2/60 day framework determines maximum loss exposure
- Reg E vs. Reg Z classification for dual-purpose debit/credit cards trips up banks during examinations
What Regulation E Covers
Regulation E (12 CFR Part 1005) applies to electronic fund transfers (EFTs), any transfer of funds initiated through an electronic terminal, telephone, computer, or magnetic tape. In practice, this includes:
- Debit card transactions (point-of-sale and online)
- ATM withdrawals and transfers
- ACH debits and credits (direct deposit, bill pay, payroll)
- Peer-to-peer (P2P) payments through services like Zelle, Venmo, or CashApp when linked to a bank account
- Recurring electronic payments (preauthorized transfers)
- Telephone-initiated transfers where the consumer provides account information
Regulation E does not cover wire transfers (governed by UCC Article 4A), check transactions, or transfers initiated by paper instruments. It also excludes securities and commodities transfers through broker-dealers.
The distinction matters for dual-purpose cards. When a consumer uses a debit card with a credit feature, the applicable regulation depends on whether the transaction was processed as a debit (Reg E) or credit (Reg Z). Examiners test whether banks correctly classify disputes based on how the transaction was processed, not how the consumer describes it.
Disclosure Requirements
Regulation E requires specific disclosures at multiple points in the customer relationship.
Initial Disclosures (§ 1005.7): Before the first EFT is made, banks must provide consumers with the terms and conditions of the EFT service, including:
- Consumer liability for unauthorized transfers
- The bank's telephone number and address for reporting errors or unauthorized transfers
- The type of EFTs the consumer can make and any limitations
- Fees for EFT services
- The consumer's right to receive documentation of transfers
- Error resolution procedures, including the timeframes for reporting
Periodic Statements (§ 1005.9): For each monthly cycle in which an EFT occurs, the bank must send a periodic statement showing the amount, date, and type of each transfer; any fees charged; and opening and closing balances. If no EFT occurs, the bank must still send a statement at least quarterly.
Change-in-Terms Notices (§ 1005.8): Banks must provide at least 21 days' advance notice before any change in terms that increases fees, increases consumer liability, reduces the types of available EFTs, or restricts the frequency of transfers.
A common examination finding: banks update their fee schedules but fail to send the 21-day advance notice before the change takes effect.
Error Resolution: The 10/45 Day Framework
Error resolution is where most Reg E violations occur. The CFPB examination procedures dedicate significant attention to this area.
Step 1: Consumer Notification
A consumer has 60 days from the date the periodic statement was sent to notify the bank of an error. Errors include unauthorized transfers, incorrect amounts, computational errors, transfers not reflected on the statement, and receipt of the wrong amount from an ATM.
The notification can be oral or written. Once the bank receives notice, the clock starts.
Step 2: Investigation (10 Business Days)
The bank must investigate and resolve the claim within 10 business days of receiving the error notice. During the investigation, the bank must determine whether an error occurred and report the results to the consumer.
For new accounts (open less than 30 days), the bank gets 20 business days instead of 10.
Step 3: Provisional Credit
If the bank cannot complete its investigation within 10 business days, it may extend the investigation to 45 calendar days : but only if it provides provisional credit to the consumer within 10 business days. The provisional credit must include any applicable interest.
For point-of-sale debit card transactions, the extended investigation period is 90 calendar days (not 45). For new accounts and foreign-initiated transfers, the extended period is also 90 calendar days.
Step 4: Resolution and Notification
After completing the investigation, the bank must notify the consumer of the results within 3 business days. If the bank determines no error occurred (or a different error occurred), it must provide a written explanation and give the consumer the right to request the documents the bank relied on.
If provisional credit was issued and the bank determines no error occurred, it must give the consumer 5 business days' notice before debiting the provisionally credited amount.
| Scenario | Investigation Deadline | Extended Deadline | Provisional Credit Required? |
|---|---|---|---|
| Standard EFT | 10 business days | 45 calendar days | Yes, if extended |
| POS debit card | 10 business days | 90 calendar days | Yes, if extended |
| New account (<30 days) | 20 business days | 90 calendar days | Yes, if extended |
| Foreign-initiated transfer | 10 business days | 90 calendar days | Yes, if extended |
Unauthorized Transfer Liability
Consumer liability for unauthorized electronic fund transfers is capped based on how quickly the consumer reports the unauthorized activity. This is the 2-day / 60-day framework under § 1005.6:
- Report within 2 business days of learning of the loss: Consumer's liability is limited to $50
- Report after 2 business days but within 60 days of the statement being sent: Consumer's liability is limited to $500
- Report after 60 days of the statement being sent: Consumer's liability is unlimited for unauthorized transfers occurring after the 60-day period
Many banks voluntarily adopt zero-liability policies for debit card fraud, but the regulation itself sets these maximum liability thresholds. Examiners will verify that your bank applies the correct liability limit based on the reporting timeline, regardless of your marketing materials.
For unauthorized transfers involving a consumer's access device (debit card, PIN), the consumer must have provided the device to the unauthorized user, negligence alone does not create liability. Writing a PIN on a debit card does not make a resulting unauthorized transaction "authorized" under Reg E.
Preauthorized Transfers
Regulation E includes specific protections for recurring preauthorized transfers under § 1005.10.
Authorization requirements: Preauthorized EFTs from a consumer's account require the consumer's written or similarly authenticated authorization. A bank cannot initiate recurring debits based solely on a consumer's oral authorization unless the authorization is recorded and made available to the consumer.
Right to stop payment: Consumers have the right to stop any preauthorized transfer by notifying the bank at least 3 business days before the scheduled transfer date. The stop-payment order can be oral (effective for 14 days) or written (effective until revoked). Banks that fail to honor a timely stop-payment request are liable for any damages.
Variation in amount notices: If a preauthorized transfer varies in amount, the bank (or the payee) must send the consumer notice at least 10 days before the transfer, stating the amount and date. Alternatively, the consumer can request notice only when the amount falls outside a specified range.
Regulation E vs. Regulation Z for Dual-Purpose Cards
Many consumers carry a single card that functions as both a debit card (Reg E) and a credit card (Reg Z). When a dispute arises, the applicable regulation depends on how the transaction was processed, not the consumer's intent or the card's primary purpose.
- Transaction processed through a debit network (PIN or signature debit): Regulation E applies
- Transaction processed through a credit network (Visa/Mastercard credit): Regulation Z applies
The error resolution procedures differ significantly between the two regulations. Reg Z gives consumers 60 days to dispute and the creditor 90 days to resolve, with no provisional credit requirement. Reg E's timeline is tighter and provisional credit is mandatory when the investigation extends beyond 10 business days.
Examiners test this classification by pulling a sample of recent disputes and checking whether the bank applied the correct regulation based on transaction processing, not the consumer's characterization.
Common Examination Findings
Based on recent CFPB supervisory highlights and OCC enforcement actions, the most frequent Reg E violations include:
- Missed provisional credit deadlines: Banks extend investigations past 10 business days without issuing provisional credit within the required timeframe
- Inadequate investigation documentation: Banks deny claims without documenting the specific basis for the denial or the evidence reviewed
- Failure to provide written denial explanations: Consumers receive verbal denials without the required written explanation and right-to-request-documents notice
- Incorrect liability caps: Banks apply the wrong liability limit or fail to assess the 2-day/60-day reporting timeline correctly
- Missing change-in-terms notices: Fee schedule changes take effect without the required 21-day advance notice
- Stop-payment failures: Banks process preauthorized debits despite receiving a timely stop-payment request
How Canarie Helps Banks Track Reg E Obligations
Reg E compliance generates time-sensitive obligations, 10-day investigation deadlines, provisional credit requirements, written notice obligations. Missing any single deadline creates a violation, and the volume of disputes at even a small bank makes manual tracking error-prone.
Canarie maps each Reg E dispute to a task workflow with built-in deadlines: investigation start, provisional credit decision point, resolution notice, and documentation requirements. Every step captures who acted and when, creating the evidence trail examiners expect. When your examiner pulls a sample of disputes, each one has a documented timeline from initial report through final resolution.
See how Canarie helps community banks manage compliance deadlines →
Frequently Asked Questions
Does Regulation E apply to Zelle and other P2P payment services?
Yes. P2P transfers initiated from a consumer's bank account are electronic fund transfers under Regulation E. However, the treatment of "authorized" versus "unauthorized" transfers in the P2P context has generated significant regulatory attention. If a consumer authorizes a P2P transfer to a fraudster (a scam), many banks treat the transfer as "authorized" and outside Reg E's error resolution protections. The CFPB has pushed back on this interpretation, arguing that certain fraud-induced transfers may qualify as unauthorized under § 1005.2(m).
What happens if a bank misses the 10-day provisional credit deadline?
If the bank extends its investigation beyond 10 business days without issuing provisional credit, it has violated § 1005.11(c)(2). The consumer is entitled to the provisional credit plus any interest that would have accrued. Beyond the individual violation, examiners may cite the failure as evidence of a systemic deficiency in the bank's error resolution procedures, potentially resulting in an MRA or consent order.
How does Regulation E treat ATM fee disclosures?
ATM operators must provide two disclosures: an on-screen notice before the consumer is committed to the transaction, and a printed notice on the receipt. The on-screen disclosure must state the fee amount and give the consumer the option to cancel. Under § 1005.16, both the ATM operator and the consumer's bank may charge fees, but both must be disclosed.
Can a consumer dispute an ACH debit under Regulation E?
Yes. ACH debits from a consumer's account are electronic fund transfers subject to Reg E protections. A consumer can dispute an unauthorized ACH debit within 60 days of the statement date. For authorized ACH debits, the consumer can exercise the stop-payment right under § 1005.10(c) by notifying the bank at least 3 business days before the next scheduled transfer. Banks also have recourse through NACHA's ACH return rules for unauthorized entries (return reason code R10).