Error Resolution Procedures and Consumer Liability Limits for Unauthorized Electronic Fund Transfers
Congress passed the Electronic Fund Transfer Act (EFTA) in 1978 to protect consumers engaging in electronic fund transfers (EFTs). The law provides the legal framework for the rights, liabilities, and responsibilities of participants in EFT systems that consumers use such as automated teller machines (ATMs), debit point-of-sale terminals in retail stores, and automated clearing house (ACH) transactions such as electronic payment of a creditor’s bill from a consumer’s checking account. Regulation E implements the EFTA’s requirements.
Among its provisions, Regulation E specifies procedures that institutions must follow for investigating and resolving errors alleged by consumers for EFTs, such as an unauthorized ATM withdrawal. The regulation also specifies the extent to which a consumer can be held liable for unauthorized EFTs. To facilitate compliance, this article reviews the regulation’s error resolution and consumer liability provisions.
ERROR RESOLUTION PROCEDURES: 12 C.F.R. §1005.11
Section 1005.11 sets forth the procedures financial institutions must follow after receiving notice from a consumer of an error for an EFT. Before discussing these procedures, it is helpful to identify issues that are deemed “errors.” Under §1005.11(a), the term error includes:
- An unauthorized EFT;
- An incorrect EFT to or from a consumer’s account;
- An omission of an EFT from a consumer’s periodic statement;
- A computational or bookkeeping error by the institution for an EFT;
- A consumer’s receipt of an incorrect amount of money from an electronic terminal;1
- An EFT that was not identified in accordance with §1005.9 or §1005.10(a); and
- The consumer’s request for documentation required by §1005.9 or §1005.10(a) or for additional information or clarification concerning an electronic fund transfer, including a request the consumer makes to determine whether one of the errors listed above actually exists.
The term “error” does not include routine inquiries about a consumer’s account balance, requests for information for tax or other record-keeping purposes, or requests for duplicate copies of documentation.2 Financial institutions must follow the required error resolution procedures even if the institution receives notice of an error after the consumer has closed the account.3
Notice of Error Requirements
A financial institution must comply with the §1005.11 error resolution procedures with respect to any notice of an error from the consumer that:
- is received by the institution no later than 60 days after transmitting the periodic statement on which the error is first reflected;4
- enables the institution to identify the consumer’s name and account number;
- indicates why the consumer believes an error exists; and
- includes, to the extent possible, the type, date, and amount of the error.5
Consumers can provide either written or oral notice. If a consumer provides oral notice, the institution may require the consumer to provide written confirmation of the error within 10 business days after oral notice.6
Time Limits for Completing Investigations
Generally, a financial institution must complete its investigation of an error within 10 business days of receiving a notice of error, but it may extend this period to 45 calendar days if certain conditions are met. The 10-business-day limit applies even if an institution received oral notice and required the consumer to provide written notice. The institution must begin the investigation promptly and cannot delay it until it receives written confirmation.7 In certain circumstances, the 10-day period can be extended to 20 days, and the 45-day period can be extended to 90 days.
10 Business Days After Notice. Unless a financial institution is permitted a longer time period to investigate an error in the circumstances discussed below, the institution has 10 business days after receiving notice from the consumer to investigate if an error occurred. However, if the alleged error involves an EFT to or from the account within 30 days after the first deposit into the account, the investigation period is extended to 20 business days instead of 10.8
45 Calendar Days After Notice. If the financial institution is unable to complete its investigation within 10 business days, it may extend the period to 45 calendar days from receipt of notice provided the institution:
- Provisionally credits the consumer’s account for the full amount of the alleged error plus interest, if any. However, the institution may withhold a maximum of $50 of the amount credited if the institution has a “reasonable basis” for believing an unauthorized EFT occurred and complies with the limitation on liability rules in §1005.6(a), as discussed later in the article.
- Informs the consumer of the amount and date of the provisional crediting within two business days of the crediting; and
- Allows the consumer full use of the provisional funds during the investigation.9
The institution is not required to provisionally credit a consumer’s account to extend the time period for investigation to 45 days if the institution requires but does not receive written confirmation within 10 business days of an oral notice of error or the alleged error involves an account that is subject to Regulation T, concerning securities credit by brokers and dealers.10
If the error involved an EFT that was not initiated within a state, resulted from a point-of-sale debit card transaction, or occurred within 30 calendar days after the first deposit into the account, the financial institution can take up to 90 calendar days, provided the conditions discussed above for extending the time period to 45 calendar days for other transactions are satisfied.11
After completing its investigation, a financial institution must:
- Correct an error within one business day after determining that an error has occurred; and
- Report the results of its investigation to the consumer (either orally or in writing, unless the institution concludes that no error or a different error occurred, in which case the results must be in writing) within three business days after completing its investigation.12
Procedures If No Error or Different Error Occurred
If a financial institution concludes that either no error or a different error than the one alleged occurred, the institution must:
- Include in the institution’s report of the results of the investigation a written explanation of the findings and a disclosure of the consumer’s right to request the documents upon which the institution relied;
- Upon debiting a provisionally credited amount:
- Notify the consumer of the date and amount of the debit; and
- Notify the consumer that the institution will honor checks (or similar instruments payable to third parties) and preauthorized transfers from the consumer’s account — without charging overdraft fees — for five business days after the notification, provided that the items honored would have been paid if the institution had not debited the provisionally credited funds.13
If the consumer reasserts the error and the institution completed the initial investigation in compliance with the regulation, the institution has no further responsibilities to the consumer, except when a consumer asserts an error after receiving documentation requested under §1005.11(a)(1)(vii). See 12 C.F.R. §1005.11(e).
CONSUMER LIABILITY FOR UNAUTHORIZED EFTs: 12 C.F.R. §1005.6
If an institution concludes from its investigation that an unauthorized EFT occurred, a consumer can be held liable within the limitations described in §1005.6.
Conditions for Liability
The regulation does not permit an institution to impose liability on a consumer for an unauthorized transaction unless the institution previously provided the consumer with three disclosures required under §1005.7(b): a summary of the consumer’s liability for unauthorized transactions, the telephone number and address of the person or office to be notified of an unauthorized EFT, and the financial institution’s business days. In addition, if the unauthorized transaction involved an access device, it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued.14 An access device becomes an accepted access device when the consumer: requests and receives, or signs, or uses the device to transfer money between accounts or to obtain money, property, or services; requests the validation of an access device issued without solicitation; or receives a renewal of, or substitute for, an existing accepted access device from either the financial institution that issued the original access device or that institution’s successor.15
Notice Requirements
A consumer’s liability for unauthorized EFT depends on whether an access device is involved and when the consumer notifies its financial institution of the theft or loss of the device or the unauthorized EFT. The consumer’s notice is effective “when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.”16 Consumers may give notice in person, by phone, or in writing.17 Written notice is effective when the consumer mails the notice.18
Other rules regarding notification include:
Notice by Third Party. For purposes of the limitations on liability under §1005.6, notice provided by a third party on the consumer’s behalf is valid.19 A financial institution may require “appropriate documentation” from the third party to ensure that the person is acting on the consumer’s behalf.
Constructive Notice. According to §1005.6(b)(5)(iii), notice can be provided constructively, regardless of when the consumer provides actual notice, “when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized [EFT] to or from the consumer’s account has been or may be made.”
Liability for Unauthorized EFTs Involving an Access Device
Regulation E establishes three tiers of liability for unauthorized EFTs involving an access device. The applicable tier depends on when the consumer learned of the loss or theft of an access device, when the financial institution received notice, and when the financial institution transmitted the periodic statement showing the first unauthorized transaction to the consumer.
First-Tier Liability ($50 Maximum): S1005.6(b)(1). If the consumer notifies the financial institution within two business days after learning that the access device was lost or stolen, the financial institution may only hold the consumer liable for the lesser of (a) $50 or (b) the amount of unauthorized EFTs that occurred before the institution was notified.
| Monday | Consumer’s debit card is stolen |
|---|---|
| Wednesday | Consumer learns of theft |
| Thursday | Unauthorized EFT of $100 (using debit card) |
| Friday | Consumer notifies financial institution of theft |
|
Financial institutions may not hold the consumer liable for more than $50 of the $100 transfer |
|
| Monday | Consumer’s debit card is stolen |
|---|---|
| Tuesday | Unauthorized EFT of $35 (using debit card) |
| Wednesday | Consumer learns of theft |
| Friday | Consumer notifies financial institution of theft |
|
Financial institutions may hold the consumer liable for the $35 transfer |
|
| Monday | Consumer’s debit card is stolen |
|---|---|
| Tuesday | Unauthorized EFT of $35 (using debit card) |
| Wednesday | Consumer learns of theft |
| Thursday | Unauthorized EFT of $100 (using debit card) |
| Friday | Consumer notifies financial institution of theft |
|
Financial institutions may hold the consumer liable for only $50 of the $135 in transfers |
|
Second-Tier Liability ($500 Maximum): §1005.6(b)(2). If a consumer fails to notify the financial institution within two business days after learning that the access device was lost or stolen but notifies the institution of the loss or theft within 60 days of the financial institution’s transmittal of the statement containing the error, the institution may hold the consumer liable for the lesser of (a) $500 or (b) the sum of: (i) the consumer’s first-tier liability, i.e., the lesser of $50 or the amount of unauthorized EFTs that occur before the end of the second business day after the consumer learns of the loss or theft; and (ii) the amount of unauthorized EFTs that occur after the end of the second business day after the consumer learns of the loss or theft and before notice to the institution, provided the institution establishes that the unauthorized EFTs would not have occurred had the consumer provided notice within two business days after learning of the loss or theft.22
| Monday | Consumer’s debit card is stolen AND consumer learns of the theft |
|---|---|
| Tuesday | Unauthorized EFT of $100 (using debit card) |
| Thursday | Unauthorized EFT of $600 (using debit card) |
| Friday | Consumer notifies financial institution of theft. Bank’s systems are set up to immediately freeze an account after notice of unauthorized EFT. If consumer had provided notice on Wednesday, the $600 transfer would not have occurred. |
|
Financial institutions may hold the consumer liable for $500, calculated as follows:
|
|
| Monday | Consumer’s debit card is stolen AND consumer learns of the theft |
|---|---|
| Tuesday | Unauthorized EFT of $600 (using debit card) |
| Thursday | Unauthorized EFT of $100 (using debit card) |
| Friday | Consumer notifies financial institution of theft |
|
Financial institutions may hold the consumer liable for only $150, calculated as follows:
|
|
Third-Tier Liability (Unlimited): §1005.6(b)(3). If the consumer fails to notify the financial institution of the theft or loss within 60 days after the financial institution transmits to the consumer a periodic statement showing the first unauthorized EFT, the financial institution may impose liability on the consumer up to the total amount of all unauthorized EFTs occurring more than 60 calendar days after transmitting the statement and before notice to the financial institution, provided that the institution establishes that the unauthorized EFTs would not have occurred had the consumer notified the institution within the 60-day period. For unauthorized transactions that occurred before this period, the consumer is liable only to the extent that the banks could impose first and second-tier liability under §1005.6(b)(1) and (2).
| Jan. 1 | Consumer’s debit card is stolen AND consumer learns of the theft |
|---|---|
| Jan. 2 | Unauthorized EFT of $100 (using debit card) |
| Jan. 6 | Unauthorized EFT of $600 (using debit card) |
| Jan. 30 | Periodic statement is transmitted showing unauthorized EFTs of $100 and $600 |
| Apr. 10 | Unauthorized EFT of $400 |
| Apr. 11 | Consumer notifies financial institution of theft |
|
Financial institutions may hold the consumer liable for $900, calculated as follows:
|
|
| Jan. 1 | Consumer’s debit card is stolen AND consumer learns of the theft |
|---|---|
| Jan. 2 | Unauthorized EFT of $100 (using debit card) |
| Jan. 6 | Unauthorized EFT of $600 (using debit card) |
| Jan. 30 | Periodic statement is transmitted showing unauthorized EFTs of $100 and $600 |
| Feb. 5 | Unauthorized EFT of $400 |
| Feb. 20 | Consumer notifies financial institution of theft |
|
Financial institutions may hold the consumer liable for $500, calculated as follows:
|
|
| Mar. 15 | Consumer’s account is electronically debited without authorization for $200 |
|---|---|
| Apr. 2 | Financial institution transmits periodic statement containing unauthorized EFT |
| June 2 | Unauthorized EFT of $400 (61 days after periodic statement transmittal) |
| June 4 | Consumer notifies the financial institution |
|
Financial institutions may hold the consumer liable for only $400 of the total $600 in transfers, calculated as follows:
|
|
Extension for Extenuating Circumstances. Section 1005.6(b)(4) requires financial institutions to extend the time limits discussed above for each liability tier if the consumer failed to notify the institution because of “extenuating circumstances.” When this occurs, the institution must extend the limits to “a reasonable period of time.” Comment 6(b)(4)-1 of the Official Staff Commentary lists hospitalization and extended travel as examples of extenuating circumstances.
Unauthorized EFTs Not Involving an Access Device: Comment 6(b)(3)-2
The consumer liability rules are slightly different when an unauthorized EFT does not involve an access device. Most important, the first two tiers of liability do not apply; that is, the institution may not hold a consumer liable for any portion of any unauthorized EFT not involving an access device that occurred on or before the 60th calendar day after the institution’s transmittal of the periodic statement showing the first unauthorized EFT.23
Instead, an institution may only hold the consumer liable for an unauthorized EFT not involving an access device if the transfer occurred more than 60 calendar days after transmittal of a periodic statement showing the first unauthorized EFT out of the consumer’s account and before the consumer gives notice to the financial institution, provided the institution establishes that the unauthorized EFT would not have occurred had the consumer notified the institution within the 60-day period.
Liability Under State Law or Agreement: §1005.6(b)(6)
If either a state law or the agreement between the financial institution and the consumer provides less liability than the provisions of §1005.6, the consumer’s liability cannot exceed the limits under the state law or the agreement.
To facilitate compliance for the institutions it supervises, the Federal Reserve Board published the chart below summarizing circumstances in which the consumer has liability for unauthorized EFTs under Regulation E.25
CONCLUSION
Financial institutions should review and test their policies and procedures regarding error resolution investigations and consumer liability for unauthorized transactions to ensure that they comply with Regulation E’s requirements. Specific issues should be raised with the Consumer Financial Protection Bureau or your primary regulator.
| Event | Timing of Consumer Notice to Financial Institution | Maximum Liability |
|---|---|---|
| Loss or theft of access device | Within two business days after learning of loss or theft | Lesser of $50 or total amount of unauthorized transfers |
| More than two business days after learning of loss or theft up to 60 calendar days after transmittal of statement showing first unauthorized transfer made with access device | Lesser of $500 or the sum of:
|
|
| More than 60 calendar days after transmittal of statement showing first unauthorized transfer made with access device | For transfers occurring within the 60-day period, the lesser of $500 or the sum of:
|
|
| Unauthorized transfer(s) not involving the loss or theft of an access device | Within 60 calendar days after transmittal of the periodic statement on which the unauthorized transfer first appears | No liability |
- 1 The term electronic terminals means electronic terminals through which a consumer may initiate an EFT, such as ATMs, point-of-sale terminals, and cash-dispensing machines; the term does not include telephones operated by consumers. 12 C.F.R. §1005.2(h).
However, no error occurs in cases where the institution does not make a terminal receipt available for transfers of $15 or less. Comment 11(a)-6 ; see also 12 C.F.R. §1005.9(e). - 2 12 C.F.R. §1005.11(a)(2)
- 3 Comment 11(a)-4
- 4 When a notice of error is based on documentation or clarification that the consumer requested under §1005.11(a)(1)(vii), notice is timely if received by the institution no later than 60 days after the bank transmits the requested documentation. 12 C.F.R. §1005.11(b)(3)
- 5 12 C.F.R. §1005.11(b). However, the consumer is not required to allege any specific error if the consumer requests documentation or clarification pursuant to 12 C.F.R. §1005.11(a)(1)(vii) to determine whether an error actually occurred. 12 C.F.R. §1005.11(b)(iii)
- 6 12 C.F.R. §1005.11(b)(2)
- 7 Comment 11(c)-2
- 8 12 C.F.R. §1005.11(c)(3)(i)
- 9 12 C.F.R. §1005.11(c)(2)
- 10 12 C.F.R. §1005.11(c)(2)(i); see also 12 C.F.R. Part 220 (Securities Credit by Brokers and Dealers).
- 11 12 C.F.R. §1005.11(c)(3)(ii)
- 12 12 C.F.R. §1005.11(c)(1); Comment 1005.11(c)-1. Comment 1005.11(c)-5 states that an institution may include the notice of correction on a periodic statement that is mailed or delivered within the 10-business-day or 45-calendar-day time limits and that clearly identifies the correction on the consumer’s account.
- 13 12 C.F.R. §1005.11(d)
- 14 12 C.F.R. §1005.6(a)
- 15 12 C.F.R. §1005.2(a)(2)
- 16 12 C.F.R. §1005.6(b)(5)
- 17 12 C.F.R. §1005.6(b)(5)(ii)
- 18 12 C.F.R. §1005.6(b)(5)(iii)
- 19 Comment 6(b)(5)-2
- 20 Comment 6(b)(2)-1
- 21 Comment 6(b)(2)-1
- 22 12 C.F.R. §1005.6(b)(2)
- 23 Comment 6(b)(3)-2
- 24 Comment 6(b)(3)-2
- 25 Federal Reserve Board, Consumer Compliance Handbook,
Regulation E at 13.