Consumer Compliance Outlook: Third Issue 2025

Consumer Liability for Unauthorized Transactions Under the Electronic Fund Transfer Act and Regulation E

By Kenneth Benton, Principal Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia

Editor’s Note: Consumer Compliance Outlook (CCO) is updating a 2012 article reviewing the procedures financial institutions must follow under the Electronic Fund Transfer Act (EFTA) and Regulation E when consumers allege an error in an electronic fund transfer (EFT) to reflect regulatory changes that have occurred since it was published.[1]

Part 1 of this two-part series discussed error resolution procedures under the EFTA and Regulation E. This second part discusses a consumer’s potential liability when an institution investigates an error involving an unauthorized EFT and confirms that it was unauthorized.

CONSUMER LIABILITY FOR UNAUTHORIZED EFT: 12 C.F.R. §1005.6

When an institution receives notice from a consumer of an unauthorized EFT, and the institution confirms this after completing an investigation (as discussed in the companion article on error resolution procedures), the consumer’s financial responsibility for the unauthorized EFTs is limited to the amounts described in §1005.6, which this article reviews in detail.

Conditions for Liability

The regulation does not permit an institution to impose liability on a consumer for an unauthorized transaction unless the institution previously provided the consumer with three disclosures required under §1005.7(b): a summary of the consumer’s liability for unauthorized transactions, the telephone number and address of the person or office to be notified of an unauthorized EFT, and the financial institution’s business days.

In addition, if the unauthorized transaction involved an access device, which the regulation defines as a “card, code, or other means of access to a consumer’s account, that can be used by the consumer to initiate electronic fund transfers,”[2] it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued.[3] An access device becomes an accepted access device when the consumer:

The regulation and commentary explain that when determining a consumer’s liability under §1005.6, banks cannot:

In addition, the EFTA prohibits a financial institution from waiving a consumer’s rights under the EFTA, including the right to file an action.[8]

Notice Requirements

The extent of a consumer’s liability for an unauthorized EFT depends upon whether an access device is involved and when the consumer notifies its financial institution about the theft or loss of the device or about the unauthorized EFT. The consumer’s notice is effective “when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.”[9] Consumers may give notice in person, by phone, or in writing.[10] Written notice is effective when the consumer mails the notice or delivers it by other usual means.[11]

Other considerations regarding notification:

Notice by Third Party: For purposes of the limitations on liability under §1005.6, notice provided by a third party on the consumer’s behalf is valid.[12] A financial institution may require “appropriate documentation” from the third party to ensure that the person is acting on the consumer’s behalf.

Constructive Notice: An institution is deemed to have constructive notice, regardless of when the consumer provides actual notice, “when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized [EFT] to or from the consumer’s account has been or may be made.”[13]

Extension for Extenuating Circumstances: A financial institution must extend the time limits in 12 C.F.R. §1005.6(b) if the consumer failed to notify the institution because of “extenuating circumstances.”[14] When this occurs, the institution must extend the limits to “a reasonable period of time.” Comment 6(b)(4)-1 lists hospitalization and extended travel as examples of extenuating circumstances under §1005.6(b)(4).

Liability for Unauthorized EFTs Involving an Access Device

Regulation E establishes three tiers of liability for unauthorized EFTs involving an access device. The applicable tier depends on when the consumer learned of the loss or theft of an access device, when the financial institution received notice, and when the financial institution transmitted the periodic statement showing the first unauthorized transaction to the consumer.

First Tier Liability ($50 Maximum): §1005.6(b)(1). If the consumer notifies the financial institution within two business days[15] after learning the access device was lost or stolen, the financial institution may hold the consumer liable only for the lesser of (a) $50 or (b) the amount of the unauthorized EFTs that happened before the institution was notified.[16]

First Tier Liability: Example 1

  • Monday: Consumer’s debit card is stolen
  • Wednesday: Consumer learns of the theft
  • Thursday: Unauthorized EFT of $100 using debit card
  • Friday: Consumer notifies the financial institution of the theft

The financial institution may not hold the consumer liable for more than $50 of the $100 transfer because the consumer provided notice within two business days of learning the access device was lost or stolen.


First Tier Liability: Example 2

  • Monday: Consumer’s debit card is stolen
  • Tuesday: Unauthorized EFT of $35 using debit card
  • Wednesday: Consumer learns of the theft
  • Friday: Consumer notifies the financial institution of the theft

The financial institution may hold the consumer liable for the $35 transfer because §1005.6(b)(1) specifies a consumer may be liable for up to $50 of an unauthorized EFT when notice is provided within two business days of learning of the loss or theft.


Second Tier Liability ($500 Maximum): §1005.6(b)(2). If a consumer fails to notify the financial institution within two business days after learning that the access device was lost or stolen but notifies the institution of the loss or theft within 60 days of the financial institution’s transmittal of the statement containing the error, the institution may hold the consumer liable for the lesser of (a) $500 or (b) the sum of:

  1. the consumer’s first tier liability (i.e., the lesser of $50 or the amount of unauthorized EFTs that occurred before the end of the second business day after the consumer learns of the loss or theft); and
  2. the amount of the unauthorized EFTs that occurred after the end of the second business day after the consumer learns of the loss or theft and before the institution was notified, provided that the institution establishes that the unauthorized EFTs would not have occurred had the consumer provided notice within two business days after learning of the loss or theft.[17]

Second Tier Liability: Example 1 [18]

  • Monday: Consumer’s debit card is stolen and consumer learns of the theft
  • Tuesday: Unauthorized EFT of $100 using debit card
  • Thursday: Unauthorized EFT of $600 using debit card
  • Friday: Consumer notifies the financial institution of theft; the bank’s systems are set up to immediately freeze an account after the notice of an unauthorized EFT. If the consumer had provided notice on Wednesday, the $600 transfer would not have occurred.

The financial institution may hold the consumer liable for $500, calculated as follows:

  • $50 of the $100 transfer, plus
  • $450 of the $600 transfer

Second Tier Liability: Example 2 [19]

  • Monday: Consumer’s debit card is stolen and consumer learns of the theft
  • Tuesday: Unauthorized EFT of $600 using debit card
  • Thursday: Unauthorized EFT of $100 using debit card
  • Friday: Consumer notifies the financial institution of the theft; the bank’s systems are set up to immediately freeze an account after the notice of an unauthorized EFT. If the consumer had provided notice on Wednesday, the $100 transfer would not have occurred.

The financial institution may hold the consumer liable for only $150, calculated as follows:

  • $50 of the $600 transfer, plus
  • Entire $100 transfer

Third Tier Liability (Unlimited): §1005.6(b)(3). If the consumer fails to notify the financial institution of the unauthorized EFT within 60 days after the financial institution transmits a periodic statement to the consumer showing the first unauthorized EFT, the financial institution may impose liability on the consumer up to the total amount of all unauthorized EFTs occurring more than 60 calendar days after transmitting the statement and before notice to the financial institution, provided that the institution establishes that the unauthorized EFTs would not have occurred had the consumer notified the institution within the 60-day period. For unauthorized transactions that occurred before this period, the consumer is liable only to the extent that the banks could impose first and second tier liability under §1005.6(b)(1) and §1005.6(b)(2), respectively.

Third Tier Liability: Example [20]

  • January 1: Consumer’s debit card is stolen and consumer learns of the theft
  • January 2: Unauthorized EFT of $100 using debit card
  • January 6: Unauthorized EFT of $600 using debit card
  • January 30: Periodic statement is transmitted that showed unauthorized EFTs of $100 and $600
  • April 10: Unauthorized EFT of $400 using debit card
  • April 11: Consumer notifies the financial institution of the theft (more than 60 days after the transmittal of the periodic statement with the unauthorized transactions)

The financial institution may hold the consumer liable for $900, calculated as follows:

  • $50 of the $100 transfer, plus
  • $450 of the $600 transfer, plus
  • $400 of the $400 transfer

Unauthorized EFTs Not Involving an Access Device

The consumer liability rules are slightly different when an unauthorized EFT does not involve an access device. Most importantly, the first two tiers of liability do not apply; that is, the institution may not hold a consumer liable for any portion of any unauthorized EFT not involving an access device that occurred on or before the 60th calendar day after the institution’s transmittal of the periodic statement showing the first unauthorized EFT.[21] Instead, an institution may only hold the consumer fully liable for transactions that occurred more than 60 calendar days after the periodic statement was transmitted showing the first unauthorized EFT and before the consumer provides notice to the financial institution. But the institution must also establish that the unauthorized EFTs would not have occurred had the consumer notified the institution within the 60-day period.

Liability for Unauthorized EFTs Not Involving an Access Device: Example [22]

  • March 15: Consumer’s account is electronically debited without authorization for $200
  • April 2: Financial institution transmits the periodic statement containing an unauthorized EFT
  • June 2: Unauthorized EFT of $400 (61 days after periodic statement transmittal)
  • June 3: Consumer notifies the financial institution

The financial institution may hold the consumer liable for only $400 of the total $600 in transfers, calculated as follows:

  • $0 of the $200 transfer, and
  • $400 of the $400 transfer


The interagency examination procedures for Regulation E include a summary of the circumstances in which the consumer may be liable for unauthorized EFTs (reproduced in this table).[23]

Summary of Consumer Liability for Unauthorized EFTs

Event: Loss or theft of access device

  Timing of Consumer Notice to Financial Institution: Within two business days after learning of loss or theft
  Maximum Liability: Lesser of $50 or the total amount of unauthorized transfers

  Timing of Consumer Notice to Financial Institution: More than two business days after learning of loss or theft up to 60 calendar days after transmittal of statement showing first unauthorized transfer made with access device
  Maximum Liability: Lesser of $500 or the sum of:
    1. $50 or total amount of unauthorized transfers occurring in the first two business days, whichever is less, and
    2. The amount of unauthorized transfers occurring after two business days and before notice to financial institution

  Timing of Consumer Notice to Financial Institution: More than 60 calendar days after transmittal of statement showing first unauthorized transfer made with access device
  Maximum Liability: For transfers occurring within the 60-day period, the lesser of $500 or the sum of:
    1. Lesser of $50 or amount of unauthorized transfers in the first two business days, whichever is less, and
    2. The amount of unauthorized transfers occurring after two business days
  For transfers occurring after the 60-day period, unlimited liability (until financial institution is notified)

Event: Unauthorized transfer(s) not involving loss or theft of access device

  Timing of Consumer Notice to Financial Institution: Within 60 calendar days after transmittal of periodic statement on which unauthorized transfer first appears
  Maximum Liability: No liability

  Timing of Consumer Notice to Financial Institution: More than 60 calendar days after transmittal of periodic statement on which unauthorized transfer first appears
  Maximum Liability: Unlimited liability for unauthorized transfers occurring 60 calendar days after periodic statement and before notice to financial institution

CONCLUSION

Financial institutions should review and test their policies and procedures regarding consumer liability for unauthorized transactions to ensure they comply with requirements of the EFTA and Regulation E. Specific issues should be raised with your primary regulator.


ENDNOTES

1 Kenneth Benton and Robert Sheerr, “Error Resolution Procedures and Consumer Liability Limits for Unauthorized Electronic Fund Transfers,” Consumer Compliance Outlook (Fourth Quarter 2012).

2 12 C.F.R. §1005.2(a)(1).

3 12 C.F.R. §1005.6(a).

4 12 C.F.R. §1005.2(a)(2).

5 Comment 6(b)-2.

6 Comment 6(b)-3.

7 12 C.F.R. §1005.6(b)(6).

8 15 U.S.C. §1693l.

9 12 C.F.R. §1005.6(b)(5)(i).

10 12 C.F.R. §1005.6(b)(5)(ii).

11 12 C.F.R. §1005.6(b)(5)(iii).

12 Comment 6(b)(5)-2.

13 12 C.F.R. §1005.6(b)(5)(iii).

14 12 C.F.R. §1005.6(b)(4) requires that, if the consumer experienced extenuating circumstances, the time period for providing notice is extended by a “reasonable period.”

15 12 C.F.R. §1005.6(b)(1). The commentary expands on this: “The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24-hour periods, without regard to the financial institution’s business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution’s business day on Monday.” Comment 6(b)(1)-3.

16 Comment 6(b)(1)-1. The payment card networks, such as MasterCard, Visa, and Discover, typically provide in their agreement with participating merchants that the consumer generally has zero liability for unauthorized debit card transactions, subject to specified exclusions. Under §1005.6(b)(6), if the consumer’s account agreement with the institution incorporates the payment card network liability limits, the institution could not impose liability greater than those limits.

17 12 C.F.R. §1005.6(b)(2).

18 Comment 6(b)(2)-1.

19 Comment 6(b)(2)-1.

20 12 C.F.R. §1005.6(b)(3); Comment 6(b)(3)-1.

21 Comment 6(b)(3)-2.

22 Comment 6(b)(3)-2.

23 Federal Reserve Consumer Affairs Letter 19-6, “Revised Interagency Examination Procedures for Regulation E” (April 9, 2019), at pp. 25–26.