EFTA Civil Framework

Section summaryEFTA establishes the consumer rights, disclosure obligations, and dispute-resolution framework for electronic fund transfers from consumer accounts. The statute predates most modern digital payment systems but applies to ACH, debit cards, online bill pay, and similar mechanisms.

EFTA covers electronic transfers initiated by consumers using:

  • Debit cards at point-of-sale or ATM.
  • Online bill-payment services.
  • ACH debits authorized by the consumer.
  • Telephone-initiated transfers.
  • Mobile-payment apps tied to consumer deposit accounts.

The statute requires disclosures at account opening, transaction receipts, periodic statements, and error-resolution procedures. Compliance is enforced by the CFPB and through a private right of action.

Regulation E Mechanics

Section summaryRegulation E at 12 C.F.R. Part 1005 implements EFTA. It defines key terms, sets disclosure formats, establishes the unauthorized-transfer framework, and prescribes error-resolution procedures.

Key Regulation E provisions:

  • §1005.6 — consumer liability for unauthorized transfers.
  • §1005.7 — initial disclosures at account opening.
  • §1005.9 — receipts and periodic statements.
  • §1005.11 — error-resolution procedures.
  • §1005.17 — overdraft opt-in requirements.

The error-resolution procedure is the operational core. A consumer must notify the institution within sixty days of the statement showing the disputed transfer. The institution must investigate within ten business days and either resolve the dispute or extend the investigation up to forty-five days while provisionally crediting the account.

Reporting Deadlines

Section summaryConsumer liability for unauthorized transfers steps up sharply based on how quickly the consumer reports the loss to the institution. The deadlines run from when the consumer learns of the loss or theft.

Reporting-and-liability tiers under §1005.6(b):

  • Report within 2 business days of learning of loss/theft: maximum $50 liability.
  • Report after 2 but within 60 days: up to $500 liability for transfers between days 3 and 60.
  • Report after 60 days: unlimited liability for transfers after the 60-day window.
  • Report any unauthorized transfer shown on a statement within 60 days of the statement: limits apply.

The deadlines are strictly enforced. A consumer who delays reporting past 60 days faces meaningful exposure for transfers occurring after the window closes.

Liability Allocation

Section summaryWhen a consumer reports timely, the institution bears the loss for unauthorized transfers. When the consumer reports late or fails to report, the loss shifts to the consumer up to the regulatory caps.

Liability framework:

  • Institution bears loss when consumer reports within 2 business days.
  • Consumer liability capped at $50, $500, or unlimited based on report timing.
  • Negligence by consumer (writing PIN on card) does not increase liability under the regulation.
  • State law may impose additional consumer-protective rules.

Consumers who become aware of unauthorized activity should report immediately and document the report. The two-business-day window starts from awareness, not from the transfer date.

Business Account Exclusion

Section summaryEFTA and Regulation E cover transfers from accounts established primarily for personal, family, or household purposes. Business accounts are excluded and governed by UCC Article 4A and the bank-customer agreement.

Business-account treatment:

  • Reg E does not apply to commercial accounts.
  • UCC Article 4A controls business wire and ACH transfers.
  • Account agreement allocates loss between bank and business customer.
  • Commercially reasonable security procedures shift liability under §4A-202.
  • Business customers carry larger fraud exposure with shorter remedy windows.

A business customer hit by an account takeover faces a fundamentally different framework than a consumer. Loss recovery depends on the security-procedure analysis, not on Reg E reporting deadlines.

Criminal Overlap with §1029

Section summaryThe same conduct that gives rise to EFTA unauthorized-transfer claims often triggers federal criminal exposure under 18 U.S.C. §1029 access-device fraud.

Access-device-fraud overlap:

  • §1029(a)(1) — production or use of counterfeit access devices.
  • §1029(a)(2) — trafficking in or using unauthorized access devices to obtain anything of value totaling $1,000 or more.
  • §1029(a)(3) — possession of fifteen or more counterfeit or unauthorized access devices.
  • §1029(a)(5) — fraud in connection with access devices issued to another person.
  • Statutory maximum: up to 10 years (a)(1)-(2), 15 years for some subsections, 20 years on enhancements.

"Access device" is defined broadly at §1029(e)(1) to include cards, account numbers, PINs, and any other means of account access. Routine ATM/debit-card fraud scenarios typically map onto §1029(a)(2) or (a)(5).

Need defense counsel?

L&L Law Group, PLLC handles Computer Crimes Defense cases throughout DFW. Initial consultations are free.

Call (972) 370-5060 →

The Electronic Funds Transfer Act framework

The Electronic Funds Transfer Act (EFTA) is codified at 15 U.S.C. Sections 1693-1693r and was enacted in 1978 to establish consumer protections for electronic fund transfers. The Act has been amended multiple times to address evolving payment technologies and is implemented through Regulation E at 12 C.F.R. Part 1005. The framework provides substantial consumer protections including disclosure requirements, error resolution procedures, and limits on consumer liability for unauthorized transfers.

The EFTA scope reaches transfers initiated through electronic terminals, telephonic instruments, computers, or magnetic tapes that order, instruct, or authorize a financial institution to debit or credit a consumer account. The covered transfers include automated teller machine (ATM) transactions, point-of-sale terminals, automatic clearing house (ACH) transfers, and various electronic payment systems. The Act does not apply to credit card transactions, which are covered separately under the Truth in Lending Act and the Fair Credit Billing Act.

The EFTA provides consumer protections through three primary mechanisms. Disclosure requirements ensure consumers receive information about their accounts and transactions. Error resolution procedures provide a framework for addressing transaction errors and unauthorized transfers. Liability limitations restrict consumer responsibility for unauthorized transfers, with specific timing rules that affect the scope of consumer protection.

The unauthorized transfer framework and the consumer liability limits

The unauthorized transfer framework under EFTA provides substantial consumer protections against fraud and theft. The Act defines unauthorized electronic fund transfers as transfers initiated by persons other than the consumer without actual authority and from which the consumer receives no benefit. The definition specifically excludes transfers initiated by persons authorized by the consumer to initiate transfers, even where the authority was exceeded or violated.

The consumer liability limits under Section 1693g create a tiered framework based on the timing of notice to the financial institution. A consumer who notifies the institution within two business days after learning of the loss or theft of an access device has liability capped at $50. A consumer who notifies within 60 days after the statement showing the unauthorized transfer has liability capped at $500. A consumer who fails to notify within 60 days faces unlimited liability for subsequent unauthorized transfers but remains protected for transfers occurring before the negligent delay.

The financial institution defense framework requires the institution to prove the timing elements that affect consumer liability. The institution must show when the consumer learned of the unauthorized transfer, when the consumer notified the institution, and the specific timing of the various unauthorized transfers. The defense in EFTA disputes can challenge each element of the institution case and can present alternative timing analysis that supports broader consumer protection.

The error resolution procedure and the institution obligations

The error resolution procedure under Section 1693f provides a framework for addressing consumer disputes about electronic fund transfers. The consumer must notify the institution about the alleged error within 60 days of the statement showing the disputed transfer. The institution must investigate the disputed transfer and resolve the dispute within specific time frames. The procedural framework provides both substantive protections and procedural rights for consumers.

The institution must investigate and resolve the dispute within 10 business days of receiving the consumer notice, or provisionally credit the consumer account for the disputed amount within 10 business days and complete the investigation within 45 days. The provisional credit framework gives consumers immediate access to disputed funds while the investigation proceeds. The institution must provide written explanations of the investigation findings and the basis for any conclusions reached.

The consumer rights during the error resolution include access to documentation supporting the institution conclusions, the right to request reinvestigation if new information emerges, and the right to pursue civil remedies if the institution fails to comply with the procedural requirements. The defense and consumer advocacy in EFTA matters must understand the specific procedural requirements and must preserve the consumer position through proper notice and follow-up.

Civil remedies and criminal overlap considerations

The EFTA civil remedies under Section 1693m provide consumers with both individual and class action relief for institution violations. Individual remedies include actual damages but not less than $100 and not more than $1,000 in statutory damages, plus costs and attorney fees. Class action remedies include actual damages plus the lesser of $500,000 or 1 percent of the institution net worth. The remedy framework supports both individual consumer advocacy and broader institutional enforcement.

The criminal overlap considerations include the various federal criminal statutes that may apply to specific electronic fund transfer fraud. Federal wire fraud under 18 U.S.C. Section 1343 reaches the use of interstate communications for fraud including electronic fund transfer fraud. Federal bank fraud under 18 U.S.C. Section 1344 reaches schemes to defraud financial institutions. Identity theft under 18 U.S.C. Sections 1028 and 1028A reaches the use of identification in connection with electronic fund transfer fraud. The defense in criminal cases involving electronic fund transfers must consider both the criminal exposure and any parallel civil EFTA implications.

The strategic considerations in EFTA matters include coordination with parallel criminal proceedings, the timing of civil action relative to criminal proceedings, and the use of EFTA procedural protections to address specific transactions involved in alleged criminal conduct. The dual civil and criminal framework can produce complex strategic considerations, and the defense should engage with both dimensions to develop comprehensive strategies that address all available protections and remedies.

Frequently Asked Questions

Does Regulation E protect me if I gave someone my PIN?
Yes. Reg E does not impose a negligence reduction for consumer carelessness. If a transfer was not authorized by the consumer, liability is allocated under the §1005.6 framework regardless of how the credentials were obtained.
What is the difference between EFTA and the access-device-fraud statute?
EFTA is civil and governs how loss is allocated between the consumer and the institution. The access-device-fraud statute at 18 U.S.C. §1029 is criminal and applies to the person who used or trafficked in the unauthorized access device. Both can apply to the same incident.
Does my small business get Reg E protection?
No, unless the account is held in an individual name primarily for personal use. Business accounts fall under UCC Article 4A and the account agreement. Many small-business owners discover this distinction only after a fraud loss.
How fast must I report a stolen debit card?
Within two business days of learning of the loss to maintain the $50 liability cap. Report after 60 days and you face unlimited exposure for transfers occurring after the 60-day window.
Can I be prosecuted for using a friend's debit card with permission?
Not under §1029 if the use is genuinely authorized. The statute reaches unauthorized use. Permission-based use is a fact-intensive question, and the friend's testimony may be necessary to defeat the unauthorized-access element.
Part of a larger guide

Read the full Texas Computer Crimes Defense Guide

This article is one section of our comprehensive Texas Computer Crimes Defense Guide. The pillar guide covers recent developments, official resources, and the complete framework with deeper analysis.

Read the Pillar Guide →
⚖️
Texas Bar
Licensed
Bar Nos. 24043266 · 24043514
🏆
40+
Years Combined
Criminal Defense Experience
📞
Free
Consultation
Direct to Attorney
🔓
24/7
Jail Release
Available 7 Days a Week

Next Steps

If you are facing a situation described here, consult counsel promptly. Many issues in this area run on strict deadlines.

Reggie London & Njeri London

Co-Founding Partners · L&L Law Group, PLLC

Reggie London (Tex. Bar #24043514) and Njeri London (Tex. Bar #24043266) co-founded L&L Law Group in Frisco, Texas.

This guide was reviewed by Reggie London on May 30, 2026.

Cite this guide

Bluebook: Reggie London & Njeri London, EFTA & Regulation E in Federal Cases, L&L Law Group (May 30, 2026), https://landllawgroup.com/insights/efta-electronic-funds-transfer-act/.

APA: London, R., & London, N. (2026, May 30). EFTA & Regulation E in Federal Cases. L&L Law Group.