PRIA Logo
Back to search
Financial RegulationConsumer Finance

Electronic Fund Transfer Act (EFTA)

14 min read·Updated May 14, 2026

Electronic Fund Transfer Act (EFTA)

The Electronic Fund Transfer Act protects you every time you swipe a debit card, withdraw cash from an ATM, set up direct deposit, or authorize an automatic bill payment. Enacted in 1978 (15 U.S.C. §§ 1693-1693r) and implemented by the CFPB's Regulation E, EFTA establishes your rights when electronic transactions go wrong — capping your liability for unauthorized transfers, requiring banks to investigate errors within strict deadlines, and mandating clear disclosures about fees and terms. If someone drains your checking account with a stolen debit card number, EFTA is the law that limits your losses and forces your bank to act.

Current Law (2026)

<!-- pria:personalize type="bracket-highlight" -->
ParameterValue
Governing law15 U.S.C. §§ 1693–1693r; Regulation E (12 CFR Part 1005)
RegulatorConsumer Financial Protection Bureau (CFPB)
Unauthorized transfer liability — reported within 2 days$50 maximum
Unauthorized transfer liability — reported within 60 days$500 maximum
Unauthorized transfer liability — reported after 60 daysUnlimited (for transfers after the 60-day window)
Error resolution deadline (bank investigation)10 business days (45 days if provisional credit issued)
New account investigation deadline20 business days (90 days with provisional credit)
Required disclosuresTerms, fees, liability limits, error resolution procedures
Civil liabilityActual damages + statutory damages ($100–$1,000 individual; up to $500,000 class action) + attorney's fees
PreemptionState laws providing greater consumer protection are preserved
<!-- /pria:personalize -->
  • 15 U.S.C. § 1693 — Congressional findings and declaration of purpose (establishes federal protection for consumers using electronic fund transfer services)
  • 15 U.S.C. § 1693a — Definitions (defines "electronic fund transfer" to include ATM transactions, point-of-sale debit, direct deposits, telephone transfers, and preauthorized transfers)
  • 15 U.S.C. § 1693b — Regulations (authorizes the CFPB to prescribe regulations — Regulation E — to carry out the Act's purposes)
  • 15 U.S.C. § 1693c — Terms and conditions of transfers (requires financial institutions to disclose all terms, conditions, and fees at account opening and before changes take effect)
  • 15 U.S.C. § 1693d — Documentation of transfers (requires receipts at electronic terminals and periodic statements showing all EFT activity)
  • 15 U.S.C. § 1693e — Preauthorized transfers (governs recurring automatic payments — consumers can stop payment by notifying the bank at least 3 business days before the scheduled transfer)
  • 15 U.S.C. § 1693f — Error resolution (requires banks to investigate consumer error claims within 10 business days and resolve within 45 days; provisional credit required if investigation exceeds 10 days)
  • 15 U.S.C. § 1693g — Consumer liability (caps liability for unauthorized transfers at $50 if reported within 2 business days, $500 if reported within 60 days)
  • 15 U.S.C. § 1693h — Liability of financial institutions (banks are liable for all damages caused by failure to make authorized transfers or failure to stop preauthorized transfers when properly instructed)
  • 15 U.S.C. § 1693m — Civil liability (consumers can sue for actual damages, statutory damages of $100–$1,000, and attorney's fees; class actions capped at $500,000 or 1% of net worth)

How It Works

EFTA covers any transfer of funds initiated through an electronic terminal, telephone, computer, or magnetic tape — ATM withdrawals, debit card purchases, direct deposits, automatic bill payments, and person-to-person payment apps. It does not cover wire transfers, checks, securities transactions, or transfers between your own accounts at the same institution. (For credit card disputes, see the Truth in Lending Act.) The law's most important consumer protection is liability for unauthorized transfers, which turns entirely on how fast you act: report within 2 business days of discovering a problem and your maximum loss is $50; wait up to 60 days from your statement and the cap rises to $500; miss the 60-day window and you can lose everything taken after it. No employer or government agency can require you to receive wages or benefits by EFT only — you must be offered an alternative such as a check.

When you report an error — wrong amount, unauthorized transfer, missing deposit — your bank has 10 business days to investigate and resolve it (15 CFR § 205.11). If the bank needs more time, it may extend to 45 days, but only by provisionally crediting your account first so you aren't out the money during the inquiry. New accounts get slightly different timelines: 20 business days for provisional credit and 90 days total for investigation. For preauthorized recurring transfers — automatic rent, subscriptions, gym memberships — you can stop any scheduled payment by notifying your bank at least 3 business days before the transfer date; oral notice is valid, though the bank may request written confirmation within 14 days. A bank that processes a transfer after receiving a valid stop-payment order is liable for all resulting damages.

How It Affects You

<!-- pria:personalize type="impact" -->

If you use a debit card or bank account for electronic payments: The liability caps only protect you if you act fast — and the clock starts earlier than most people expect.

Your liability by reporting speed:

  • Report within 2 business days of learning your card or credentials were compromised → maximum $50 liability
  • Report between 2 days and 60 days after your periodic statement → maximum $500 liability
  • Report more than 60 days after your periodic statement → you could lose everything taken after the 60-day window

The 60-day clock runs from when your bank made your statement available, not when you opened it. If your bank sends electronic statements and you don't open them, the clock still ticks. Check your accounts weekly — not just when statements arrive.

How to report: Call the customer service number on the back of your card or on your bank's app immediately when you see unauthorized activity. Get a case number. Follow up in writing (email or secure message through your bank's app) within 24 hours to create a paper trail. Your bank cannot require you to submit a police report as a condition of the error investigation.

The provisional credit requirement: If your bank's investigation takes more than 10 business days, it must provisionally credit your account for the disputed amount while it completes the investigation. This is one of EFTA's most powerful protections — you're not left without funds for weeks while the bank investigates. If the bank fails to provide provisional credit when required, that failure is itself an EFTA violation you can sue over. The investigation must conclude within 45 days total; for new accounts under 30 days old, the bank gets 90 days.

After the investigation: The bank must notify you of its conclusion in writing. If the bank finds there was no error, it must explain the specific reasons and tell you that you can request copies of the documents it relied on. If you disagree with the bank's conclusion, you can submit additional information and, if that doesn't resolve it, file a complaint with the CFPB at consumerfinance.gov/complaint or sue in federal or state court.

If you use Zelle, Venmo, Cash App, or another P2P payment service: A critical EFTA limitation you need to know: the liability caps apply to transfers you did not authorize. If a scammer tricked you into sending money yourself — you pressed "send" but were deceived about why — the transfer may be treated as "authorized by you," and EFTA's fraud protections may not apply.

  • Zelle/bank-to-bank scam disputes: Banks have frequently denied EFTA claims for scam-induced transfers, arguing the customer "authorized" the payment. CFPB issued guidance suggesting some scam-induced transfers (where a consumer was impersonated) should be treated as unauthorized — but this remains contested. If you're scammed via Zelle:

    1. Report immediately to your bank and Zelle (zellepay.com/support/report-fraud)
    2. File a police report (some banks require it for scam claims)
    3. File a CFPB complaint at consumerfinance.gov/complaint
    4. File a fraud report with the FTC at reportfraud.ftc.gov
    5. Contact your state attorney general — some states have expanded consumer protection for P2P scams

  • Venmo/PayPal: Transfers sent from your PayPal balance are governed by PayPal's own dispute resolution. Transfers from a linked bank account or debit card fall under Regulation E's unauthorized transfer protections.

If you want to stop an automatic recurring payment: Give your bank oral or written notice at least 3 business days before the scheduled transfer. The bank may require written confirmation within 14 days of your oral notice. Important: stopping the payment at the bank is separate from canceling your subscription with the merchant — do both. If your bank processes the transfer after receiving a valid stop-payment order, the bank is liable for all resulting damages, including overdraft fees and returned item charges.

If your bank violates EFTA and you want to sue: EFTA provides a private right of action with meaningful remedies:

  • Actual damages: Whatever you actually lost
  • Statutory damages: $100 to $1,000 per case regardless of actual loss (for individual suits)
  • Attorney's fees and court costs: Makes it economically viable for consumer attorneys to take these cases
  • Class actions: Up to the lesser of $500,000 or 1% of the bank's net worth

To find a consumer attorney: the National Consumer Law Center (nclc.org) and the National Association of Consumer Advocates (naca.net) maintain referral directories. Many consumer attorneys take EFTA cases on contingency.

If you're an employer managing payroll: EFTA (specifically 15 U.S.C. § 1693k) prohibits requiring employees to receive wages only through a specific payroll card or electronic method. Employees must be offered a genuine alternative — typically a paper check or direct deposit to a bank account of their choice. If you use payroll cards, those cards must comply with Regulation E disclosures, error resolution, and unauthorized transfer protections, and may not impose fees that effectively remove the employee's choice.

If you run a fintech platform, payment app, or neobank: Platforms that hold consumer funds, facilitate electronic transfers, or access consumer bank accounts through the ACH network are subject to Regulation E (12 CFR Part 1005). This includes:

  • Error resolution procedures (10-business-day investigation; 45-day resolution; provisional credit)
  • Unauthorized transfer liability caps
  • Disclosure requirements (terms, fees, liability limits)
  • Prepaid account rules (CFPB Prepaid Rule, effective 2019): general-purpose reloadable cards (GPR), government benefit cards, and payroll cards must provide Regulation E protections including fee disclosures, access to account history, and error resolution

CFPB examination authority extends to "larger participants" in the consumer payments market — fintech payments platforms above defined size thresholds face CFPB supervision comparable to banks. Ensure your error resolution processes, disclosure documents, and complaint handling systems are Regulation E-compliant before scaling.

<!-- /pria:personalize -->

State Variations

<!-- pria:personalize type="state-specific" -->

EFTA explicitly preserves state consumer protection laws that provide greater protections than federal law:

  • Several states impose stricter liability caps or shorter investigation deadlines
  • State money transmitter laws add additional protections for electronic payment services
<!-- /pria:personalize -->
  • State unfair and deceptive practices acts provide parallel enforcement authority
  • Some states have enacted specific protections for prepaid cards and payroll cards
  • Federal preemption applies only where state law is inconsistent with and less protective than EFTA

Implementing Regulations

The CFPB regulations implementing EFTA live at 12 CFR Part 1005 — Regulation E. The Part spans 36 sections covering the full lifecycle of electronic fund transfer protections: coverage, disclosures, liability, error resolution, overdraft opt-in, prepaid accounts, gift cards, and international remittances. Key provisions:

  • § 1005.3 — Coverage: applies to EFTs that debit or credit a consumer account at a financial institution; excludes wire transfers (governed by Regulation J/UCC Article 4A), check transactions, securities/commodities transfers, and automatic same-institution account-to-account transfers
  • § 1005.5 — Issuance of access devices: financial institutions may issue debit cards and PINs only in response to a consumer's oral or written request, or as renewal/substitution of an accepted card; unsolicited debit card issuance is prohibited (contrast with credit cards, which may not be issued unsolicited under Regulation Z)
  • § 1005.6 — Consumer liability for unauthorized transfers: the three-tier structure — $50 if reported within 2 business days of learning of the loss; $500 if reported within 60 days of the periodic statement; unlimited for transfers occurring after the 60-day statement window; the clock starts when the statement containing the first unauthorized transaction is made available, not when the consumer opens it
  • § 1005.7 — Initial disclosures: must be provided before the first EFT is made; must include liability limits, types of transfers available, fees, error resolution procedures, and the institution's business days
  • § 1005.10 — Preauthorized transfers: for variable-amount recurring transfers, the institution must notify the consumer of the amount at least 10 days before the transfer date (or the consumer can waive this and receive notice only when the amount falls outside a pre-agreed range); consumers can stop preauthorized transfers by notifying the bank at least 3 business days before the scheduled date
  • § 1005.11 — Error resolution: institution must acknowledge a consumer's error notice within 10 business days and resolve (correct or determine no error) within 45 business days total; if the investigation will exceed 10 business days, provisional credit must be provided within that window; for new accounts (opened <30 days), the window extends to 20 business days for provisional credit and 90 days for resolution; applicable error types include unauthorized transfers, incorrect amounts, omitted transactions, and computational errors
  • § 1005.13 — Record retention: institutions must retain evidence of compliance with Regulation E requirements for 2 years from the date disclosures are required or action is taken
  • § 1005.15 — Electronic benefit transfer accounts: government benefit programs (food assistance/SNAP, Direct Express for SSA/VA payments) must provide Regulation E protections including error resolution and liability limits; agencies must offer a reasonable opportunity for recipients to select another financial institution
  • § 1005.16 — ATM fee disclosures: ATM operators must disclose the surcharge fee on-screen before the consumer is committed to completing the transaction; the consumer must have the opportunity to cancel without charge; the historical requirement for physical on-machine notices was eliminated by a 2012 amendment
  • § 1005.17 — Overdraft services: institutions may not charge overdraft fees for one-time debit card or ATM transactions unless the consumer has affirmatively opted in; opt-in must be obtained separately from other account terms; the rule does not restrict overdraft programs for checks or ACH debits; consumers who opt in can revoke consent at any time
  • § 1005.18 — Prepaid accounts: all Regulation E protections apply to general-purpose reloadable (GPR) prepaid cards, payroll cards, and government benefit cards; additional rules require a short-form fee disclosure before acquisition and a long-form fee disclosure thereafter; accounts with credit features linked to the prepaid account trigger additional Regulation Z requirements
  • § 1005.20 — Gift cards and gift certificates: cards must remain valid for at least 5 years from purchase date (or 5 years after the last funds were loaded); inactivity fees may be charged only if the account has been inactive for 12+ consecutive months and only one fee per month; consumers must be notified of any inactivity fee before purchase; these rules apply to retail gift cards, network-branded gift cards (Visa/Mastercard), and gift certificates
  • §§ 1005.30–1005.36 — Remittance transfers (international wires and money transfers): applies to any consumer-initiated transfer of more than $15 sent abroad; remittance transfer providers must disclose the exchange rate, fees, taxes, and the amount the recipient will receive before the consumer pays; consumers have a 30-minute cancellation right after payment with full refund; error resolution: if the recipient receives less than the disclosed amount (due to exchange rate or fee errors), the provider must investigate within 90 days and either refund the difference or re-send; the CFPB's remittance rule covers banks, credit unions, money services businesses (Western Union, MoneyGram), and digital platforms facilitating international transfers

Regulation E operates alongside Regulation Z for products that combine deposit account access with credit features — the CFPB's 2019 Prepaid Rule created specific rules for hybrid prepaid-credit products (e.g., a prepaid card with an overdraft line) to ensure both sets of protections apply. The overdraft opt-in requirement (§ 1005.17) was one of the most significant post-financial-crisis consumer protection additions to Regulation E and materially reduced overdraft fee revenue at major banks.

Recent rulemakings: The CFPB's 2019 Prepaid Account Rule (effective April 1, 2019) extended full Regulation E protections to GPR prepaid cards, payroll cards, and government benefit cards — closing a gap where millions of consumers using prepaid cards had no federal error resolution rights. The 2024 CFPB proposed rule on overdraft fees (NSF fees >$5 treated as credit extension subject to TILA) was withdrawn by the Trump CFPB in 2025 before taking effect.

  • 12 CFR Part 205 — Federal Reserve Board Regulation E: the FRB's legacy EFTA implementing regulation, maintained alongside CFPB Part 1005 after Dodd-Frank transferred primary EFTA rulemaking authority to the CFPB in 2011. Part 205 is substantively parallel to Part 1005 and continues to apply to state member banks supervised by the Federal Reserve. Key sections mirror CFPB counterparts: § 205.6 (consumer liability caps — same $50/$500/unlimited tiers as § 1005.6); § 205.11 (error resolution — 10 business day investigation, 45 day resolution, provisional credit requirement); § 205.17 (overdraft opt-in rule — consumers must affirmatively opt in before overdraft fees may be charged on one-time debit card or ATM transactions); and § 205.20 (gift card protections — 5-year minimum card validity, inactivity fee restrictions). The Federal Reserve applies Part 205 in safety-and-soundness examinations of the roughly 850 state member banks it supervises; other federal banking regulators (OCC for national banks, FDIC for state non-member banks) use CFPB Part 1005 as the reference standard. The substantive rules are functionally identical; the parallel regulatory structure reflects the multi-regulator design of federal consumer financial supervision rather than any difference in consumer rights.

  • 12 CFR Part 235 — Debit Card Interchange Fees and Routing (Regulation II): the Federal Reserve's implementing rule for the Durbin Amendment (Section 1075 of Dodd-Frank, codified at 15 U.S.C. § 1693o-2), which capped debit card interchange fees that large bank card issuers can receive:

    • § 235.3 — Interchange fee cap: an issuer may receive or charge an interchange transaction fee of no more than $0.21 per transaction plus 0.05% of the transaction value — for example, a $50 debit card purchase generates a maximum interchange fee of $0.245; this cap applies to banks and credit unions with $10 billion or more in total assets (the "regulated" issuers); the cap replaced the pre-Durbin average interchange of approximately $0.44 per transaction, cutting interchange revenue roughly in half for large issuers
    • § 235.4 — Fraud-prevention adjustment: regulated issuers may receive an additional $0.01 per transaction on top of the § 235.3 cap if they implement specified fraud-prevention standards (annual fraud monitoring, fraud detection methodologies, and annual review of their programs); this adjustment is separate from the base interchange cap and is only available to issuers certified as meeting the fraud standards
    • § 235.5 — Small issuer exemption: banks and credit unions with less than $10 billion in total assets are fully exempt from the interchange cap; small issuers may continue to receive market-rate interchange (which has generally remained around $0.45–$0.55 per transaction, above what large issuers receive); the exemption was intended to protect community banks and credit unions, though in practice Visa and Mastercard networks have tended to converge rates across issuer sizes
    • § 235.7 — Network exclusivity and routing requirements: a debit card must be enabled on at least two unaffiliated payment card networks — for example, both Visa and a regional PIN-debit network like NYCE or Interlink; merchants must be given a choice of at least two networks for routing debit transactions; these anti-exclusivity rules prevent card networks from locking issuers into single-network arrangements that would reduce routing competition; the CFPB extended routing requirements to "card-not-present" (online) debit transactions in a 2023 final rule

    Regulation II is one of the most financially significant consumer finance regulations in the U.S. — it affects every debit card transaction. Merchants collectively save an estimated $6–10 billion per year compared to pre-Durbin interchange rates, though the savings have not uniformly translated into lower retail prices. Banks and credit unions above $10 billion lost substantial interchange revenue, which contributed to the elimination of free checking accounts and debit rewards programs at large banks. The routing competition provisions (§ 235.7) have been the subject of ongoing litigation and regulatory interpretation — the 2023 extension to online debit transactions was a significant expansion. Recent rulemakings: 85 FR 77362 (December 2020) — Board proposed update to routing requirements for card-not-present transactions, finalized in 2023.

Pending Legislation

No standalone EFTA reform bills have been introduced in the 119th Congress. Related consumer financial protection provisions appear in broader legislation — see CFPB and Consumer Financial Protection and Credit Card Late Fee Cap.

Recent Developments

The CFPB has extended Regulation E protections to prepaid accounts (including general-purpose reloadable cards, government benefit cards, and payroll cards) through a 2019 rule update. Person-to-person payment platforms like Venmo, Zelle, and Cash App have faced increased scrutiny over whether their error resolution processes meet Regulation E standards — particularly for scam-induced transfers where the consumer authorized the payment but was deceived. The distinction between "unauthorized" transfers (covered by EFTA's liability caps) and "authorized but fraudulently induced" transfers (potentially not covered) remains an active area of regulatory and litigation focus.

At My Address

See how Electronic Fund Transfer Act (EFTA) plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address