How Unauthorized Transactions Work, and How to Dispute Them

Let’s say you notice an unauthorized transaction in your bank account after your debit card goes missing. This can be aggravating. But a federal regulation gives you a potential way to fix it.

Much of Regulation E, part of the federal Electronic Fund Transfer Act of 1978, lays out what happens when an error involving an electronic funds transfer (EFT) is suspected. One of the major examples of this type of error is an unauthorized debit card transaction. The Federal Reserve created the rules that make up Regulation E. The Consumer Financial Protection Bureau now oversees this regulation.

How does Regulation E work?

Regulation E (or Reg E for short) is primarily designed to protect consumers who’ve been the victim of an unauthorized EFT. For instance, Regulation E can offer protection if your debit card or debit card number is stolen, and your account is then used to make a purchase that you didn’t authorize.

Among the EFTs covered by Regulation E are:

  • Point-of-sale transactions
  • Debit card transactions
  • ATM transactions
  • Direct deposits or withdrawals (through Automated Clearing House, or ACH)
  • International money transfers (remittances)
  • Certain online bill payments
  • Pay-by-phone transactions
  • Person-to-person payments (such as Venmo and Zelle)

The regulation does not typically does not cover credit card transactions, paper checks or wire transfers, however. In addition, it does not provide protection when a consumer commits fraud or when a consumer willingly gives their debit card to somebody who commits fraud.

Examples of times when Regulation E may or may not take effect

The National Association of Federally-Insured Credit Unions offers these four scenarios to demonstrate when Regulation E may or may not apply.

  1. Sally gives her debit card to her son, Jake, to buy groceries. But Jake buys a TV instead. The TV purchase is not necessarily an unauthorized transaction. When another person is given authority to make transactions with a debit card, the account owner is liable for all transactions. That includes any transactions that go beyond what was supposed to be done, such as buying a TV instead of groceries. However, if Sally had told her financial institution that Jake could no longer use the debit card, she might be protected by Regulation E.
  2. Ken writes his PIN on his debit card so he won’t forget it. His card is stolen and used at an ATM. As long as Ken quickly tells his financial institution about the unauthorized transaction, it’s considered an unauthorized EFT. In other words, Ken isn’t punished for writing his PIN on the debit card.
  3. John buys a new desk online but isn’t satisfied with the new piece of furniture after unpacking it. This is not considered an unauthorized transaction. The same would hold true if the desk is damaged or defective. Why? Because John initiated the purchase.
  4. A fraudster calls Amy, pretending to be a representative of her financial institution. Amy gives her account information to the fraudster, who then uses it to withdraw money from her account. Even though Amy voluntarily provided account information to the fraudster, the withdrawals are viewed as unauthorized because they involved fraud.

Errors might trigger a Regulation E dispute

Forbes Advisor points out that errors other than those caused by fraud might be covered under Regulation E.

For example, let’s say you cancel your subscription to a streaming service but a charge shows up after the cancellation. In this case, you could request a refund from the streaming service. But if the streaming service doesn’t grant your request, you could file a Regulation E dispute with your financial institution.

According to Forbes Advisor, Regulation E allows you to dispute these errors:

  • Unauthorized EFTs
  • Incorrect EFTs to or from your account
  • Omission of an EFT from your bank statement
  • Computational or bookkeeping errors related to at EFT
  • Receipt of an incorrect amount of money from an ATM or another electronic terminal
  • Errors tied to preauthorized transfers
  • Requests for additional information or clarification about an EFT

Does Regulation E cover payday lenders?

Yes, Regulation E applies to EFTs for payday loans.

“Among other things, Regulation E prohibits lenders from requiring, as a condition of loan approval, a customer’s authorization for loan repayment through a recurring electronic funds transfer (EFT), except in limited circumstances,” according to the Consumer Financial Protection Bureau (CFPB).

Things get a little confusing with Regulation E protections when it comes to payday loan payments made with a traditional paper check.

Paper checks converted into electronic checks

In some cases, paper checks written by payday loan borrowers aren’t actually processed like traditional checks. Instead, a lender might process the check as an ACH (Automated Clearing House) payment, which qualifies as an electronic funds transfer, instead of as a traditional check, which would not qualify as an EFT. Under Regulation E, electronic funds transfers might be protected, while other transactions are not.

How are payday lenders able to do this? They can use the account number and routing number on a paper check to initiate an electronic ACH transaction.

Paper checks used as first-time payments

When a payday lender uses the ACH network to collect a first-time payment with a paper check, this is considered an EFT under Regulation E. As a result, a borrower should enjoy more protections than if the payment was treated as a traditional paper check and went through the paper-check system.

Paper checks processed through ACH due to insufficient funds

If a transaction is initially processed through the paper-check system and then sent through the ACH network because the first attempt failed due to insufficient funds in the borrower’s account, the follow-up ACH attempt doesn’t qualify as an EFT under Regulation E.

‘Remotely created’ checks processed through paper-check system

A borrower might provide their account and routing numbers to a payday lender for an ACH payment, but the lender might use that information to initiate a “remotely created” check that’s processed through the paper-check system. In this scenario, the transaction might not be protected under Regulation E.

How to dispute an unauthorized transaction

If you suspect an unauthorized transaction in your bank account, contact your financial institution right away.

If you tell your bank or credit union within two business days of finding out your debit card, PIN or security code was lost or stolen, you’re liable only for the amount of unauthorized transactions or $50, whichever is lower. After two business days, you could be on the hook for as much as $500 in unauthorized transactions.

What about if your bank or credit union sends you a statement showing an unauthorized debit? If that occurs, notify them within 60 days. Put off that notification, and you could be stuck with covering all of the transactions that happened after the 60-day deadline and before you alerted your financial institution.

For you to be held responsible for suspicious transactions, your bank or credit union would need to prove that if you informed them before the 60-day deadline, the transactions would not have happened.

What if nothing was lost or stolen?

If unauthorized transactions show up on your account statement yet your debit card, PIN or security code wasn’t lost or stolen, immediately contact your bank or credit union. The 60-day deadline also applies in this situation. You might be responsible for all of the unauthorized transactions that happened after that deadline passed and before you notified your financial institution.

Situations like a hospital stay or a long vacation might give you some breathing room if you aren’t able to take action within 60 days.

How do I contact my bank?

If you discover an unauthorized transaction for a checking or savings account, check the back of your debit card for the phone number of their customer service department. Or log onto your online account to see whether you can contact the customer service department by email or chat. You also can use your financial institution’s mobile app to reach out to them.

But don’t stop there.

“Send a letter to the card issuer and include your account number, the date and time when you noticed your card was missing, and when you first reported the loss. Keep a copy of your letter and your notes from calls with the bank or credit union,” the Federal Trade Commission (FTC) advises.

When will my transaction dispute be resolved?

Under Regulation E, a bank or credit union generally must look into your dispute right away and decide within 10 business days whether you’ll be reimbursed for the unauthorized transaction. Once it decides whether there was an error, the financial institution must fix it within one business day.

If the financial institution isn’t able to wrap up everything within 10 business days, it’s allowed up to 45 days after receiving your dispute to investigate the matter and figure out whether you’re owed money.

Are credit cards covered by Regulation E?

No, credit cards are not covered by Regulation E. Rather, they’re covered by the Credit CARD Act of 2009. Regulation E applies only to EFTs such as debit card transactions; credit card transactions don’t qualify as EFTs.

The bottom line

Regulation E gives you a lot of rights when it comes to unauthorized transactions, such as ATM withdrawals made by a crook. But these rights aren’t automatic. If you detect an unauthorized transaction in a bank or credit card account, you must alert your financial institution as soon as possible. Failure to act quickly could cost you a lot of money.

Scroll to Top