Somebody buys $812 worth of designer sneakers on your debit card from a website you’ve never heard of. You spot the charge on Monday morning, your stomach drops, and you Google what to do. Most of the answers point back to a single piece of federal law: Regulation E. It’s the rule that decides how fast your bank has to investigate, how much money you can be on the hook for, and how quickly the cash has to land back in your account. If you’ve ever wondered why banks are so picky about exact dates when you report fraud, this is why.
Regulation E is also one of the most consistently misunderstood consumer protections in banking. People think it’s the same as the chargeback rights they have on a credit card; it isn’t. People think they’re automatically covered no matter how long they wait; they aren’t. And in a world where most of us are paying for groceries, splitting dinner on Venmo, and getting paid by direct deposit, knowing what Reg E actually says is a real piece of household financial literacy.
What Regulation E covers
Regulation E is the rulebook the Consumer Financial Protection Bureau wrote to implement the Electronic Fund Transfer Act of 1978, the law Congress passed when ATMs were spreading and people needed legal protection for money moving electronically. The CFPB’s text of Reg E is dry, but the scope is broad. It covers debit card purchases, ATM withdrawals, ACH debits, direct deposit reversals, and most peer-to-peer transfers that pull from or push to a consumer checking or prepaid account. Wire transfers are not covered. Business accounts are not covered. Credit card transactions are covered by a different law, the Fair Credit Billing Act, which is why credit card fraud and debit card fraud have such different rules.
The two big jobs Reg E does for consumers: it caps how much money you can lose when somebody else uses your card or account, and it forces your bank to investigate disputes on a defined timeline. Those are the two things that matter when you’re staring at a fraudulent charge.
The three liability tiers, demystified
Here is the part that surprises people: Regulation E’s liability cap depends almost entirely on how fast you tell your bank. There are three tiers, and the dollar exposure on the wrong tier can be enormous.
Tier one: report within two business days, lose at most $50. If you discover your debit card is lost, stolen, or being used by someone else, and you call your bank within two business days, your maximum out-of-pocket loss is $50. Most banks waive even that small amount under voluntary “zero liability” policies, but the federal floor is $50. The clock starts the moment you learn about the problem, not the moment the thief used the card.
Tier two: report between day three and day sixty, lose up to $500. Once you cross the two-business-day line, your potential liability jumps to $500. This is the tier that costs people real money, because life gets busy and a strange $40 charge can sit unnoticed on a statement for weeks. If you wait a month to call, the bank can hold you responsible for everything above the $50 floor up to a $500 cap, plus any additional unauthorized transactions you could have prevented by reporting sooner.
Tier three: wait more than 60 days after the statement, lose unlimited amounts on later transactions. This is the cliff. If a periodic statement shows an unauthorized transfer and you don’t tell the bank within 60 calendar days after that statement was sent, you can be held responsible for every subsequent fraudulent transaction. The fraudster who hit your account once in March and discovered your bank wasn’t watching could empty the account in May, and Reg E would not require the bank to give that later money back. Bankrate’s plain-English summary of Reg E walks through the same cliff and is worth bookmarking.
The takeaway is brutally simple. Look at your statement every month. The first time something looks wrong, call.
How the investigation timeline works
Once you’ve reported a problem in writing or by phone, Reg E hands the next part to your bank. Under Section 1005.11, the bank has 10 business days to investigate and resolve the dispute. If the investigation will take longer, the bank usually has up to 45 calendar days, but only if it credits your account provisionally for the disputed amount within those first 10 business days. That provisional credit is the legal mechanism that lets you keep paying rent while the bank takes its time.
There are a few wrinkles. New accounts opened in the last 30 days get a longer investigation window. Transactions that happened outside the United States or at point-of-sale terminals can extend the bank’s window to 90 calendar days, again only if you got provisional credit. If the bank decides the transaction wasn’t actually unauthorized, it has to send you a written explanation and you have the right to request copies of the documents the decision was based on.
Notice what Reg E does and does not require. It requires the bank to investigate and to communicate. It does not require the bank to side with you. If the investigation concludes that the transaction was authorized, the provisional credit gets reversed and you’re back where you started.
Why “authorized” is the word that matters
The whole game in a Reg E dispute is the word “unauthorized.” Federal law defines it narrowly: an unauthorized electronic fund transfer is one initiated by a person other than the consumer without actual authority, and from which the consumer received no benefit. A thief who steals your card and buys gas is the clear case. A teenager who knows your PIN and orders a video game is murkier, because giving someone access to your card can be treated as granting authority even if you didn’t mean to.
The murkiest area in 2026 is peer-to-peer fraud. When someone tricks you into sending money on Zelle or Venmo to a fake landlord or a fake utility, that transfer was technically authorized by you, even though you were defrauded. The CFPB has been pushing big banks to provide reimbursement in scam cases anyway, and several banks now have voluntary programs. But under Reg E as written, push payments you initiated yourself aren’t covered. The legal protection kicks in when somebody else moves money out of your account without your permission, not when you were socially engineered into sending it yourself.
This is the practical reason finance writers keep telling people to slow down before they hit “send” in a payment app. Once you’ve authorized the transfer, even a fraudulently-induced one, you’ve stepped outside Reg E’s strongest protections.
What to do the moment you spot a problem
The mechanics are easier than the legalese suggests. Call the number on the back of your card right away, ideally the same day you notice the issue. Ask the bank to freeze or replace the card, then formally dispute the transaction. Many banks let you start the dispute in the mobile app, but follow up in writing within ten business days to lock in your full Reg E rights. Keep a copy of the email or letter.
While the investigation is open, watch the account daily for additional fraudulent charges. Each new unauthorized transaction should be added to your dispute. Change online banking passwords, turn on two-factor authentication if it isn’t already on, and request a brand-new card number rather than reactivating the old one. If the bank denies the claim and you disagree, you can file a complaint with the CFPB or with your state attorney general; banks pay close attention to escalated complaints because they’re tracked publicly.
How Reg E fits with everything else
Reg E sits in a family of consumer banking rules that are easy to confuse. Regulation D used to cap savings withdrawals at six per month, the Fair Credit Billing Act governs credit cards, Regulation CC dictates check holds and funds availability, and the FDIC and NCUA provide deposit insurance if the bank itself fails. Reg E is the one that protects you specifically when the money moves electronically and it wasn’t supposed to.
The right mental model is this: a credit card gives you stronger legal protection for fraudulent purchases than a debit card, because the merchant gets paid back by your card issuer instead of pulling cash out of your account. A debit card gives you Regulation E, which is solid as long as you check your statement and call quickly. A wire transfer or self-initiated P2P payment gives you almost nothing once the money leaves. Knowing which tier you’re in before you tap is half the battle. The other half is making the phone call the same day something looks wrong.