Skip to main content

§ 1005.6 Liability of consumer for unauthorized transfers.

(a) Conditions for liability. A consumer may be held liable, within the limitations described in paragraph (b) of this section, for an unauthorized electronic fund transfer involving the consumer's account only if the financial institution has provided the disclosures required by § 1005.7(b)(1), (2), and (3). If the unauthorized transfer involved an access device, it must be an accepted access device and the financial institution must have provided a means to identify the consumer to whom it was issued.

1. Means of identification. A financial institution may use various means for identifying the consumer to whom the access device is issued, including but not limited to:

i. Electronic or mechanical confirmation (such as a PIN).

ii. Comparison of the consumer's signature, fingerprint, or photograph.

2. Multiple users. When more than one access device is issued for an account, the financial institution may, but need not, provide a separate means to identify each user of the account.

See interpretation of 6(a) Conditions for Liability in Supplement I

(b) Limitations on amount of liability. A consumer's liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

1. Application of liability provisions. There are three possible tiers of consumer liability for unauthorized EFTs depending on the situation. A consumer may be liable for: (1) up to $50; (2) up to $500; or (3) an unlimited amount depending on when the unauthorized EFT occurs. More than one tier may apply to a given situation because each corresponds to a different (sometimes overlapping) time period or set of conditions.

2. Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)-2 regarding termination of the authority of given by the consumer to another person.)

3. Limits on liability. The extent of the consumer's liability is determined solely by the consumer's promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.

See interpretation of 6(b) Limitations on Amount of Liability in Supplement I

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

1. $50 limit applies. The basic liability limit is $50. For example, the consumer's card is lost or stolen on Monday and the consumer learns of the loss or theft on Wednesday. If the consumer notifies the financial institution within two business days of learning of the loss or theft (by midnight Friday), the consumer's liability is limited to $50 or the amount of the unauthorized transfers that occurred before notification, whichever is less.

2. Knowledge of loss or theft of access device. The fact that a consumer has received a periodic statement that reflects unauthorized transfers may be a factor in determining whether the consumer had knowledge of the loss or theft, but cannot be deemed to represent conclusive evidence that the consumer had such knowledge.

3. Two business day rule. The two business day period does not include the day the consumer learns of the loss or theft or any day that is not a business day. The rule is calculated based on two 24-hour periods, without regard to the financial institution's business hours or the time of day that the consumer learns of the loss or theft. For example, a consumer learns of the loss or theft at 6 p.m. on Friday. Assuming that Saturday is a business day and Sunday is not, the two business day period begins on Saturday and expires at 11:59 p.m. on Monday, not at the end of the financial institution's business day on Monday.

See interpretation of 6(b)(1) Timely Notice Given in Supplement I

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer's liability shall not exceed the lesser of $500 or the sum of:

1. $500 limit applies. The second tier of liability is $500. For example, the consumer's card is stolen on Monday and the consumer learns of the theft that same day. The consumer reports the theft on Friday. The $500 limit applies because the consumer failed to notify the financial institution within two business days of learning of the theft (which would have been by midnight Wednesday). How much the consumer is actually liable for, however, depends on when the unauthorized transfers take place. In this example, assume a $100 unauthorized transfer was made on Tuesday and a $600 unauthorized transfer on Thursday. Because the consumer is liable for the amount of the loss that occurs within the first two business days (but no more than $50), plus the amount of the unauthorized transfers that occurs after the first two business days and before the consumer gives notice, the consumer's total liability is $500 ($50 of the $100 transfer plus $450 of the $600 transfer, in this example). But if $600 was taken on Tuesday and $100 on Thursday, the consumer's maximum liability would be $150 ($50 of the $600 plus $100).

See interpretation of 6(b)(2) Timely Notice Not Given in Supplement I

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and

(ii) The amount of unauthorized transfers that occur after the close of two business days and before notice to the institution, provided the institution establishes that these transfers would not have occurred had the consumer notified the institution within that two-day period.

(3) Periodic statement; timely notice not given. A consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers. If the consumer fails to do so, the consumer's liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period. When an access device is involved in the unauthorized transfer, the consumer may be liable for other amounts set forth in paragraphs (b)(1) or (b)(2) of this section, as applicable.

1. Unlimited liability applies. The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability. If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period. The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability: up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card and up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft.

2. Transfers not involving access device. The first two tiers of liability do not apply to unauthorized transfers from a consumer's account made without an access device. If, however, the consumer fails to report such unauthorized transfers within 60 calendar days of the financial institution's transmittal of the periodic statement, the consumer may be liable for any transfers occurring after the close of the 60 days and before notice is given to the institution. For example, a consumer's account is electronically debited for $200 without the consumer's authorization and by means other than the consumer's access device. If the consumer notifies the institution within 60 days of the transmittal of the periodic statement that shows the unauthorized transfer, the consumer has no liability. However, if in addition to the $200, the consumer's account is debited for a $400 unauthorized transfer on the 61st day and the consumer fails to notify the institution of the first unauthorized transfer until the 62nd day, the consumer may be liable for the full $400.

See interpretation of 6(b)(3) Periodic Statement; Timely Notice Not Given in Supplement I

(4) Extension of time limits. If the consumer's delay in notifying the financial institution was due to extenuating circumstances, the institution shall extend the times specified above to a reasonable period.

1. Extenuating circumstances. Examples of circumstances that require extension of the notification periods under this section include the consumer's extended travel or hospitalization.

See interpretation of 6(b)(4) Extension of Time Limits in Supplement I

(5) Notice to financial institution.

1. Receipt of notice. A financial institution is considered to have received notice for purposes of limiting the consumer's liability if notice is given in a reasonable manner, even if the consumer notifies the institution but uses an address or telephone number other than the one specified by the institution.

2. Notice by third party. Notice to a financial institution by a person acting on the consumer's behalf is considered valid under this section. For example, if a consumer is hospitalized and unable to report the loss or theft of an access device, notice is considered given when someone acting on the consumer's behalf notifies the bank of the loss or theft. A financial institution may require appropriate documentation from the person representing the consumer to establish that the person is acting on the consumer's behalf.

3. Content of notice. Notice to a financial institution is considered given when a consumer takes reasonable steps to provide the institution with the pertinent account information. Even when the consumer is unable to provide the account number or the card number in reporting a lost or stolen access device or an unauthorized transfer, the notice effectively limits the consumer's liability if the consumer otherwise identifies sufficiently the account in question. For example, the consumer may identify the account by the name on the account and the type of account in question.

See interpretation of 6(b)(5) Notice to Financial Institution in Supplement I

(i) Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.

(ii) The consumer may notify the institution in person, by telephone, or in writing.

(iii) Written notice is considered given at the time the consumer mails the notice or delivers it for transmission to the institution by any other usual means. Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer's account has been or may be made.

(6) Liability under state law or agreement. If state law or an agreement between the consumer and the financial institution imposes less liability than is provided by this section, the consumer's liability shall not exceed the amount imposed under the state law or agreement.