If you’re launching a card program, you may have heard terms like the EFTA or Reg E being thrown around in legal or compliance discussions.
The Electronic Fund Transfer Act (EFTA) is important to fintechs because it establishes the rights, liabilities, and responsibilities for parties involved in an electronic transaction (like a debit card transaction). It’s what allows consumers to challenge transaction errors (disputes) or get their money back when an investigation reveals a legitimate error or wrongdoing (chargeback).
It also does other import things like setting caps on interchange debit card fees, giving merchants choices on how to route card transactions, and requiring you to provide certain notices and disclosures to consumers.
In this blog, we break down the EFTA and Regulation E.
If you’re launching a debit card product, here’s what you need to know:
- The EFTA is a federal law that protects consumers when they transfer funds electronically.
- Every product has its own considerations, so talk to a lawyer!
- The EFTA establishes certain requirements, like:
- You need to disclose certain terms.
- You may be required to provide monthly statements.
- You may need to give advance notice before you change important terms.
- You need to address claims there were unauthorized transactions, which may include having to cover the costs of fraudulent transactions.
- Lithic’s legal team knows many fintech lawyers and we’re happy to point customers to recommendations.
What is the EFTA?
Debit cards and other electronic payment methods are primarily regulated by the EFTA. The law sets a high-level framework, but Regulation E (or Reg E) fills in a lot of the details, so you may hear “EFTA” and “Reg E” used interchangeably.
The EFTA was originally passed to give consumers protections from then-new ATM and electronic payment technologies. But as new tech developed, it evolved to cover much more.
While the requirements may seem like a hurdle, many fintech entrepreneurs are able to navigate them. So let’s walk through some of the main considerations.
Who does the EFTA apply to?
The EFTA applies to certain financial institutions, including banks. When a fintech that offers cards works with a bank (as is typical in card issuing), the bank delegates much of its EFTA obligations to the fintech. This post focuses on how the EFTA applies to fintech companies that partner with banks to offer cards, though the law applies to many other types of businesses.
What does the EFTA cover?
The EFTA applies to “electronic fund transfer” services, which generally means any transfers by electronic means that debit or credit a consumer’s bank account. However, it does not apply to electronic fund transfers for businesses, just consumers.
Practically, the EFTA applies to transfers via debit cards, prepaid cards, ACHs, ATMs, online payments, point-of-sale (POS) transfers, and other electronic payment methods. While the EFTA covers prepaid and gift cards, those types of cards have special rules, which we’ll discuss in later posts. The EFTA also sets special rules for remittances.
In contrast, credit cards are primarily regulated by a separate law, the Truth in Lending Act.
If the EFTA applies to a product offering, you may need to disclose certain terms, like fees, limits on transfer frequency, liability limits, contact information, and others.
While card providers need to tailor agreements and disclosures to their situation, Lithic is happy to provide basic templates.
Statements and notices
The EFTA requires that companies offering cards and certain other financial institutions provide monthly statements outlining transactions, applied fees, and other account events from the relevant month. You also need to give advance notice if you’re changing important terms like fees or allowed frequency of transfers.
The EFTA sets limits on how much consumers can be liable for unauthorized transactions (like fraud or card theft):
- Up to $50 if they notify their card issuing company within 2 business days after learning of the loss or theft of an access device.
- Up to $500 if they notify their card issuing company between 3 days after learning of the loss or theft of an access device and 60 days after the financial institution sends the monthly statement that includes the unauthorized transaction.
- After that, they can be fully liable for the unauthorized transactions that happen until they notify their card company that the transfer was unauthorized.
Also, the EFTA requires that companies investigate billing disputes within 10 days of being notified, and must report their findings and correct any errors. The 10-day timeline may be extended if the consumer is provided with provisional credit for any disputed amount.
Network liability policies
While the EFTA gives consumers some liability protections, the card networks Visa and Mastercard have their own “zero liability” policies for unauthorized transactions on certain cards. Those policies offer more protection than the EFTA; cardholders aren’t liable for any amount if they use reasonable care to protect their card and promptly report any loss or theft.
So if there’s a fraudulent charge, in practice this means that the card issuing company (or bank) eats the cost.
For more information, you can check out:
- The Consumer Financial Protection Bureau's EFTA FAQs.
- The EFTA Overview Board of Governors of the Federal Research System.
- The text of the law itself on the FDIC’s website.
- The Office of the Comptroller of the Currency’s examination procedures.
If you want updates on regulatory fintech news (written for non-lawyers) check out Reggie Young’s FinTech Law TL;DR.
Disclaimer: This post is for information purposes only and is not legal advice. Every situation is unique, so you should consult a lawyer; Lithic’s legal team can recommend fintech attorneys if you need.