3 April 2025 | 11 minute read

Mitigating risks for banks, fintech companies, and payment processors

Emerging issues under the Electronic Fund Transfer Act, Regulation E, and the UCC

As banks, fintech companies, and payment processors continue to innovate and partner on payment and wallet solutions, they must navigate the intricate framework established by the Electronic Fund Transfer Act (EFTA) and its implementing regulation, Regulation E. Increasingly, these and other covered financial institutions find themselves the subject of regulatory scrutiny or litigation relating to their compliance with EFTA and Regulation E error resolution requirements, shining a spotlight on several potentially ambiguous provisions in the law.

Court action has further blurred the line between the EFTA (which applies only to consumer funds transfers) and Article 4-A of the Uniform Commercial Code (UCC, or Article 4-A) (which typically governs wires and other commercial payments), creating additional uncertainty. A recent decision in the Southern District of New York – where the court held that the EFTA and Regulation E governed a portion of a wire transaction – reflects the changing landscape.

This alert discusses these developments in EFTA, Regulation E, and Article 4-A litigation and highlights key considerations for mitigating risks associated with electronic transactions.

EFTA and Regulation E: Core consumer protections

The EFTA aims to protect consumers engaged in electronic payments, such as ATM withdrawals, peer-to-peer transfers, and debit card transactions. Regulation E, which implements the EFTA, establishes rules for how banks and other covered financial institutions must manage these transactions, including resolving errors and providing mandatory disclosures to consumers. Financial institutions that fail to comply with the statute and regulation open themselves to regulatory actions and private litigation risk, even over seeming technicalities.

Core requirements of the EFTA and Regulation E include:

  • Disclosure requirements: Financial institutions must provide consumers with clear disclosures about the terms, fees, and procedures related to electronic fund transfers, following specific formatting and timing requirements.

  • Error resolution: Regulation E outlines the process for investigating and resolving consumer notices of unauthorized or incorrect transactions executed by the financial institution. As defined by the EFTA, an unauthorized electronic fund transfer is any transfer initiated by someone other than the consumer who lacks actual authority to do so, and from which the consumer receives no benefit. Upon receipt of a consumer’s notice of an error or unauthorized transaction, a financial institution is required to provide the consumer with written information relating to the investigation (known as an error resolution notice) and refunds under specific circumstances.

  • Consumer liability: Regulation E imposes various limitations on a consumer’s liability for unauthorized electronic fund transfers based principally on when the consumer reports the transfers to the financial institution and whether an access device is involved (an access device is any card, code, or other means that may be used by a consumer to initiate electronic fund transfers).

Emerging issues related to the EFTA and Regulation E

Given the technical requirements of the EFTA and Regulation E, and in light of certain ambiguities on when the EFTA governs, financial institutions are seeing more EFTA litigation. Below, we summarize key issues relating to compliance and steps financial institutions can take that may help to mitigate compliance and litigation risk:

1. Responsibilities of multiple parties in bank–fintech and other partnerships

Electronic payment and transfer services that feature partnerships between banks, fintech companies, and payment processors have become increasingly common. These relationships often complicate compliance with the EFTA and Regulation E, especially where each party’s responsibilities are not clearly defined and followed. For example, while fintech companies in multi-party relationships typically serve as the consumer-facing entities that offer digital wallets and payment services, banks often are responsible for maintaining the accounts and handling error resolution.

Meanwhile, payment processors often provide the infrastructure to facilitate the movement of funds. It is important to note that the Consumer Financial Protection Bureau (CFPB) has provided guidance suggesting that payment processors could be considered “financial institutions” subject to the error resolution obligations under Regulation E. Recent enforcement actions by the CFPB against payment processors and other fintech companies reinforce this expansive view of who is a covered “financial institution.”

Multi-party relationships may lead to an enforcement action or litigation where a consumer notifies one of the parties of an error or fraud, but that notice does not lead to an investigation by the appropriate partner as contemplated by Regulation E or the partnership agreements. In this scenario, regulators could hold every party that is a financial institution responsible for Regulation E failures. And one party may be forced to indemnify the other parties as a consequence if that party’s failure led to the enforcement action or caused damages.

To mitigate risk, agreements between banks, fintech companies, and payment processors should, in particular, address:

  • Roles in dispute resolution: Clearly define which party is responsible for investigating consumer disputes and providing disclosures.

  • Indemnification provisions: Specify which party bears financial responsibility, including for violations of Regulation E or failure to meet error resolution deadlines.

  • Fraud prevention and monitoring: Establish robust fraud prevention measures and ensure timely identification and reporting of unauthorized transactions between companies. Likewise, monitoring is important to help ensure that the actual process aligns with written policies and procedures.

To further mitigate risk, the parties should ensure that the information within any consumer-facing agreements or disclosures is clear and correct. Generally, it is recommended that the bank partner’s contact information be provided to the consumer as the sole avenue to report error- or fraud-related issues. This disclosure seeks to avoid the scenario outlined above, where information is not passed to the entity responsible for the error resolution process. Finally, the parties to the relationship are encouraged to engage in active and periodic monitoring to ensure that current practices align with any written policies and procedures. This monitoring may include testing of the consumer reporting function, review of the various disclosures and notices required by Regulation E, and testing the flow of information within the multi-party relationship.

2. Scope of investigation required when a dispute is issued

A significant amount of EFTA and Regulation E error resolution litigation arises from allegations of either a failure to investigate a consumer’s dispute, or inadequate investigation procedures. Whether an investigation is reasonable is heavily fact-dependent.

Under Regulation E, a reasonable investigation includes review of relevant information within the institution’s records. Generally, a financial institution may not summarily deny an error claim simply because the consumer had previously authorized transactions of a similar type. Regulation E also requires a financial institution to review information in the possession of third parties with whom the financial institution has an agreement.

The financial institution may consider starting the investigation by thoroughly reviewing any communications with, and any documents provided by, the consumer as part of the error notice. Institutions are encouraged to review consumer documents in the possession of the financial institution as well as other parties to a multi-party partnership, looking in particular at the specific transaction and the surrounding transactions. Even where one or a handful of these surrounding transactions appears to be legitimate, financial institutions should scrutinize each transaction in cases involving multiple alleged errors. Financial institutions may also look to any details that distinguish the allegedly fraudulent transaction(s) from other transactions (eg, geographic location, consumer purchase history, transaction amounts).

3. Details contained in written investigation reports

After investigating an error notice, a financial institution must communicate the following:

  • The investigation determination

  • An explanation of the determination when it determines that no error or a different error occurred, and

  • The consumer’s right to request the documents that the financial institution relied on to make its determination.

Upon request, the institution is required to promptly provide copies of the documents. Where it has determined that no error occurred, the financial institution could choose to provide, among other things:

  • Proof that the transaction was authorized (simply providing a statement that the consumer’s error claim was determined to be authorized may be insufficient)

  • Evidence that the transaction occurred in a manner consistent with the consumer’s account terms, or

  • Evidence that the consumer failed to report the error within the required time period.

If the dispute was resolved in the consumer’s favor, the institution must also explain how any necessary refunds or corrections will be made.

Failure to include the required detail in the written notice can expose the financial institution to legal liability. Indeed, inadequate or unclear notifications could result in consumer lawsuits or regulatory penalties. Depending on the allocation of compliance with laws and other responsibilities in multi-party relationships, contractual indemnity provisions could also be implicated.

4. “Consumer wire transfers”: When the EFTA collides with Article 4-A

Another complication is whether consumer-initiated wire transfers – once thought wholly subject to UCC Article 4-A – may also be partly subject to EFTA and Regulation E. Article 4-A is a comprehensive body of law that defines the rights and obligations that arise from wire transfers, among certain other payments. Thus, Article 4-A has governed wire payments sent by both businesses and consumers.

In general, Article 4-A provides fewer protections than those afforded by the EFTA. This is in part because Article 4-A typically applies to large dollar-amount, real-time, and irreversible transactions like wires transmitted between financial institutions. Provisions under the EFTA and Regulation E, which subject consumer transactions to extended dispute settlement procedures and potential reversals, have therefore long been viewed as incompatible with Article 4-A and the payment systems that it governs.

However, a January 2025 decision by the District Court for the Southern District of New York could change that. Considering a case brought by the state of New York against a large bank, the court partly denied the bank’s motion to dismiss the state’s lawsuit alleging that the bank violated the EFTA by failing to protect consumer victims of wire fraud.

The bank argued that the EFTA and Regulation E did not apply. According to it (and the traditional view), Article 4-A, as adopted by the state of New York, governed the entirety of a wire payment, which is a series of funds transfers. A wire begins with a sender – such as a consumer or business – instructing its bank to debit funds from its account there and send them to a recipient. The sender’s bank then sends those funds through a wire network to one or more banks, ending with the recipient. The state of New York, however, argued that the initial step of a wire payment – the instruction from the sending consumer to its bank – was governed by the EFTA and Regulation E. The district court agreed with the state of New York. According to the court, the statutory purpose of the EFTA was to protect consumers from sophisticated, technological frauds. Thus, the apparent exclusion by the EFTA in 15 USC § 1693a(7)(B) and Regulation E at 12 CFR § 1005.3(c)(3) of wire payments did not apply to the initial consumer leg of these transactions.

The case underscores the policy considerations surrounding the EFTA and the importance of maximizing customer protections to avoid litigation and regulatory risk. The bank currently awaits the court’s order on a Motion for Leave to Appeal. On March 26, 2025, the CFPB moved to withdraw a legal brief it had filed during the Biden Administration, which argued that the EFTA governs the initial leg of the wire transfer when funds are pushed from a consumer’s account. According to its motion to withdraw, the CFPB concluded that the previous filing of the legal brief was inappropriate and represented “an unsuitable method of advancing a novel and significant interpretation of the EFTA.”

Conclusion

As banks, fintech companies, and payment processors provide consumers with modern financial services, they must remain vigilant about complying with the EFTA and Regulation E. This includes providing detailed written notices to consumers when error claims are denied, adhering to investigation timelines, and helping to ensure that contracts between parties clearly allocate responsibilities. On top of that, financial institutions must now consider whether certain transactions – such as consumer wire transfers – thought wholly governed by the UCC, could be instead protected by the EFTA and Regulation E.

For more information, please contact the authors.