The information below explains general legal concepts for educational purposes. It is not legal, financial, or tax advice, and it does not create an attorney-client relationship. Laws and procedures vary by jurisdiction and may change. The author and publisher disclaim liability for actions taken based on this content.
Key Facts
- Federal level: Regulation E can cap a consumer’s liability for unauthorized electronic fund transfers when the consumer notifies the financial institution within two business days after learning of loss or theft of an access device, using a lesser-of $50 concept.
- Federal level: When the two-business-day concept is missed, Regulation E can cap liability using a lesser-of $500 concept and limits tied to when unauthorized transfers occur relative to notice.
- Federal level: Regulation E uses a 60-day reporting concept for unauthorized transfers shown on a periodic statement to avoid liability for subsequent transfers.
- Federal level: Regulation E defines an “error” to include unauthorized electronic fund transfers and omissions from a periodic statement, with a 60-day notice concept and institution investigation and correction deadlines.
- Federal level: The Fair Credit Billing Act uses a written billing-error notice concept within sixty days after the creditor transmits the statement, with a creditor acknowledgment period and correction or clarification timing.
- Federal level: For certain card transactions, 15 U.S.C. § 1666i sets prerequisites such as a good-faith resolution attempt, an initial transaction amount exceeding $50, and a geographic or location limit, and also limits the amount of claims and defenses.
- National overview: EFTA generally allows states to maintain electronic-fund-transfer laws that provide greater consumer protection, while FTC guidance describes that all states plus DC, Puerto Rico, and the Virgin Islands have breach-notification laws that influence what breach notices include.
- Federal level: The GLBA Safeguards Rule requires reasonable safeguards for customer information, including encryption in transit and at rest and a written incident response plan for certain security events.
Last reviewed: May 2026. Legal rules, forms, deadlines, and procedures can change by jurisdiction, agency, and court system.
Why “online wallet security” has legal moving parts
“Online wallet security” usually refers to risks that arise when payment credentials or payment access sit online or in apps. Federal law addresses payment-related disputes in multiple ways, including unauthorized electronic fund transfer activity under Regulation E and credit-card billing issues under the Fair Credit Billing Act, and some credit-card claims and defenses also run through 15 U.S.C. § 1666i. State breach-notification laws drive what companies must or must not include in a breach notice, and the FTC data breach response guidance explains that these laws typically tell companies what information they must or must not provide.
When payment disputes can fall under different federal regimes
Federal consumer protections depend on how the payment problem is characterized. Many online-wallet disputes involve one of these federal frameworks:
- Unauthorized electronic fund transfer activity handled through Regulation E (12 CFR Part 1005).
- Credit-card billing errors handled through the Fair Credit Billing Act (15 U.S.C. § 1666).
For certain credit-card transactions, 15 U.S.C. § 1666i adds prerequisites and limits for related claims and defenses.
Unauthorized electronic transfers under Regulation E: liability caps and timing
Regulation E’s unauthorized-transfer liability rules tie a consumer’s liability to when the consumer notifies the financial institution after learning of the loss or theft of an access device.
Liability caps based on the two business day concept
Under 12 CFR 1005.6 (liability limits), a consumer’s liability can be limited using tiered caps:
- If the consumer notifies the financial institution within two business days, liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice.
- If the consumer fails to notify within two business days, liability shall not exceed the lesser of $500 or the sum of certain unauthorized transfers that occur after the two-business-day period and before notice.
Periodic statement reporting and avoiding liability for subsequent transfers
Regulation E also sets a periodic-statement reporting concept. Under 12 CFR 1005.6 (liability limits), a consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days after the financial institution sends the statement to avoid liability for subsequent transfers.
Resolving disputes under Regulation E: what counts as an “error”
Regulation E also creates an error-resolution process for certain disputes that relate to unauthorized electronic fund transfers shown on statements.
What counts as an “error”
Under 12 CFR 1005.11 (procedures for resolving errors), the term “error” includes an unauthorized electronic fund transfer and also the omission of an electronic fund transfer from a periodic statement.
Timing of the notice of error
Under 12 CFR 1005.11 (procedures for resolving errors), the institution’s error-resolution duties apply when the notice of error is received no later than 60 days after the institution sends the periodic statement (or provides passbook documentation) on which the alleged error is first reflected.
Institution deadlines for investigation, results, and correction
Under 12 CFR 1005.11 (procedures for resolving errors), the financial institution generally must determine whether an error occurred within 10 business days of receiving a notice of error, report results within three business days after completing its investigation, and correct the error within one business day after determining that an error occurred.
Credit card billing errors under the Fair Credit Billing Act
Credit-card disputes follow a separate federal framework from unauthorized electronic fund transfer disputes.
Under 15 U.S.C. § 1666 (correction of billing errors), a creditor generally must receive a written notice of a billing error within sixty days after transmitting the statement, and the notice must include specified elements, including name or account identification (if any), the amount, a statement of belief that the statement contains a billing error, and the reasons.
The Fair Credit Billing Act also sets response timelines. Under 15 U.S.C. § 1666 (correction of billing errors), the creditor must send a written acknowledgment within 30 days (subject to exceptions) and must either make appropriate corrections within two complete billing cycles (in no event later than 90 days) or send a written explanation or clarification after conducting an investigation.
A compact comparison of the main federal timing frameworks
The table below summarizes how the timing framework shifts depending on whether a problem is treated as an unauthorized electronic fund transfer, a credit-card billing error, or a credit-card claims-and-defenses scenario.
| Dispute framing | Key timing concept in federal law | Key limits described in the same authority |
|---|---|---|
| Unauthorized electronic fund transfer (Regulation E) | Notice of loss or theft within two business days and periodic-statement reporting within 60 days | Liability capped using a lesser-of $50 concept (timely notice) or a lesser-of $500 concept (after the two-business-day window) under 12 CFR 1005.6 (liability limits) |
| Dispute resolution (Regulation E “error”) | Notice of error received within 60 days of the statement or passbook documentation on which the alleged error is first reflected | Institution investigation deadline 10 business days, results 3 business days after investigation, and correction 1 business day after determining an error occurred under 12 CFR 1005.11 (procedures for resolving errors) |
| Credit-card billing error (Fair Credit Billing Act) | Written billing-error notice within 60 days after transmission of the statement | Creditor acknowledgment within 30 days, followed by corrections within two billing cycles (no later than 90 days) or a written explanation/clarification under 15 U.S.C. § 1666 (correction of billing errors) |
| Credit-card claims and defenses prerequisites | Prerequisites include a good faith attempt and an initial transaction amount exceeding $50; geographic or location prerequisites apply | Claims and defenses may not exceed the amount of credit outstanding; prerequisites and caps appear in 15 U.S.C. § 1666i (claims and defenses) |
The same “online wallet” issue can land in different legal frameworks depending on the payment instrument and how the dispute is characterized, which is why the governing authority matters.
15 U.S.C. § 1666i prerequisites and limits for certain card transactions
For certain credit-card transactions, 15 U.S.C. § 1666i adds prerequisites and limits for related claims and defenses against the card issuer.
Under 15 U.S.C. § 1666i (claims and defenses), prerequisites include a good-faith attempt to resolve the disagreement, an initial transaction amount that exceeds $50, and geographic or location prerequisites described in the statute. The same section also limits the amount of claims and defenses, stating that the amount may not exceed the amount of credit outstanding with respect to the transaction at the time the cardholder first notifies the card issuer or person.
Federal-state boundaries for electronic fund transfers and data breach notices
EFTA does not generally remove state authority over electronic-fund-transfer laws. Under 15 U.S.C. § 1693q (relation to state laws), this subchapter does not annul, alter, or affect the laws of any State relating to electronic fund transfers unless a State law is inconsistent with the federal provisions, and a State law is not inconsistent if it affords greater protection to a consumer.
For data breaches, state breach-notification laws also affect what companies include in breach notices. The FTC data breach response guidance states that all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information, and that state breach notification laws typically tell companies what information they must, or must not, provide in a breach notice.
For related historical context on online privacy themes, see “technology raises significant privacy concerns” and “invasion of the personal information snatchers.”
How institution safeguards connect to online wallet risk
The GLBA Safeguards Rule requires covered financial institutions to maintain reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of customer information. Under the GLBA Safeguards Rule standards in 16 CFR Part 314, the rule also requires customer information to be protected by encryption both in transit over external networks and at rest, subject to limited infeasibility alternatives. The rule further requires a written incident response plan designed to promptly respond to and recover from a security event that materially affects confidentiality, integrity, or availability.
Official recovery-oriented guidance after data is compromised
The IdentityTheft.gov data breach guidance describes recovery steps after certain personal information compromises. It includes steps such as checking credit reports through AnnualCreditReport.com and reviewing for accounts or debts that are not recognized, and it also describes a free one-year fraud alert option involving the three credit bureaus.
Sources
- 12 CFR 1005.6 liability limits
- 12 CFR 1005.11 procedures for resolving errors
- 15 U.S.C. § 1693q relation to state laws
- GLBA Safeguards Rule standards in 16 CFR Part 314
- FTC data breach response guidance
- IdentityTheft.gov data breach guidance
- 15 U.S.C. § 1666 correction of billing errors
- 15 U.S.C. § 1666i claims and defenses