Navigating Regulation E Risk in Banking as a Service Models


4 minute read | June 10, 2025

In the consumer deposits and payments products space, the banking as a service (BaaS) model creates significant opportunities for fintech innovation and consumer choice — but BaaS arrangements have also drawn the attention of regulators and plaintiffs’ attorneys. To manage these risks, banks and fintech partners must closely scrutinize how they allocate account servicing responsibilities among themselves to ensure compliance with applicable law, including the Electronic Fund Transfer Act (EFTA) and its implementing regulation (Regulation E).

The EFTA is the main federal statute governing a wide range of consumer deposit products and payment channels, including ACH, debit cards, ATMs, P2P, digital wallets, real-time payments and, at least according to recent district court decisions, wire transactions. If money moves by one of these mechanisms into or out of a consumer asset account, the EFTA and Regulation E likely impose responsibilities on the banks involved and their fintech partners, and noncompliance can generate significant financial and reputational risk to BaaS participants.

The EFTA creates a consumer-friendly regulatory regime that imposes significant servicing obligations on financial institutions, mandates prompt investigation and resolution of consumer disputes, and limits consumer liability for unauthorized transfers. It has consistently been a mainstay in supervisory and enforcement matters for the Consumer Financial Protection Bureau (CFPB) (see, for example, here and here). While state attorneys general do not have direct authority to enforce the EFTA, at least one state has sought to do so through state laws prohibiting any illegal conduct. Further compounding this risk, the EFTA creates a private right of action and permits successful plaintiffs to obtain actual and statutory damages, plus attorney’s fees, for any violations.

The EFTA’s servicing obligations are technical, complex and often counterintuitive, making them difficult for even long-standing depository institutions with traditional products to meet consistently. Younger fintechs or BaaS providers with innovative deposit and payment product offerings have fared worse. The risks are most acute where a customer claims fraud or unauthorized activity on the customer’s account. This is because the law generally limits the consumer’s liability when the consumer is harmed by bad actors and places much of the risk of loss for unauthorized transfers on the financial institution holding the account. In other words, the bank often has to go out of pocket to make the victim whole and is left to chase the fraudster (if they can be found).

Fraud and Error Resolution are Drivers of Risk

EFTA obligations require investigating and resolving consumer claims of “errors,” a term that covers a range of account issues: unauthorized or certain fraudulent debits from the consumer’s account, simple bookkeeping mistakes and even requests for certain documents. There are several key things to keep in mind — and which BaaS banks and their fintech partners often overlook:

  • Investigations. These must generally be conducted with available or reasonably obtainable information. Imposing burdensome information or document requests on the consumer making the claim can create compliance risk if used to limit the consumer’s rights.
  • Timing Matters. Regulation E sets forth specific timelines for responding to consumer disputes, which can be easily miscalculated or missed. Each notice of error must be investigated to determine whether an error occurred. If applicable, the error must be corrected, and the findings must be communicated to the consumer. If the investigation takes longer than 10 business days, the customer’s account may need to be provisionally credited while the investigation continues.
  • Consumer Liability is Limited. Consumer liability rules are complicated, but the amounts a consumer can be held liable for are generally very low and often zero where a covered error occurs — oftentimes in scenarios that are counterintuitive, because the financial institution is generally not allowed to use consumer negligence as a basis to deny a claim.
  • Burdens of Proof Fall on the Financial Institution. As baked into the EFTA, the burden of proof when responding to an unauthorized transfer claim falls on the account-holding financial institution. If an investigation cannot reach a clear answer, consumers generally win a tie.
  • Robbery and Fraud. As a general rule, consumers who willingly share their payment app login credentials or debit cards may be liable for transfers the receiving party makes — even those the consumer did not intend. However, circumstances involving certain robbery and fraud are an oft-overlooked exception to that general rule. Further complicating this exception, not all robbery and fraud scenarios are covered, making careful parsing of facts and comprehensive compliance staff training essential.
  • EFTA Rights Cannot be Waived. With very narrow exceptions, rights granted to consumers under the EFTA cannot be waived in any agreement and it is a separate violation of law to offer such an agreement.

The contours of the EFTA — and the obligations that go with them — reach far beyond these brief bullets. Understanding the finer detail behind each of these points is essential to a compliant account servicing program that appropriately allocates responsibilities between BaaS banks and fintech partners to avoid violations and mitigate risk to both parties.

Understand Risk Allocation and Plan Appropriately

While responsibilities and the cost of potential EFTA problems can be allocated contractually between a bank and fintech partner, supervisory and enforcement risk generally cannot be shifted away from the bank. If something goes wrong in a BaaS program, the bank partner’s regulators will focus on the bank’s role as the entity offering financial services and overseeing its fintech partner(s), and may find there has been an EFTA violation warranting supervisory or enforcement action (including potential monetary penalties). Fintech partners are not immune from their own regulators either, and could face state or private actions for their own conduct. Ultimately, both parties in the relationship retain residual risk, regardless of contractual allocations.

Consequently, parties should carefully and purposefully allocate assignable risks and responsibilities among themselves. They should be more thoughtful still about allocating resources to mitigate the risks assigned to either party, as well as residual risks that are too sticky to contract away.

Limit Risk by Developing Robust Compliance Structures

Banks assigning EFTA compliance responsibilities to their partners should periodically revisit their compliance management system (CMS) and third-party risk management (TPRM) policies to ensure that the level of third-party oversight aligns with their risk appetite. For EFTA purposes, the CMS and TPRM policies should also jointly obligate third parties to operate consistently with the EFTA regulatory regime for any consumer deposit or payment products they offer in partnership with the bank. EFTA compliance should be a key component of the conversation between the bank and fintech partners at onboarding, and should continue to be part of the bank’s monitoring regime for the duration of the partnership arrangement.

Fintech providers taking on user authorization collection, error resolution, and other EFTA-related responsibilities should likewise ensure that their own practices are up to par and satisfy both their contractual obligations and the requirements of Regulation E and applicable regulatory guidance interpreting the EFTA. The best defense is robust written policies and procedures, combined with proper training and periodic monitoring and testing in a well-integrated CMS. When implemented properly, these structures can help avoid common mistakes and mutually benefit the fintech and its bank partners.

To learn more about payments and connect with Orrick attorneys who can help navigate these issues, please contact Edward Somers and Caroline Stapleton, and visit our Payments page.