In the US there is no single payments statute. The consumer perimeter is drawn instead by two rulebooks that key off the funding instrument. Pull money from a deposit account by debit card, ACH, or any electronic transfer and you are under Regulation E. Put it on a credit line and you are under Regulation Z. The instrument decides the regime, and the regime decides who eats the loss and how fast you have to move.

This split is not academic. A debit dispute and a credit dispute on the same merchant, same amount, same fraud pattern run on different clocks with different liability ceilings. If your dispute engine treats them the same, you are either over-crediting on credit or out of compliance on debit. The rest of this lesson is the part you have to encode.

Two regimes, one funding-instrument test

Regulation E implements the Electronic Fund Transfer Act and covers electronic transfers to and from consumer asset accounts: debit card transactions, ATM withdrawals, ACH debits, and P2P pushes off a bank balance. Regulation Z implements the Truth in Lending Act, as expanded by the Fair Credit Billing Act of 1974, and governs open-end credit, which is where credit card billing errors live.

The practical routing rule is simple. Ask what the funds came from. A deposit account means Reg E. A credit line means Reg Z. Prepaid accounts were folded into Reg E by the 2019 Prepaid Rule, so a general-purpose reloadable card runs on the debit clock, not the credit one.

The instrument, not the network or the channel, picks the regime. Build the routing decision at that fork and everything downstream inherits the right timers.

The Reg E clock and its three liability tiers

Reg E error resolution starts when the consumer gives notice. The institution then has 10 business days to investigate and determine whether an error occurred. If it cannot finish in 10, it may take up to 45 days total, but only if it provisionally credits the account within those first 10 business days and gives the consumer full use of the funds during the investigation. After a determination it reports results within three business days and corrects any error within one.

The outer boundary on the consumer side is 60 days. The institution is not obligated to follow error-resolution procedures for a notice received more than 60 days after it sent the periodic statement that first showed the error.

Consumer liability for unauthorized transfers under Reg E section 1005.6 runs in three tiers, and the tier is set by reporting speed:

The three tiers

That escalating structure is the design point. On debit, speed of reporting directly changes the consumer's exposure, which is why the dispute intake flow has to timestamp first contact precisely.

The Reg Z clock and its flat $50 cap

Reg Z runs on different mechanics. The consumer must send a written billing error notice that the creditor receives within 60 days of the first periodic statement reflecting the error. On receipt the creditor has 30 days to acknowledge in writing, unless it has already resolved the dispute, and it must resolve within two complete billing cycles and in no event later than 90 days.

During the investigation the consumer need not pay, and the creditor may not try to collect, the disputed amount or any finance charge tied to it. The creditor also cannot report the disputed amount as delinquent while the dispute is open.

The liability number is where Reg Z diverges most sharply from Reg E. Unauthorized credit card use is capped at $50, full stop, and critically that cap does not move with reporting speed. Report in two days or report in fifty, the ceiling stays $50. In practice most issuers waive even that, but $50 is the statutory floor of protection. There is no $500 tier and no unlimited-liability cliff the way there is on debit.

A worked example: same fraud, two outcomes

Take a $400 unauthorized transaction discovered by a consumer who reports it on day 30 after the statement.

On a debit card, this is Reg E. Because the consumer is well inside the 60-day statement window and reported within a reasonable time of discovery, liability is capped at $50 (assuming the two-business-day reporting test from discovery is met). The bank has 10 business days to investigate, and if it needs the full 45, it must provisionally credit the $400 first so the consumer is not out of pocket during the probe.

On a credit card, this is Reg Z. The consumer is inside the 60-day notice window, so the cap is $50 regardless of the day-30 timing. There is no provisional-credit mechanic, because the consumer was never required to pay the disputed amount in the first place. The issuer acknowledges within 30 days and must resolve within two billing cycles or 90 days.

Same dollar amount, same fraud, two different procedural shapes. The debit path is about getting money back into an account fast; the credit path is about suspending a payment obligation. If your platform abstracts both into one "dispute" object, it has to carry the regime flag and branch the timers and the provisional-credit logic on it.

What this means for what you ship

The perimeter is a set of clocks and ceilings, not a vibe. Three things have to live in your data model: the funding instrument (it selects the regime), the precise notice timestamp (it sets the liability tier on debit and starts every timer), and the regime-specific deadline stack. Get the instrument-to-regime routing wrong at intake and every downstream timer inherits the error.

Two takeaways to encode. First, debit liability escalates with delay through the $50, $500, and unlimited tiers, while credit liability is a flat $50 inside the 60-day window. Second, provisional credit within 10 business days is a Reg E obligation with no Reg Z equivalent, because credit disputes suspend the payment rather than reverse it.

This is the US consumer floor. Module 4 picks up where authorized data-sharing changes the dispute and liability picture again under open banking.

← Previous
The EU Stack: PSD2 to PSD3 and the PSR
Next →
Open Banking Two Ways: Section 1033 vs the EU's FIDA