Anyone who has watched a mysterious charge drain their checking account knows the panic that follows. Federal law sets a hard deadline: consumers who notify their bank of an unauthorized debit-card transaction within 60 days after the statement is sent can force the institution to return the money. Miss that window, and the bank can refuse to cover losses it can show would not have occurred had the consumer spoken up sooner. The protection comes from the Electronic Fund Transfer Act and its implementing rule, Regulation E, and it applies whether a physical card was stolen or only an account number was compromised.
Why the 60-day debit-card reporting window matters right now
Debit cards pull money straight from a checking account, so fraud hits a consumer’s available cash immediately. Credit-card disputes follow a separate statute with different protections, and many cardholders mistakenly assume debit transactions carry the same safety net. They do not. Under federal liability limits, the bank need not reimburse losses it establishes would not have happened but for the consumer’s failure to report within 60 days of the statement’s transmittal. That single sentence in the statute draws a bright line between full recovery and total exposure.
Once a consumer files a timely notice, the bank generally has 10 business days to investigate the error, according to the CFPB. If the institution cannot finish its review in that period, Regulation E procedures require it to provisionally credit the disputed amount while the investigation continues. The practical effect is that a consumer who acts within the 60-day window should see the money back in the account relatively quickly, even before the bank reaches a final decision.
Even when the 60-day deadline has passed, consumers are not barred from asking for help. The Consumer Financial Protection Bureau’s own unauthorized transaction guidance urges people to contact their bank as soon as they spot a problem, keep records of who they speak with, and follow up in writing. But the agency also explains that the statutory protections weaken sharply once the 60-day period has run, and any reimbursement beyond that point may depend on the institution’s policies or its own assessment of fault.
Statute, regulation, and examiner guidance all enforce the same deadline
Three layers of federal authority reinforce the 60-day rule. The statute itself, codified at 15 U.S.C. 1693g, sets the liability framework. Regulation E, found at 12 CFR Part 1005, translates that framework into operational duties for banks, including investigation timelines and provisional-credit requirements. The FDIC’s Consumer Compliance Examination Manual spells out how examiners test whether institutions follow through, referencing the 60-calendar-day notification concept at 12 CFR 1005.6(b)(3) through (5). The FTC publishes parallel consumer guidance explaining that liability limits for unauthorized debit and ATM transactions depend on reporting within 60 calendar days after the statement is sent.
The protection applies regardless of how the fraud occurred. A thief who clones a card at a gas pump and a hacker who buys goods online with a stolen account number trigger the same reporting clock. The 60-day period starts when the bank sends or makes available the periodic statement that first reflects the unauthorized transfer, not when the consumer happens to notice it. That distinction puts the burden on account holders to review statements regularly, whether they arrive by mail or appear in an online portal.
Gaps in public data on how banks actually comply
The legal obligation is clear, but the public record on how consistently banks honor it is thin. Regulators publish enforcement actions when they uncover systemic violations, yet those cases represent only the most serious breakdowns. Day-to-day handling of individual fraud claims happens largely out of view, resolved between institutions and customers with little transparency about outcomes or timelines. Consumers often learn about the 60-day rule only after a bank invokes it to deny reimbursement.
Complaint databases offer some clues but not a full picture. Aggregated narratives show patterns of frustration over delayed investigations, denials based on alleged customer negligence, and confusion about when the 60-day clock started. However, these anecdotes rarely identify whether the bank correctly applied the statutory standard or whether internal policies went beyond the minimum requirements. Without consistent, disaggregated reporting, it is difficult to assess whether institutions are meeting both the letter and the spirit of Regulation E.
Another blind spot involves how banks communicate the deadline. Account agreements and electronic disclosures may technically describe the 60-day requirement, yet the language is often dense and buried among other terms. Some institutions send alerts when unusual activity appears, but those systems vary widely and are not mandated by law. If a consumer misses an email or fails to log in for several weeks, the statement may still be deemed “made available,” starting the countdown even though the fraud has not been seen.
These gaps matter because the 60-day rule assumes a reasonably informed and attentive account holder. In practice, people juggle multiple accounts, devices, and obligations, and may share responsibilities within a household. When fraud occurs, they confront a system that offers strong protections only if they act quickly and can navigate technical requirements for written notice and documentation. Until regulators or lawmakers require more robust public reporting on outcomes-and clearer, more prominent disclosures for customers-the full impact of the 60-day deadline will remain difficult to measure, even as it quietly determines who bears the cost of unauthorized debit-card transactions.
