Reg E Is Coming to Crypto: Your Roadmap to EFTA Compliance

The CFPB tried to extend consumer protection law to crypto. The Trump administration killed it. Congress passed a major stablecoin law and forgot to include error resolution or unauthorized transfer protections. And state attorneys general are quietly building the case that their existing statutes already cover digital asset accounts.

If you run a crypto platform, stablecoin issuer, or fintech that handles digital asset payments, the compliance question isn’t settled. It’s just distributed differently than most people expected.

TL;DR:

• CFPB proposed extending Reg E to crypto in January 2025; withdrew it May 15, 2025 — the rule never took effect
• The GENIUS Act (signed July 18, 2025) created a federal stablecoin framework but left out error resolution, unauthorized transfer liability limits, and a consumer private right of action
• State enforcement is the real near-term risk: Massachusetts, New York, and others have EFTA-equivalent statutes that could apply to crypto accounts
• Private EFTA litigation is possible even without a finalized rule — platforms with no documented error resolution process are the most exposed

The Regulatory Setup: Why Reg E Was Coming for Crypto

The Electronic Fund Transfer Act (EFTA) and its implementing regulation, Regulation E, are the bedrock of consumer protection for electronic payments. Error resolution obligations, unauthorized transfer liability limits, required disclosures — EFTA created the framework that gives consumers recourse when something goes wrong with a bank transfer or debit card transaction.

The framework was never designed for crypto. When Congress passed EFTA in 1978, Bitcoin was 31 years away. The statute’s definition of “account” referenced depository institutions, and its definition of “funds” implicitly assumed fiat currency. That’s how crypto avoided EFTA’s reach for years — not through any explicit exemption, but through the technology outrunning the statute.

By 2025, that gap had become conspicuous. Consumers were holding billions in stablecoin payment accounts. People were losing assets to unauthorized transfers, phishing attacks, and exchange errors — with zero legal right to dispute resolution or liability limits that traditional bank customers take for granted.

The CFPB, under Director Rohit Chopra, moved to close the gap.

The Proposed Rule: What It Would Have Required

On January 10, 2025, the CFPB issued a proposed interpretive rule that would have extended EFTA and Regulation E to digital payment accounts — including certain stablecoins, other cryptocurrencies used as payment mechanisms, and even gaming currencies with real-money equivalent value.

The CFPB’s legal theory was straightforward: EFTA’s definition of “funds” includes assets that act or are used like money. If a stablecoin is accepted as a medium of exchange and used to make payments to multiple merchants, it functions like money — and accounts holding it should carry EFTA protections.

Under the proposed rule, crypto platforms classified as “financial institutions” would have faced:

For an industry used to terms-of-service language that shifts all liability to the consumer, this would have been a fundamental change.

The Withdrawal: What Happened and What It Means

On May 15, 2025, the CFPB under the Trump administration withdrew the proposed interpretive rule entirely. The bureau announced it would take no further action on the proposal.

The stated reason: policy priorities. The practical reason: the new administration made clear early that expanding CFPB jurisdiction into crypto markets wasn’t on the agenda. The same pattern played out in BNPL, where the CFPB’s credit card rule for buy-now-pay-later was similarly rescinded in 2025.

But withdrawal doesn’t mean the legal question is settled. Several developments kept the compliance question alive:

State law equivalence: The CFPB’s interpretive rule, while never finalized, laid out a legal framework that state regulators can adopt independently. Massachusetts has an EFTA-equivalent statute with nearly identical language on what constitutes a covered “electronic fund transfer.” A Massachusetts AG who decides that stablecoin payment accounts fall within that statute doesn’t need the CFPB’s finalized rule.

Private litigation: EFTA includes a private right of action. Plaintiff law firms have a history of testing consumer protection statutes against fintech platforms before regulators formalize coverage. The CFPB’s January 2025 proposal, even though withdrawn, serves as persuasive authority that the statutory text supports extension to crypto accounts. Courts will have to decide.

GENIUS Act gap: The federal stablecoin legislation that did pass — the GENIUS Act — created a licensing and reserve framework without the consumer protection floor that Reg E would have provided.

The GENIUS Act: What It Actually Includes (and Doesn’t)

President Trump signed the GENIUS Act into law on July 18, 2025. The Guiding and Establishing National Innovation for U.S. Stablecoins Act created the first federal licensing framework for payment stablecoin issuers — a significant development for an industry that had operated in regulatory ambiguity.

What the GENIUS Act includes:

• Reserve requirements: 1:1 backing with high-quality liquid assets (cash, Treasuries)
• Disclosure requirements: Public and plain-English disclosure of fees and terms
• No government affiliation marketing: Prohibition on marketing that implies FDIC insurance or government backing
• Redemption process: Clear process for consumers to redeem stablecoins at par
• Insolvency priority: Stablecoin holders get priority over other creditors in issuer insolvency

What the GENIUS Act doesn’t include — and what Consumer Reports explicitly flagged as a significant gap:

• No error resolution requirements
• No liability limits for unauthorized transfers
• No private right of action for consumers
• UDAAP and EFTA protections not clearly applied

In short: the GENIUS Act is a prudential framework for stablecoin issuers, not a consumer protection law for stablecoin users. For compliance teams at crypto platforms, the GENIUS Act created clarity on reserve and licensing requirements — but left the consumer protection question exactly where it was before the CFPB proposed rule was withdrawn.

Also important: the GENIUS Act specifically states that it does not preempt state consumer protection laws. That’s an open door for state enforcement.

State Enforcement: The Actual Near-Term Risk

The CFPB under the current administration has reduced its enforcement appetite across consumer financial protection. The void isn’t empty — it’s being filled by state attorneys general who have been waiting for exactly this moment.

New York: The AG’s office has proposed the Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act, which would require platforms to reimburse customers who lose assets to unauthorized transfers and fraud. The proposal draws directly from the CFPB’s interpretive framework.

Massachusetts: The state’s EFTA-equivalent statute uses nearly identical language to the federal law. The Massachusetts AG has signaled willingness to apply existing consumer protection statutes to digital asset accounts where the facts support it. The CFPB’s withdrawn interpretive rule is persuasive, even if not binding.

Iowa: The state enacted a crypto ATM fraud protection law (Iowa Code § 533C.1004) effective July 1, 2025. Consumers who are fraudulently induced to send crypto through ATMs can get full refunds if they report within 90 days to both the operator and law enforcement. Iowa is the leading edge of what state-level consumer protection for crypto looks like in practice.

Pattern across states: Crypto platforms operating without any error resolution process are the most exposed. State money transmitter licenses — which most crypto platforms hold in states where they operate — typically include consumer protection conditions that could be interpreted to require some form of error resolution and unauthorized transaction process.

What You Still Owe Consumers (Even Without Reg E)

Here’s the practical reality: the absence of a finalized Reg E rule doesn’t mean you owe your customers nothing when something goes wrong. Several obligations exist regardless of whether the CFPB finalizes an interpretive rule:

State MTL obligations: Money transmitter licenses in most states require the licensee to maintain procedures for handling consumer complaints and unauthorized transactions. Check your license conditions — they almost certainly include consumer protection requirements.

UDAAP exposure: Even without Reg E, representing that you’ll protect consumers from fraud or resolve disputes — and then failing to do so — is potentially a UDAAP violation. Platforms that make consumer-facing commitments about security and then have no process to back them up are building UDAAP exposure brick by brick.

Contract law: Your terms of service create contractual obligations. If you promise error investigation and then don’t investigate, you’re potentially in breach. If your TOS disclaim all liability for unauthorized transfers in ways that contradict state consumer protection law, that disclaimer may not be enforceable.

GENIUS Act implementing regulations: The GENIUS Act directed implementing agencies to issue regulations within 180 days of enactment — that means regulations were due approximately January 2026. Those regulations may include consumer protection provisions not in the Act itself. Track them.

Building Your Crypto Consumer Compliance Baseline

Even under current federal enforcement posture, the trend line is clear: consumer protection obligations for crypto platforms are expanding, not contracting. State actions, private litigation, and the eventual pendulum swing in federal enforcement make this a “when, not if” question. Here’s what to build now:

Error Resolution Process (Even if Not Currently Required)

Document a process for handling consumer claims of errors or unauthorized transfers, even informally. The process should include:

• How consumers submit a claim (written channel requirement)
• Who reviews the claim and within what timeframe
• What evidence the platform reviews (transaction logs, IP addresses, authentication records)
• How the consumer is notified of the outcome
• What recourse exists if the consumer disagrees

This doesn’t need to match Reg E’s exact requirements. It needs to exist, be documented, and be followed. A platform with a documented process that doesn’t perfectly match EFTA is in a meaningfully better position than a platform with no process at all.

Consumer Disclosure Audit

Review what your terms of service and account disclosures actually say about unauthorized transfers, error resolution, and consumer liability. Specifically:

• Do you make any representations about consumer protection that you can’t back up operationally?
• Does your liability disclaimer language conflict with state consumer protection law?
• Does your disclosure language align with what the GENIUS Act now requires for stablecoin issuers (fee disclosures, redemption process)?

Complaint Classification System

Most crypto platforms track complaints, but don’t categorize them in a way that lets compliance teams identify patterns. Build a classification that separates:

• Unauthorized transfer claims (someone accessed the account without consent)
• Error claims (transaction executed incorrectly)
• Fraud claims (consumer was deceived into making a transfer)
• General service complaints

The unauthorized transfer and error categories are where regulatory and litigation risk concentrates. Knowing how many of these complaints you receive and how they’re resolved is the starting point for any state AG inquiry or litigation defense.

State Law Assessment by Market

If you operate in multiple states, you need a state-specific assessment of whether your current consumer protection processes satisfy the MTL conditions and consumer protection statutes in each jurisdiction. Massachusetts, New York, California, and Texas are the highest priority states — both for market size and for enforcement activity.

The Litigation Watch

Several categories of private EFTA litigation are emerging that compliance teams should monitor:

“Asset accounts” theory: Plaintiffs arguing that stablecoin payment accounts are “asset accounts established primarily for personal, family, or household use” and therefore covered by EFTA’s existing text, without any rulemaking. Courts in the First and Ninth Circuits have been most receptive to broad EFTA coverage theories.

Prepaid account analogy: Stablecoin accounts function similarly to prepaid debit accounts, which are explicitly covered by Regulation E’s prepaid account rule (12 CFR 1005.18, effective 2019). Plaintiffs are arguing that stablecoin payment accounts should be treated analogously.

Unauthorized transfer liability: Consumers who lost crypto assets to sim-swap attacks, phishing, or exchange-level security failures are filing suit arguing platforms had EFTA obligations to limit their liability and investigate claims. Even without a finalized Reg E extension, these cases are reaching discovery.

The CFPB’s withdrawn interpretive rule will appear in these cases as persuasive authority that the statutory text supports coverage — not binding, but useful to plaintiffs establishing that EFTA’s reach was plausibly ambiguous.

So What?

The regulatory environment around Reg E and crypto is messy, not resolved. Federal enforcement has stepped back; state enforcement is stepping up. The GENIUS Act created a partial framework with notable consumer protection gaps. Private litigation is moving forward regardless.

For compliance teams at crypto platforms and stablecoin issuers, the practical priorities are:

1. Document your error resolution process — even if imperfect, having one is the baseline
2. Audit your consumer disclosures against state consumer protection laws in your key markets
3. Classify and track unauthorized transfer complaints separately from general service complaints
4. Monitor GENIUS Act implementing regulations due approximately January 2026
5. Review state MTL conditions in Massachusetts, New York, California, and Texas specifically

The CFPB withdrawal bought time, not immunity.

For platforms building their consumer compliance programs from the ground up, the UDAAP Risk Assessment Framework and the broader compliance management guidance on risktemplate.com walks through how to identify consumer protection gaps before the examiner does.

FAQ

Q: Does Reg E apply to cryptocurrency transactions? Federally, no — the CFPB’s proposed extension was withdrawn May 15, 2025. State EFTA-equivalent laws may apply depending on jurisdiction. Private EFTA litigation is ongoing regardless of the withdrawn rule.

Q: What consumer protections did the GENIUS Act include? Reserve requirements, fee disclosures, redemption process clarity, and insolvency priority for stablecoin holders. No error resolution obligations, unauthorized transfer liability limits, or private right of action.

Q: Which states have laws that could cover crypto error resolution? Massachusetts (EFTA-equivalent statute), New York (proposed CRPTO Act requiring unauthorized transfer reimbursement), and Iowa (crypto ATM fraud protection, effective July 1, 2025). More states are evaluating whether existing statutes cover digital asset accounts.

Q: What should crypto platforms do now? Document an error resolution process, audit consumer disclosures, build a complaint classification system that separately tracks unauthorized transfer claims, assess state MTL consumer protection conditions, and monitor GENIUS Act implementing regulations.

Q: What is the private litigation risk? Plaintiff firms are pursuing EFTA claims against crypto platforms arguing stablecoin payment accounts fall within existing statutory coverage. The withdrawn CFPB interpretive rule serves as persuasive authority in these cases. Platforms with no documented error resolution process are the most exposed.