Overdraft Practices Under Reg E: Regulatory Evolution, Compliance Risks, and Enforcement Trends

Overdraft fees have been a persistent concern for lawmakers and regulators since the rise of electronic banking in the late 20th century. The Electronic Fund Transfer Act, or EFTA, was enacted in 1978 to establish uniform consumer protections for electronic fund transfers, including ATM withdrawals and debit card transactions. While the original statute did not specifically address overdraft fees, it laid the foundation for future regulatory action by requiring financial institutions to provide clear disclosures and error resolution procedures for electronic transactions.^[1]

In response to growing public concern over the cost and opacity of overdraft programs—particularly those that automatically enrolled consumers and charged fees without notice—Congress and regulators began to act. In 2009, the Federal Reserve Board amended Reg E to prohibit financial institutions from charging overdraft fees on ATM and one-time debit card transactions unless the consumer affirmatively opted in to the service.^[2]This rule, finalized in 2010, was designed to ensure that consumers would not be subject to unexpected fees for routine transactions unless they had explicitly agreed to such coverage.

The 2009 rulemaking followed years of congressional hearings and consumer advocacy highlighting the disproportionate impact of overdraft fees on low-income and financially vulnerable consumers. Lawmakers introduced multiple bills during the 2000s aimed at requiring clearer disclosures and limiting fee practices, including proposals to mandate opt-in requirements and cap the number of fees that could be charged per month.^[3]Although many of these bills did not pass, they helped shape the regulatory framework that emerged through the Federal Reserve’s amendments to Reg E.

In 2011, rulemaking authority for Reg E was transferred to the newly created Consumer Financial Protection Bureau (CFPB) under the Dodd–Frank Wall Street Reform and Consumer Protection Act.^[4]The CFPB adopted the Federal Reserve’s overdraft opt-in rule and has since issued guidance and enforcement actions to clarify its application.

While the opt-in requirement has been in effect since 2010, enforcement has varied with changes in political leadership. In January 2025, following the inauguration of President Trump’s second term, the CFPB significantly curtailed its rulemaking and enforcement activity, including in the area of overdraft practices. This shift led to a pause in new enforcement actions and a reorientation of supervisory priorities.

Reg E and Overdraft Services: Legal Framework

Reg E defines “overdraft service” as a program under which a financial institution charges a fee for paying a transaction when the consumer lacks sufficient funds. Section 1005.17 establishes four key requirements: (1) clear, separate disclosures; (2) affirmative consumer consent; (3) confirmation of that consent; and (4) a prohibition on conditioning account features on opt-in status.^[5]

These requirements apply only to ATM and one-time debit card transactions—not to checks or recurring payments. The CFPB has clarified that institutions bear the burden of proving that a consumer affirmatively opted in, and that acceptable documentation may include signed forms, call recordings, or secure electronic confirmations.^[6]

Enforcement Trends 

The CFPB has emphasized the importance of adhering to Reg E’s requirements for overdraft services through various enforcement actions and public statements. These communications underscore the Bureau’s interpretation of the rules and offer insight into how institutions can align their practices with regulatory expectations.

In the past, the CFPB has gone after financial institutions for alleged violations involving unauthorized enrollment in electronic services, failure to obtain affirmative opt-in for overdraft fees on ATM and one-time debit card transactions, and inadequate recordkeeping of consumer consent. Despite the recent changes in the CFPB’s enforcement practices, they continue to emphasize the need to obtain and retain consumer consent before charging overdraft fees. Reg E requires that consumers opt in to such services, and institutions must maintain verifiable documentation of that consent. In the past, the CFPB found that certain financial institutions that enrolled consumers through in-person or phone-based methods did not meet the required regulatory standard, finding that the customers did not affirmatively opt in to the institution’s overdraft protection service. In the past the CFPB also found that financial institutions lacked sufficient records to demonstrate that consent had been properly obtained. Reg E mandates that consent disclosures be presented separately from other account terms and clearly explain the nature and cost of the service.^[7]Institutions cannot bundle overdraft terms with unrelated materials.

The Bureau has also scrutinized fee assessment practices, including the imposition of multiple overdraft fees on a single transaction and the application of fees in ways that contradicted the institution’s own disclosures. Where these practices are at issue, in addition to Reg E violations, the Bureau has also found violations of the Consumer Financial Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices or UDAAP.

To address these issues, the CFPB has required institutions to:

• Cease unlawful enrollment and fee practices
• Provide redress to affected consumers
• Improve internal controls and recordkeeping systems
• Enhance staff training on opt-in procedures and disclosure requirements

Though the CFPB has been less active recently on both the enforcement and the rulemaking front, the foundational requirements of Reg E remain in full effect.

Compliance Considerations and Risk Areas

Institutions offering overdraft services should be aware of common compliance pitfalls, as shown in the enforcement activity referenced above. First, institutions must retain clear, auditable records of consumer opt-in. The CFPB has suggested that this obligation may extend beyond the two-year minimum retention period under Reg E.^[8]Second, disclosures must be presented separately from other account terms and must clearly explain the nature and cost of the overdraft service. Third, systems must be configured to distinguish between one-time and recurring debit card transactions to apply the opt-in rule correctly. Finally, frontline staff must be trained to follow compliant opt-in procedures, particularly during in-person and phone interactions.

Conclusion

Overdraft practices remain a high-risk area for regulatory enforcement. While the CFPB’s enforcement activity has slowed under the current administration, the legal requirements under Reg E remain in effect. Institutions should be mindful of the possibility of state-level enforcement, as state attorneys general and financial regulators have increasingly scrutinized overdraft practices, particularly where consumer harm is alleged. Institutions that proactively audit their overdraft programs, reinforce staff training, and ensure transparent consumer communications will be better positioned to avoid enforcement risk and maintain public trust. Winston is here to keep you apprised of all the latest developments and help you navigate these changes with confidence.

If you have additional questions or need further assistance, please reach out to Caitlin M. R. Mandel (Partner, Government Investigations, Enforcement and Compliance), LaTisha Curtiss (Associate, General Litigation), or your Winston & Strawn relationship attorney.

---

[1] Electronic Fund Transfer Act, Pub. L. No. 95-630, 92 Stat. 3641 (1978).

[2] Electronic Fund Transfers, 74 Fed. Reg. 59033 (Nov. 17, 2009) (codified at 12 C.F.R. pt. 205).

[3] See, e.g., Overdraft Protection Act of 2009, H.R. 3904, 111th Cong. (2009).

[4] Dodd–Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 1061, 124 Stat. 1376 (2010).

[5] 12 C.F.R. § 1005.17.

[6] CFPB, Consumer Financial Protection Circular 2024-05 (Apr. 2024).

[7] Consumer Financial Protection Bureau, Official Interpretation of 12 C.F.R. § 1005.17(b)(6), 12 C.F.R. § 1005, Supp. I, § 1005.17(c)(4), accessible here.

[8] See CFPB, supra note 6.