For unauthorized electronic fund transfers (EFTs) from a PayPal account--such as debits from a linked bank account or P2P payments--U.S. federal law under Regulation E (§ 1005.6) limits your liability. If you notify PayPal within 2 business days after learning of the loss or theft of your access device, your liability shall not exceed the lesser of $50 or the amount of unauthorized transfers made before notice. Notification after 2 business days increases potential liability to the lesser of $500 or the sum of specified unauthorized transfers. These business day periods consist of two 24-hour periods, calculated without regard to PayPal's business hours.

This applies to PayPal as an EFT service provider for eligible debits, not credit card charges. Notify PayPal immediately via their Resolution Center or support to start the process and cite Regulation E. This is separate from PayPal buyer/seller disputes or credit card chargebacks.

What Controls Unauthorized PayPal Payment Disputes

U.S. Regulation E, implemented under the Electronic Fund Transfer Act (EFTA) at 12 CFR § 1005.6, sets consumer liability limits for unauthorized EFTs, including those via P2P platforms like PayPal acting as the service provider. The rule covers transfers made after the loss or theft of an access device, such as login credentials or linked bank details.

Key limits from § 1005.6:

• Within 2 business days of learning of the loss/theft: Liability capped at $50 (or unauthorized amount before notice).
• After 2 business days: Liability up to $500 (or sum of unauthorized transfers before notice plus amounts after until notified, in some cases).

Business days follow a strict 24-hour calculation per period, even if it spans weekends (e.g., notice on Friday at noon means deadline at 11:59 p.m. Sunday if Saturday counts). PayPal must follow Regulation E error resolution procedures under § 1005.11 as the EFT provider.

What Does NOT Control This Dispute

Unauthorized EFT disputes under Regulation E do not follow credit card chargeback rules (e.g., Visa/Mastercard statement periods). If funded by credit card, different card network policies apply instead.

This differs from PayPal's Purchase Protection or item disputes, which handle authorized buyer/seller issues like non-delivery, not unauthorized access. Merchant refunds, wire transfers, or subscription cancellations also fall outside this framework.

Next Steps to Dispute and Limit Liability

Contact PayPal immediately as your first step--log in to the Resolution Center, select the transaction, or call support, and state it is an unauthorized EFT under Regulation E. Provide transaction IDs, the exact date/time you learned of the issue, and proof it was unauthorized (e.g., no device access, unfamiliar IP).

Gather this evidence checklist:

• Screenshots of transactions and account activity.
• Date/time stamps of when you discovered the issue.
• Records of notice to PayPal (email confirmations, chat transcripts).
• Bank statements if the linked account was debited.

PayPal, as EFT provider, investigates per Regulation E. If unresolved, escalate via CFPB complaint portal or FTC. Contact your bank only if the debit hit your external account directly.

Act fast: The 2-business-day window directly impacts your $50 liability cap.

FAQ

What counts as an "access device" for PayPal under Reg E?
Login credentials, passwords, or linked bank details that enable EFTs.

Does this apply if I used a credit card in PayPal (not bank)?
No--credit card charges follow card issuer dispute rules, not Regulation E EFT limits.

What if PayPal doesn't respond quickly?
PayPal must investigate per Regulation E; file with CFPB if delayed.

Can I get a full refund for unauthorized PayPal transfers?
Liability limits cap your loss, but confirmed unauthorized EFTs must be corrected per Reg E--not automatic without investigation.

Is there a 2026 update to these rules?
No 2026-specific changes confirmed in official sources.