Bank Won’t Refund Your Money After Fraud? Federal Law Says They May Have To — DC, MD & VA
- jenelledennis
- Mar 10
- 6 min read
Federal law gives consumers powerful protections when fraudsters steal account credentials or manipulate victims into transferring funds. Here’s what DC, Maryland, and Virginia consumers need to know.
Every week, consumers across the DMV wake up to find money gone from their bank accounts — and a financial institution telling them it isn’t the bank’s problem. In many of those cases, the bank is wrong. A powerful federal statute — the Electronic Fund Transfer Act (EFTA), enforced through Regulation E — creates mandatory obligations for banks and payment platforms when your money is taken through electronic means. These protections apply even when a scammer stole your password, impersonated your bank, or talked you into handing over a code.
The Law That Protects You: EFTA & Regulation E
Congress passed the Electronic Fund Transfer Act to establish a framework of consumer rights any time money moves electronically. The core protection is straightforward: if money leaves your account through an electronic fund transfer that you did not actually authorize, your financial institution is legally required to investigate your claim and, in most cases, restore your funds.
Your rights under EFTA include:
Right to Dispute: You have the right to submit an error claim and receive a written investigation response within 10 business days, or 45 days if the bank issues a provisional credit to your account while it investigates.
Right to Provisional Credit: If the bank needs more time to investigate, it must generally credit your account temporarily so you are not left without funds during the process.
Right to Written Notice: The bank must notify you of its findings in writing and explain any denial — you are entitled to know exactly why your claim was rejected.
Right to Documentation: If the bank concludes no error occurred, you can request the documents it relied upon in making that determination.
Anti-Waiver Protection: You cannot be forced to sign away these rights. Any clause in a bank agreement purporting to waive EFTA protections is void and unenforceable as a matter of federal law.
When Your Credentials Are Stolen
One of the most common EFTA scenarios is the stolen-credential transfer. This happens when a fraudster obtains your username, password, PIN, or one-time passcode without your genuine consent, and uses those credentials to move money out of your account. Common methods include:
Phishing & Spoofed Websites: You receive a message or a phone call appearing to come from your bank. A convincing fake login page captures your credentials in real time and immediately uses them to drain your account. ✔ Typically covered under EFTA.
SIM-Swapping: A fraudster contacts your mobile carrier, impersonates you, and transfers your phone number, then uses it to intercept your bank’s two-factor authentication codes to complete transfers. ✔ Typically covered under EFTA.
Malware & Remote Access: Malicious software installed on your device gives fraudsters the ability to capture keystrokes or remotely control your computer to initiate transfers you never authorized. ✔ Typically covered under EFTA.
Data Breach Credential Reuse: Stolen credentials from a third-party data breach are used to access your bank account. The fraudster initiates transfers using information you never provided directly to the bank. ✔ Often covered under EFTA.
ATM Card Skimming: A skimming device attached to a non-bank ATM — such as those found in convenience stores, gas stations, or restaurants — reads your debit card’s magnetic stripe data while a hidden camera captures your PIN. The fraudster then uses that stolen data to manufacture a counterfeit card and make unauthorized cash withdrawals, all without ever touching your actual card. EFTA’s protections apply regardless of which ATM was used — what matters is that the funds came from your consumer account and the transfers were never authorized by you. ✔ Typically covered under EFTA.
What If You Were Tricked: Social Engineering & Bank Impersonation
Some of the most devastating fraud schemes target consumers not through hacking, but through manipulation. Scammers impersonate bank fraud departments, government agencies, and tech support teams, creating a sense of urgency and convincing consumers to provide credentials or one-time passwords under the belief they are cooperating with a legitimate institution. The moment you comply, they drain your account.
The "Furnished Access Device" Defense and Why It Fails
Banks frequently deny social engineering claims by arguing that because you “gave” the fraudster your credentials, you “furnished” your access device and the transfer was therefore authorized. This argument misreads the statute.
Regulation E’s exception for furnishing an access device applies when a consumer voluntarily provides credentials to another person for that person’s legitimate use — like giving a family member your debit card with permission to make purchases. It does not apply when credentials are extracted through deception.
Critically, consumer negligence is not a defense under EFTA. Even if you could have been more cautious, that does not relieve the bank of its legal obligation to investigate and restore your funds.
DC, MARYLAND & VIRGINIA NOTE
DC, Maryland, and Virginia each have consumer protection statutes that can reach financial institution failures to properly handle electronic transfer disputes. If your bank stonewalled your EFTA claim, you may have additional remedies under the DC Consumer Protection Procedures Act, Maryland’s Consumer Protection Act, or the Virginia Consumer Protection Act (VCPA) — statutes that provide robust private rights of action and, in some circumstances, enhanced damages. Virginia consumers should be aware that the VCPA covers fraudulent and deceptive practices in consumer transactions, which can include a bank’s bad-faith handling of a fraud dispute.
Push Payment Fraud: What If You Sent the Money Yourself
Push payment fraud, sometimes called Authorized Push Payment (APP) fraud, presents a harder legal picture under EFTA. In these schemes, a fraudster convinces you to initiate the transfer yourself: wiring money to a “safe account,” sending Zelle, CashApp, or Venmo payments to what you believe is your own account, or paying for goods and services that never materialize. Because you technically initiated the transfer (even though you were deceived about its purpose) courts have sometimes found these transfers fall outside EFTA’s unauthorized transfer framework.
That does not mean you have no recourse.
Where the law stands — and what else may apply:
EFTA Investigation Failures: Even if the underlying transfer doesn’t qualify as “unauthorized,” your bank still has error resolution obligations. If the bank failed to properly investigate your dispute, provided inadequate written notices, or refused to produce documentation, those procedural failures may be independently actionable.
State Consumer Protection Law: DC, Maryland, and Virginia all have statutes that reach deceptive or unfair practices by financial institutions. In Virginia, the VCPA provides a private right of action for consumers harmed by deceptive acts in connection with a consumer transaction — which can include the conduct of a financial institution that mishandles a fraud claim.
If you have been the victim of push payment fraud, do not accept a denial as the final word without speaking to an attorney. The law in this area is evolving, and the specific facts of your situation may matter enormously.
What To Do If You’ve Been a Victim
Act Immediately — Deadlines Matter. EFTA has strict reporting timelines. You generally must report an unauthorized transfer within 60 days of the bank statement that includes it. If you have discovered fraud, contact your financial institution today, preserve every record, and submit a written or oral dispute.
Document Everything. Save every text, email, and call record related to the fraud. Screenshot your account transaction history. If you communicated with the fraudster, preserve those communications. Delete nothing.
File Regulatory Complaints. File a complaint with the CFPB at consumerfinance.gov/complaint and the FTC at reportfraud.ftc.gov. Regulatory pressure can sometimes move financial institutions that are otherwise unresponsive.
Consult a Consumer Protection Attorney. EFTA provides for recovery of actual damages, statutory damages, and attorney’s fees. This means a qualified attorney can often take your case without any upfront cost to you. Do not let cost be a barrier to understanding your rights.
Your Rights Apply Regardless of Where You Bank
Whether you bank with a large national bank, a community bank, a credit union, or use a payment app like Zelle, Cash App, or Venmo, EFTA applies across the board to consumer electronic fund transfers. Your regulator may vary, but your substantive rights under EFTA are the same regardless of institution size.
Maryland consumers may also have protections under the Maryland Consumer Protection Act. DC consumers can invoke the DC Consumer Protection Procedures Act, which provides robust private remedies including, in some circumstances, treble damages for willful violations. Virginia consumers have remedies under the Virginia Consumer Protection Act, which prohibits fraudulent and deceptive practices in consumer transactions and provides a private right of action for injured consumers.