but Reg E has no such protections for me being swindled by a dishonest merchant.
To play Devils' advocate, reading the Staff Interpretation comments on the definition of "Unauthorized Electronic Funds Transfer", I would argue the intent behind Reg E is to provide protections against dishonest merchants:
2(m) Unauthorized Electronic Fund Transfer
1. Transfer by institution's employee. A consumer has no liability for erroneous or fraudulent transfers initiated by an employee of a financial institution.
2. Authority. If a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.
3.
Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery Wouldn't such a swindle fall under the category of fraud, meeting the definition of an unauthorized EFT?