Four banks alone expect more than $255 million in scam and fraud claims in 2022.

By Ashley Belanger, ARS TECHINCA

October 5, 2022

https://arstechnica.com/tech-policy/2022/10/zelle-fraud-is-on-the-rise-…

When seven of the biggest banks in America saw that their customers liked using apps to send instant peer-to-peer payments, they rolled out Zelle through a jointly owned company called Early Warning Services in 2017 and quickly began processing billions in payments annually. By 2021, Zelle was processing nearly twice the number of payments as Venmo, but as the volume of Zelle payments increased, so did rumors about increased fraud. Scammed Zelle users complained to the New York Times that Zelle did not always reimburse customers who reported stolen money.

Suspicious after mounting anecdotal reports, one of the toughest policymakers on banks, Senator Elizabeth Warren (D-MA), launched an investigation. She demanded data from all seven of the big banks: JPMorgan Chase, Wells Fargo, US Bank, PNC, Capital One, Bank of America, and Truist. Only four banks complied. However, Warren’s report released this week shows that even half the data she sought was enough to show that “fraud is growing” on Zelle and that “the banks are not refunding the vast majority of defrauded consumers, breaking their promises to their customers and potentially violating federal law.”

According to Warren’s analysis of data shared by US Bank, PNC, Bank of America, and Truist, these four banks alone are “on pace to receive scam and fraud claims in excess of $255 million in 2022,” a dramatic spike compared to $90 million in 2020.

The majority of these claims—totaling more than 190,000 cases disputing $213 million in payments in 2021 and half of 2022—involved customers who were induced to make fraudulent payments by scammers. Only three banks provided complete data to Warren, which showed they repaid scammed customers in less than 10 percent of cases.

Warren’s report says that the banks are relying on federal laws— the Electronic Fund Transfer Act and the Consumer Financial Protection Bureau’s (CFPB) “Regulation E”—which “require that the banks repay customers when funds are illegally taken out of their account without authorization.” But crucially, banks don't have to pay if people authorize such payments, which is happening here, even if the payments are made to scammers. Now Warren is pushing CFPB to clarify Regulation E so that banks must acknowledge this method of attacking consumers as fraudulent and unauthorized.

More troubling is Warren’s suggestion that banks are also potentially breaking current law by not reimbursing unauthorized fraudulent charges. Warren says that the three banks who shared data revealed that they only reimbursed consumers for 47 percent of unauthorized payments that they should be legally required to reimburse every time.

A spokesperson for Early Warning Services did not comment on the allegations of violating federal law but did tell told Ars that where Warren sees an increase in fraudulent activity year to year, Early Warning Services sees a decrease in fraudulent activity proportional to its growing userbase.

“Tens of millions of consumers use Zelle without incident, with more than 99.9 percent of payments completed without any report of fraud or scam,” Early Warning Services’ spokesperson told Ars. “Zelle usage has grown significantly since its launch, from 247 million transactions in 2017 to 1.8 billion in 2021, while the proportion of fraud and scams has steadily decreased.”

Common scams that banks aren’t required to reimburse

Warren reports that banks tell consumers that Zelle has a zero liability policy for fraud—but that banks know that Zelle’s policy excludes increasingly common scams known as “spoofing” and “me-to-me” scams.

When spoofing, scammers use “a reputable institution’s name or branding to induce a fraudulent payment.” Cases of “me-to-me” scams involve the “use of a consumer’s own contact information to disguise a payment” to a scammer’s account, leading the consumer to think that they’re sending a payment to their own account when they are not. In both cases, because consumers initiate payment, banks aren’t legally required to reimburse consumers making claims of fraudulent activity.

Both types of scams happened at once to one Wells Fargo customer who told the New York Times that the scammer linked their own bank account to the customer’s account, then called the customer from a number that the customer’s cellphone displayed as a valid call from Wells Fargo. The scammer posed as a Wells Fargo agent and got the customer to send a $500 payment to his own phone number before the customer got suspicious and disconnected. Later, Wells Fargo “repeatedly rebuffed” the customer's claims of fraudulent activity on his Zelle app.

For some Zelle users, the cost of getting scammed can be much higher. Warren reported that consumers in Massachusetts, Georgia, Illinois, and California have reported losses of thousands of dollars from these scams, and “in many cases, consumers reported losses that could significantly impact their small business and even wipe out their life savings.”

According to Warren, Zelle distinguishes between fraud—unauthorized charges that are reimbursable—and scams—authorized charges that are fraudulently induced. Banks have argued that scam claims can be harder to verify; they say that what’s needed isn't more bank regulations but better cooperation between banks and law enforcement investigating scam claims.

It’s hard to know the full extent of the problem without data from all 1,700 banks and credit unions that use Zelle. Since 2021, CFPB has collected hundreds of scam claims. Some banks reported data to Warren showing total scam activity that banks considered authorized and therefore not reimbursable, which happened in 2021 and six months into 2022. Data from Truist reported 7,223 scam cases involving over $5.4 million in payments, US Bank reported 21,794 cases involving over $13.6 million, and PNC reported 6,831 cases involving nearly $6.9 million. Chase, Wells Fargo, and Capital One did not provide this requested data to Warren.

Because Regulation E is currently vague, not all banks agree on how to manage spoofing and "me-to-me" scams. Some banks, like Truist, specifically do not include authorized scam activity under Zelle’s zero liability policy, but other banks reportedly do reimburse some scam activity. Chase Head of US Government Relations, Michelle Mesack, told Warren in a letter provided to Ars that Chase reimburses “me-to-me” scams, “even though this would be considered an authorized transaction under Regulation E.”

Banks and policymakers disagree on solutions

Warren did not respond to Ars’ request for comment but reported that CFPB is “reportedly considering issuing guidance clarifying the scope of Regulation E.” CFPB did not respond in time for deadline to clarify the expected timeline of their review.

None of the banks included in Warren’s report immediately responded to Ars’ request for comment, except Chase, which disagreed with how Warren has characterized fraudulent activity on Zelle but would not go on the record with an official statement.

A nonpartisan advocacy and research organization, the Bank Policy Institute, provided Ars with a joint statement on Warren’s report from the American Bankers Association, Bank Policy Institute, Consumer Bankers Association, and The Clearing House. The statement says that “Sen. Warren fails to acknowledge that 99.9 percent of the 5 billion transactions processed on the Zelle network in the past 5 years were sent without any report of fraud or scams.”

“That doesn’t mean that Zelle, just like every other instant P2P payment service, is entirely free from those who seek to defraud the American consumer,” the statement said. “Banks know this and take steps to mitigate instances of fraud and criminal activity,” such as warning consumers.

They also claim that expanding CFPB regulations could result in diminished access to Zelle, new Zelle fees imposed on users, and more limited features, potentially resulting in “a chilling and disproportionate impact on community banks and all small financial institutions.”

Their preferred solution is to focus on the criminals, not the banks, saying, “Let’s stop the criminals rather than create policies that risk diminishing the value and benefits of this increasingly popular and indispensable service.”

Consumer Watchdog president Jamie Court agrees with Warren that clarifying regulations is critical.

“We agree with Senator Warren that the CFPB should clarify existing regulations to make sure that victims of Zelle fraud are reimbursed for the fraud they suffered by the banks that are profiting from Zelle,” Court told Ars.

Beyond CFPB potentially updating Regulation E to include scams as illegal activity banks must reimburse, Court thinks CFPB should make banks be more transparent about the risks involved with using Zelle.

“The CFPB should require the banks to do better policing of the platform and greater education of consumers of the dangers of fraud on it,” Court told Ars. “If the banks negligently operate a platform like Zelle, they should be responsible to defrauded consumers who are victims of that negligence.”

“Given this uncertain landscape and the banks’ abdication of responsibility, regulatory clarity is needed to further protect Zelle users,” Warren concluded in her report.

-----------

Ashley Belanger is the senior tech policy reporter at Ars Technica, writing news and feature stories on tech policy and innovation. She is based in Chicago. 

EMAIL [email protected] // TWITTER @ashleynbelanger