Legal
Friday, August 9, 2024
By Jim Romeo
Decades-old payment and credit card regulations have clarified consumer rights and protections from fraud and theft. Banks became adept at managing the risks and losses within one of their most lucrative profit centers.
A new breed of peer-to-peer (P2P) payment apps is raising questions about the reach of the old rules, and the resoundingly popular, bank-owned Zelle is under fire from lawmakers as a result.
Operated by Early Warning Services (EWS), which is owned by seven major banks, Zelle offers a way for account holders to “send and receive fast, free and easy payments with family, friends and people they trust, across a network of over 2,100 participating banks and credit unions,” Mark Monaco, head of Global Payment Solutions, Bank of America Corp., told the U.S. Senate Permanent Subcommittee on Investigations.
Before Monaco and executives of EWS, JPMorgan Chase & Co. and Wells Fargo & Co. testified on July 23, the Senate panel’s chairman, Richard Blumenthal, released results of a staff investigation finding that “Zelle’s three largest owner banks reimbursed victims who report [unauthorized-transaction] fraud only 38% of the time in 2023 – a decline from 62% in 2019. In terms of dollar value,” Blumenthal, a Connecticut Democrat, added, “this translates to over $100 million worth of transactions disputed as fraud not reimbursed each year from 2021 through 2023.”
EWS Chief Executive Cameron Fowler
EWS says that 120 million consumers and small businesses used Zelle last year online or via mobile devices, and 99.9% of transactions are completed without incident. According to EWS CEO Cameron Fowler, “from 2022 to 2023, reports of fraud and scam payments processed on the Zelle Network decreased – while we simultaneously grew our network and increased transaction volume.”
As Monaco testified, Zelle has grown every year since inception in 2017 and is the most-used P2P payment service. “Consumers across institutions have sent over 8.5 billion payments using Zelle, amounting to more than $2.3 trillion in transaction value,” he said.
Advice posted on a Zelle safety page.
A Zelle information page stresses that payments are cash-like, instantaneous and irreversible, alongside educational messaging – reinforced by each bank in its own way – to be alert to scams and how to report them.
But Blumenthal and other legislators have not been satisfied with Zelle data provided to them by the banks, nor with the prevailing level of consumer protection. In an August 4 letter, Blumenthal urged Consumer Financial Protection Bureau director Rohit Chopra to review his subcommittee’s report and thoroughly investigate the dispute resolution practices of Zelle and other peer-ro-peer platforms.
JPMorgan, facing inquiries from the CFPB that could lead to an enforcement action, has defended its Zelle policies as “above and beyond what the law requires,” Reuters reported. A bank spokesperson said the CFPB “should expect to be challenged to ensure their actions stay within the bounds of the law.”
All parties appear not to dispute that Zelle itself is not to blame for the criminality at the root of the exploitation.
P2P payment fraud, accompanying a surge in popularity of services available through easy-to-access apps, is one of the most visible types of illicit activity associated with or exploiting financial digitization. Modes of attack might involve social engineering, phishing and identity theft, elder financial abuse and pig butchering.
“Big banks own and profit from Zelle, but are failing to make their customers whole for both authorized and unauthorized fraudulent activity on the platform, despite their claims that it is safe and that they have a ‘zero liability’ policy for fraud,” Senator Elizabeth Warren said in 2022, an indication of how long the issue has been simmering.
“New internal data from the big banks shows that their platform Zelle is rampant with fraud and theft, and few customers are getting refunded – potentially violating federal laws and consumer rules,” Warren asserted. Despite the respective CEOs’ promises to the Senate Banking Committee, the liberal Massachusetts Democrat continued, “JPMorgan and Wells Fargo have still not turned over complete data, and I’ll keep fighting for stronger consumer protections and to hold all these banks accountable for abuse.”
Fast forward to February this year, following a Senate Banking Committee hearing, Warren and majority colleagues Jack Reed of Rhode Island and (committee chair) Sherrod Brown of Ohio complained “that Zelle has not shared any specific information about its reimbursement policy, customers may not know that they can be reimbursed and, thinking they may not get any help, may not report these scams. Zelle should clarify whether all participating banks and credit unions are required to reimburse customers who are victims of ‘qualifying’ imposter scams and make that policy public.”
The senators sent a letter asking EWS’s Cameron Fowler “to publicly clarify your reimbursement policy for imposter scams, add more categories of scams that consumers can be reimbursed for, and that you streamline the process for customers to report unauthorized transactions, scams, and fraud on Zelle.”
Two other platforms, Cash App (owned by Block) and Venmo (PayPal), received similar entreaties in 2023.
Blumenthal’s investigations subcommittee gathered more ammunition in a May 2024 hearing, calling two victims of Zelle scams as witnesses. One, Maryland retiree Anne Humphreys, was duped into sending emergency cash to a purported lawyer who requested it on behalf of her brother. Humphreys’ claim for reimbursement was denied, leading her to ask, “If Wells Fargo knew there were no consumer protections on Zelle, why did they offer the service to their customers?”
Senator Richard Blumenthal
The Senate panel’s ranking Republican member, Ron Johnson of Wisconsin, did not want the prevalence of legitimate transactions to be overlooked. But he conceded that “more may need to be done to assist individuals who have fallen victim to a scam that tricks them into sending money to another user . . . The banks need more incentives to invest in more secure systems for peer-to-peer payments.”
“Year after year,” Blumenthal said when announcing the July hearing, “Zelle and the banks that own it have failed to fully protect consumers from a growing threat of scams and fraud. The banks play ‘heads I win, tails you lose,’ as sophisticated scammers reap the benefits and consumers lose hard-earned money . . . Instant payments must not mean instant losses for consumers.”
Blumenthal joined with Warren and Representative Maxine Waters of California, the ranking Democratic member of the House Banking Committee, on August 2 in introducing the Protecting Consumers from Payment Scams Act. Blumenthal characterized it as taking “bold action where Zelle’s efforts at self-regulation have fallen short.”
In defense of the banks, American Bankers Association executive vice president Paul Benda said in February: “While banks need to have the technology and infrastructure in place to defend themselves and their customers, they can only provide the leads necessary for law enforcement to track down the perpetrators. Banks also need the telecom companies and their regulators to close regulatory loopholes that allow criminals to spoof legitimate names and phone numbers to convince customers they are speaking with a bank.”
Jennifer Lucas, EY Americas payments consulting leader, says P2P is part of a fraud landscape that includes checks and credit cards and transcends payments.
“What is remarkable,” she says, “is the well-orchestrated and effective efforts to get consumers to authorize and send funds to ‘scamsters’ using a variety of payment methods – from prepaid cards to real-time digital payments. This is creating a new category of fraud and pushing the boundaries of existing definitions of fraud and decades-old regulation that was designed to protect consumers from unauthorized access to their funds.”
While the perpetrators “are equal-opportunity when it comes to payments, it just happens that we’ve reinvented a safer version of cash in digital payments (immediate, irrevocable) that is an extremely efficient way for scamsters to cash out,” Lucas continues. “More can be and is being done to educate and protect consumers, and I would expect more and more investment in helping consumers identify scams and, within the banks, identifying scams when they happen."
As Deloitte Transactions and Business Analytics principal Josh Hanna points out, “Fraudsters are constantly seeking to gain access” to P2P money, whether by physically stealing a phone or other device, manipulating victims to allow entry, or unleashing malware.
"While fraud schemes could range from an offer of romance via social engineering to other forms of deception, bad actors work to convince victims that they owe or should pay a certain amount of money.”
Chris Clements of CISO Global
Can technology solutions stem the tide?
"In general, recovery depends on the fraud mechanism and timing," says Chris Clements, vice president of solutions architecture at cybersecurity and compliance company CISO Global. “The bigger platforms have mechanisms that, depending on their policy, can be employed to dispute a fraudulent transaction, but in some cases, if enough time has passed for the scammer to withdraw the funds to a different account, it may not be possible to recover the funds.”
Clements says Zelle became a favorite of fraudsters because of its irrevocability, but security measures implemented late last year made it less attractive to some on the dark side than are cryptocurrency apps outside of the fiat financial system.
As “an attorney who has helped numerous clients with financial messes only PayPal and Square can create,” says Martin Gasparian of California-based Maison Law, “I absolutely believe there should be more legal safeguards to address fraud when using person-to-person payment systems.” But he notes that “technology itself changes in the blink of an eye and swipe of a screen.
“While important and protective legislation is being assessed and implemented, users should always be aware of who they are working and interacting with on these platforms.”
As has been said by the Washington lawmaker-critics, the Electronic Fund Transfer Act of 1978 and Federal Reserve Regulation E protect against “unpermitted transfers of funds,” Gasparian states.
The Blumenthal-Warren-Waters bill would update the EFT Act, specifically protecting consumers “when they are defrauded into initiating a payment sent to a bad actor, when they lose funds through fraudulent bank wire transfers, and when their accounts are inexplicably frozen or closed,” according to the sponsors’ announcement.
“Please keep in mind,” Gasparian says with respect to existing law, “the required legal processes to recover lost money (and rebuilding of financial reputation) is lengthy and costly . . . I advise that all P2P payments be made with utmost discretion and attention. This is a case where the perk of convenience also contains the responsibility of discernment before clicking ‘send.’”
James Ruotolo, senior director in financial services at data analytics leader SAS, says, “The scope and scale of scam activity demands a new approach. Scammers are using robotics and automation technology to target more victims. This problem will get worse as scammers adopt new generative-AI-based tools.
“Regulators could also take a harder line on enforcing reimbursement policies consistently,” Ruotolo goes on. And “innovative GenAI solutions can be applied to detection engines, AI models, analytical platforms and advanced orchestration hubs to more accurately flag suspicious interactions and events.
“Scams are difficult to identify with traditional fraud detection methods because a legitimate customer initiates the transaction. In some cases, it may be easier for the receiving bank to identify behavior indicative of scam activity, but those banks need an incentive to do so.”
•Bylaws •Code of Conduct •Privacy Notice •Terms of Use © 2024 Global Association of Risk Professionals