On my blog and in my newsletter, I’ve been warning consumers about the lack of security when using electronic money transfer apps.
Now Zelle and three of the nation’s largest banks are being sued for failing to protect consumers from widespread fraud on America’s most widely available peer-to-peer payment network.
The Consumer Financial Protection said Bureau Early Warning Services, which operates Zelle, along with three of its owner banks – Bank of America, JPMorgan Chase, and Wells Fargo – rushed the network to market to compete against growing payment apps such as Venmo and CashApp, without carrying out effective consumer safeguards.
Customers of the three banks have lost more than $870 million during the network’s seven-year of operation due to these failures, the agency said.
The CFPB’s lawsuit describes how hundreds of thousands of consumers filed fraud complaints and were largely denied assistance, with some being told to contact the fraudsters directly to recover their money. Bank of America, JPMorgan Chase, and Wells Fargo also allegedly failed to properly investigate complaints or provide consumers with legally required reimbursement for fraud and errors.
“The nation’s largest banks felt threatened by competing payment apps, so they rushed to put out Zelle,” CFPB Director Rohit Chopra said in a statement. “By their failing to put in place proper safeguards, Zelle became a gold mine for fraudsters, while often leaving victims to fend for themselves.”
Zelle allows near-instant electronic money transfers through linked email addresses or U.S.-based mobile phone numbers, known as “tokens.” Users can create multiple tokens across different banks and quickly reassign them between institutions, a feature that has left consumers vulnerable to fraud schemes, according to the lawsuit.
The CFPB alleges widespread consumer losses have occurred since Zelle’s 2017 launch due to the platform’s and the defendant banks’ failure to carry out fraud prevention and detection safeguards. The agency also alleges that Bank of America, JPMorgan Chase, Wells Fargo, and Early Warning Services violated federal law through critical failures including:
- Leaving the door open to scammers: Zelle’s limited identity verification methods have allowed bad actors to quickly create accounts and target Zelle users. For example, criminals often exploited Zelle’s design and features to link a victim’s token to the fraudster’s deposit account, which caused payments intended for the consumer’s account to instead flow to the fraudster account.
- Allowing repeat offenders to hop between banks: Early Warning Services and the defendant banks were too slow to restrict and track criminals as they exploited multiple accounts across the network. Banks didn’t share information about known fraudulent transactions with other banks on the network. As a result, bad actors could carry out repeated fraud schemes across multiple institutions before being detected, if they were detected at all.
- Ignoring red flags that could prevent fraud: Despite receiving hundreds of thousands of fraud complaints, the defendant banks have failed to use this information to prevent further fraud. They also allegedly violated the Zelle Network’s own rules by not reporting fraud incidents consistently or on time.
- Abandoning consumers after fraud occurred: Despite obligations under federal law, the defendant banks failed to investigate Zelle customer complaints and take action for certain types of fraud and errors.
The takeaway? Avoid electronic money transfer apps. They’re an example of a new technology that doesn’t measure up.
