Argelys Oriach was returning home from a shopping spree one evening in March when he was robbed at gunpoint. The thief demanded his iPhone and passcode. Mr. Oriach turned them over and fled.
The next morning, Mr Oriach, who lives in Brooklyn, said he discovered the thief had drained $8,294 from his bank accounts at Capital One, using several money transfer apps, including Zelle. He contacted Capital One, expecting the bank to reimburse him for the stolen money, as required by federal law. The bank only refunded $250, saying it found no evidence the rest of the money was stolen. Mr. Oriach was stunned.
“I filed a police report, identified the suspect at a police station and even testified before a grand jury,” he said. “But none of that seems to have helped my case.”
After The New York Times asked Capital One about Mr Oriach’s case, bank officials said they had determined there was fraud and would reimburse him. “We have contacted the client to apologize for any additional stress this matter has caused,” Capital One said in an emailed statement.
In recent years, payment apps such as Zelle, Venmo, and Cash App have become the preferred way for millions of customers to transfer money from one person to another. Last year, people sent $490 billion through Zelle, the country’s most popular payment app, and $230 billion through Venmo, its closest rival.
But the same reasons that have drawn customers to these apps — they’re free, fast, and convenient — have made them easy targets for scammers and thieves. While banks say they shouldn’t have to refund customers who inadvertently gave a scammer permission to use their accounts, they have also often been reluctant to refund customers like Mr Oriach whose money has been stolen. This could be a potential violation of the law.
Under a 1978 federal rule called Regulation E, banks are required to return customers whole if their money is stolen from a consumer account through an electronic payment initiated by another person, as in the case by Mr. Oriach.
Because Reg E was drafted long before payment apps existed, the Consumer Financial Protection Bureau released guidance last year saying the law covered all person-to-person online payments. The office clarified that all unauthorized online money transfers – meaning any payment initiated by someone other than the customer and made without the customer’s authorization – are the responsibility of the bank.
“When a consumer notifies a financial institution that money has been stolen from the consumer’s account, the onus is on the institution to show that the transfer of funds out of the consumer’s account was authorized by the consumer,” said said Raul Cisneros, a spokesman. for the office.
But despite the updated guidelines, banks are in many cases refusing to reimburse customers who claim – often with supporting documentation – that money was stolen from their accounts. Banks rarely provide clear explanations for their decisions, leaving victimized customers little recourse.
The updated guidance from the Office of Consumer Affairs “has caused a great deal of anguish and confusion for banks”, said payments consultant Peter Tapling. “Regulation E was never intended for instant money movement products.”
In early February, Chuck Ruoff said, a thief transferred his cell phone number to another device using an attack technique called “SIM swapping.” The thief then used Mr. Ruoff’s number to access his accounts at Bank of America and extract $3,450 through Zelle. Mr Ruoff reported the theft as soon as he discovered it, but his claim was dismissed. The bank said the transaction did not appear to be unauthorized.
Mr. Ruoff sent the bank additional documents, including a police report and a letter from Verizon outlining what happened, and asked that the matter be reconsidered. He was told to wait 45 days for a response. Once that time had passed, she was told to keep waiting. Mr. Ruoff spent hours on the phone, calling every few days for an update on his claim.
“I said repeatedly, ‘I’ve never used Zelle. I never authorized that,” said Mr. Ruoff, a Bank of America customer of 34 years. “I said to the lady I spoke to once, do you think I would go to the police department and file a fake report? That’s a crime.
After The Times contacted Bank of America, it refunded Mr. Ruoff’s money. The bank was already reconsidering its decision and paid the claim after considering additional information provided by Mr. Ruoff, said Bill Halldin, a spokesman for the bank.
Zelle, the most popular payment app, is owned and operated by Early Warning Services, a company based in Scottsdale, Arizona. Early Warning is owned by seven banks: Bank of America, Capital One, JPMorgan Chase, PNC, Truist, US Bank and Wells Fargo. But each of the 1,600 banks and credit unions that offer Zelle to their customers uses its own security settings and policies.
Neither the banks nor Early Warning publicly release fraud data, so it’s hard to tell how prevalent scams and thefts are on Zelle. Incidents like those described by Mr. Oriach and Mr. Ruoff are “rare” and represent a small portion of activity on the platform, said Meghan Fintland, a spokeswoman for Early Warning.
In a survey of nearly 1,400 people whose accounts were accessed without their consent last year, a quarter said Zelle or other person-to-person payment services had been used to make money transfers. unauthorized money, according to a report by Shirley Inscoe, an advisor at Aite-Novarica Group, a financial services consultant. This was right after the fraudulent credit card transactions.
Bob Sullivan, journalist and longtime consumer advocate, compared the current wave of scams and thefts – and banks’ reluctance to absorb the losses – to the early days of online banking, when phishing and other Tricks for obtaining customer logins and passwords were epidemic, and banks routinely turned down customer complaints. It took an order from the Federal Reserve in 2005 to make it clear to banks that they were supposed to cover such cases.
Outright theft is just one aspect of the much bigger problem of fraud on Zelle and other payment apps. In March, The Times reported that scammers and other con artists often trick people into making payments themselves, for example by posing as bank employees or selling fraudulent products. In these cases, banks typically refuse to make refunds, arguing that since the customers themselves initiated the transfer, it is not “unauthorized” as defined by law.
Some lawmakers are starting to take notice.
Asked by the House Financial Services Committee about the rise in online payment scams following the Times report, Rohit Chopra, the director of the consumer affairs office, said it was high on the radar from the office. “Fraud is piling up, and it’s a major problem,” Chopra said.
Representative Stephen F. Lynch, Democrat of Massachusetts, raised concerns during this hearing regarding consumer protections for Zelle transfers. “There is a responsibility in principle on the part of the banks,” Mr Lynch said.
Sen. Elizabeth Warren, Democrat of Massachusetts, recently criticized the big banks that own Zelle. “Reports of widespread fraud harming Zelle consumers are deeply concerning, especially as its parent company and the major banks that own it fail to take responsibility,” said Ms. Warren, who serves on the Senate Banking Committee.
In April, she sent a scathing letter to Early Warning Services along with another Democrat, Sen. Bob Menendez of New Jersey, blaming the company and its owners for creating a “confusing and unfair” situation for victims.
The customers filed separate lawsuits seeing class action status against Bank of America, Capital One and Wells Fargo, claiming the lenders had not done enough to protect consumers from the fraud that occurred on Zelle. Wells Fargo and Capital One declined to comment. Bank of America said it disagreed with the allegations.
Changing regulatory guidelines can change the fate of victims of theft. In May 2020, Martin Bronson, an 80-year-old retiree in Florham Park, NJ, received a call from a man claiming to be an Amazon customer service agent. Mr. Bronson gave the man access to his computer with TeamView, a remote control application. The caller then accessed his Bank of America account and used Zelle to transfer $3,316.
Mr. Bronson sent the bank his police report. His request was denied.
After the Consumer Affairs Office issued guidelines saying Reg E covered all unauthorized person-to-person transfers – and after The Times called Bank of America last month about Mr Bronson’s case – it said received good news. The bank refunded him the money.
“We decided on the claim based on the facts and current E-regulation guidelines, as we would any customer request,” said Mr. Halldin, a spokesman for Bank of America.
In January, Carla Lisio, a therapist in White Plains, NY, discovered that her checking account at Chase was $4,750 short. She said she informed the bank and discovered that the money had been sent through Zelle to a Gmail account she did not recognise. Ms Lisio insists she did not make the transfer.
The bank has repeatedly rejected his refund requests, saying it found no evidence of fraud. “The device used is consistent with your history, no new devices have been added, and there have been no invalid login attempts,” the bank wrote to him in March.
Ms Lisio said she was shocked that her flawless 25-year history as a Chase client seemed to count for nothing. “They call me a liar and they call me a criminal, because what they’re saying is I’m trying to steal $4,750 from the bank,” she said. “I really want to tell them, I can’t explain what happened. All I can tell you is that I didn’t do that. And all you can tell me is that you don’t believe me.
When The Times contacted Chase, it stood by its decision.
Jack Beg contributed to the research.