Argelys Oriach was on his way home from a shopping trip one night in March when he was robbed at gunpoint. The thief demanded the iPhone from him and password. Mr. Oriach turned them around and fled.
The next morning, Mr. Oriach, who lives in Brooklyn, said he discovered the thief had withdrawn $8,294 from his Capital One bank accounts, using various money transfer apps, including Zelle. He contacted Capital One, hoping the bank would reimburse him for the stolen money, as required by federal law. The bank refunded only $250 and said it found no evidence the rest of the money was stolen. Mr. Oriach was stunned.
“I filed a police report, identified the suspect at a police station and even testified before a grand jury,” he said. “But none of that seems to have helped in my case.”
After The New York Times asked Capital One about Mr. Oriach’s case, representatives for the bank said they had determined that fraud had occurred and that they would pay him. “We have reached out to the customer to apologize for any additional stress this matter has caused,” Capital One said in an emailed statement.
In recent years, payment apps like Zelle, Venmo, and Cash App have become the preferred way for millions of customers to transfer money from one person to another. Last year, people sent $490 billion on Zelle, the nation’s most popular payment app, and $230 billion on Venmo, its closest rival.
But the same reasons that have drawn customers to these apps—they’re free, fast, and convenient—have made them easy targets for scammers and thieves. While banks argue that they shouldn’t have to refund customers who inadvertently gave a scammer permission to use their accounts, they have also often been reluctant to refund customers like Mr. Oriach, whose money was Stolen. That could be a possible violation of the law.
Under a 1978 federal rule called Regulation E, banks are required to compensate customers if their money is stolen from a consumer account through an electronic payment initiated by someone else, as in Mr. Oriach’s case.
Since Reg E was written long before payment apps existed, the Consumer Financial Protection Bureau issued guidelines last year that said the law covered all person-to-person online payments. The bureau clarified that all unauthorized online money transfers, meaning any payment initiated by someone other than the customer and made without the customer’s permission, were the responsibility of the bank.
“When a consumer notifies a financial institution that money was stolen from the consumer’s account, the institution has the responsibility to demonstrate that the transfer of funds out of the consumer’s account was authorized by the consumer,” said Raúl Cisneros, a spokesman. . to The Office.
But despite the updated guidance, banks are in many cases refusing to refund customers who claim, often with supporting documentation, that money was stolen from their accounts. Banks rarely provide clear explanations for their decisions, leaving victimized customers with little recourse.
The updated guidelines from the consumer bureau “caused a lot of distress and confusion for banks,” said Peter Tapling, a payments consultant. “Regulation E was never intended for instant money moving products.”
In early February, Chuck Ruoff said, a thief transferred his mobile phone number to another device through an attack technique called “SIM swapping.” The thief then used Mr. Ruoff’s number to break into his Bank of America accounts and withdraw $3,450 through Zelle. Mr. Ruoff reported the theft as soon as he discovered it, but his claim was denied. The bank said the transaction did not appear to be unauthorized.
Mr. Ruoff submitted additional documentation to the bank, including a police report and a letter from Verizon describing what happened, and requested that the case be reconsidered. They told him to wait 45 days for a response. When he passed that deadline, they told him to keep waiting. Mr. Ruoff spent hours on the phone, calling every few days to get a claim update from him.
“I repeatedly said, ‘I’ve never used Zelle. I never authorized this,’” said Mr. Ruoff, who has been a Bank of America customer for 34 years. “I told the lady I spoke to once, do you think she would go to the police department and file a false report? That is a crime.
After The Times contacted Bank of America, it returned Ruoff’s money. The bank was already reconsidering its decision and paid the claim after taking into account additional information provided by Ruoff, said Bill Halldin, a bank spokesman.
Zelle, the most popular payment app, is owned and operated by Early Warning Services, a company based in Scottsdale, Arizona. Early Warning is owned by seven banks: Bank of America, Capital One, JPMorgan Chase, PNC, Truist, US Bank and Wells Fargo. But each of the 1,600 banks and credit unions that offer Zelle to their customers uses its own security settings and policies.
Neither the banks nor Early Warning publicly release any data on fraud, so it’s hard to know how prevalent scams and thefts are at Zelle. Incidents like those described by Oriach and Ruoff are “rare” and make up a small part of the activity on the platform, said Meghan Fintland, a spokeswoman for Early Warning.
In a survey of nearly 1,400 people whose accounts were accessed without their consent last year, a quarter said Zelle or other person-to-person payment services were used to make unauthorized money transfers, according to a report by Shirley Inscoe. , adviser to Aite. -Novarica Group, financial services consultancy. That was second only to fraudulent credit card transactions.
Bob Sullivan, a journalist and longtime consumer advocate, compared the current wave of scams and thefts — and banks’ reluctance to absorb losses — to the early days of online banking, when phishing and other tricks to obtain customer login credentials and passwords was epidemic, and banks routinely denied customer claims. It took a Federal Reserve order in 2005 to make it clear to banks that they were expected to cover such cases.
Outright theft is just one aspect of the much larger problem of fraud on Zelle and other payment apps. In March, The Times reported that fraudsters and other scammers often trick people into making payments themselves, such as by posing as bank employees or selling fraudulent products. In such cases, banks generally refuse to make refunds, arguing that since the transfer was initiated by the customers themselves, it is not “unauthorized” as defined by the law.
Some lawmakers are starting to take notice.
Asked by the House Financial Services Committee about the rise in online payment scams following The Times report, Rohit Chopra, director of the consumer bureau, said it was high on the radar of the office. “Fraud is piling up and it’s a major problem,” Chopra said.
Rep. Stephen F. Lynch, a Democrat from Massachusetts, raised concerns at that hearing about consumer protections for Zelle transfers. “There is a responsibility in principle on the part of the banks,” said Lynch.
Senator Elizabeth Warren, a Democrat from Massachusetts, recently criticized the big banks that own Zelle. “Reports of widespread fraud harming consumers at Zelle are deeply concerning, especially as its parent company and the big banks that own it are not taking responsibility,” said Ms. Warren, who sits on the Senate Banking Committee.
In April, he sent a scathing letter to Early Warning Services with another Democrat, Sen. Bob Menendez of New Jersey, criticizing the company and its owners for creating a “confusing and unfair” situation for victims.
Customers have filed separate lawsuits to see the status of a class action lawsuit against Bank of America, Capital One and Wells Fargo, alleging that lenders did not do enough to protect consumers from the fraud that occurred at Zelle. Wells Fargo and Capital One declined to comment. Bank of America said it did not agree with the allegations.
Changing regulatory guidelines has the potential to change the outcome for victims of theft. In May 2020, Martin Bronson, an 80-year-old retiree from Florham Park, New Jersey, received a call from a man claiming to be an Amazon customer service agent. Bronson gave the man access to his computer with TeamView, a remote control application. The person he called then logged into his Bank of America account and used Zelle to transfer $3,316.
Mr. Bronson sent his police report to the bank. His claim was denied.
After the consumer bureau issued guidelines clarifying that Reg E covered all unauthorized person-to-person transfers, and after The Times called Bank of America last month about Mr. Bronson’s case, he got some good news. . The bank returned the money.
“We decided the claim based on the facts and current Regulation E guidelines, as we would any customer request,” said Halldin, the Bank of America spokesman.
In January, Carla Lisio, a therapist in White Plains, NY, discovered that $4,750 was missing from her checking account at Chase. She said that she notified the bank and discovered that the money had been sent through Zelle to a Gmail account that she did not recognize. Mrs. Lisio insists that she did not make the transfer.
The bank has repeatedly rejected their refund requests, saying it found no evidence of fraud. “The device used is consistent with its history, no new devices were added, and there were no invalid login attempts,” the bank wrote to him in March.
Ms. Lisio said she was surprised that her 25-year impeccable record as a Chase client seemed to count for nothing. “They’re calling me a liar and they’re calling me a criminal, because what they’re saying is I’m trying to steal $4,750 from the bank,” she said. “I really just want to tell you that I can’t explain what happened. All I can tell you is that I didn’t do this. And all you can tell me is that you don’t believe me.
When contacted by The Times, Chase stood by his decision.
jack begg contributed research.