Argelys Oriach was on his way home from a shopping trip one evening in March when he was robbed at gunpoint. The thief demanded his iPhone and passcode. Oriach turned them over and fled.
The next morning, Oriach, who lives in New York City, said he discovered that the thief had drained $8,294 from his bank accounts at Capital One, using multiple money transfer apps including Zelle. He contacted Capital One, fully expecting the bank to refund him the stolen cash, as required by federal law. The bank refunded only $250, saying it found no evidence that the rest of the money was stolen. Oriach was stunned.
“I filed a police report, identified the suspect at a precinct and even testified at a grand jury,” he said. “But none of that seems to have helped my case.”
After The New York Times asked Capital One about Oriach’s case, bank representatives said they had determined there was fraud and would repay him. “We reached out to the customer to apologize for any additional stress this matter has caused,” Capital One said in an emailed statement.
In recent years, payment apps like Zelle, Venmo and Cash App have become the preferred way for millions of customers to transfer money from one person to another. Last year, people sent $490 billion on Zelle, the country’s most popular payments app, and $230 billion through Venmo, its closest rival.
But the same reasons that have drawn customers to these apps — they are free, fast and convenient — have made them easy targets for scammers and thieves. While banks argue that they shouldn’t have to refund customers who inadvertently granted a scammer permission to use their accounts, they have also often been reluctant to refund customers like Oriach whose money was stolen. That could be a potential violation of the law.
Under a 1978 federal rule called Regulation E, banks are required to make clients whole if their money is stolen from a consumer account through an electronic payment initiated by another person, as in Oriach’s case.
Since Reg E was written well before payment apps existed, the Consumer Financial Protection Bureau last year issued guidelines saying that the law covered all person-to-person online payments. The bureau clarified that all unauthorized online money transfers — meaning any payment initiated by someone other than the customer and done without the customer’s permission — were the bank’s liability.
“When a consumer provides notice to a financial institution that money was stolen from the consumer’s account, the burden is on the institution to show that the transfer of funds out of the consumer’s account was authorized by the consumer,” said Raul Cisneros, a spokesperson for the bureau.
But despite the updated guidance, banks in many cases are refusing to refund customers who claim — often with supporting documentation — that money was stolen from their accounts. The banks rarely provide clear explanations for their decisions, leaving victimized customers with little recourse.
The consumer bureau’s updated guidelines “caused a lot of angst and confusion for banks,” said Peter Tapling, a payments consultant. “Regulation E was never intended for instant money movement products.”
In early February, Chuck Ruoff said, a thief transferred his mobile phone number to another device through an attack technique called “SIM swapping.” The thief then used Ruoff’s number to get into his accounts at Bank of America and extract $3,450 through Zelle. Ruoff reported the theft as soon as he discovered it, but his claim was denied. The bank said the transaction did not appear to be unauthorized.
Ruoff sent the bank additional documentation, including a police report and a letter from Verizon describing what happened, and asked for the case to be reconsidered. He was told to wait 45 days for a response. When that deadline passed, he was told to keep waiting. Ruoff spent hours on the phone, calling every few days for an update on his claim.
“I said repeatedly, ‘I’ve never used Zelle. I never authorized this,’ ” said Ruoff, who has been a Bank of America customer for 34 years. “I said to the lady I spoke with once, do you think I would go to the police department and file a false report? That’s a crime.”
After the Times contacted Bank of America, it refunded Ruoff’s money. The bank was already reconsidering its decision and paid the claim after taking into account additional information provided by Ruoff, said Bill Halldin, a bank spokesperson.
Zelle, the most popular payments app, is owned and operated by Early Warning Services, a company based in Scottsdale, Arizona. Early Warning is owned by seven banks — Bank of America, Capital One, JPMorgan Chase, PNC, Truist, U.S. Bank and Wells Fargo. But each of the 1,600 banks and credit unions that offer Zelle to their customers uses its own security settings and policies.
Neither the banks nor Early Warning publicly release any data on fraud, so it’s hard to tell how prevalent scams and theft are on Zelle. Incidents like the ones described by Oriach and Ruoff are “rare” and make up a small portion of the activity on the platform, said Meghan Fintland, a spokesperson for Early Warning.
In a survey of nearly 1,400 people whose accounts were accessed without their consent last year, one-quarter said Zelle or other person-to-person payment services were used to make unauthorized money transfers, according to a report by Shirley Inscoe, an adviser at Aite-Novarica Group, a financial services consultant. That was second only to fraudulent credit card transactions.
Bob Sullivan, a journalist and longtime consumer advocate, likened the current wave of scams and thefts — and the banks’ reluctance to absorb the losses on them — to the early days of online banking, when phishing and other tricks to get customers’ login credentials and passwords were epidemic and banks routinely denied customers’ claims. It took an order from the Federal Reserve in 2005 to make it clear to banks that they were expected to cover such cases.
Outright theft is just one aspect of the much bigger problem of fraud on Zelle and other payments apps. In March, the New York Times reported that con artists and other scammers often trick people into making payments themselves — such as by posing as bank employees or selling fraudulent goods. In those cases, banks usually refuse to make refunds, arguing that since customers themselves initiated the transfer, it’s not “unauthorized” under the definition of the law.
Some lawmakers are beginning to take note.
Asked by the House Financial Services Committee about surging online payment scams after the Times report, Rohit Chopra, director of the consumer bureau, said it was high on the bureau’s radar. “Fraud is piling up, and it’s a major problem,” Chopra said.
Rep. Stephen F. Lynch, D-Mass., raised concerns at that hearing about consumer protections for Zelle transfers. “There’s a responsibility in principle on the part of the banks,” Lynch said.
Sen. Elizabeth Warren, D-Mass., recently criticized the big banks that own Zelle. “Reports of widespread fraud harming consumers on Zelle are deeply concerning, especially as its parent company and the big banks that own it fail to take responsibility,” said Warren, who sits on the Senate Banking Committee.
In April, she sent a scathing letter to Early Warning Services with another Democrat, Sen. Bob Menendez of New Jersey, blasting the company and its owners for creating a “confusing and unfair” situation for victims.
Customers have filed separate lawsuits seeking class-action status against Bank of America, Capital One and Wells Fargo, claiming that the lenders didn’t do enough to protect consumers from fraud that occurred on Zelle. Wells Fargo and Capital One declined to comment. Bank of America said it disagreed with the allegations.
Changing regulatory guidelines have the potential to change the outcome for victims of theft. In May 2020, Martin Bronson, an 80-year-old retiree in Florham Park, New Jersey, got a call from a man who claimed to be an Amazon customer service agent. Bronson gave the man access to his computer with TeamView, a remote control app. The caller then got into his Bank of America account and used Zelle to transfer $3,316.
Bronson sent the bank his police report. His claim was denied.
After the consumer bureau issued guidelines clarifying that Reg E covered all unauthorized person-to-person transfers — and after the New York Times called Bank of America last month about Bronson’s case — he got some good news. The bank refunded him the money.
“We decided the claim based on the facts and current Regulation E guidelines, as we would any client request,” said Halldin, the Bank of America spokesperson.
In January, Carla Lisio, a therapist in White Plains, New York, discovered $4,750 missing from her checking account at Chase. She said she notified the bank and found that the money had been sent through Zelle to a Gmail account she didn’t recognize. Lisio insists she did not make the transfer.
The bank has repeatedly rejected her reimbursement requests, saying it found no evidence of fraud. “The device used is consistent with your history, there were no new devices added and there were no invalid log in attempts,” the bank wrote to her in March.
Lisio said she was shocked that her spotless 25-year history as a Chase customer seemed to count for nothing. “They’re calling me a liar and they’re calling me a criminal, because what they’re saying is, I’m trying to steal $4,750 from the bank,” she said. “I really just want to say to them, I can’t explain what happened. All I can tell you is that I didn’t do this. And all you’re able to tell me is that you don’t believe me.”
When the New York Times contacted Chase, it stuck with its decision.