Argelys Oriach was on his way home from a shopping trip one evening in March when he was robbed at gunpoint. The thief demanded his iPhone and passcode. Mr. Oriach turned them around and fled.
The next morning, Mr. Oriach, who lives in Brooklyn, said he discovered that the thief had debited $8,294 from his bank accounts at Capital One, using multiple money transfer apps, including Zelle. He contacted Capital One, expecting the bank to refund him the stolen money, as required by federal law. The bank refunded only $250 and said it had found no evidence that the rest of the money had been stolen. Mr. Oriach was stunned.
“I have reported it to the police, identified the suspect at a police station and even testified before a grand jury,” he said. “But none of that seems to have helped my case.”
After the New York Times asked Capital One about Mr. Oriach’s case, bank representatives said they had identified fraud and would refund him. “We have reached out to the client to apologize for any additional stress this matter has caused,” Capital One said in an emailed statement.
In recent years, payment apps such as Zelle, Venmo and Cash App have become the preferred choice for millions of customers to transfer money from one person to another. Last year, people sent $490 billion through Zelle, the country’s most popular payment app, and $230 billion through Venmo, its closest rival.
But the same reasons that have drawn customers to these apps — they’re free, fast, and convenient — have made them easy targets for scammers and thieves. While banks claim that they should not refund customers who inadvertently allowed a scammer to use their accounts, they are also often reluctant to refund customers like Mr. Oriach whose money has been stolen. That could be a possible violation of the law.
Under a 1978 federal rule, Regulation E is required to make customers in full if their funds are stolen from a consumer account through an electronic payment initiated by another person, such as in Mr. Oriach’s case.
Since Reg E was written long before payment apps existed, the Consumer Financial Protection Bureau issued guidelines last year stating that the law covered all person-to-person online payments. The agency clarified that all unauthorized online money transfers — meaning any payment initiated by anyone other than the customer and without the customer’s consent — was the bank’s liability.
“When a consumer notifies a financial institution that money has been stolen from the consumer’s account, it is up to the institution to demonstrate that the transfer of money from the consumer’s account has been authorized by the consumer.” says Raul Cisneros, a spokesperson. in front of the desk.
But despite the updated guidelines, in many cases, banks are refusing to refund customers who claim — often with supporting documentation — that money has been stolen from their accounts. The banks rarely give clear explanations for their decisions, leaving customers with little recourse.
The Consumer Bureau’s updated guidelines “caused a lot of fear and confusion for banks,” said Peter Tapling, a payment advisor. “Regulation E was never intended for products for direct money traffic.”
In early February, Chuck Ruoff said, a thief transferred his cell phone number to another device using an attack technique called “Sim Swapping.” The thief then used Mr. Ruoff to get to his accounts at Bank of America and to extract $ 3,450 via Zelle. Mr. Ruoff reported the theft as soon as he discovered it, but his claim was denied. The bank said the transaction did not appear to be unauthorized.
Mr. Ruoff sent the bank additional documentation, including a police report and a letter from Verizon describing what happened, asking it to reconsider. He was told that he had to wait 45 days for a response. When that deadline had passed, he was told that he had to keep waiting. Mr. Ruoff spent hours on the phone and called every few days for an update on his claim.
“I repeatedly said: ‘I have never used Zelle. I never authorized this,” said Mr. Ruoff, who has been a Bank of America customer for 34 years. “I said to the lady I spoke to once, do you think I would go to the police and file a false report? That’s a crime. “
After The Times contacted Bank of America, Mr. Ruoff’s money was refunded. The bank has already reconsidered its decision and paid the claim after taking into account additional information provided by Mr. Ruoff, said Bill Halldin, a spokesman for the bank.
Zelle, the most popular payment app, is owned and operated by Early Warning Services, a company based in Scottsdale, Ariz. Early Warning is owned by seven banks – Bank of America, Capital One, JPMorgan Chase, PNC, Truist, US Bank and Wells Fargo. But each of the 1,600 banks and credit unions that offer Zelle to their customers uses its own security settings and policies.
Neither the banks nor early warning publicly release data on fraud, so it’s hard to say how prevalent scammers and theft are on Zelle. Incidents like those described by Mr. Oriach and Mr. Ruoff are “rare” and are a small part of the activity on the platform, said Meghan Fintland, an Early Warning spokeswoman.
In a survey of nearly 1,400 people whose accounts were accessed without their consent last year, a quarter said Zelle or other personal payment services were being used to conduct unauthorized money transfers, according to a report by Shirley Inscoe, a consultant at Aite. – Novarica Group, a financial services company. That was the second only for fraudulent credit card transactions.
Bob Sullivan, a journalist and longtime consumer advocate, compared the current wave of scams and theft — and the banks’ reluctance to absorb the losses — to the early days of online banking, when phishing and other ploys to steal customer credentials. and passwords were epidemic and banks routinely denied customer claims. It took a 2005 order from the Federal Reserve to make it clear to banks that they were expected to handle such matters.
Overt theft is just one aspect of the much bigger problem of fraud on Zelle and other payment apps. In March, The Times reported that scammers and other scammers often trick people into making payments themselves, for example by impersonating bank employees or selling fraudulent goods. In those cases, banks usually refuse to issue refunds, claiming that since customers themselves initiated the transfer, it is not “unauthorized” under the law’s definition.
Some lawmakers are starting to take note.
Asked by the House Financial Services Committee about the rising online payment scam in response to the The Times report, Rohit Chopra, the director of the consumer agency, said it was high on the agency’s radar. “The fraud is piling up and it is a big problem,” said Mr. Chopra.
Massachusetts Democrat Stephen F. Lynch expressed concerns about that hearing on consumer protections for Zelle transfers. “In principle, the banks have a responsibility,” said Mr. Lynch.
Massachusetts Democrat Senator Elizabeth Warren recently criticized Zelle’s large banks. “Reports of widespread fraud destroying consumers on Zelle are very worrying, especially since the parent company and the major banks that own it are not taking responsibility,” said Ms Warren, who sits on the Senate Banking Committee.
In April, she sent a scathing letter to early warning services with another Democrat, Senator Bob Menendez of New Jersey, destroying the company and its owners for creating a “confusing and unfair” situation for victims.
Customers have filed separate class-action lawsuits against Bank of America, Capital One and Wells Fargo, alleging that the lenders have not done enough to protect consumers from fraud that has taken place on Zelle. Wells Fargo and Capital One declined to comment. Bank of America said he did not agree with the accusations.
Changing legal guidelines may change the outcome for victims of theft. In May 2020, Martin Bronson, an 80-year-old retiree in Florham Park, NJ, received a call from a man claiming to be an Amazon customer service representative. Mr. Bronson gave the man access to his computer with TeamView, a remote control app. The caller then went to his Bank of America account and used Zelle to transfer $3,316.
mr. Bronson sent the bank his police report. His claim was rejected.
After the Consumer Bureau issued guidelines requiring Reg E to handle all unauthorized person-to-person transfers—and after the Times called Bank of America last month about Mr. Bronson’s case—he got some good news. The bank refunded him the money.
“We concluded the claim based on the facts and current regulatory action, as we would a customer request,” said Mr. Halldin, the Bank of America spokesperson.
In January, Carla Lisio, a therapist in White Plains, NY, discovered $4,750 missing from her checking account at Chase. She said she notified the bank and found that the money had been sent through Zelle to a Gmail account that she did not recognize. Mrs. Lisio maintains that she did not make the transfer.
The bank has repeatedly rejected its refund requests, saying it had found no evidence of fraud. “The device used is consistent with your history, no new devices were added and there were no invalid log attempts,” the bank wrote to her in March.
Ms. Lisio said she was shocked that her immaculate 25-year history as a Chase customer seemed to count for nothing. “They call me a liar and they call me a criminal because what they’re saying is, I’m trying to steal $4,750 from the bank,” she said. “I really just want to say them, I can’t explain what happened. I can only tell you that I didn’t do this. And all you can tell me is you don’t believe me.’
When The Times contacted Chase, it stayed with his decision.
Jack Begg research contributed.