Argelys Oriach was on his way home from a shopping spree one evening in March when he was robbed at gunpoint. The thief asked for his iPhone and passcode. Mr. Oriach turned her over and fled.
The next morning, Mr. Oriach, who lives in Brooklyn, said he discovered the thief had withdrawn $8,294 from his Capital One bank accounts using multiple money-transfer apps, includingzelle. He contacted Capital One with the full expectation that the bank would return the stolen cash to him, as required by federal law. The bank only refunded $250 and said it found no evidence the rest of the money was stolen. Lord Oriach was stunned.
“I filed a police report, identified the suspect at a precinct and even testified before a grand jury,” he said. “But none of that seems to have helped my case.”
After the New York Times asked Capital One about Mr Oriach’s case, bank officials said they had determined it was fraud and would pay him back. “We have reached out to the customer to apologize for the additional stress this matter has caused,” Capital One said in an emailed statement.
Over the past few years, payment apps like Celle, Venmo, and Cash App have become the preferred way for millions of customers to transfer money from one person to another. Last year, people sent $490 billion through cell, the country’s most popular payment app, and $230 billion through Venmo, its closest competitor.
But the same reasons that drew customers to these apps — they’re free, fast, and convenient — have made them easy targets for scammers and thieves. While banks argue they shouldn’t refund customers who accidentally gave a scammer permission to use their accounts, they’ve also often been reluctant to refund customers like Mr Oriach, whose money was stolen. This could be a possible violation of the law.
Under a 1978 federal regulation called Regulation E, banks are required to compensate customers when their money is stolen from a consumer account by an electronic payment initiated by someone else, as in the case of Mr. Oriach.
Because Reg E was written long before payment apps existed, the Consumer Financial Protection Bureau issued guidelines last year saying the law covers all online person-to-person payments. The bureau clarified that all unauthorized online money transfers – meaning any payment initiated by anyone other than the customer and made without the customer’s permission – are the bank’s responsibility.
“When a consumer notifies a financial institution that money has been stolen from the consumer’s account, the institution must demonstrate that the transfer of funds from the consumer’s account was authorized by the consumer,” said Raul Cisneros, a spokesman for the bureau.
But despite the updated guidance, in many cases banks are refusing to reimburse customers who claim – often with receipts – that money has been stolen from their accounts. Banks rarely provide clear explanations for their decisions, leaving aggrieved customers few options.
The Consumer Authority’s updated guidelines “have caused a lot of fear and confusion among banks,” said Peter Tapling, a payments advisor. “Regulation E was never intended for instant money movement products.”
In early February, Chuck Ruoff said a thief transferred his cell phone number to another device through an attack technique called “SIM swapping.” The thief then used Mr. Ruoff’s number to break into his Bank of America accounts and withdraw $3,450 through cell. Mr Ruoff reported the theft as soon as he discovered it, but his claim was denied. The bank said the transaction appeared to be unauthorized.
Mr. Ruoff sent the bank additional documentation, including a police report and a letter from Verizon describing what happened and asking for the case to be re-examined. He was told to wait 45 days for a reply. When that time limit expired, he was told to continue waiting. Mr. Ruoff spent hours on the phone, calling every few days to keep himself updated on his claim.
“I kept saying, ‘I’ve never used cell. I never authorized that,’” said Mr. Ruoff, who has been a Bank of America client for 34 years. “I once said to the lady I spoke to, do you think I would go to the police and make a false report? That is a crime.”
After the Times contacted Bank of America, they refunded Mr. Ruoff’s money. The bank is already reconsidering its decision and paying the claim after considering additional information from Mr. Ruoff, said Bill Halldin, a spokesman for the bank.
Cell, the most popular payment app, is owned and operated by Early Warning Services, a company based in Scottsdale, Arizona. Early Warning is owned by seven banks – Bank of America, Capital One, JPMorgan Chase, PNC, Truist, US Bank and Wells Fargo. But each of the 1,600 banks and credit unions that offer cell to their customers uses their own security settings and policies.
Neither the banks nor Early Warning publish data on fraud publicly, so it’s hard to tell how widespread fraud and theft is at Zelle. Incidents like those described by Mr Oriach and Mr Ruoff are “rare” and account for a small proportion of activity on the platform, said Meghan Fintland, a spokeswoman for Early Warning.
In a survey of nearly 1,400 people whose accounts were accessed without their consent last year, a quarter said cell or other person-to-person payment services had been used to make unauthorized money transfers, according to a report by Shirley Inscoe, a consultant at Aite – Novarica Group, a financial services consultant. That was second only to fraudulent credit card transactions.
Bob Sullivan, a journalist and longtime consumer advocate, compared the current spate of fraud and theft — and banks’ reluctance to absorb the resulting losses — to the early days of online banking, when phishing and other tricks were used to gain access to the Getting customer credentials and passwords was an epidemic and banks routinely denied customer claims. In 2005, it took a Federal Reserve order to make it clear to banks that they were expected to cover such cases.
Outright theft is just one aspect of the much larger fraud problem at cell and other payment apps. In March, The Times reported that scammers and other scammers often trick people into making payments themselves — for example, by impersonating bank employees or selling fraudulent goods. In these cases, banks typically refuse refunds, arguing that the transfer is not “unauthorized” within the meaning of the law because the customer initiated the transfer themselves.
Some lawmakers are beginning to take notice.
When asked by the House Financial Services Committee about the rise in online payment fraud following the Times report, Rohit Chopra, director of the Consumer Bureau, said it was high on the bureau’s radar. “Fraud is piling up and it’s a big problem,” Mr Chopra said.
Rep. Stephen F. Lynch, Democrat of Massachusetts, raised concerns about consumer protection in cell transmissions at the hearing. “The banks are fundamentally responsible,” said Lynch.
Senator Elizabeth Warren, a Democrat from Massachusetts, recently criticized the big banks that cell owns. “Reports of widespread fraud harming Zelle consumers are deeply concerning, especially as the parent company and the big banks that own it accept no responsibility,” said Ms. Warren, who sits on the Senate Banking Committee.
In April, she along with another Democrat, Senator Bob Menendez of New Jersey, sent a scathing letter to Early Warning Services, denouncing the company and its owners for creating a “confusing and unfair” situation for victims.
Customers have filed separate lawsuits seeking class action status against Bank of America, Capital One and Wells Fargo, alleging that lenders did not do enough to protect consumers from fraud that occurred at Zelle. Wells Fargo and Capital One declined to comment. Bank of America said it disagreed with the allegations.
Changing regulatory policies have the potential to change the outcome for victims of theft. In May 2020, Martin Bronson, an 80-year-old retiree in Florham Park, NJ, received a call from a man claiming to be an Amazon customer service representative. Mr. Bronson gave the man access to his computer using TeamView, a remote control app. The caller then went into his Bank of America account and used cell to transfer $3,316.
Mr. Bronson sent his police report to the bank. His claim was rejected.
After the Consumer Bureau issued guidelines clarifying that Reg E covered all unauthorized person-to-person transfers — and after The Times called Bank of America about Mr. Bronson’s case last month — he got good news. The bank refunded him the money.
“We decided the claim based on the facts and current Regulation E guidance, as we would with any client claim,” said Mr. Halldin, spokesman for Bank of America.
In January, Carla Lisio, a therapist in White Plains, NY, discovered $4,750 missing from her checking account with Chase. She said she notified the bank and found the money had been sent via cell to a Gmail account she didn’t recognize. Ms Lisio insists that she did not make the transfer.
The bank has repeatedly denied their refund requests, saying they found no evidence of fraud. “The device used matches your history, no new devices have been added and there have been no invalid login attempts,” the bank wrote to her in March.
Ms. Lisio said she was shocked that her impeccable 25-year history as a Chase customer seemed to be worth nothing. “They call me a liar and they call me a criminal because they say I’m trying to steal $4,750 from the bank,” she said. “I really just want to tell them, I can’t explain what happened. All I can tell you is that I didn’t do that. And all you can tell me is that you don’t believe me.”
When the Times contacted Chase, it stood by its decision.
Jack Begg contributed to the research.