iStock photo illustration

First, the good news: Zelle, the nation’s most popular peer-to-peer payment app, has recently implemented technology and policy changes that have improved money-transfer security at banks both big and small.

The bad news: Sophisticated bank scammers aren’t going away – and nor are controversies over banks’ reimbursement policies, or non-reimbursement policies, for victims of fraud involving Zelle and other leading instant-payment tools used by Massachusetts banks.

“We’re starting to see improvements,” said Lynn Starr, executive vice president and chief information and security officer at Hometown Financial Group, the parent company of Abington Bank, bankESB and bankHometown. “Zelle and other [payment apps] are taking steps to improve security. They’re trying. We’re all trying. We’re starting to see less fraud.”

But Starr, whose bank offers Zelle to customers via its core provider, and other industry figures acknowledge that highly sophisticated financial scammers, many associated with international criminal gangs, always seem to be a step ahead of banks’ and regulators’ anti-fraud measures.

“They’re professionals,” Starr said of modern-day digital con artists. “They do this full-time. It’s a way of life for them.”

Political Pressure on Banks, Apps

And as bank-transfer fraud relentlessly continues, so will disputes over fraud-victim reimbursements by banks.

In addition to Zelle, the brand-new FedNow and established RTP payment tools are also available to many bank retail and business customers.

All popular payment services, including popular peer-to-peer apps like Venmo, CashApp and Paypall, have seen their share of fraudulent transfer activity and disputes.

But because it’s the largest payment app out there today and because it’s ultimately owned by a consortium of large national banks via Early Warning Services LLC, Zelle commands national attention whenever troubles arise.

Recently, it’s been the center of controversy over its reimbursement policies related to various bank-transfer fraud cases, prompting outrage among consumer groups and politicians.

Among others, U.S. Sen. Richard Blumenthal, D-Conn., recently demanded that Zelle do more to protect consumers. He also said banks should reimburse defrauded customers, similar to what’s done in the credit-card industry.

Sen. Eizabeth Warren, D-Mass., has called Zelle a “facilitator of fraud”, and earlier this year joined colleagues on the Senate Banking Committee to pressure the service to change its fraud reimbursement policies.

But Trace Fooshee, a strategic advisor at Datos Insights, a Boston market research and banking consulting firm, said making victims of transfer fraud whole isn’t as simple as it sounds.

“It gets into a pretty arcane area” of the law, he said. “Most people don’t understand the governing [rules].”

Many Scams not Covered

Both the Uniform Commercial Code and federal Electronic Fund Transfer Act address disputes tied to fraudulent transfers of money – and the reimbursement obligations to those who are victims of fraud.

But reimbursements all come down to whether a bank transfer was an “unauthorized” or “authorized” form of fraud.

An “unauthorized” transaction is when a hacker somehow gets hold of critical bank account information and basically steals funds, via transfers, without the knowledge or consent of customers.

With the transferred funds considered “irrevocably lost,” banks are obligated to reimburse people for such “unauthorized” fraud incidents, though some banks stand accused of dragging their feet on such reimbursements.

An “authorized” fraud is where most reimbursement disputes arise, and an area where many of today’s bank-transfer scammers specialize.

An “authorized” case of fraud can occur when a bank customer is duped into thinking they’re sending funds to a legitimate organization that’s owed money. Think of a scammer, either online or over the phone, posing as a bill collector or government agency – or even a banking institution.

Under current legal practice, such “authorized” transfers – with a customer either hitting “send” on an online transfer or handing over sensitive bank-account info – are not subject to bank reimbursements.

Despite banks’ anti-fraud education programs, many customers are simply not aware that there are some forms of bank transfer fraud that fall within the “authorized” category, thus disqualifying them from reimbursements, Fooshee and others interviewed for this story say.

Mobile payment with wallet app and wireless nfc technology. Man paying and shopping with smartphone application and credit card information. Digital money transfer, banking and e commerce concept.

Bank customers have historically been unsatisfied with traditional bank fraud laws, which don’t account for criminals tricking people into willfully giving up funds. iStock photo illustration

Fraud Leaves Small Banks in Bind

Large banks have financial resources to invest in many layers of security to protect customers from transfer and other forms of bank-related fraud, Fooshee said.

Smaller banks may not have the deep pockets of larger banks to develop their own fraud-spotting tools. But they are good at hiring core banking service providers, such as FIS or Fiserv, to help out with their anti-fraud controls, Fooshee said.

Christopher Richards, first executive vice president and chief bank services officer at Hyannis-based Cape Cod 5, said his bank offers Zelle through Jack Henry, its core provider.

Richards didn’t release data on the number of fraud incidents reported at Cape Cod 5.

But he did say the institution tries its best to carefully review every fraud claim – and make reimbursements when appropriate.

“It can get really confusing,” he said of the differences between authorized versus unauthorized fraud-transfer cases. “It’s where it gets gray for clients.”

Hometown Financial’s Starr also didn’t release specific figures on how many bank-related fraud cases her company handles, but she did say that it’s in the “thousands per year” and that “I have a whole department dealing with it.”

“We’re doing everything we can to help our customers,” she said. “It’s in our own interests to do so.”

Zelle Changes Likely Not Enough

In a statement, Early Warning, owner of Zelle, said payment fraud is actually statistically rare, adding “less than one tenth of one percent (.1%) of transactions are reported as fraud or scams, making Zelle one of the safest ways for consumers to pay people they know and trust.”

The statement emphasized that Zelle has “always required that fraudulent payments – those where a bad actor initiates a Zelle transaction from a consumer’s account without authorization – be reimbursed.”

But as of June 2023, the company added it has “expanded our network operating rules to require all participating financial institutions to reimburse consumers for certain qualifying imposter scams.”

Starr said such changes are welcome. They include flagging transfers of $100 or more for newly enrolled Zelle users and new procedures for contacting parties to verify transfers.

But it’s likely Congress and other bank critics will demand more substantive changes – and they may look to Britain for guidance.

In the U.K, a number of new anti-fraud rules have been implemented, including holding both “sending” and “receiving” banks responsible for partially or fully reimbursing fraud victims. Previously, only “sending” banks were held liable, providing little incentive for “receiving” banks to crack down on potential scammers.

Whether the U.S. adopts U.K.-style reforms or not, Datos Insight’s Fooshee said it’s clear that some laws here need updating to meet today’s digital-fraud challenges. He noted that the Electronic Fund Transfer Act was written in the 1970s, long before the advent of online electronic banking.

“The most effective way to change is via an act of Congress,” he said. “Some laws need updating.”

Mass. Banks Stare Down Zelle Fraud

by Jay Fitzgerald time to read: 5 min