The Deep Dive

Who’s liable in authorized push-payment schemes?

In late 2020, Bruce Barth was hospitalized for COVID-19. His woes multiplied when someone lifted his phone from his hospital room. A thief accessed Barth’s digital wallet on his phone and stole a total of $2,500 in credit card charges and cash from an ATM and from the Zelle electronic money transfer system app on his phone. Barth’s bank quickly refunded his cash and credit card losses but denied the Zelle losses. According to Barth’s bank, codes sent to his phone had validated the transactions even though the phone had been stolen.

“It’s like the banks have colluded with the sleazebags on the street to be able to steal,” Barth told The New York Times. The bank finally refunded Barth his Zelle losses only after The Times intervened. (See “Fraud Is Flourishing on Zelle. The Banks Say It’s Not Their Problem,” by Stacy Cowley and Lananh Nguyen, The New York Times, March 6, 2022.)

Consumer frauds like the one Barth experienced are rampant. U.S. Federal Trade Commission (FTC) data show that consumers lost $8.8 billion to scams in 2022 — up 30% over 2021 losses. One fraud that’s grown with the rise of payment apps is the authorized push payment (APP) scam, in which a fraudster deceives a consumer or individual into sending payments under false pretenses to bank accounts controlled by the fraudster. While Barth’s experience on Zelle wasn’t an APP fraud, it raises important questions about fraud liability that we’ll address later in this column. (See “Authorized payment scams climb in US,” by Tatiana Walk-Morris, Payments Dive, Dec. 14, 2023.)

Investment scams, imposter scams and social media contacts are the MVPs of the fraudster roster. The FTC data, released Feb. 23, 2023, show U.S. consumers lost more than $3.8 billion to investment scams — more than any other category and more than double the amount reported lost in 2021. But the second-highest reported loss amount came from imposter scams, with losses of $2.6 billion reported, up from $2.4 billion in 2021. Scams originating on social media have accounted for more losses than any other method, with losses of $2.7 billion reported since 2021. (See “Payment Fraud?” by Sarah Rutherford, FICO Blog, Aug. 4, 2023; “New FTC Data Show Consumers Reported Losing Nearly $8.8 Billion to Scams in 2022,” FTC, Feb. 23, 2023; and “FTC Data Shows Consumers Report Losing $2.7 Billion to Social Media Scams Since 2021,” FTC, Oct. 6, 2023.)

Banks may routinely pay back victims for ATM and credit card losses, but are they liable for burgeoning mobile payment frauds? In this new column, we’ll explore who’ll pay for these frauds.

Zelle case study

According to an investigation led by Democratic U.S. Sen. Elizabeth Warren from Massachusetts and other lawmakers, Zelle users lost roughly $440 million to various types of fraud in 2021 alone. Another report from Sen. Warren’s office, which cites data collected by four banks between 2021 and the first half of 2022, found that banks reimbursed less than a quarter of Zelle customers who fell victim to any type of fraud, while just roughly 2% of impostor scam victims were reimbursed.

(See “Warren, Menendez, Reed, Colleagues Demand Answers from Big Banks on Widespread Fraud on Zelle Instant Payment Application,” Elizabeth Warren U.S. Senate website, July 8, 2022; “New Report by Senator Warren: Zelle Facilitating Fraud, Based on Internal Data from Big Banks,” Elizabeth Warren U.S. Senate website, Oct. 3, 2022; and “Zelle faces surge in fraud and scams, Senate report finds,” CBS News, Oct. 3, 2022.)

Zelle is a U.S.-based digital payments network managed by Early Warning Services, a private financial services company owned by a collective of U.S. banks. Individuals can electronically transfer money from their bank accounts to other registered bank accounts or to participating financial institutions without charge. PayPal, Venmo (which is owned by PayPal), Apple Pay, Google Pay, Square Cash and Cash App are similar services. (See “Cash Faces a New Challenger in Zelle, a Mobile Banking Service,” by Stacy Cowley, The New York Times, June 12, 2017 and “Zelle, the Banks’ Answer to Venmo, Proves Vulnerable to Fraud,” by Stacy Cowley, The New York Times, April 22, 2018.)

Warren, who designed and established the Consumer Financial Protection Bureau (CFPB) before she was elected to the Senate, says that her Oct. 3, 2022, report findings “reveal that the CFPB must update and strengthen regulations governing the obligations of banks to repay customers who are defrauded on Zelle and other peer-to-peer payment platforms.”

Amid this pressure from lawmakers, banks that participate in Zelle have begun refunding money to victims of imposter scams. Since June 2023, more than 2,000 financial firms have begun reversing transfers their customers made to scammers who impersonated officials from government agencies, banks or other service providers, Early Warning Services told Reuters. (See “Payments app Zelle begins refunds for imposter scams after Washington pressure,” by Hannah Lang, Reuters, Nov. 13, 2023.)

And while certain details are unclear — such as the banks’ timelines for refunds, instructions on how fraud victims can request refunds, or if retroactive refunds for fraudulent transactions that occurred before the new policy went into effect are included — this is a positive shift.

I expect that U.S. financial institutions and digital payments companies, in response to U.S. government pressure, will assume even more liability in citizens’ losses from these scams. In July of 2019, the U.S. Office of the Comptroller of the Currency issued a bulletin to financial services organizations to abide by sound fraud risk management principles — all of which are embedded in the DNA of ACFE members. (The bulletin’s recommended readings include The Fraud Risk Management Guide, published by the Committee of Sponsoring Organizations of the Treadway Commission and the ACFE.)

The U.S. “Regulation E” (Reg E) implements the Electronic Transfer Act, which establishes a basic framework of the rights, liabilities and responsibilities of participants in electronic fund and remittance transfer systems. Reg E determines the conditions under which financial institutions will reimburse their customers for unauthorized electronic transfers. Updates to Reg E have been issued over the years. However, one thing continues to stand: if a customer performed an authorized transaction, even if a scammer manipulated them into doing so, they won’t be covered under Reg E, and the bank won’t be liable to reimburse them.

However, U.S. regulators are now taking a closer look at how organizations are structuring and governing fraud programs. Based on my experience with clients, recent focus areas for regulators include fraud governance and oversight across lines of business, fraud risk management policy, metrics, reporting (including to organizations’ boards), training and awareness for employees and customers, and internal fraud monitoring.

This tells us that the focus on consumer protection through strong fraud management capabilities is paramount, and scam intervention should be top of mind for institutions as we prepare for a potential scam liability shift in the U.S.

U.K. is far ahead of the U.S.

U.S. legislators may have taken their cues from the U.K., which is much further along. The 2013 U.K. Financial Services (Banking Reform) Act created the Payment Systems Regulator (PSR). On Oct. 7, the U.K. will implement the requirement to refund people tricked by scammers. PSR says that APP fraud accounted for 40% of U.K. fraud losses in 2022. (See “APP fraud performance data,” Payment Systems Regulator and “PSR continues to take bold action on APP fraud as it publishes final reimbursement details ahead of 2024 implementation,” Dec. 19, 2023, Payment Systems Regulator.)

The U.K. isn’t alone in its forward thinking. In October 2023, the Monetary Authority of Singapore (MAS) released a consultation paper on a proposed shared responsibility framework that details a split liability plan in which consumers and banks are both on the hook for financial losses from scams. (See “Consultation Paper on Proposed Shared Responsibility Framework,” MAS, Oct. 25, 2023.)

Singaporean authorities first proposed shared liability in February 2022 after fraudsters used spoofed text messages to steal SG$13.7 million (USD$10.2 million) from about 800 customers of Oversea-Chinese Banking Corporation. Initially, the bank offered “goodwill” payments to only 6.4% of the victims. But the bank reversed course and said it would issue full payouts to all victims when authorities threatened action. (See “Singapore may split liability for phishing losses between banks and victims,” by Laura Dobberstein, The Register, Sept. 20, 2023.)

The bottom line is that an APP liability shift is looming for financial institutions around the world. They can either be proactively preventive or they can retroactively respond. Regardless, APP schemes won’t diminish, and governments will increase regulations.

Two sides to the coin

A shift in scam liability could yield positives for those falling victim to APP schemes; however, the other side of the coin is … more fraud. As liability shifts, it’s likely we’ll see an uptick in first-party fraud, such as false claims. This may be at the individual level. For example, a consumer might claim that they fell victim to an APP scam when they were only experiencing buyer’s remorse. Or we could see consumers and fraudsters work together to cash out.

This type of refund scheme isn’t novel. According to an October 2023 survey by Socure, a digital identity verification provider, a shocking 35% of U.S. respondents admitted to engaging in some form of first-party fraud, such as making a buy now, pay later (BNPL) purchase without intending to pay it back. Moreover, 45% of survey respondents indicated that they know someone who has committed first-party fraud. The figures highlight a troubling fact: First-party fraud is insidious and widespread. (See “The Fraud Next Door: First-Party Fraud Runs Rampant in America,” Socure, Oct. 23, 2023.)

As the liability landscape shifts across the globe, institutions will need to consider how to proactively mitigate first-party fraud resulting from scam refund requirements. Further, institutions will need to tackle the other downstream impacts on fraud programs more widely as a result of liability shifts. For example, within fraud operations there may be an increase in inbound customer fraud claims. All of these downstream impacts will need to be addressed to blunt first-party fraud losses and reduce impacts to the efficiency and effectiveness of fraud operations. (Fraud operations typically include an institution’s fraud alert and referral triage and investigation functions.)

Let’s dig deeper

I’m thrilled to offer you this new column of insights from my daily experiences. In future issues, we’ll cover fraud management leading practices such as strategy, training and governance, fraud operations and investigations, generative AI, and global fraud stories.

Fraud is a constantly evolving problem regardless of industry. Please send me your ideas for future columns as we safeguard organizations and the public. Let’s dig deep together.

Sophia Carlton, CFE, is a senior manager in the fraud transformation practice at Accenture. Contact her at Sophia.Carlton@Accenture.com.
