UPDATE: This article includes additional comments from JPMorgan Chase and the Bank Policy Institute.
The Consumer Financial Protection Bureau sued Zelle and three of the largest banks—Bank of America, JPMorgan Chase, and Wells Fargo — for failing to protect consumers from widespread fraud that the bureau says led to hundreds of millions of dollars in consumer losses on the bank-owned peer-to-peer payment network.
The CFPB announced a lawsuit against Bank of America, JPMorgan Chase, Wells Fargo, and Early Warning Services — Zelle's operator — for enabling systemic fraud. The three banks' customers have lost more than $870 million over the network's seven-year existence, and even though hundreds of consumers have filed fraud complaints, the banks allegedly failed to prevent fraud and denied assistance.
Though Early Warning Services is owned by seven big banks, the bureau said it sued the three largest because they represent 73% of all Zelle network activity. The CFPB's
"This is about financial institutions fulfilling their basic obligations to protect customers' money and help fraud victims recover their losses," CFPB Director Rohit Chopra said on a call Friday morning with reporters. "These banks broke the law by running a payment system that made fraud easy and then refusing to help the victims. Consumers couldn't protect themselves, they couldn't control how the banks ran Zelle and couldn't reverse unauthorized transfers once they were sent, and had nowhere to turn when the banks denied their fraud claims."
The CFPB has been investigating payment networks since 2021.
The CFPB filed the lawsuit in the U.S. District Court for the District of Arizona, alleging violations of the Consumer Financial Protection Act and the Electronic Fund Transfer Act and Regulation E. Zelle's parent, Early Warning Services, is based in Scottsdale.
More than 143 million consumers transferred roughly $481 billion using Zelle in the first half of this year, the bureau said. The Zelle network allows near-instant electronic money transfers through linked email addresses or U.S.-based mobile phone numbers, known as "tokens." It is co-owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.
The CFPB, in its lawsuit, appeared to expand the definition of Regulation E to require that banks reimburse customers for unauthorized transactions by alleging that the failure by financial institutions to prevent fraud is an "unfair" practice that the CFPB could enforce under its general prohibition against "unfair, deceptive or abusive acts or practices," known as UDAAP.
Greg Baer, president and CEO of the Bank Policy Institute, said the CFPB was stretching its authority by claiming UDAAP violations that have no basis in the statute.
"The CFPB's 11th-hour announcement to invoke its UDAAP authority against EWS is the latest attempt to twist UDAAP to accommodate the Director's political views, completely independent of any case law reading of the term," Baer said.
Jim Nussle, president and CEO at America's Credit Unions said the premise of the CFPB's allegations "should be unsettling" for credit unions.
"The CFPB wants to make it harder for all financial institutions to raise defenses against liability for fraud, even when there may be compelling evidence that bears upon the question of who is ultimately responsible," Nussle said.
Jane Khodos, a Zelle spokesperson, said the CFPB's attacks are "legally and factually flawed, and the timing of this lawsuit appears to be driven by political factors unrelated to Zelle."
A Chase spokesperson called the lawsuit "a last ditch effort" by the CFPB "in pursuit of their political agenda."
Banks allege the CFPB created an entirely new reimbursement regime that it called "induced fraud," which would include fraud that takes place on social media platforms and includes romance and imposter scams, for which Zelle does reimburses customers. A Chase spokesperson said that 60% of scams on Zelle originated on social media.
"The CFPB is now overreaching its authority by making banks accountable for criminals, even including romance scammers," the Chase spokesperson said. "It's a stunning demonstration of regulation by enforcement, skirting the required rulemaking process. Rather than going after criminals, the CFPB is jeopardizing the value and free nature of Zelle, a trusted payments service beloved by our customers."
Banks and EWS are rebutting the CFPB's allegations by claiming current regulations do not hold financial institutions liable when a consumer incorrectly sends an electronic payment to the wrong person or authorizes a payment that turns out to be a scam or fraud.
Banks and lawmakers have repeatedly said that the CFPB would need to issue a rulemaking if it sought to mandate that consumers get repaid for authorized transactions that turn out to be fraud.
The CFPB's lawsuit states that induced fraud occurs when a consumer is tricked into sending a transfer to someone under false pretenses. Common fraud schemes include when a consumer is scammed into sending money in exchange for nonexistent goods or services. It also includes fictitious romantic relationships and various imposter schemes, such as when a bad actor seeks payment under the guise of being a business, financial institution, or government entity known to the consumer.
Requiring banks to pay for the actions of criminals could mean that the roughly 2,000 financial institutions that use Zelle will be forced increase fees for the services, which is currently free to customers. The CFPB's lawsuit will "unfairly shift the financial burden of criminal activity" to banks, Khodos said.
Still, the number of customers affected and amount of fraud committed are significant. At Chase, the CFPB estimates 420,000 customers lost $360 million due to Zelle fraud; at B of A, 210,000 customers lost $290 million, and at Wells, 280,000 customers lost $220 million.
Banks also claim the CFPB's $870 million number is an attempt to grab headlines but is inaccurate because it is calculated using customers' reported fraud claims. Banks say that figure includes cases where a customer forgot about an authorized purchase and reported it as fraud or made a payment to a legitimate business and then tried to get their money back.
In addition, the banks also alleged the CFPB's lawsuit included confidential business information that could not be made public.
The public version of the CFPB's lawsuit included redactions that the banks requested, claiming the the information was confidential, a CFPB spokesman said. The bureau intends to ask the court to seal the unredacted version of the complaint and to unseal it if no other motion is filed by the defendants within 14 days.
The CFPB's investigation uncovered two major patterns of fraud in which criminals took over consumers' accounts. Some criminals would obtain one-time passcodes to take over customer bank accounts and drain funds. Others would physically steal cell phones with banking apps installed and then immediately make unauthorized transfers.
Chopra said that "in case after case, banks routinely denied requests for help, turning a blind eye, even when customers provided clear evidence that criminals had taken over their accounts and that the transactions were unauthorized, including police reports, documenting the crime."
The lawsuit alleges that the largest banks rushed in 2017 to launch EWS due to competition from Venmo, Cash App and other payment apps. By 2015 Venmo was processing over $7 billion in payments and "this competitive threat triggered fear in the boardrooms of big banks," Chopra said. He claims EWS took eight years to put anti-fraud protections in place such as authenticating and identifying recipient names, fraud reporting, monitoring transfers and identifying and blocking bad actors from the network.
"Our investigation revealed that the bank's chaotic rush to market led to serious failures in fraud prevention and customer protection," Chopra said. "What they built became a gold mine for criminals, a system that made it easy for fraudsters to move money quickly while making it nearly impossible for victims to get their money back."
The lawsuit also alleges that EWS and the banks were slow to restrict and track criminals and did not share information about fraudulent transactions with other banks, which allowed criminals to repeat the fraud at multiple banks. Some consumers were even told to contact the fraudsters directly in order to recover their money, the bureau said.
Payments fraud is a big and growing problem, however, with some estimates suggesting it accounts for $150 billion of consumer losses per year — and banks are already paying for a significant portion of that amount. Many banks belong to the Aspen Institute's
