In mid-November, five news stories came out on the ‘new’ Zelle impostor scam reimbursement policy. Although this policy had taken effect in June of this year, why did it take until November to report on it? It turns out Reuters was able to get the first meaningful comments from Early Warning Services (EWS) on its reimbursement policy. EWS owns Zelle. And EWS itself is owned by seven major U.S. banks.
So let’s unpack what EWS told Reuters in its November 13 article and what it means for consumers who use Zelle, a highly popular P2P payment service. According to Reuters, EWS said: “The 2,100 financial firms on Zelle, a peer-to-peer network owned by seven banks, began reversing transfers as of June 30 for customers duped into sending money to scammers claiming to be from a government agency, bank or existing service provider.”
Previous statements by EWS were vague, only noting, “In addition, the network has a new consumer reimbursement benefit for specific scam types.” In August, EWS also reported total Zelle transaction volume for Q2 2023 was 705 million with a value of $197 billion. So, on an extrapolated annualized basis, Zelle has annual total transaction volume of an estimated 2.8 billion with a value of $800 billion.
The Reuters article also shed some light on how funds would be recovered and returned. Ben Chance, chief fraud risk officer at EWS commented, “Instead of requiring lenders to reimburse customers, EWS has implemented a mechanism that allows banks to claw back funds from the recipient's account and return them to the sender.”
The Reuters article said 99.9% of the transactions are without fraud or scam. This is consistent with statistics provided in an EWS press release in October 2022. So, up to 0.1% of the Zelle transactions are fraud or scams which means on an annual basis, there could be up to 2.8 million fraudulent or scam Zelle transactions worth up to $800 million. If we assume that half of these transactions fall into the authorized payment scenario, then there could possibly be 1.4 million scam Zelle transactions a year with a fraud loss value of approximately $400 million. The other 50% of the transactions would fall into the standard unauthorized payment category (account takeover scenario) and would be covered for reimbursement under existing Reg E protections.
In an Ars Technica article that came out on the same day as Reuters, an EWS spokesperson said, "As of June 30, 2023, our bank and credit union participants must reimburse consumers for qualifying imposter scams, like when a scammer impersonates a bank to trick a consumer into sending them money with Zelle. The change ensures consistency across our network and goes beyond legal requirements."
So, with the information from the Reuters and Ars Technica articles, we now know financial institutions on the Zelle network are voluntarily reimbursing for impersonation scams involving a “government agency, bank or existing service provider.” However, the Ars Technica article quotes EWS as saying there will be reimbursement for “qualifying” imposter scams. So, that means there are other unstated conditions that must be met before reimbursement occurs. We are still in the dark on these conditions although EWS probably does not want to fully disclose this level of detail to prevent fraudulent or first party fraud claims.
Another important point mentioned in the Reuters article was that reimbursement will be the responsibility of the receiving bank (‘claw back funds from the recipient's account’). Scam reimbursement from the receiving bank is somewhat similar to what will occur in the UK next year, where both sending and receiving bank will split the reimbursement 50-50 for Authorized Push Payment (APP) scam reimbursement.
Zelle Reimbursement Still Leaves Open Questions
Despite more clarity being shed on Zelle scam reimbursement policies, there are still some unanswered questions. First, we don’t know what the percentage of these defined impersonation scams, with unknown conditions, is to the total number of scams. One person I know suggested it might be only 15% of the total Zelle scams. EWS and the Zelle member banks have not provided any statistics that would help answer this question.
Another open question is what the Consumer Financial Protection Bureau (CFPB) will think about this Zelle reimbursement policy. I think they would view it as positive and that the discussions held in the Senate in 2022 and CFPB positioning have forced Zelle to take this action of limited reimbursement for Zelle scams. But I do not think the CFPB yet knows what amount of reimbursement has taken place and is it a significant portion of the Zelle scams. I personally think it will fall well short of my estimated annual Zelle scam amount of $400 million. So, I think the CFPB will still be watching closely (and waiting for the CFPB funding issue to be resolved by the Supreme Court) before it might take any additional action.
Increasing Fraud Controls to Prevent Scams
EWS is also talking about increasing fraud controls to prevent these scams. Ben Chance told Reuters, “Lenders on Zelle are also now required to implement a tool that flags transfers with risky attributes, such as a payment to an account that has never transacted on the Zelle network.” This is very important. A scam that is stopped is not a scam!
In 2022, I wrote a white paper, Top Ten Controls Banks Can Deploy Today to Protect Consumers, addressing this topic. Some of these controls are still valuable for the Zelle service, such as:
- Delay execution of payments for new payees. For the first Zelle payee, or additional new payees where the payment amount is over a certain threshold, delay the payment for a short amount of time- maybe up to four hours.
- Look for ‘me to me’ transactions. This control is to prevent the scammer from using the customer’s phone number or email address as a token at the receiving bank.
- Check if the customer is in a mobile phone session. In a majority of these scams, the scammer is on a call with the customer on the customer’s mobile phone.
- Make the default setup option for the Zelle service=NO. Customers should be required to take a step to set up the Zelle service. Add some friction along with interactive education.
- Look for signs of stress, distraction, or hesitation by the customer during a transaction. Even if it is a genuine customer making a payment, when a person is acting under the influence of a scammer, there are subtle changes in behavior that can build a picture of a user’s emotions or intention during a session and suggest a scam may be in progress.
- Detect unusual online session flow and behaviors. Session flows, or the tracking of the online user journey, can be strongly correlated with the potential risk for social engineering of a victim. Frequently, there is a script that the scammer will take the victim through, and this is a telltale sign for the subsequent transaction.
The Next Senate Hearing
Reuters also reported that bank CEOs will be appearing before the Senate in December 2023, and payment fraud should be one of the topics for discussion. I do not think there will be any meaningful statistics by then. But, there should be some questions posed to the bankers, such as:
- Based on how Zelle has defined scam impersonation reimbursement, what percent of the Zelle scam transactions are included in your impersonation reimbursement policy?
- For the past several years Zelle has said 0.1% of Zelle transactions are scam or fraud (about $400 million per year). Are your new fraud controls really lowering fraud and scams? Please quantify.
- What percent of the 0.1% of fraud/scam losses are actually scams?
- What percent of the fraud losses are you reimbursing?
In closing, we have seen Zelle really grow in volume since it began. Just amazing. And true to form, faster payments equal faster fraud. But Zelle has introduced some voluntary reimbursement for impersonation scams, which is over and above current regulation, and they are adding new fraud controls along the way to reduce fraud and scams. So, the spotlight on Zelle has produced good results. Now, we need to watch and see if scams can really drop. We wish you luck, Zelle!