Consumer Financial Protection Bureau: Zelle Lawsuit is the Wrong Focus

On December 20, 2024, the Consumer Financial Protection Bureau (CFPB) filed a lawsuit against three  major US banks and Early Warning Services (EWS), the operator of Zelle. The CFPB said they filed the  lawsuit against the three banks and EWS “for failing to protect consumers from widespread fraud”…”without implementing effective consumer safeguards”. The CFPB went on to say “Customers of  the three banks named in today’s lawsuit have lost more than $870 million over the network’s seven year existence due to these failures.”  

What the CFPB failed to say: 

• “The Zelle platform processed over $806  billion in transactions across 2.9 billion individual transfers in 2023. More than 99.95% of these  transactions were completed without any reports of fraud or scams, according to Zelle data.” (From the Bank Policy Institute on December 20)

• The CFPB has not commented on other non-bank P2P services such as PayPal, Venmo and  CashApp, which according to the Bank Policy Institute (BPI) have more disputed transactions.  See Chart 1 from the Bank Policy Institute. 

Source: Bank Policy Institute, “CFPB’s Allegations Against Zelle Have No Basis in Law”, December 20, 2024 

Zelle has some of the lowest fraud/scam losses for a P2P service. In 2023, with $806 billion in  transaction amounts, the fraud and scam losses totaled an estimated $400 million. Assume there is a  50/50 split between fraud (unauthorized transactions) and scams (e.g. impersonation authorized transactions). Then approximately $200 is fraud and typically reimbursed under Regulation E and the  other $200 million in scam transactions is mostly non-reimbursed (except for impersonation scams,  which are reimbursed). 

A Wall Street Journal article had several additional key points: 

• “The CFPB’s attacks on Zelle are legally and factually flawed, and the timing of this lawsuit  appears to be driven by political factors unrelated to Zelle,” a Zelle spokeswoman said in a  statement. 

• Trump hasn’t yet named a nominee to lead the agency, and it is possible that a future director would decide to abandon the action against Zelle and its operators. 

So, given there will be a new administration in the US in less than 30 days, it is not clear if this lawsuit  will move forward and why it was filed so close to the start of a new administration. The Financial Times went even further. Jared Seiberg, a financial research analyst at TD Cowen wrote in research which “said  the banks have a strong defense in the case ‘as much of the fight is over authorized transactions’.” There  are no current regulations around reimbursement for authorized transactions. 

What Should the CFPB Focus Be? 

While CFPB has spent most of the last half of 2024 on preparing for the Zelle lawsuit, the bigger issue of  consumer financial scams in the US, estimated by the FTC at $158 billion in 2023, was ignored by the  CFPB. Now, $200 million in Zelle scam losses per year is not small and should not be ignored. And if  there are weak controls in Zelle, identified by the CFPB, they should be fixed. But $158 billion in  estimated consumer scam losses for one year is where the CFPB should be focused. Zelle scams are  0.13% of the US consumer scams problem. 

Where the CFPB should be focused is creating a US government response to this massive consumer  financial scam problem. To address this problem, the CFPB needs to bring together other government  agencies (Federal Trade Commission, Federal Communications Commission and even the White House),  telecom providers, digital platforms and financial institutions.  

The government needs to be involved because these scams are initiated and controlled by transnational  criminal organizations and by nation states. It is no longer the one or two individual scammers. There  are scam compounds in Asia with hundreds of thousands of people, often coerced themselves, being  used to scam Americans, Canadians, Australians, Brits, Europeans and more. This is massive crime. 

Most of these scams start with a telephone call, a text message (on your mobile phone or  WhatsApp/Instagram), or from bogus ads on Facebook or Google/Bing search platforms. The UK’s  Payment Systems Regulator (PSR) released a report in December 2024 that shows how scammers initiate  contact with victims in the UK. Figure 1 shows how scammers initiate contact based on volume of  contacts and based on value of losses. You can see Facebook entities (54%) has the largest volume of  contacts, but telecommunication (31%) has the largest value of loss.

Figure 1. How Scammers Contact Victims To start a Scam 

Source: PSR Report, Unmasking how fraudsters target UK consumers in the digital age, page 12,  December 2024. 

And once the customers get pulled into the scam, they use their bank/credit union/neobank to send  funds to the scammer (via P2P payments, wires, cash withdrawals, money to crypto exchanges, etc.) 

In Australia and the UK, the governments have taken leadership to address the financial scams that  attack their consumers. Australia has created Scam Prevention Framework legislation that, once  approved, will require banks, telco providers and digital platforms to have controls in place to help  prevent consumer financial scams. And the Australian Banking Association and the Customer Owned  Banking Association created the Scam-Safe Accord in 2023 which committed Australian banks to adding  controls to help reduce scams. With banks, telcos, digital platforms, government regulators and the  Australian National Anti-Scam Centre coming together, Australia is already seeing a drop in financial  scam losses. The National Anti-Scam Centre reported: “Losses reported by the public to Scamwatch  decreased by 41.0% from $559.9 million between 1 July 2022 and 30 June 2023 to $330.0 million  between 1 July 2023 and 30 June 2024.” 

The UK regulators require banks and Payment Services Providers (PSPs) to have scam controls and  money mule management controls in place. Plus, there is mandatory reimbursement for scam losses up  to £85,000. The UK also has the Online Safety Act which requires digital platforms to protect consumers from fraud, with serious penalties for failure to comply. 

Australia and the UK are much smaller than the US, so it will be more difficult for the US to develop  similar solutions. To help in the US, in July 2024, the Aspen Institute Financial Security Program launched a National Task Force for Fraud & Scam Prevention. This will involve government agencies, financial  institutions, telcos and digital platforms. This is a good start, but for it to be effective there will need to  be regulations for banks, telcos and digital platforms to add controls to help stop scams, along with  penalties for failure to perform.  

In Australia, it is the upcoming legislation, with penalties for non-performance and possible  reimbursement that has captured the key participants attention and been the catalyst for action. And  yes, there is also a recognition by these entities that they have a responsibility to help protect consumers  from scams. But regulation does help get the funding for these control projects. 

Here are the some of the key actions that need to occur in the US to help stop these scams. 

• Financial institutions- US regulators need to require scam strategies to include tracking customer  scam incidents, implementing scam controls and money mule management (including sound  branch and online new account opening controls), training for staff to effectively interact with scam victims as suspicious transactions/cash withdrawals are identified, and education for  customers on scams. 

• Digital platforms- Regulators need to require digital platforms identify and remove bogus ads in  search, bogus financial ads on platforms and better vet customers on social media sites. In  February 2025 in Australia, Meta will start to validate sponsors of financial ads on its platforms. 

• Telcos- be required reduce scam calls and text messages. The FCC already has some  requirements in place and telcos have initiated several changes such as the US Telecom|The  Broadband Association’s Industry Traceback Group, but it is not enough. Plus, the vendors who  deliver text messages to the telcos must do a better job to control text messaging. 

• Government- There needs to be government leadership involving the regulators and law  enforcement. And there needs to be funding to help local law enforcement help customers try  to get recovery of funds (e.g. crypto). 

Let’s be realistic and follow the best parts of what is working in Australia and the UK—better controls by  banks, telcos and digital platforms- to help reduce consumer financial scams. Along with a dose of  regulation and government oversight to keep the focus. And strong law enforcement at the national and  local level. There have been some significant arrests involving the FBI, Secret Service and international  police organizations. And that must also continue.