Instant Payments

NH Banks Stare Down Zelle Fraud

Despite Recent Policy Changes, Problems Hang On


Bank customers have historically been unsatisfied with traditional bank fraud laws, which don’t account for criminals tricking people into willfully giving up funds. iStock photo illustration

Zelle, the nation’s most popular peer-to-peer payment app, has recently implemented technology and policy changes that have improved money-transfer security at both big and small banks.

But the battle against bank money-transfer scammers is far from over – and probably will never be over due to the relentless determination and technological sophistication of fraudsters, many of them associated with international criminal gangs, according to leading industry and New Hampshire banking industry officials.

“Our technology continues to evolve and improve,” Kristy Merrill, president and CEO of the New Hampshire Bankers Association, said of her industry’s increasingly robust counter-fraud measures in general. “But fraud [attempts] never stop. It’s relentless.”

Banks have long been targeted by an array of thieves, from old-fashioned masked bank robbers to personal-check counterfeiters to more modern online-bank scammers.

Bank money-transfer scams, involving peer-to-peer payment apps like Zelle, FedNow and Cash App, are just one of many different types of digital cons deployed by cyber-criminals to get their hands on others’ money.

In particular, money-transfer scams have been in the news of late due to banks’ reimbursement policies, or non-reimbursement policies, for victims of fraud involving Zelle and other leading instant-payment bank apps.

Consumers’ High Expectations

All payment services, which also include non-bank Venmo, PayPal and Apple peer-to-peer transfer products, have seen their share of fraudulent transfer activity and disputes over the years.

But many bank customers continue to believe that, in all cases, banks are obligated to reimburse customers for any type of bank-related fraud losses they incur – and that’s simply not the case, industry officials say.

Even though automatic fraud-loss reimbursements are not required in every case, Zelle, the nation’s largest peer-to-peer app that’s owned by a consortium of large banks, has taken recently taken highly publicized hits due to its reimbursement policies.

Among others, U.S. Sen. Richard Blumenthal, D-Conn., recently demanded that Zelle do more to protect consumers and to reimburse defrauded customers, similar to what’s done in the credit-card industry.

But Trace Fooshee, a strategic advisor at Datos Insights, a market research and consulting firm, said reimbursing victims of transfer fraud isn’t as simple as it sounds.

“It gets into a pretty arcane area” of the law, he said. “Most people don’t understand the governing [rules].”

Both the Uniform Commercial Code (UCC) and federal Electronic Fund Transfer Act address disputes tied to fraudulent transfers of money – and the reimbursement obligations to those who are victims of fraud.

But reimbursements all come down to whether a bank transfer was an “unauthorized” or “authorized” form of fraud.

Many Scams Not Covered

An “unauthorized” transaction is when a hacker somehow gets hold of critical bank account information and basically steals funds, via transfers, without the knowledge or consent of customers.

With the transferred funds considered “irrevocably lost,” banks are obligated to reimburse people for such “unauthorized” fraud incidents, though some banks stand accused of dragging their feet on such reimbursements.

An “authorized” fraud is where most reimbursement disputes arise.

An “authorized” case of fraud can occur when a bank customer is duped into thinking they’re sending funds to a legitimate organization that’s owed money. Think of a scammer, either online or over the phone, posing as a bill collector or government agency or even a banking institution – and then convincing a consumer to authorize a transfer of funds to them.

Under current legal practice, such “authorized” transfers – with a customer either hitting “send” on a transfer button or handing over sensitive bank-account info –­ are not subject to bank reimbursements.

Despite banks’ anti-fraud education programs, many customers are simply not aware that there are some forms of bank transfer fraud that fall within the “authorized” category, thus disqualifying them from reimbursements, Fooshee and others say.

Fraud Leaves Small Banks in Bind

Large banks have financial resources to invest in many layers of security to protect customers from transfer and other forms of bank-related fraud, Fooshee said.

Smaller banks may not have the deep pockets of larger banks. But they are good at hiring core-banking services, such as FIS or Fiserv, to help out with their anti-fraud controls and to obtain Zelle services, Fooshee said.

Portsmouth-based Piscataqua Savings Bank, for instance, contracts with Fiserv for its core-bank services, which offers a variety of online and mobile software products, including security. Through Fiserv, Piscataqua offers customers Zelle’s money-transfer app.

Besides Fiserv’s money-transfer security services, Joan Gile, chief executive of Piscataqua Savings Bank, said her institution also employs its own internal fraud-detection measures to protect customers.

Among other things, those internal measures include identifying and flagging suspicious banking activity – and then immediately informing consumers about what they’re seeing, she said.

Piscataqua is looking at all types of suspicious activities, not just money-transfer transactions, such as suspicious ATM, checking and money-wiring activities, she said.

“Overall, we’re seeing lots of fraud [attempts], but we’re lately seeing less money-transfer cases” due to more stringent instant-payment security measures, said Gile, who is also chair of the New Hampshire Bankers Association.

What’s one of the most effective anti-fraud measure banks can deploy to protect consumers from scams? Education, said Gile.

Consumers need to know, for instance, that banks will never send emails asking recipients to divulge sensitive bank information online, such as account numbers, passwords and user names.

Consumers also need to know, beyond any shadow of a doubt, exactly who they’re transferring funds to on the receiving end – or providing sensitive banking information to on the receiving end, she said.

“So much depends on consumer education,” said Gile. “We have to protect our customers. But customers also have to learn how to protect themselves.”

The New Hampshire Bankers Association’s Merrill agreed that consumer awareness is usually the first and best line of defense against most all online banking scams.

“Education is really key,” she said. “You have to be incredibly diligent these days.”