This article is reproduced from FIN, the best newsletter on fintech; subscribe here.
For most of 2022, FIN has been regularly covering the issue of fraud on the Zelle payment network. The first volley of coverage came in early March, with the New York Times’s foundational story showing widespread fraud on Zelle and, more important, the refusal of several of Zelle’s big bank owners to reimburse Zelle customers who get ripped off. (Whether Zelle is significantly more prone to fraud than competitors like Venmo or Cash App is still up for debate.)
That was followed by a legislative assault, particularly from Elizabeth Warren (MA), Robert Menendez (NJ) and a few other US Senate Democrats. Warren, for example, has dubbed Zelle “the preferred tool of fraudsters and other bad actors who abuse Zelle’s instantaneous, easy-to-exploit transfers to steal from and defraud consumers.” In addition to putting pressure on Zelle’s owners—who were less than eager to provide the Senate with details about Zelle fraud—this sustained attack actually moved the story forward by surfacing victims who demonstrate just how perfidious Zelle fraud can be. In October, for example, Menendez touted the plight of an East Orange constituent who “was scammed out of $3500 by a professional scammer who had told her he would help her refund an unauthorized Amazon purchase.” Her bank declined to reimburse her. According to Warren’s office, at the four banks that provided data, there will probably be about $255 million in Zelle fraud this year, most of which will not be reimbursed.
How have banks responded to Zelle fraud?
The response from America’s financial institutions has been largely unsatisfying.
Approximately 1700 banks and credit unions use Zelle, which is the product of the Arizona-based Early Warning Services (EWS), jointly owned by Bank of America (BAC), Capital One, JPMorgan Chase, PNC, Truist, U.S. Bank and Wells Fargo. In press statements and in Congressional testimony, the official message has been, first, that Zelle fraud is a minuscule problem in the nearly half-trillion dollars that flow through Zelle in a given year. After Warren’s office released some Zelle fraud data in October, for example, EWS issued a statement saying “tens of millions of consumers safely use Zelle every day with more than 99.9% of payments sent without any report of fraud or scams.” The second message has been that the type of fraud often associated with Zelle and other digital payment services—“me-to-me” transactions, in which a customer is tricked into authorizing a payment under false pretenses, as opposed to simple theft—falls into a grey area where existing regulations make it unclear that the banks should or need to make the customers whole.
But behind the scenes, it’s pretty obvious that the big banks know that Zelle fraud is a bigger problem than the aggregate numbers indicate, and that sooner or later the Consumer Financial Protection Bureau (CFPB) is going to crack down on them in some fashion. This week, the Wall Street Journal reported that at least some of the big banks that own Zelle—including Bank of America, JPMorgan Chase, and Wells Fargo—are talking about a shared-risk approach to reimbursing customers. According to the Journal, the plan being considered goes like this: a scammer convinces a customer to transfer money from her legitimate account at Bank A to a fraudulent account at Bank B. Assuming the banks agree that fraud occurred, Bank B would reimburse Bank A, and Bank A would reimburse the customer.
This plan would presumably deal with most scams that currently exist on Zelle and other platforms. But what if there were a technological method to detect and prevent the scams from taking place in the first place?
How can technology stop Zelle scams?
Seth Ruden, for one, says that he has the method. Ruden is the director of global advisory for the Americas for BioCatch, an Israel-based fraud protection firm. Ruden says that BioCatch measures how consumers typically react in an online banking environment, and that by tracking how a given transaction takes place, it can determine and stave off fraud before it happens. By capturing the “full user journey,” Ruden says, BioCatch can weed out transactions that don’t fit normal patterns. (Obviously large financial institutions have been using some form of this approach for years; if your credit card is used in a physical transaction that’s a thousand miles from where you live, you may get a call.)
How does this work with something tricky like a me-to-me fraud? Ruden says there are “tattletales” in such transactions, notably that the would-be scam victim is being coached to do things they’ve probably never done before, such as wire money to themselves. Thus, the customer will take longer, engaging in “mouse doodling and other hesitations,” Ruden says. BioCatch’s technology will pick up on this behavior in real time, attach it to a risk profile, and intervene to prevent the fraud.
Does it actually work? BioCatch is careful not to release any identifying details, but it has published a case study on a “top U.S. credit union” that began offering Zelle in August 2019. The credit union, according to BioCatch, immediately found that 7% of its Zelle transactions were fraudulent. It tried measures like limiting how much money could be transferred, but this irritated customers and didn’t eliminate fraud. Within two months of implementing BioCatch’s biometric solutions, the company said, Zelle fraud nearly disappeared, and today represents only 0.02% of Zelle transactions.
BioCatch isn’t the only company making such claims. FIN also spoke this week with Bill Sytsma, senior vice president at biometrics firm Callsign, who pointed out that his firm is able “to intercede during the transaction, and post whatever customized message the bank wants, because each bank wants to handle it a little differently.”
A few caveats here: It’s possible that biometric solutions work in some settings better than others. It’s possible that consumers might balk at the privacy implications of such approaches (although of course both companies say their data is sufficiently anonymized and protected to limit this concern). While individual banks and credit unions are already using these techniques, it’s entirely possible that the big banks that own Zelle will want to develop their own proprietary tech (and no doubt are working on it). Still, in a stagnant standoff between big banks and regulators, the idea of an easily implemented tech fix is very attractive.