CFPB Lawsuit Against Zelle Highlights Error Resolution Challenges
On December 20, 2024, the Consumer Financial Protection Bureau (“CFPB”) filed a lawsuit against Early Warning Services (“EWS”), which operates peer-to-peer payments network Zelle, and three of its owner banks (the “Bank Defendants”). The lawsuit alleges that Zelle and the Bank Defendants systemically failed to address rampant fraud on the Zelle network, in violation of Regulation E and the prohibition against unfair, deceptive, or abusive acts or practices (“UDAAPs”). The Defendants have denied all allegations raised in this lawsuit and have taken the position that they have met all legal and regulatory obligations. While much of the CFPB’s lawsuit raises well-worn issues about the overall adequacy of compliance management systems, third-party risk management, and product design practices, it also highlights issues related to common Regulation E error resolution practices that can become problematic in certain factual circumstances that many institutions may overlook. Specifically, (1) the different standard that applies to investigations where a third party with whom the institution has a contractual relationship is involved; (2) the extent to which an electronic funds transfer a consumer willingly consented to as a result of a bad actor’s deception or fraud can be considered “authorized” to impose liability for the transfer on the consumer; and (3) evolving expectations around the accessibility of customer service channels in the face of new technology.
With respect to investigation standards, Regulation E requires institutions to seek and consider information and documentation in the possession of third parties in circumstances where the third party is involved in the transaction and certain contractual relationships concerning such transactions exist between the third party and the institution. This differs from the general rule that institutions are only obligated to review their own records and documents in most other contexts. The CFPB has alleged that the Bank Defendants were obligated to review information and documents in the possession of EWS and/or the other Bank Defendants when investigating transactions initiated through Zelle given the nature of Zelle’s services and the contractual relationships between the parties. These allegations highlight the complex and thorny issues that can arise for institutions involved in technology service provider relationships and fintech partnerships related to error resolution and related financial institution liability.
The lawsuit also hits on the distinction between “unauthorized electronic fund transfers” as defined under Regulation E and “simple fraud,” where a bad actor deceives a consumer into providing consent to a transaction, such as by making misrepresentations or by engaging in imposter fraud. In general, simple fraud does not meet the regulatory definition of an unauthorized transaction, meaning that the consumer can be held liable for the transaction during error resolution processes for purposes of Regulation E. Thus, it appears the CFPB has chosen to address what it views as widespread fraud across the Zelle network by alleging a UDAAP violation. In sum, the CFPB alleges that the Bank Defendants’ systemic categorization of fraudulent transactions as “authorized” constitutes an unfair act or practice. Seemingly critical to the CFPB’s theory is the assertion that the Bank Defendants had the operational ability to claw back transactions if they were promptly disputed by the consumer but declined to exercise that ability. Instead, the CFPB alleges the Bank Defendants instructed consumers to “work out” the matter with the bad actor while declining to provide any further assistance, including declining to assist the consumer in identifying or contacting the bad actor. Institutions that recognize the simple fraud exclusion from Regulation E should consider whether such policies may increase UDAAP risk in the way they are administered.
Finally, the lawsuit represents an expansion of regulators’ nascent interest in requiring financial institutions to provide customer service through the “same channel” that consumers use for the product itself. The CFPB’s lawsuit takes issue with the Bank Defendants’ requirements that consumers call customer service to dispute Zelle transactions when Zelle itself is a digital service delivered through a mobile application and all transactions are initiated electronically. Such reasoning mirrors the “same channel” requirement for cancelling online subscription services found in the Federal Trade Commission’s recently-promulgated “Click-to-Cancel” rule. Financial institutions that offer web- or mobile app-based services may wish to consider whether the accessibility of their customer service channels are keeping pace with developing regulator and consumer expectations, both with competitive standpoint and a regulatory risk perspective.
How can we help? If you have any questions, please contact Chris Napier or Shelby Schwartz from our Fintech Practice.
Download a PDF of this article here.
About The Authors
Chris Napier is a Partner at Mitchell Sandler. His practice focuses on providing regulatory counseling, strategic advice and representation during government enforcement matters, including matters involving commercial, consumer and alternative credit products; money transmission and payments; deposit issues; and partnerships between fintech companies, depository institutions, and lenders.
Shelby Schwartz is Counsel at Mitchell Sandler. Her practice focuses on financial regulatory and compliance matters, with a concentration on deposit accounts, financial data privacy, and state lending laws. She advises a wide variety of financial services providers, from banks to financial technology companies. Shelby has successfully assisted clients in responding to regulatory inquiries and enforcement matters, including those brought by the Consumer Financial Protection Bureau, the Department of Justice, and various state regulators. She regularly assists clients in assessing their deposit account fee structures and deposit account agreements, analyzing data breach obligations, developing privacy policies, and developing financial products and services within appropriate regulatory models.
SIGN UP FOR UPDATES
Never miss our news, insights or events.
FEATURED NEWS
