When US users have their online bank accounts hijacked and robbed by hackers, US financial institutions are legally required to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week shows that for some of the nation’s largest banks, repaying victims of account takeovers has become more the exception than the rule.
The findings came in a report released by Senator Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud related to Zelle, a “peer-to-peer” digital payment service used by many financial institutions that allows customers to quickly send cash to friends and family.
Zelle is operated by Early Warning Services LLC (EWS), a private financial services company jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, US Bank and Wells Fargo. Zelle is enabled by default for customers at over 1,000 different financial institutions, although a large number of customers are still unaware of it.
Senator Warren said several EWS owner banks – including Capital One, JPMorgan and Wells Fargo – failed to provide all the data requested. But Warren got the requested information from PNC, Truist and US Bank.
“In total, the three banks that provided a complete data set reported 35,848 fraud cases, involving more than $25.9 million in payments in 2021 and the first half of 2022,” the report summarized. “In most of these cases, the bank does not refund the customers who were reported to have been defrauded. Overall these three banks reported refunding customers in only 3,473 cases (representing nearly 10% of fraudulent claims) and refunding only $2.9 million.”
Importantly, the report distinguishes between cases involving direct bank account takeovers and unauthorized transfers (fraud), and losses resulting from “fraudulently induced payments,” where victims are tricked into authorizing the transfer of funds to scammers (scams).
A common example of the latter is the Zelle scam, which uses a constantly changing set of lures to trick people into transferring money to a scammer. Zelle scams often use fake text messages and phone calls made to look like they’re coming from your bank, and they usually involve tricking customers into thinking they’re sending money to themselves when they’re actually sending it to a crook.
Here’s the problem: When a customer issues a payment order to their bank, the bank is responsible for honoring the order as long as it passes a two-step test. The first question asks, Did the request actually come from the owner or an authorized signatory on the account? In the case of the Zelle scam, the answer is yes.
Trace Fooshee, strategic advisor in the anti-money laundering practice at Aite-Novarica, said the second step requires banks to subject customer transfer orders to a sort of “sniff test” using “commercially viable” fraud controls that are generally not designed to detect patterns involving social engineering.
Fooshee said the legal phrase “commercially viable” is the main reason why no bank has much — if any — in the way of fraud detection controls.
“For them to use something that will detect a large fraction of fraud on something that is difficult to detect, they will generate a very high rate of false positives that will also make consumers (and, subsequently, regulators) very unhappy,” Fooshee said. “This will cover the business case for the service as a whole making it something the bank can claim is NOT commercially reasonable.”
Senator Warren’s report explains that banks in general don’t refund users if they were fraudulently induced to make Zelle payments.
“In short, Zelle stated that it will indemnify users in cases of unauthorized transfers where user accounts are accessed by malicious actors and used to transfer payments,” the report continued. “However, the EWS response also indicates that neither Zelle nor its parent bank owner will reimburse users who were fraudulently induced by bad actors to make payments on the platform.”
However, data suggests banks have repaid at least some of the stolen funds from fraud victims about 10 percent of the time. Fooshee said he was surprised that the number was so high.
“The fact that banks pay victims of fraudulent payment fraud that is allowed is worth paying attention to,” he said. “That’s money they pay out of pocket almost entirely for goodwill. You could argue that paying back all victims is a good strategy especially in the climate we’re in but to say what all banks should be doing remains an opinion until Congress changes the law.”
UNAUTHORIZED FRAUD
However, when it comes to repaying victims of fraud and account takeovers, the report suggests banks are stiffing their customers whenever they can get away with it. “Overall, the four banks that provided a complete data set indicated that they reimbursed only 47% of the dollar amount of fraudulent claims they received,” the report notes.
How do banks behave individually? From the report:
- In 2021 and the first six months of 2022, PNC Bank showed that its customers reported 10,683 cases of unauthorized payments totaling more than $10.6 million, of which only 1,495 cases totaling $1.46 were returned to consumers. PNC Bank left 86% of its customers who reported fraud cases without assistance for the fraudulent activity that occurred on Zelle.
- During this same period of time, US Bank customers reported a total of 28,642 cases of unauthorized transactions totaling more than $16.2 million, while refunding only 8,242 cases totaling less than $4.7 million.
- In the period between January 2021 and September 2022, Bank of America customers reported 81,797 cases of unauthorized transactions, totaling $125 million. Bank of America reimbursed just $56.1 million in fraudulent claims – less than 45% of the total dollar value of claims made during that time.
- Truist indicated that the bank had a better record of repaying defrauded customers during this same time period. During 2021 and the first half of 2022, Truist customers filed 24,752 unauthorized transaction claims totaling $24.4 million. Truist reimbursed 20,349 of those claims, totaling $20.8 million – 82% of Truist’s claims were reimbursed during this period. Overall, however, the four banks that provided a complete data set indicated that they reimbursed only 47% of the dollar amount of fraudulent claims they received.
Fooshee said there have long been many inconsistencies in how banks reimburse unauthorized fraudulent claims — even after the Consumer Financial Protection Bureau (CFPB) issued guidance on what qualifies as an unauthorized fraud claim.
“Many banks report that they still do not comply with the standards,” he said. “As a result, I imagine that the CFPB will impose severe penalties on those fined and we will see corrections.”
Fooshee said many banks have recently adjusted their reimbursement policies to bring them more in line with the CFPB’s guidance from last year.
“So this is going in the right direction but not with enough enthusiasm and speed to satisfy the critics,” he said.
Seth Ruden is a payment fraud expert who serves as a global advisory director for the digital identity company BioCatch. Ruden said Zelle recently made “significant changes to its fraud program oversight because of consumer influence.”
“It’s clear to me that despite the sensational headlines, progress has been made to improve outcomes,” Ruden said. “Currently, in-network losses on a volume-adjusted basis are lower than typical credit cards.”
But he said any failure to reimburse victims of fraud and account takeovers only adds to the pressure on Congress to do more to help those scammed into authorizing Zelle payments.
“The bottom line is that regulation hasn’t kept up with the speed of payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized payment fraud losses have overtaken credit card losses and a regulatory response is now on the table. Banks have a choice now to take action and improve controls or wait for regulators to impose a new regulatory environment.”
Sen. Warren’s report is available here (PDF).
Of course, there are several versions of the Zelle scam that may confuse financial institutions about what counts as “authorized” payment instructions. For example, a variant I wrote about earlier this year starts with a text message that spoofs the target’s bank and warns of suspicious pending transfers.
Those who respond at all then receive a call from a number spoofed to look like the victim’s bank, and are asked to verify their identity by reading back a one-time password sent via SMS. In reality, the thief has simply asked the bank’s website to reset the victim’s password, and the one-time code sent via text by the bank’s site is all the criminal needs to reset the target’s password and drain the account using Zelle.
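From the bank's side, the sequence described above leaves a recognizable trail: an SMS-code password reset followed shortly by a Zelle payment to a first-time recipient. The sketch below is an added example, not code from the report or any bank; the event schema, field names, sample events and one-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events using a hypothetical schema (not real bank logs).
EVENTS = [
    {"ts": "2022-10-03T14:02:10", "account": "A-1001",
     "type": "password_reset", "method": "sms_otp"},
    {"ts": "2022-10-03T14:09:45", "account": "A-1001",
     "type": "zelle_send", "amount": 2500.00, "new_payee": True},
    {"ts": "2022-10-03T15:00:00", "account": "A-2002",
     "type": "zelle_send", "amount": 40.00, "new_payee": False},
    {"ts": "2022-10-01T09:00:00", "account": "A-3003",
     "type": "password_reset", "method": "sms_otp"},
    {"ts": "2022-10-04T18:30:00", "account": "A-3003",
     "type": "zelle_send", "amount": 900.00, "new_payee": True},
]


def flag_reset_then_send(events, window=timedelta(hours=1)):
    """Flag Zelle sends to a first-time payee that follow an SMS-OTP
    password reset on the same account within `window`."""
    last_reset = {}  # account -> time of most recent SMS-OTP reset
    flagged = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "password_reset" and ev.get("method") == "sms_otp":
            last_reset[ev["account"]] = ts
        elif ev["type"] == "zelle_send" and ev.get("new_payee"):
            reset_ts = last_reset.get(ev["account"])
            if reset_ts is not None and ts - reset_ts <= window:
                flagged.append({
                    "account": ev["account"],
                    "amount": ev["amount"],
                    "seconds_after_reset": int((ts - reset_ts).total_seconds()),
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_reset_then_send(EVENTS):
        print(hit)
```

Widening the window catches slower account drains but also flags customers who reset a password and later pay someone new for ordinary reasons, which is the false-positive trade-off Fooshee describes.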
None of the above discussion involves the risks affecting businesses that bank online. Businesses in the United States do not enjoy the same fraud liability protection afforded to consumers, and if a banking trojan or clever phishing site results in a business account being drained, most banks will not reimburse the loss.
That’s why I have always urged, and will continue to urge, small business owners to conduct their online banking only from dedicated, limited-access and security-hardened devices — and preferably non-Windows machines.
For consumers, the same old advice remains the best: Watch your bank statements like a hawk, and immediately report and contest any charges that appear fraudulent or unauthorized.