Imagine sending $1,000 to a loved one, only to discover you’ve been scammed and your bank won’t help you recover the funds. While most peer-to-peer (P2P) transactions occur without incident, this nightmare is a reality for many users of P2P payment apps. Since Consumer Reports (CR)’s evaluation of P2P services in 2022, and despite increasing federal attention and service provider acknowledgement, the issue has only continued to increase. In 2023 alone, consumers reported losing $210 million to scams on these platforms, a staggering 62% increase from 2021. As these services surge in popularity, so do the risks to consumers.
CR evaluated four P2P payments apps in 2022 and found that policies for resolving fraud and errors can leave consumers at risk of losing money. Given the continued and increased risk, we took another look at the four companies’ user-facing policies to see what, if anything, had changed since our 2022 evaluation. We also reviewed the policies of the seven banks that co-own Early Warning Services, LLC., the company behind Zelle. We reviewed policies such as service agreements, terms and conditions, and electronic funds transfer disclosures. These documents define the specific legal responsibilities of the company and users relating to use of the app, including notification and reimbursement policies for potentially fraudulent transactions. Despite the increasing risk to consumers and federal attention on the issue, we found that:
- Two of the four companies evaluated in 2022 made changes to the relevant sections of their policies
- Most (10 of 11) companies’ policies have vague or no reference to how fraudulently-induced payments (scams) are not considered unauthorized and therefore not covered by liability protections, and
- About half (6 of 11) of the companies’ policies provide more generous protection than required by law for unauthorized transactions, though these protections still do not cover scams.
Scams and Fraud on P2P Services
Fraudulently induced payments, also known as authorized push payment scams, occur when a scammer tricks a user into willingly sending money. Unlike unauthorized transactions where someone gains illegal access to an account, these scams exploit trust and often leave victims with little recourse. These types of scams are becoming increasingly common and sophisticated, yet most P2P payment services do not consider them “unauthorized” transactions. Regulation E defines an unauthorized transaction as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.” For example, if a users’ device or password were stolen and used to make transactions, those would be unauthorized and would be covered by the liability protections set out in reg E. But a scam where a user is fraudulently manipulated into sending money would not be covered. This leaves consumers vulnerable to increasingly sophisticated scams.
Additionally, while credit card users enjoy robust protections under the Fair Credit Billing Act, including the ability to dispute fraudulent charges, P2P payment app users are left largely unprotected. This disparity highlights the urgent need for updated regulations in the rapidly evolving digital payment landscape.
This gap between regulation and harm is well known. In 2022, CR conducted a comparative evaluation of four leading P2P payment apps – Apple Cash, Cash App, Venmo, and Zelle – assessing their safety, privacy, and transparency policies and practices. Among other things, we found that the companies’ policies for resolving fraud and errors left consumers at risk of losing money.
Federal lawmakers are increasingly focused on the issue, introducing a bill requiring P2P providers to reimburse consumers scammed into sending money to crooks and through an ongoing investigation into Zelle and the banks that co-own the company that operates the payment service. A recent subcommittee report found that the three largest banks reimbursed victims of Zelle scams just 38 percent of the time in 2023, down from 62 percent in 2019.
And some companies have made adjustments to address the harm. In June 2023, Zelle updated its reimbursement policy to include certain types of imposter scams. In a notable development, Apple recently announced a policy change effective October 4, 2024, requiring users to verify their identity for cumulative P2P transfers exceeding $500. However, these adjustments have not been consistently implemented or clearly communicated to users. This highlights the need for industry-wide improvements in user authentication and fraud prevention.
Zelle: Standalone App and Bank Integration
It’s important to note that, unlike other P2P service providers, Zelle operates in two distinct ways: as a standalone app and as an integrated service within many banks’ mobile platforms. While Zelle has its own policies, when used through a bank’s app, the bank’s policies apply. This dual nature means consumers may be subject to different terms depending on how they access Zelle. In our policy review, we examined not only Zelle’s standalone policies but also those of the seven banks that co-own Early Warning Services, LLC., the company behind Zelle. This comprehensive approach allows us to better understand the full landscape of consumer protections across Zelle’s various use cases.
Have Company Policies Changed to Address the Harm?
Of the four companies we evaluated in 2022, two have made relevant changes to their user-facing policies. Apple has added a clear statement that fraudulently induced transactions are not considered unauthorized. While this is not pro-consumer, it is the clearest statement in any of the policies reviewed. Venmo has removed the guarantee that users will be 100% covered for unauthorized transactions if they report within 60 days. Venmo’s previous policy went beyond minimum regulatory requirements and guaranteed consumers greater protection. While the new language still complies with minimum regulatory requirements, it appears to offer less explicit protection for consumers, and is less clear. Perhaps surprisingly, Zelle has made no relevant changes to its “Zelle Network® User Service Agreement”. Zelle’s June 2023 change to its reimbursement policy does not appear to be reflected in its user-facing policy, which has not been updated since May 2023.
Services Evaluated in 2022 | Policy Changes since 2022 |
Apple Cash | Yes Added the following: “Payments that you are induced to make by an imposter or by other fraud are not “unauthorized“.” |
Cash App | No |
Venmo | Yes
Removed the following statement that was included in the policy reviewed in 2022 : “If you tell us within 60 days after we provide you your Venmo account statement showing transfers you did not make, you will be eligible for 100% protection for Unauthorized Transactions. A similar statement appeared in their User Agreement last updated July 2, 2024 (“If you tell us within 60 days after we provide you your Venmo account statement showing transfers you or your Teen User did not make, you will be eligible for 100% protection for Unauthorized Transactions.”) but is no longer in the User Agreement last updated September 11, 2024. |
Zelle | No |
Are Company Policies Clear that Scams are Not Unauthorized Transactions?
At a minimum, we believe that the companies have a responsibility to transparently inform consumers of the risks of using their products, one of which is falling victim to a scam and not being able to recover their money. Clear communication about these risks is crucial for consumer protection. However, in our review of company policies, only one (Apple Cash) provided a clear explanation that scams are not unauthorized payments. Three companies (Cash App, Venmo, PNC) provide vague explanations of what transactions are “unauthorized” and which are not, and the remaining seven companies provided no explanation in their user-facing policies.
Service | Explanation of what isn’t considered “unauthorized” |
Companies Evaluated in 2022 | |
Apple Cash | Yes. The policy now clearly states that induced fraud (i.e., scams) are not considered “unauthorized” transactions. Although this is not a pro-consumer stance, it is at least clear. “Payments that you are induced to make by an imposter or by other fraud are not “unauthorized“.” |
Cash App | Vague “10. Risk of Fraudulent Transactions The Peer-to-Peer Service is a money transmission service. As a result, fraudulent transactions may result in the loss of funds with no recourse.” “The following are NOT considered Unauthorized Transactions: If you give someone access to your Account (e.g. by giving them your login information) and they use your Account without your knowledge or permission, unless you have notified us that transfers by that person are no longer authorized; If you, or someone else with whom you are acting in concert, act with fraudulent intent; or You reverse engineer or chargeback a transaction made with your Cash App Card. We rely on the information you provide us to send a payment. A misdirected payment, such as a payment, based on the information you provide us, that is sent to the wrong person, is an authorized payment, and will not be considered an Unauthorized Transaction.” |
Venmo | Vague “The following are NOT considered Unauthorized Transactions: If you or a Teen User grant authority to someone to use your Venmo account (by giving them the login information) and they exceed the authority you or a Teen User gave them. You are responsible for transactions made in this situation unless you have previously notified us that you no longer authorize transfers by that individual. Invalidation and reversal of a payment as a result of the actions described under Refunds, Reversals and Chargebacks.” |
Zelle | None |
Co-Owners of Early Warning Services, LLC. | |
PNC | Vague “When you give someone your password or other means to access your account through which you access the Zelle Service, you are authorizing that person to use your service, and you are responsible for all transactions that person performs while using your service. All transactions that person performs, even those transactions you did not intend or want performed, are authorized transactions. Additionally, transactions that you or someone acting with you initiates with fraudulent intent are also authorized transactions.” |
Bank of America, Capital One, Chase, Truist, U.S. Bank, Wells Fargo | None |
Liability for Unauthorized Transactions
Another thing that has not changed from our 2022 investigation: even if transactions fall into the definition of “unauthorized”, consumers may still be on the hook. Regulation E requires that a user report the loss or theft of an access device within 2 business days for their liability for unauthorized transactions to be capped at $50. If users do not report within 2 business days, their liability is capped at $500. And if users do not report within 60 days of receiving a statement from the financial institution that shows an unauthorized transaction, they may be liable for the unauthorized transactions made within that 60 day period. Many of the companies we reviewed follow reg E to the letter; few provide more generous protection by granting longer reporting timelines (Zelle), or fully protecting consumers if they report within 2 business days (Capital One, Chase), or within 60 days (Bank of America, Truist, U.S. Bank).
Service | Unauthorized Transaction Liability Policy | Relative to Reg E |
Companies Evaluated in 2022 | ||
Zelle | If users report within 4 business days, liability is capped at $50. If users report after 4 business days, liability is capped at $500. | Slightly more generous |
Apple Cash | If users report within 2 business days, liability is capped at $50. If users report after 2 business days, liability is capped at $500. If users report after 60 days, they may not recover any of their funds. The above only applies to P2P transfers funded by users’ Apple Cash balance, and not to P2P transfers funded by supported payment cards. |
Follows minimum requirements |
Cash App | If users report within 2 business days, liability is capped at $50. If users report after 2 business days, liability is capped at $500. If users report after 60 days, they may not recover any of their funds. | Follows minimum requirements |
Venmo | Venmo warns users that if they do not report unauthorized transactions within 60 days of receiving a statement, they may be liable for unauthorized transactions that occurred after those 60 days. Venmo does not specify its liability policy if users report in a shorter time frame. | Follows minimum requirements; unclear if the most recent policy is more generous, as past policies were |
Co-Owners of Early Warning Services, LLC. | ||
Bank of America, Truist, U.S. Bank | If users report within 60 days, they are fully covered. If users do not report within 60 days, they may not recover any of their funds. | More generous |
Capital One, Chase | If users report within 2 business days, they are fully covered. If users report after 2 business days, liability is capped at $500. If users report after 60 days, they may not recover any of their funds.
(Interestingly, Chase does have fine print on their Zelle overview webpage related to induced fraudulent transactions: “…Neither Chase nor Zelle® offers reimbursement for authorized payments you make using Zelle®, except for a limited reimbursement program that applies for certain imposter scams where you sent money with Zelle®. This reimbursement program is not required by law and may be modified or discontinued at any time.” This is not included in the Chase Zelle T&C and we did not find anything similar on the other EWS co-owners’ websites.) |
Slightly more generous |
PNC | PNC’s policy is vague: if users report “promptly”, they are fully covered. If users report after 60 days, they may not recover any of their funds. | Slightly more generous |
Wells Fargo | For unauthorized transactions involving the loss or theft of the users’ access device, user name, or password: If users report within 2 business days, liability is capped at $50. If users report from 2-60 business days, liability is capped at $500. If users report after 60 days, liability is capped at $500 for transactions occurring within the 60 day period. For transactions occurring after the 60 day period, users may not recover any of their funds. For unauthorized transactions not involving the loss or theft of the users’ access device, user name, or password: If users report within 60 days, they are fully covered. If users do not report within 60 days, they may not recover any of their funds. |
Follows minimum requirements |
Website and Educational Content
These companies do have webpages, FAQs, or blogs that educate users on the risk of scams, different types of scams, and how to identify a scam. However, some of these resources do not inform users that they may not get their money back if they fall victim to a scam. For example, Cash App has three relevant articles when searching ‘scam’ in the Cash App Support section of their website. The articles provide helpful information about different types of scams, but they do not explicitly warn consumers that they might not be able to recover their funds beyond stating “Keep in mind that Cash App to Cash App payments are instant and usually can’t be canceled.”
Others of these website and educational materials point users to policies. For example, Zelle has a Fraud and Scams Overview webpage that explains the difference between fraud (unauthorized transactions) and scams (authorized transactions). The page also states “It’s important to read the user service agreement and the account agreement with your financial institution to understand the terms of any payment service you intend to use.” But from our review, reading those agreements does not provide additional clarity to users.
Recommendations
Consumer advocates believe that consumers should also be protected from transactions that they are fraudulently induced to make, such as scams. We believe consumers should be protected from fraudulently induced payments because companies are in a much better position to put in place safeguards to address these issues than individual consumers.
Despite the increasing risk and harm of fraud and scams on P2P services, companies have made no pro-consumer changes to their policies. As companies have not satisfactorily addressed this risk, CR recommends that the CFPB update Reg E to require more generous liability protection for unauthorized transactions, and to implement liability protection for fraudulently induced transactions.
Given the evolving nature of P2P payment scams and the inadequacy of current protections, Consumer Reports is calling on companies to update their products and policies to protect consumers from fraud and scams. Specifically, companies can and should:
- Implement a mandatory 24 hour holding period for transactions of $500-750 or more, with an option for consumers to override by providing additional verification
- Institute a universal 12 to 24 hour window during which all payments can be easily reversed by consumers, similar to the cancelation policies of other financial institutions
- Commit to improving the transparency and thoroughness of internal investigation procedures and more fully reimbursing consumers who are the victims of sophisticated induced fraud scams. This includes expanding the categories eligible for reimbursement beyond the current limited scope.
- Implement purchase protections for payment disputes for Zelle payments made for commercial purposes, mirroring the protections that exist for credit cards under the Fair Credit Billing Act.
- Enhance parental controls to include 1) the ability to disable Zelle in their minor child’s online banking app and 2) mandatory approval or deny transactions initiated by minors 3) real-time transaction notifications for parents.
- Improve user authentication methods by implementing multi-factor authentication for all transactions over $500, similar to recent changes made by other P2P platforms.
The explosion of P2P payment apps has revolutionized how we transfer money, but it has also opened new avenues for fraud. As scams become increasingly sophisticated, it’s clear that current policies are inadequate. Consumers shouldn’t have to choose between convenience and security. It’s time for P2P payment providers to step up, implement stronger safeguards, and ensure that users are protected from the growing threat of financial fraud. With the right policies and protections in place, P2P payments can be both convenient and secure.