The P2P Fraud Conundrum

Regulators must strike a difficult balance in tamping down increased fraud on peer-to-peer payment platforms.

Have you ever received an automated message from your bank warning you about an unauthorized payment?

If so, you may want to think twice before acting on it. According to a recent report in The New York Times, some individuals have received instructions to send payments through peer-to-peer (P2P) payment apps such as Zelle or Venmo to reverse supposedly fraudulent transactions, only to have scammers steal those payments. And even if victims report the fraud, banks may refuse to return the credit.

This increasingly common scenario reveals a critical distinction in what consumer protection law considers to be an “unauthorized transaction.” When thieves hack consumers’ accounts or steal their phones and transfer money, the Electronic Fund Transfer Act (EFTA) considers the resulting transactions to be unauthorized and requires banks or payment services to refund them.

But in instances where scammers trick individuals into authorizing payments themselves, Regulation E, which implements the EFTA, does not protect the payments. This subtle distinction marks the difference between an easy refund and the loss of thousands of dollars for victims of fraud.

Currently, Regulation E requires financial institutions to credit customers for unauthorized transfers from their accounts made by third parties. In most cases of unauthorized transactions, the financial institution itself has liability. But in some cases where a third-party service gives a customer access to transfers from the customer’s bank account, the regulation holds the service provider liable for unauthorized transactions.

This dual system of liability means that Regulation E applies to all payments on P2P platforms, which allow consumers to instantly transfer money to another individual using their phone. In a December 2021 guidance document, the Consumer Financial Protection Bureau (CFPB) clarified that P2P payment services must credit customers for transfers in instances such as a thief stealing their phone or gaining access to their P2P account.

But the guidance contains no mention of cases where scammers trick their victims into transferring money.

Such instances of fraud have become increasingly common in the past several years. The cases usually have several defining characteristics. A scammer poses as someone else, such as a victim’s bank. Scammers then trick victims into transferring money to them via a P2P payment. By the time victims realize the transfers were illegitimate, the scammers will often have deleted their accounts and disappeared into cyberspace.

These scams are especially effective over P2P payment apps for several reasons. The simplicity of the apps helps draw in scammers because they only need an email address or phone number to create an account. The speed of payments on P2P apps also benefits hackers—as P2P payments clear instantly, rather than over several days like credit card payments and other bank transfers, giving consumers no time to cancel payments after they are made.

In short, the features of P2P apps that make them successful—convenience and speed—also make them susceptible to scams. This vulnerability has led some consumer advocates to call for the CFPB to update Regulation E to include under the definition of unauthorized payments instances where thieves trick or coerce victims into making P2P payments.

One concern with expanding Regulation E’s coverage is that it could decrease consumers’ incentives to exercise diligence when making P2P payments. If individuals get refunds for P2P fraud in situations they could have avoided with simple steps, such as verifying the identity of callers, their caution could decrease and the success of fraud might increase.

Extending Regulation E could also bring “chargeback fraud” to P2P payments. Chargeback fraud occurs when a consumer makes a payment, typically via credit or debit card, and then disputes the charge without a legitimate reason to do so. Chargeback fraud has been rare in P2P transactions because the payments clear instantly, and banks generally refuse to refund payments that have already gone through. But letting consumers dispute mistaken transactions could expand the possibilities for fraud by potentially allowing consumers to make legitimate P2P payments and then later dispute the charges to gain a refund.

Expanding Regulation E’s coverage could, however, prod P2P payment providers to help prevent fraud in the first place. Experts point to a number of steps these companies could take to tamp down on fraud, such as encouraging users not to share their usernames publicly and providing customer support hotlines. If P2P payment providers were on the hook for fraudulent activity, they may have more incentive to take such preventative actions.

Ultimately, as P2P payments grow in popularity, scams on these platforms will likely also continue to increase. Regulators currently face a choice in deciding how far they will go to prevent such fraud.