The Consumer Financial Protection Bureau (CFPB) closed out 2024 by filing a lawsuit against Bank of America, JPMorgan Chase, and Wells Fargo over those banks’ involvement in Early Warning Services (EWS), which operates Zelle, a peer-to-peer payment network.
The basic gist of the lawsuit is that the banks involved did not provide adequate security for the Zelle payment app, advertised the app as more secure specifically because it is operated by banks, allowed fraudsters to remain active on the network by hopping between banks, and failed to meet their Reg E requirements related to unauthorized transactions completed through Zelle.
The lawsuit alleges various failures to comply with Regulation E by, for example, instructing consumers to contact the fraudster to resolve a dispute once the bank determined that it could not claw back the funds. In this respect, the action serves as yet another reminder that banks should closely follow the dispute resolution process set out in Regulation E.
There is, however, additional guidance to be gleaned from the CFPB’s arguments. The lawsuit highlights the risks associated with poor management of reputational risk and third-party service providers. The CFPB’s argument is rooted in UDAAP as well as Reg E. It includes consumer statements that they relied on the banks’ recommendations when deciding to trust the Zelle app and concludes that the banks misled consumers about the app’s security and protection against unauthorized transactions. For example, banks included a Zelle function within bank-branded mobile banking applications offered to consumers and advertised that, unlike other P2P apps, Zelle was bank-backed or bank-endorsed.
Even though Zelle is ultimately owned by these banks and therefore not truly a third party in this situation, the CFPB complaint provides an example of how a bank’s endorsement or promotion of a third-party service can create direct legal risk to the bank. The allegations in the Zelle complaint do not depend on the banks’ ownership of EWS; the Bureau’s arguments could apply to any third-party service provider relationship. The Bureau argues that consumers relied on the banks’ representations that Zelle was secure and reasonably assumed, due to the banks’ endorsement of Zelle, that they would receive substantial protection against fraud and unauthorized transactions conducted through Zelle.
Because Zelle was not secure, according to the CFPB, and because the banks were not adhering to Regulation E requirements, consumers relying on the banks’ representations about Zelle security were subsequently harmed by fraudsters. Furthermore, the CFPB alleges that when fraud concerns came to light and when consumers complained to the banks about Zelle’s security shortcomings, the banks failed to take timely action to improve security or mitigate risks to consumers.
The lawsuit highlights how banks may be responsible for representations that they make about the reliability, security, or services offered by third parties. Additionally, banks may be liable for failure to take timely action to address third parties’ deficiencies or to resolve consumers’ issues with a third party that is recommended, used, or endorsed by the bank.
Ongoing monitoring of service providers and reviews of consumer complaints about service providers are therefore central to an effective third-party risk management program. The Compliance Alliance Vendor Management Toolkit is a great place to start when reviewing your vendor relationships and our Hotline staff is available to answer any additional questions you may have.