Online scams threaten thousands of Americans each year, and US regulators and financial institutions should pursue new methods to better fight these scams and bring relief to victims
Online scams are growing at an alarming rate, impacting consumers financially and emotionally. The impact of these scams is so significant, that there are cases of post-traumatic stress disorder (PTSD) and even suicide.
Total losses from online scams and identity theft reported to the Federal Bureau of Investigation (FBI) have increased to $10. 3 billion in 2022 from $6.9 billion the year before, according to the FBI Internet Crime Complaint Center report, and it is estimated that that numbers are much higher because less than 7% are assumed to report to any authority due to shame and embarrassment. One type of crime that is growing significantly is cryptocurrency investment scam, which climbed an alarming 183% to $2.57 billion in 2022 from $907 million in 2021.
With these monetary losses skyrocketing, one question arises: Who is protecting consumers? Many claim that this is a matter of personal responsibility, but with the alarming growth in losses, the societal impact of these scams is yet to be truly measured. Law enforcement and the FBI might investigate some cases, but the recovery possibilities are extremely limited once the money ends up in the hands of the criminals.
Of course, financial institutions hold some liability when it comes to fraudulent transactions, but the liability to reimburse customers only happens in the case of account takeover fraud, or unauthorized transactions. In this scenario, criminals will use an array of tactics such as stolen credentials or malware to login to the legitimate customer’s account or take over an existing online banking session.
In the United States, Regulation E (Reg E), which was issued by the Federal Reserve as an implementation of the Electronic Fund Transfer Act of 1978, determines the conditions under which financial institutions will reimburse their customers for unauthorized electronic transfers. While several clarifications have been issued over the years to outline specific cases for online banking and debit card activity, one thing remains clear — If a customer performed an authorized transaction even if they were manipulated to do so by a scammer, they will not be covered under Reg E and the bank will not be liable to reimburse customers. Given the amounts of money lost to scams such schemes as romance scams, investment scams, bank impersonation scams, and many others, and the implication of billions of dollars leaving the U.S. every year to illicit actors based in foreign countries, there is a need to take action.
Interestingly, there are several activities happening with numerous federal agencies pushing to do more around scams, such as the Federal Communications Commission (FCC) to take more action in detecting scam text messages, and the Federal Trade Commission (FTC) pushing social media and video platforms to address the surge in scams.
Embracing the Contingent Reimbursement Model
One interesting example of a model for scam loss reimbursement can be taken from the United Kingdom. The Contingent Reimbursement Model (CRM) was introduced in May 2019 in the U.K. in the form of an initiative designed to reimburse victims of authorized push payment fraud (APP fraud). This is a voluntary code that can be used by banks which agree to participate in the initiative.
Since its launch in 2019, the CRM has been successful in providing a more streamlined and efficient way of compensating victims of APP fraud. In fact, a total of almost 50% of reported scam losses have been reimbursed to victims of APP fraud under the CRM between the first half of 2020 and the second half of 2022, according to the latest figures released by U.K. Finance. This represents a significant increase compared to the previous reimbursement models, which often resulted in remaining financial losses to the victims. Under the CRM, the customer’s bank will reimburse the customer and take loss liability.
Unfortunately, the U.S. banking sector has been focused on an extremely narrow section of scams that has caught headlines, which is fraud on the Zelle payment platform. There has been a significant increase in Zelle fraud due to the nature of Zelle being a faster payment person-to-person network, with the money being transferred immediately to the beneficiary. Indeed, scams increased more than 250% to more than $255 million in 2022, compared to more than $90 million in 2020, according to a report released by Sen. Elizabeth Warren (D-Mass.) in October 2022.
From April to November 2022, Sen. Warren pushed the operators of Zelle — Early Warning Services, which itself is owned by a number of large U.S. banks — to provide numbers and explain their plan to reimburse customers and provide better protection. In November 2022, the seven banks that own Zelle started to work on a rule change that will require the network’s member banks to compensate customers who fall victim to certain kinds of scams. The shift would reverse the network’s current policy, which typically leaves customers with the losses on any Zelle transactions that the customers initiated themselves — even if they were tricked into sending their cash to a criminal.
Under the planned rules, if the banks determined that a customer had been deceived into sending money, the recipient bank — the one holding the scammer’s bank account — would be responsible for returning the money to the victim’s bank. That bank would then refund its defrauded customer.
This announcement is a huge change and brings a wave of optimism; however, there are many issues with the proposed reimbursement model. First, it is still unclear which cases will be reimbursed. The news of the proposal model has also received pushback by smaller banks that claimed that they cannot afford to pay for customer scam losses on Zelle, and they might need to leave the Zelle network if this rule will be reinforced, driving more competitive challenges for smaller banks. In addition, and perhaps most obvious, although Zelle scams are skyrocketing, we see other scam vectors growing significantly in which transfers to criminals are not conducted on the Zelle payment platform.
Clearly, the industry needs a more holistic approach to protect consumers who are losing money in growing amounts, especially since Zelle fraud is a comparative drop in the multi- billion-dollar ocean of similar financial scams.
So, to answer the original question: Could the U.K.’s CRM model be deployed in the U.S.? It seems like the Zelle liability initiative that was taken to address a very isolated issue might quiet broader conversations for the time being. However, with the sophistication of the banking ecosystem in the U.S. and the many stakeholders that would need to get involved, it is highly unlikely that this model will be implemented in the U.S. as a voluntary measure.
There is a broader ecosystem that needs to take more responsibility across the scam lifecycle, starting with telecom companies and social media platforms, which facilitate communication, and then onto the banks which enable these illicit transactions.
There definitely should be more collaboration and data-sharing across sectors, and that should be facilitated by the government. At a minimum, banks should take better care of their customers by erecting stronger controls to prevent scams and drive better awareness of these schemes.
For more on protecting yourself from online scams, check out the author’s recent podcast on the Scam Rangers site.