Understanding Bank Liability for Unauthorized Zelle Payments

by Brian Malcom, Waller

Zelle, ever heard of it? If you are in the banking industry, the answer is almost certainly yes. Zelle is a service that allows bank customers to instantly send funds to others. In 2017, Zelle handled roughly $75 billion in transfers. Venmo, another peer-to-peer (P2P) payment platform that is owned by PayPal, not banks, also handled billions of dollars in P2P payments in 2017. Plainly, P2P transfers are an important aspect of modern banking.

So, who is liable for unauthorized electronic funds transfers (EFTs) using mobile phones? The answer is: it depends. Sometimes the law saddles the consumer with some costs, but the bank often absorbs most of the costs. The bank can, however, make a customer contractually responsible for an authorized EFT that the customer mistakenly sends to an unintended recipient.

Regulatory framework
The Electronic Funds Transaction Act (EFTA) and Regulation E establish rules for electronic funds transfers (EFTs) involving consumers and govern transfers by mobile phone apps like Zelle or Venmo. The ground rules, liabilities, and rights of consumers who use EFTs and those who provide EFT services, including financial institutions, are set out in the EFTA and its implementing rule, Regulation E. An EFT is defined as any transaction “initiated through an electronic terminal, telephone, computer (including online banking), or magnetic tape that instructs a financial institution either to credit or debit a consumer’s account.”

Proper disclosures help shift some risk for unauthorized EFTs to consumers
Most banks qualify as financial institutions under the EFTA. Financial institution is defined under the EFTA as “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person who, directly or indirectly, holds an account belonging to a consumer ….” Accordingly, banks allowing electronic transfers through their websites or apps like Zelle, Venmo, or their own mobile banking apps, must provide required disclosures to consumers and must comply with procedures for consumer notifications, investigation of unauthorized EFTs, and resolution of alleged fraudulent or unauthorized EFTs within specific timeframes.

Reg. E provides that the disclosures be “clear and readily understandable, in writing, and in a form the consumer may keep . . . .” These disclosures can be delivered in electronic form, but the financial institution must comply with the requirements for electronic signature, including the consumer consent rules. These initial disclosures must be made “at the time a consumer contracts for an electronic fund transfer service or before the first electronic fund transfer is made.” The disclosures must include, among other things, the consumer’s liability for unauthorized transfers, the consumer’s right to documentation, telephone numbers and addresses for the consumer to give notice of a suspected unauthorized EFT, the types of transfers the consumer can make, and fees. Importantly, the financial institution must also provide disclosures outlining the error resolution process and the liability of the financial institution to the consumer for the financial institution’s failure to stop certain transfers or make certain transfers.

Limits of Consumer Liability Under the EFTA
A consumer may be liable for some amount of an unauthorized EFT, if the disclosure requirements and other requirements are met. The EFTA and Regulation E limit consumer liability for fraudulent or unauthorized transactions, and the consumer’s liability varies based upon timing of notification to the financial institution. Importantly, a consumer’s liability for unauthorized EFTs may depend on the timeliness of his or her notice to the financial institution. Timeliness is measured from the loss or theft of an “access device.” Under the EFTA and Reg. E, if an unauthorized purchase is charged to a debit card account and the affected consumer notifies the financial institution within two business days after learning of the loss or theft of the consumer’s “access device,” the consumer’s liability is limited to the lesser of $50 or the amount of unauthorized transfers that occur before notice. If the consumer fails to notify the financial institution within two business days following the loss or theft of an access device, the consumer’s liability is capped at the lesser of $500 or the $50 that occurred within two business days and the amount of unauthorized transfers after the two business days and before notice to the institution, assuming the financial institution can show that the transfers after the two-day period would not have happened if the consumer had provided timely notice. If a bank violates the EFTA, it may be forced to pay statutory damages and attorney’s fees for a consumer plaintiff.

Is a mobile phone an “access device?” In other words, if a consumer loses his or her mobile phone that is signed into an app like Venmo or Zelle, is the consumer required to notify his or her financial institution to limit his or her liability? If the consumer does so, is the consumer afforded the same protections as if a debit card were lost or stolen? The answer to these questions is not currently clear, and the answer to these questions could have a significant impact on a consumer’s liability and, by extension, a bank’s liability for unauthorized EFTs using a consumer’s mobile phone.

Access device is currently defined as “a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.” The definition of access device under Reg. E and the staff interpretation example for the same currently support an interpretation that a mobile phone with stored credentials qualifies as an access device. Thus, if the mobile phone is considered an access device, a consumer can limit his or her liability under the EFTA by giving timely notice to a financial institution that his or her mobile phone is lost or stolen.

The 60-day rule
If an unauthorized EFT appears on a regular statement, the consumer is required to notify the institution that sent the statement within 60 days. This rule applies regardless of whether an access device is lost or stolen and applies to all card-not-present transactions, which includes mobile payments. If a consumer fails to notify the financial institution within 60 days of the statement’s transmittal, “the consumer’s liability shall not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before notice to the institution, and that the institution establishes would not have occurred had the consumer notified the institution within the 60-day period.”

The power of the customer agreement
Financial institutions can insulate themselves against customer claims for refunds following third-party fraud through clear terms in their customer agreements. Banks should provide terms that make customers aware that they are responsible for all EFT payments to recipients using recipient information generated by the customer, even if that recipient turns out to be a fraudster or different than the intended recipient. This will give banks a contractual basis for shifting liability to a consumer for EFTs involving fraud. Banks should work closely with counsel when drafting terms and conditions relating to Zelle or other EFT technologies to ensure contractual rights protect the bank as much as possible.

Brian J. Malcom is a partner at Waller in Birmingham. Top banks and financial institutions seek his counsel in all areas of litigation, including contract disputes, trust and fiduciary litigation, consumer claims, and bond and warrant claims. Brian was profiled in 2017 by the Birmingham Business Journal as one of Birmingham’s Rising Stars of Law. He was also named a Top Attorney for Banking Law in 2018 in Birmingham Magazine’s annual peer-reviewed survey.