Corporate Misconduct Accountability Project
Early Warning Services, LLC ยท enforcement action
Zelle Fraud: Banks Put Profit Over Consumer Safety, Lose $870M+
Early Warning Services, Bank of America, JPMorgan Chase, and Wells Fargo launched Zelle without adequate fraud prevention, exposing millions of consumers to losses while marketing the platform as safe and secure.
CRITICAL SEVERITY
TL;DR
The Consumer Financial Protection Bureau sued Early Warning Services and three major banks for failing to protect Zelle users from fraud. Despite marketing Zelle as safe and secure, the defendants rushed the platform to market without basic fraud prevention measures. Over 900,000 consumers lost more than $870 million to fraud that the defendants failed to prevent, detect, or address. The banks refused to reimburse most victims.
This case shows how corporations prioritize rapid market expansion over consumer safety, leaving everyday people to bear the financial and emotional costs.
$870M+
Consumer fraud losses across three banks
900,000+
Consumers who reported fraud losses
143M
Zelle users as of 2024
$481B
Transferred in first half of 2024 alone
73%
Zelle activity controlled by three defendant banks
The Allegations: A Breakdown
Core Allegations
What they did · 8 points
| 01 | Early Warning Services rushed Zelle to market in 2017 without adequate fraud prevention measures, prioritizing market share over consumer safety. The company failed to implement basic authentication requirements, allowing fraudsters easy access to the network. | high |
| 02 | Bank of America, Chase, and Wells Fargo marketed Zelle as safe and secure while knowing the platform lacked effective fraud protections. They embedded Zelle in their banking apps to exploit consumer trust without implementing adequate safeguards. | high |
| 03 | The defendants allowed users to register with high-risk phone numbers like VoIP and Canadian numbers, violating their own network rules. This permitted fraudsters to create accounts and evade detection through repeated token reassignments. | high |
| 04 | Zelle displayed only recipients’ first names at the point of transfer, making it easy for fraudsters to impersonate legitimate entities. Consumers had no way to verify they were sending money to the intended recipient. | high |
| 05 | The defendants failed to suspend or restrict accounts after receiving multiple fraud complaints about the same users. Known fraudsters continued operating on the network, victimizing additional consumers. | high |
| 06 | When consumers reported fraud, the banks denied most claims and told victims to contact the fraudsters themselves to recover their money. The banks provided no meaningful assistance or additional identifying information about the criminals. | high |
| 07 | Early Warning Services failed to require participating banks to report fraud data promptly and accurately. Even when reporting requirements existed, EWS did not enforce compliance, allowing fraud patterns to go undetected. | medium |
| 08 | The defendants did not use information from consumer complaints to prevent future fraud. They failed to identify repeat bad actors or emerging fraud patterns, leaving consumers vulnerable to the same schemes repeatedly. | medium |
Regulatory Failures
How oversight broke down · 6 points
| 01 | Early Warning Services created a formal fraud monitoring program only in April 2021, almost four years after launching Zelle. For years, the company devoted insufficient resources to enforcing its own network rules. | high |
| 02 | Bank of America and Chase failed to treat misdirected transfers as errors under federal law when the Zelle Network Directory contained outdated information. Between 2017 and 2018, they did not investigate these complaints properly, denying reimbursement to victims. | high |
| 03 | The defendant banks failed to conduct reasonable investigations when consumers reported unauthorized transfers. They did not review relevant information held by Early Warning Services or other participating banks, relying only on incomplete data in their own possession. | high |
| 04 | Chase denied claims from 17,000 accountholders between January 2019 and January 2021 for transfers misdirected due to directory errors. The bank incorrectly classified these as authorized transactions rather than errors requiring reimbursement under federal law. | high |
| 05 | Wells Fargo denied fraud claims based on non-dispositive information like device history and login failures. These factors had no bearing on whether devices had been stolen or accounts compromised, yet the bank used them to reject legitimate claims. | medium |
| 06 | Bank of America denied fraud claims based solely on whether previous transfers had occurred from the same device. This determination was irrelevant to whether the device had since been stolen or the account compromised. | medium |
Profit Over People
The business model · 6 points
| 01 | Bank of America, Chase, and Wells Fargo launched Zelle to compete with non-bank peer-to-peer platforms and capture market share from their existing customer base. They prioritized rapid growth over implementing fraud prevention measures that would slow enrollment. | high |
| 02 | The defendant banks focused heavily on marketing and growing Zelle’s user base while conducting minimal fraud prevention analysis, testing, and diligence before launch. They devoted insufficient time to understanding the fraud prevention measures needed for a network of Zelle’s size and speed. | high |
| 03 | Early Warning Services generated approximately $200 million in revenue from Zelle in 2022 out of $429 million in total revenue. The company prioritized this revenue stream over implementing effective fraud controls. | medium |
| 04 | Bank of America, Chase, and Wells Fargo controlled 73% of Zelle activity in 2023 as the largest participating institutions. They used their ownership stake in Early Warning Services to influence network rules while failing to implement adequate fraud protections. | medium |
| 05 | The defendants marketed Zelle as free, fast, and easy to use, emphasizing frictionless transactions. They designed the signup process to be intentionally fast with minimal authentication, making it equally easy for fraudsters to access the network. | medium |
| 06 | Zelle is embedded in the defendant banks’ mobile apps and cannot be removed by consumers. This forced integration exploited consumer trust in their banks while exposing them to fraud risks the banks knew existed. | medium |
Economic Fallout
Who paid the price · 7 points
| 01 | Bank of America received complaints from over 324,000 customers about potentially fraudulent induced transfers totaling over $207 million. The bank did not provide credits for these losses, leaving consumers to absorb the full financial impact. | high |
| 02 | Chase customers filed more than 320,000 complaints about fraudulent induced transfers totaling over $251 million that the bank refused to reimburse. An additional 40,000 customers complained about misdirected transfers due to directory errors. | high |
| 03 | Wells Fargo received complaints from over 160,000 accountholders about fraudulent inducement totaling over $105 million and from over 120,000 accountholders about unauthorized fraud totaling over $110 million. The bank denied reimbursement for the vast majority of these losses. | high |
| 04 | Bank of America customers in Arizona alone filed 29,289 complaints about Zelle fraud from June 2017 to August 2023, with 74% relating to fraud. Chase and Wells Fargo received 40,054 and 43,571 Arizona complaints respectively, with 66% and 71% fraud-related. | medium |
| 05 | Over 1,000 Chase customers lost more than $1.1 million to Me-to-Me fraud schemes where fraudsters convinced victims they were transferring money to their own accounts. The bank denied reimbursement despite the obvious fraud indicators. | medium |
| 06 | More than 3,900 Wells Fargo customers lost over $5 million to Me-to-Me fraud schemes. The bank refused to credit these losses even though the fraudsters had taken over the victims’ tokens and redirected the funds. | medium |
| 07 | Bank of America received over 161,000 complaints about potentially unauthorized transfers totaling over $85 million and more than 1,200 complaints about Me-to-Me schemes totaling over $1 million. The bank did not reimburse these victims. | medium |
Corporate Accountability Failures
When systems fail to protect · 6 points
| 01 | Early Warning Services identified numerous anti-fraud measures in internal documents but took years to implement them or never implemented them at all. The company recognized the problems but prioritized other business objectives over consumer protection. | high |
| 02 | The defendant banks repeatedly violated network rules requiring prompt fraud reporting, yet Early Warning Services failed to enforce compliance or impose fines. This lack of accountability allowed fraud to proliferate unchecked across the network. | high |
| 03 | Bank of America permitted users to register VoIP numbers and Canadian phone numbers through at least September 2019 and May 2020 respectively, violating network rules. These violations allowed high-risk accounts to operate on the platform. | medium |
| 04 | Chase failed to categorize misdirected transfers as errors under federal law between 2017 and 2018. The bank’s representatives incorrectly denied 17,000 legitimate claims, forcing consumers to bear losses caused by the bank’s own directory errors. | medium |
| 05 | Wells Fargo did not require consumers to register a token to send money until March 2022, five years after Zelle launched. This increased vulnerability to Me-to-Me schemes where fraudsters registered victims’ unregistered tokens to their own accounts. | medium |
| 06 | The defendant banks knew from early consumer complaints that victims felt misled about Zelle’s security, yet they continued advertising the platform as safe and secure. They ignored clear evidence that consumers could not recognize or avoid the fraud risks. | medium |
The PR Machine
Marketing deception · 7 points
| 01 | Early Warning Services advertised Zelle as fast, safe, and easy, telling consumers to pay it safe. Television ads suggested consumers could safely buy playoff tickets with Zelle because it was backed by banks so you know it’s secure. | high |
| 02 | Bank of America promoted Zelle from 2017 through at least October 2020 by stating consumers would not be liable for fraudulent transactions. The bank displayed this message in promotional emails, mobile apps, FAQs, and landing pages despite knowing fraud protections were inadequate. | high |
| 03 | Chase advertisements from 2019 through 2020 claimed multiple security checks have been added to make sure you’re sending and receiving money to or from the right person. In reality, the bank displayed only first names and conducted minimal verification. | high |
| 04 | Wells Fargo marketed Zelle as the fast, safe, and easy way to pay for everything you need on the go, encouraging consumers to send money to almost anyone. The bank’s website and mobile app repeatedly emphasized safety and security despite widespread fraud. | high |
| 05 | Bank of America’s sign-in pages encouraged users to send money to hairstylists, landscapers, and other workers using Zelle. The bank ran multimedia campaigns claiming Zelle is the fast, safe and easy way to pay for everything while failing to implement fraud protections. | medium |
| 06 | Wells Fargo’s enrollment process from 2019 through 2021 told consumers to move money in the moment simply and securely with lots of people you know. The bank promised to send money safely to people and businesses you know despite knowing the platform was vulnerable to fraud. | medium |
| 07 | Early Warning Services created ads during the COVID-19 pandemic touting Zelle as a fast, safe, and contact-free way to transfer money. The company exploited pandemic circumstances to grow the user base while fraud problems persisted. | medium |
Exploiting Delay
Slow-walking solutions · 6 points
| 01 | Early Warning Services and the defendant banks recognized fraud problems shortly after Zelle’s July 2017 launch but did not take meaningful action for years. They repeatedly identified necessary fraud prevention measures in internal documents but failed to implement them in a timely manner. | high |
| 02 | Bank of America did not consistently display recipients’ first names until mid-2020 and did not display last names until November 2022, more than five years after launch. This delay allowed fraudsters to continue impersonating legitimate entities. | medium |
| 03 | Chase did not begin displaying recipients’ last names until May 2023 at the earliest, nearly six years after Zelle launched. The bank knew this information would help consumers identify fraud but delayed implementation while losses mounted. | medium |
| 04 | Wells Fargo did not proactively alert senders when recipient names differed from what senders entered until 2022. The bank had the capability to implement this basic fraud prevention measure years earlier but chose not to prioritize it. | medium |
| 05 | Early Warning Services did not require participating banks to report induced fraud data until years after launch, and even then many banks failed to comply. The company’s inadequate enforcement allowed fraud patterns to continue undetected. | medium |
| 06 | The defendant banks did not implement mechanisms to identify and suspend suspicious email tokens at signup until 2023. For years, fraudsters registered tokens using email addresses impersonating banks and government entities with no restrictions. | medium |
The Bottom Line
What this means · 6 points
| 01 | The defendants prioritized capturing market share and generating revenue over protecting consumers from fraud. They rushed Zelle to market with inadequate safeguards, marketed it as safe despite knowing otherwise, and refused to reimburse most victims when fraud occurred. | high |
| 02 | Consumers suffered over $870 million in fraud losses across three banks because the defendants failed to implement basic fraud prevention measures. These losses represent real financial devastation for everyday people who trusted their banks to protect them. | high |
| 03 | The defendants violated federal consumer financial protection laws and electronic fund transfer regulations by failing to reasonably investigate fraud claims and denying reimbursement for errors. They treated consumer losses as acceptable business costs. | high |
| 04 | This case demonstrates how corporations exploit regulatory frameworks by treating fines as costs of doing business rather than incentives to change. Without meaningful accountability, companies will continue prioritizing profits over consumer welfare. | high |
| 05 | The Zelle fraud epidemic shows what happens when financial institutions control both the infrastructure and the rules governing a payment network. The defendant banks used their ownership of Early Warning Services to avoid implementing fraud protections that might slow growth. | medium |
| 06 | Consumers need stronger legal protections for peer-to-peer payment fraud and must demand accountability from banks that market products as safe without implementing adequate safeguards. Grassroots pressure and regulatory enforcement are both necessary to force change. | medium |
Timeline of Events
December 2015
Defendant banks sold clearXchange to Early Warning Services, announcing plans to create the largest, most secure real-time payments ecosystem in the U.S.
Spring 2017
Defendants pushed to rapidly launch, market, and brand Zelle, focusing heavily on marketing and growth.
July 2017
Zelle launched with inadequate fraud prevention measures. Significant fraud problems became apparent shortly after launch.
September 2018
Early Warning Services required participating banks to display recipients’ first names at point of transfer, but no other identifying information.
October 2018
Zelle reported processing more than 375 million transactions valued at $106 billion over the past year, showing rapid growth.
April 2021
Early Warning Services created a formal Fraud Monitoring Program, almost four years after launching Zelle.
November 2022
Bank of America began consistently displaying recipients’ last names at point of transfer, more than five years after launch.
Mid-2023
Zelle network began requiring participating institutions to reimburse a limited category of imposter schemes, covering only a fraction of induced fraud.
May 2023
Chase began displaying recipients’ last names at point of transfer, nearly six years after launch.
First Half 2024
Zelle users transferred $481 billion across more than 1.7 billion transactions with more than 143 million users on the network.
December 20, 2024
Consumer Financial Protection Bureau filed lawsuit against Early Warning Services, Bank of America, Chase, and Wells Fargo for unfair practices and EFTA violations.
Direct Quotes from the Legal Record
QUOTE 1
Marketing vs. Reality
allegations
“Defendants have leaned into these consumer expectations and have widely marketed Zelle, such as through their websites, television, podcasts, radio, and on social media. Defendants encouraged consumers to use Zelle by promising that it is ‘safe’ or ‘secure,’ and EWS even encouraged consumers to use Zelle to ‘pay it safe.'”
๐ก The defendants actively exploited consumer trust while knowing their fraud protections were inadequate.
QUOTE 2
Profits Over People
profit
“At its inception, Defendants focused on quickly bringing Zelle online to capture market share by leveraging their existing customer base and offering peer-to-peer money transfer services directly to those consumers. This rush to market was prioritized at the expense of consumers because Defendants have failed to institute effective anti-fraud measures for the network or otherwise comply with consumer financial protection laws.”
๐ก The lawsuit explicitly states that defendants chose rapid growth over consumer protection.
QUOTE 3
Victims Left Behind
economic
“Since 2017, hundreds of thousands of consumers complained about being defrauded by Zelle users through various schemes. Yet consumers who went to their banks for help were largely denied relief, and some were even told to try getting their money back by contacting the person who had defrauded them.”
๐ก Banks told fraud victims to contact their own criminals rather than providing meaningful assistance.
QUOTE 4
Known Vulnerabilities Ignored
accountability
“Defendants could have taken numerous steps, both individually and collectively, to prevent much of the harm to consumers. In addition to failing their customers, Defendants’ actions and failures to act violated Federal consumer financial law.”
๐ก The defendants knew how to prevent the fraud but chose not to implement the necessary measures.
QUOTE 5
Massive Scale of Harm
economic
“Defendants’ failures resulted in millions of complaints about Zelle fraud at these three banks alone, including complaints of over $290 million in fraud losses by 210,000 Bank of America customers, over $360 million in fraud losses by 420,000 Chase customers, and over $220 million in fraud losses by 280,000 Wells Fargo customers.”
๐ก Nearly one million consumers across three banks lost over $870 million total to fraud the banks failed to prevent.
QUOTE 6
Inadequate Authentication
allegations
“EWS created a consumer sign-up process that was intentionally fast and frictionless, which allowed users to register for a Zelle token if they had a bank account and U.S.-based mobile phone number or email address and could access the email or mobile device to receive and enter a one-time passcode.”
๐ก The deliberately minimal authentication made it equally easy for fraudsters to access the network.
QUOTE 7
Hiding Recipient Identity
allegations
“In September 2018, EWS required participating financial institutions to display the recipient’s first name at the point of transfer. But since then, EWS has not required participating financial institutions to display any additional identifying information that would help senders identify recipients, such as the recipient’s last name, the age of the token, or amount of time the user was on Zelle.”
๐ก For years, consumers saw only first names when sending money, making impersonation fraud trivially easy.
QUOTE 8
Failure to Remove Bad Actors
accountability
“Since Zelle launched, each of the Defendant Banks has failed to prevent its own accountholders from using Zelle to defraud others, while also failing to protect other of its own accountholders from fraud when using Zelle. These failures were as basic as Defendant Banks not restricting the Zelle activity of their accountholders who engaged in Zelle fraudโor not sharing that information with EWS or other participating financial institutions on the Zelle networkโwhich allowed those fraudsters to continue defrauding consumers across the Zelle network.”
๐ก Banks allowed known fraudsters to keep operating even after receiving multiple complaints about them.
QUOTE 9
Delayed Fraud Prevention
delay_tactics
“Over the next six-plus years, EWS and Defendant Banks, including through their involvement on EWS committees and in their entity-specific materials, have repeatedly identified numerous fraud prevention failures, including with respect to authenticating, verifying, and displaying recipient names, fraud reporting, monitoring transfers, and identifying and blocking bad actors across the network. After identifying such measures, Defendants, however, took years to implement certain measures or have yet to implement other measures, almost eight years after Zelle’s launch.”
๐ก The defendants identified the problems and solutions but deliberately delayed implementation for years.
QUOTE 10
Inadequate Investigation
regulatory
“When investigating such Notices, each Defendant Bank has reviewed only records in its respective possession and not the other relevant information held by EWSโor the other participating financial institutionsโall of whom have agreed to participate in the network.”
๐ก Banks violated federal law by failing to conduct reasonable investigations using available information.
QUOTE 11
Consumer Trust Exploited
pr_machine
“Consumers had little reason to suspect that the Zelle network was rife with fraud. Consumers were not told about the lack of authentication and verification of Zelle users’ token identities, including Zelle token names, email addresses, and other identifying information. Consumers were not told about the lack of fraud prevention measures, including as to the lack of restriction of bad actors, lack of processes to pause or block suspicious transfers, and lack of information sharing about fraud. Instead, Defendants advertised the Zelle network to consumers using descriptions such as ‘safe,’ ‘secure,’ and ‘backed by the banks.'”
๐ก Banks deliberately concealed Zelle’s vulnerabilities while marketing it as safe and secure.
QUOTE 12
Early Awareness of Problems
delay_tactics
“By July 2017, Zelle had launched and was rapidly growing. Accompanying Zelle’s rapid growth were significant fraud problems on the network.”
๐ก The defendants knew about significant fraud problems immediately after launch but continued prioritizing growth.
QUOTE 13
Token Takeover Fraud
allegations
“This level of authentication leaves consumers susceptible to fraud by bad actors. For example, in a scenario known as a token ‘takeover,’ a bad actor obtains a one-time passcode and token information from an unsuspecting consumer and reassigns that token to a deposit account in the bad actor’s control.”
๐ก The basic authentication system allowed fraudsters to hijack consumer accounts and redirect payments.
QUOTE 14
Failure to Enforce Rules
accountability
“The network rules state that EWS will impose fees on participating financial institutions when it determines that they have failed to comply with certain network rules. [Redacted content indicating EWS failed to enforce its own rules].”
๐ก Early Warning Services failed to enforce its own fraud prevention rules against participating banks.
QUOTE 15
Consumer Complaint Evidence
pr_machine
“An early consumer complaint to Wells Fargo highlighted consumers’ belief that Zelle was secure: ‘The scammer assured me that the transaction was secure because I was using the Wells Fargo app. It is reasonable to assume that bank transactions are secure against fraud, and the design of the Wells Fargo app does not make it clear that Zelle is a distinct, non-secure service.'”
๐ก Consumers trusted Zelle because it was embedded in their bank apps, exactly as the defendants intended.
Frequently Asked Questions
What is Zelle and who runs it?
Zelle is a peer-to-peer payment network that allows consumers to send money instantly using email addresses or phone numbers. It is operated by Early Warning Services, a company owned by seven major banks including Bank of America, JPMorgan Chase, and Wells Fargo. Over 2,200 banks and credit unions participate in the network, with more than 143 million users.
What fraud schemes have been targeting Zelle users?
Fraudsters have exploited Zelle through unauthorized account takeovers, induced fraud where victims are tricked into sending money under false pretenses, imposter scams where criminals pose as banks or government entities, and Me-to-Me schemes where victims are convinced they are transferring money to their own accounts when it actually goes to fraudsters. The minimal authentication and lack of recipient verification make these schemes easy to execute.
How much money have consumers lost to Zelle fraud?
At the three defendant banks alone, over 900,000 consumers reported more than $870 million in fraud losses that the banks refused to reimburse. Bank of America customers lost $293 million, Chase customers lost $251 million, and Wells Fargo customers lost $220 million. These figures only include reported losses at three banks and represent a fraction of total fraud on the network.
Why did the banks refuse to reimburse fraud victims?
The banks classified most fraudulent transfers as authorized transactions, claiming consumers voluntarily sent the money even when victims were tricked or their accounts were compromised. The banks told many victims to contact the fraudsters themselves to recover their money. They failed to conduct reasonable investigations and denied claims based on incomplete or irrelevant information.
What did the banks do wrong?
The banks rushed Zelle to market without adequate fraud prevention measures, marketed it as safe and secure despite knowing otherwise, allowed easy access for fraudsters through minimal authentication, failed to display sufficient recipient information to help consumers identify fraud, did not suspend known fraudsters from the network, and refused to reimburse most fraud victims. They prioritized rapid growth and market share over consumer protection.
Did the defendants know about these fraud problems?
Yes. Significant fraud problems became apparent shortly after Zelle launched in July 2017. The defendants repeatedly identified necessary fraud prevention measures in internal documents but took years to implement them or never implemented them at all. They received hundreds of thousands of consumer complaints about fraud but continued marketing Zelle as safe and secure.
What laws did the defendants violate?
The Consumer Financial Protection Bureau alleges violations of the Consumer Financial Protection Act for unfair practices and violations of the Electronic Fund Transfer Act and Regulation E. The banks failed to reasonably investigate fraud claims, did not treat certain transfers as errors requiring reimbursement under federal law, and offered services that did not comply with consumer financial protection laws.
Why did it take so long to address these problems?
The defendants deliberately delayed implementing fraud prevention measures they had identified as necessary. For example, Bank of America did not consistently display recipients’ last names until November 2022, more than five years after launch. Early Warning Services did not create a formal fraud monitoring program until April 2021, almost four years after Zelle launched. The defendants prioritized growth over consumer protection.
What happens to fraud victims now?
The CFPB is seeking monetary relief for affected consumers, civil penalties against the defendants, and injunctive relief to prevent future violations. However, most victims have already absorbed their losses. The lawsuit aims to force the defendants to implement proper fraud protections and reimburse victims, but recovery will depend on the litigation outcome.
What can consumers do to protect themselves?
Consumers should be extremely cautious using Zelle and understand that transfers are essentially irrevocable with limited fraud protections. Only send money to people you know and trust. Never send money to someone claiming to be from your bank, a government agency, or a business asking for payment via Zelle. Be skeptical of any urgent requests for money. Document everything if fraud occurs and file complaints with your bank, the CFPB, and your state attorney general.
๐ก Explore Corporate Misconduct by Category
Corporations harm people every day โ from wage theft to pollution. Learn more by exploring key areas of injustice.
- ๐ Product Safety Violations โ When companies risk lives for profit.
- ๐ฟ Environmental Violations โ Pollution, ecological collapse, and unchecked greed.
- ๐ผ Labor Exploitation โ Wage theft, worker abuse, and unsafe conditions.
- ๐ก๏ธ Data Breaches & Privacy Abuses โ Misuse and mishandling of personal information.
- ๐ต Financial Fraud & Corruption โ Lies, scams, and executive impunity.
