New York Attorney General Sues Zelle Parent Over Fraud Failures, Raising Stakes for Real-Time Payment Security
If Zelle thought it had sidestepped the wrath of the courts over the rampant fraud and scams of 2017 to 2023 just because the Trump administration dropped the suit filed by the now severely hobbled Consumer Financial Protection Bureau (CFPB), the company was sadly mistaken.
Waiting in the wings to avenge Zelle customers left scrambling, at risk and out more than a billion dollars was New York Attorney General Letitia James, who doggedly pursued President Trump and who has now filed suit against Zelle’s parent, Early Warning Services (EWS), a consortium of big banks, for failing to safeguard customers. The complaint accuses the company of poor security measures, chiefly failing to fix known weaknesses in the network that it was aware of from the start.
“EWS knew from the beginning that key features of the Zelle network made it uniquely susceptible to fraud, and yet it failed to adopt basic safeguards to address these glaring flaws or enforce any meaningful anti-fraud rules on its partner banks,” the AG’s office said in a release.
After the CFPB abandoned its efforts, James is seeking restitution and damages for the victims, vowing to get justice for “New Yorkers who suffered because of Zelle’s security failures.”
The lawsuit brought by James against EWS “raises important questions about the responsibilities of real-time payment platforms in protecting consumers from fraud,” says John Anthony Smith, CSO at Fenix24.
While the longer-term answers are likely complex and require a dialogue among consumer agencies, regulators, banks, technologists and consumers, the short-term answer is “more than what Zelle did,” which, by previous accounts, wasn’t much.
“I think there’s a reasonable argument that EWS could be doing more to meet basic consumer protection standards,” says Smith, though whether that might align with current legal requirements is for the courts to decide.
And how much to award also lands squarely in the court of the judiciary. Quantifying loss in court can be challenging, but it can also be difficult for companies to assess loss — and associated risk — internally.
Randolph Barr, CISO at Cequence, says that translating cyber risks into defensible financial terms requires both technical depth and financial fluency, which he notes is “a rare skill set to find in one person.”
He explains that most companies struggle because “their risk teams are comfortable with qualitative ‘high/medium/low’ scoring, but lack the actuarial, statistical, and financial modeling experience” demanded by Factor Analysis of Information Risk (FAIR).
“The cleanest way is to anchor it in the company’s risk management program and use FAIR,” which “ties security lapses to actual financial impact — the language boards, regulators, and courts care about — by modeling loss frequency and loss magnitude across direct fraud, legal/settlement costs, remediation, downtime, churn, and reputational impact,” he says.
To get it right, organizations must pull in “security practitioners who understand the threat landscape, risk analysts who can quantify probabilities, and finance/legal experts who can map losses to real-world costs,” says Barr. “Without the right people developing and validating the model, organizations risk producing numbers that look precise but don’t hold up under scrutiny from regulators, auditors, or in court.”
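As an added example, not code from the article or from Barr, here is the FAIR structure he describes, loss event frequency times loss magnitude, run as a small Monte Carlo in Python. The three scenarios and their min/most-likely/max ranges are constructed, illustrative numbers, not Zelle or EWS figures; a real analysis would calibrate them from the organization’s own fraud, legal and remediation data. The point the simulation makes that the analytic mean hides is the tail: the 99th-percentile year is dominated by the rare, large legal scenario.

```python
import math
import random
from dataclasses import dataclass

# Constructed, illustrative scenarios (not Zelle or EWS figures). In FAIR each
# scenario is calibrated as ranges for loss event frequency (LEF, events per
# year) and loss magnitude (LM, dollars per event, all loss forms combined:
# direct fraud, reimbursement, legal/settlement, remediation, churn).
@dataclass(frozen=True)
class LossScenario:
    name: str
    lef: tuple  # (min, most likely, max) loss events per year
    lm: tuple   # (min, most likely, max) dollars per event

SCENARIOS = [
    LossScenario("imposter-scam campaign: direct fraud + reimbursement",
                 (20, 60, 150), (5_000, 40_000, 250_000)),
    LossScenario("account-takeover wave: remediation + churn",
                 (2, 8, 20), (50_000, 300_000, 2_000_000)),
    LossScenario("regulatory or legal action: settlement + counsel",
                 (0.1, 0.3, 1.0), (1_000_000, 10_000_000, 100_000_000)),
]


def triangular_mean(rng_tuple):
    lo, mode, hi = rng_tuple
    return (lo + mode + hi) / 3


def expected_annual_loss(scenarios):
    """Analytic annualized loss expectancy: sum over scenarios of E[LEF] * E[LM].
    A sanity check on the simulation, but it says nothing about the tail."""
    return sum(triangular_mean(s.lef) * triangular_mean(s.lm) for s in scenarios)


def _poisson(rng, lam):
    """Knuth's sampler; fine for the modest rates used here (exp(-lam) must not underflow)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, years=5_000, seed=7):
    """Monte Carlo over simulated years. The sampled LEF is used as a Poisson
    rate, so a 0.3-per-year event happens in some years and not in most."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        loss = 0.0
        for s in scenarios:
            # random.triangular takes (low, high, mode), not (low, mode, high)
            rate = rng.triangular(s.lef[0], s.lef[2], s.lef[1])
            for _ in range(_poisson(rng, rate)):
                loss += rng.triangular(s.lm[0], s.lm[2], s.lm[1])
        totals.append(loss)
    totals.sort()

    def pct(q):
        return totals[min(len(totals) - 1, int(q * len(totals)))]

    return {
        "mean": sum(totals) / years,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),  # the 1-in-100-year loss that a risk appetite is tested against
    }


if __name__ == "__main__":
    print(f"analytic ALE: ${expected_annual_loss(SCENARIOS):,.0f}")
    for k, v in simulate_annual_loss(SCENARIOS).items():
        print(f"{k:>4}: ${v:,.0f}")
```

The triangular ranges stand in for the calibrated estimates FAIR asks for; the same structure accepts any distribution (lognormal is common for magnitude), and the percentiles, not the mean, are what a board compares against its loss tolerance.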
Smith doesn’t believe EWS is solely to blame for the proliferation of scams, but he says the platform could and should do more to protect customers.
Trey Ford, chief strategy and trust officer at Bugcrowd, says the primary impacts and losses from fraud and abuse are easier to organize and quantify than those caused by cybersecurity incidents.
Noting that fraud and abuse teams “are battling misuse, abuse, malice, and crime, which requires a massive tranche of data and intelligence that is different from, but complementary to, cybersecurity research, testing, and work,” he says addressing it “is often more complicated than simply changing a computer configuration, or installing a vendor patch” and “requires significant engineering, product feature planning, and adjustments in business strategy.”
Smith called for stronger identity verification at the point of registration that includes names, email addresses, phone numbers and even geolocation data. “If someone claims a U.S. mailing address but is physically located abroad, that should raise a red flag.”
Platforms could also include “a short delay, say 8 to 24 hours, for transfers to new recipients” to give users a window for canceling or reporting “suspicious activity before funds are irreversibly moved,” says Smith. “It’s a small friction that could make a big difference.”
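As an added illustration, not code from the article, Zelle or EWS, the hold-and-cancel rule Smith describes as a small Python state machine. The 24-hour window (the upper end of his 8-to-24-hour range), the cancellation path and the rule that a recipient only becomes a “known payee” once a held transfer actually settles are assumptions of this example; the walkthrough data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

HOLD_WINDOW = timedelta(hours=24)  # assumed: the upper end of the suggested 8-to-24-hour range


@dataclass
class Transfer:
    sender: str
    recipient: str
    amount_cents: int
    submitted_at: datetime
    status: str = "pending"  # held | released | cancelled
    release_at: Optional[datetime] = None


class TransferPolicy:
    """Holds the first transfer to a recipient the sender has never paid before;
    repeat payees settle immediately so everyday use keeps its speed."""

    def __init__(self, hold_window: timedelta = HOLD_WINDOW):
        self.hold_window = hold_window
        self.known_payees: Dict[str, Set[str]] = {}  # sender -> recipients that have settled
        self.transfers: List[Transfer] = []

    def submit(self, t: Transfer) -> Transfer:
        if t.recipient in self.known_payees.get(t.sender, set()):
            t.status = "released"
        else:
            t.status = "held"
            t.release_at = t.submitted_at + self.hold_window
        self.transfers.append(t)
        return t

    def cancel(self, t: Transfer, now: datetime) -> bool:
        """The sender (or an analyst acting on a scam report) can pull a held
        transfer back until the window closes; after that the money has moved."""
        if t.status == "held" and now < t.release_at:
            t.status = "cancelled"
            return True
        return False

    def settle_due(self, now: datetime) -> List[Transfer]:
        """Scheduled job: release holds whose window has elapsed. Only a transfer
        that actually settles makes the recipient a known payee, so a cancelled
        first attempt does not shorten the hold on the next one."""
        released = []
        for t in self.transfers:
            if t.status == "held" and now >= t.release_at:
                t.status = "released"
                self.known_payees.setdefault(t.sender, set()).add(t.recipient)
                released.append(t)
        return released


def demo() -> dict:
    """Constructed walkthrough: held then cancelled, held then settled, repeat payee."""
    t0 = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    policy = TransferPolicy()
    first = policy.submit(Transfer("alice", "bob", 50_000, t0))        # new payee: held
    cancelled = policy.cancel(first, t0 + timedelta(hours=2))          # victim reports the scam in time
    second = policy.submit(Transfer("alice", "bob", 50_000, t0 + timedelta(hours=3)))
    settled = policy.settle_due(t0 + timedelta(hours=27))              # 24h after `second`
    repeat = policy.submit(Transfer("alice", "bob", 10_000, t0 + timedelta(hours=28)))
    late_cancel = policy.cancel(second, t0 + timedelta(hours=30))      # too late: already released
    return {
        "first": first.status,
        "cancelled": cancelled,
        "second": second.status,
        "settled": [t.recipient for t in settled],
        "repeat": repeat.status,
        "late_cancel": late_cancel,
    }


if __name__ == "__main__":
    print(demo())
```

In production the window would be one input to a risk score alongside the registration signals Smith mentions (claimed address versus device geolocation), rather than a blanket rule, but the shape is the same: a reversible state before an irreversible one.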
For now, all eyes will be on the courts in New York. “Organizations with mature fraud and abuse teams, especially in the B2C space, will be watching this lawsuit closely,” says Ford.
In the end, though, Barr believes there are no winners. “Some frame this as political, but controls were delayed for years while workable safeguards existed elsewhere,” he says.
While a win for New York “would likely result in a fine and perhaps some mandated reforms,” says Smith, it remains to be seen “whether that translates into meaningful change for consumers, especially in terms of recovering lost funds.”
Barr notes the implications of a New York win could be vast: “stronger requirements for networkwide fraud controls and reimbursement policies, faster adoption of UK-style protections in U.S. real-time payments, and more board accountability to document why known controls weren’t deployed sooner.”
Ford adds: “Unlike cybersecurity, the primary impacts and losses associated with fraud and abuse can be easily organized and quantified. Secondary and tertiary losses (loss of trust, brand impact, and, in this case, lawsuits) are hard to quantify and plan for in risk management and investment decisions. There is a natural (and correct) tension associated with privacy, and the need to de-anonymize users and usage patterns, to identify fraud and abuse, requiring strong alignment and commitment from the business, engineering and legal.”
Beyond platform controls, Smith adds, “user education is just as critical. Many scams succeed not because of technical flaws, but because users are unaware of the risks. Platforms like Zelle should invest more in proactive education and in-app warnings to help users recognize and avoid scams.”

