Why banks can’t ignore the “money out” moment anymore
Last week we talked about how fraudsters exploit social engineering — and why smart money out limits are more important than ever. This week, we’re diving deeper. Because this isn’t just a product challenge. It’s a regulatory one. A reputational one. And soon, a compliance one.
Social engineering fraud is everywhere. Fraudsters don’t hack systems — they hack people. And when a victim authorizes a payment under false pretenses, it’s often treated as their mistake. But regulators are no longer buying that argument. In fact, across the U.S., U.K., EU, and Nordics, there’s a clear pattern emerging: banks are being told to step up — or be held accountable.
U.S. regulators are closing the gap
The CFPB’s stance has sharpened. In December 2024, the agency sued Zelle’s operator (Early Warning Services) and three major banks for enabling widespread scams on their platform. The allegation? These banks failed to investigate fraud reports, left victims to fend for themselves, and didn’t meet their obligations under federal law — specifically the Electronic Fund Transfer Act (EFTA).
The suit challenges a long-held industry position: that if a payment is “authorized” — even under manipulation — it’s not covered by Reg E. In May 2024, the CFPB made its position clear in court: if a scammer initiates a transfer through a bank’s platform, that’s fraud, and banks can’t hide behind technical definitions.
And Congress is backing this direction. The Protecting Consumers from Payment Scams Act, introduced in August 2024, would modernize Reg E to treat fraudulently induced payments like unauthorized ones. The bill also targets gaps in online wire transfers and includes protections for when banks freeze or close accounts without cause.
Legal risk is catching up, too
Even without new laws, the legal tide is shifting. Multiple class-action lawsuits have been filed against major banks, arguing that they breached contract terms and misled customers by promoting Zelle as a “safe” way to send money — while offering little recourse when fraud occurred.
In parallel, regulators are invoking UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) to challenge how banks handle these cases. The result? Banks are starting to settle. And some, like Zelle, have introduced voluntary reimbursement policies for imposter scams — even though those payments are technically authorized. It’s not perfect (most victims still go uncompensated), but it’s a signal that liability is shifting.
State-level action is filling the gaps
New York’s Attorney General sued a national bank in 2024 for refusing to reimburse a socially engineered wire transfer. The CFPB weighed in with an amicus brief, supporting the state and arguing that Reg E applies, even if a wire transfer is used.
In California, the Department of Financial Protection and Innovation has flagged a steady rise in P2P scam complaints and is pushing banks to do more. Other states are watching closely, and financial regulators are beginning to test their authority under consumer protection statutes.
FedNow, Zelle, and Venmo are all under pressure
FedNow, the Federal Reserve’s instant payment system launched in 2023, built in fraud controls from day one — including configurable transaction limits and suspicious activity flags. Banks can delay crediting suspicious transfers, helping to catch fraud before money disappears.
Zelle, meanwhile, is trying to rehabilitate its image. It now requires banks to warn users clearly before completing a transfer — and suspends recipients if multiple fraud reports are filed. It’s also pushing improved fraud data sharing across the network.
Venmo and PayPal have taken a slightly different route, offering buyer protection (for a fee) and flagging suspicious payment notes. These platforms now also investigate scam reports more actively, and are nudging users toward “safe” payment behaviors with in-app messaging.
The U.K. has flipped the script
As of October 2024, the U.K. mandates reimbursement for authorized push payment (APP) fraud. Under the Payment Systems Regulator’s new rules, both the sending and receiving banks are liable — by default. Exceptions are narrow and don’t apply to vulnerable customers.
The U.K. didn’t stop there. It also introduced Confirmation of Payee, performance metrics for fraud prevention, and public scorecards that show which banks do the best (and worst) job stopping scams.
The message is clear: If banks can’t prevent fraud, they’ll have to pay for it.
PSD3 is setting a new baseline in Europe
In the EU, PSD2 introduced strong customer authentication (SCA), which helped curb unauthorized fraud. But it didn’t stop social engineering. PSD3 is designed to go further.
Draft rules would make payment service providers liable for impersonation scams — and shift the burden of proof to them, not the victim. If the PSP can’t prove gross negligence or fraud by the customer, they’ll need to reimburse.
The EU also wants Big Tech and telecoms to share the load. If scammers use ads, SMS, or social platforms to target victims, those intermediaries could be liable too. It's a broader, platform-aware framework that reflects how modern fraud actually works.
The Nordics are quietly ahead
Nordic countries already have strong authentication thanks to systems like BankID. But even here, scams are on the rise — and regulators are watching. Fraudsters are adapting, tricking users into approving transfers with their secure ID.
The response? Collaboration. Nordic banks are building shared transaction monitoring systems and fraud data networks. They often reimburse victims without a mandate, simply because trust is the product. They’re also running national awareness campaigns and lobbying for Europe-wide standards in PSD3.
What this all means for banks
The days of simply processing payments and disclaiming responsibility are coming to an end. Regulators expect banks to:
- Monitor transactions for risk in real time
- Trigger friction (like holds, phone calls, or second-factor approvals) before money leaves
- Intervene on red flags — even if a payment is “authorized”
- Educate customers and staff on how scams actually work
This isn’t just about reducing fraud losses. It’s about staying ahead of reputational risk and regulatory pressure.
If you’re a bank or fintech building payment infrastructure, it’s time to treat the “money out” moment as a controlled space — not a blind handoff.
The insights in this post are based on industry research, conversations with banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.
TL;DR - Quick Summary
- Regulators in the U.S., U.K., EU, and Nordics are shifting liability for scams to banks — even for “authorized” payments
- U.S. lawsuits and legislation are challenging the idea that social engineering fraud isn’t the bank’s responsibility
- The U.K. now mandates reimbursement for APP fraud, and PSD3 will push similar standards across Europe
- Platforms like FedNow and Zelle are adding friction, warnings, and shared fraud data to slow scams
- Banks are expected to monitor, delay, and intervene on risky transfers — the “money out” moment is no longer untouchable
Published on Apr 9, 2025