The magic spell that makes banks give you your money back

Patrick reads his latest Bits about Money essay explaining why he “loves Regulation E more than any rational person does.” He explains how Reg E created a privately-administered legal system processing over 100 million complaints annually—dwarfing the formal U.S. court system—and why banks are now trying to avoid these obligations for Zelle's nine figure fraud problem.

Thanks to our sponsors: MongoDB & Framer

Tired of database limitations and architectures that break when you scale? MongoDB is the database built for developers, by developers: ACID compliant, Enterprise-ready, and fluent in AI. Start building faster at mongodb.com/build

Building and maintaining marketing websites shouldn’t slow down your engineers. Framer gives design and marketing teams an all-in-one platform to ship landing pages, microsites, or full site redesigns instantly—without engineering bottlenecks. Get 30% off Framer Pro at framer.com/complexsystems.

Timestamps:

(00:00) Introduction
(02:46) These newfangled computers might steal our money
(12:45) The contractual liability waterfall in card payments
(20:35) Sponsors: MongoDB and Framer
(22:23) The contractual liability waterfall in card payments (continued)
(23:47) Enter Zelle
(25:46) Zelle is an enormous fraud target
(32:23) Banks may attempt to extend the Zelle precedent
(35:02) Reg E encompasses almost every technology which exists and many which don’t yet

Transcript:

Welcome to Complex Systems where we discuss the technical, organizational, and human factors underpinning why the world works the way it does.

Hideho everybody. My name is Patrick McKenzie, better known as Patio11 on the Internet. So I read my ChatGPT recap for 2025, and it called me the person most likely to quote Reg E at a dinner party - Regulation E. And for reasons that will become obvious to you in a minute, that's actually probably reasonably accurate.

I have factually quoted Reg E at dinner parties and I just love it both for what it says about this nation, for its distributional effects, for its actual impact on the operation of the credit card industry among many other industries near and dear to my heart, and for the frequent and successful use of it in helping people who were in diminished financial circumstances. And I'll tell you a little bit about that anecdote in a few minutes.

Regulation E has recently come up in a couple of Bits About Money issues, including how gift cards have such an asymmetric issue with fraud and unwillingness of either the card issuers or the card program managers to deal with it and take responsibility for it in a way which surprises people who have dealt with similar things on, say, credit cards or debit cards.

The banks feel very responsive to them. I would argue, with some evidence behind it, that the reason for that responsiveness is fundamentally Regulation E, and I think everybody should know a little bit more about it than most people do. And so, without further ado, I want to talk through both the history of Regulation E and some live controversies, particularly around one payment method - Zelle - and potentially some future payment methods.

So reading a Bits About Money issue: Consumer Protection and Its Discontents. [Patrick notes: Published as One Regulation E, Two Very Different Regimes after I did an editing pass after the recording session. The content is not strictly identical, and as always I inserted some live commentary, set out via the magic of bold italics.]

Periodically, the U.S. is often maligned as being customer-hostile compared to other comparable nations, particularly those in Europe. One striking counterexample is that the government, by regulation, outsources to the financial industry an effective, virtually comprehensive, and extremely costly consumer protection apparatus covering a huge swath of the economy. It does this by strictly regulating the usage of what were once called "electronic" payment methods, which you now just call "payment" methods, in Regulation E.

Reg E is not uniformly loved in the financial industry. In particular, there has been a concerted effort by banks to renegotiate the terms of it with respect to Zelle in particular. This is principally because Zelle has been anomalously expensive, as Reg E embeds a strong, intentionally bank-funded anti-fraud regime, but Zelle does not monetize sufficiently to pay for it.

And thus a history lesson, a primer, and an explanation of a live public policy controversy.

These newfangled computers might steal our money

If you were to ask your friendly neighborhood reference librarian for Electronic Fund Transfers (Regulation E), 44 Fed. Reg. 18469 (Mar. 28, 1979), you might get back a document yellowed with age. Congress, in its infinite wisdom, intended the Electronic Funds Transfer Act to rein in what it saw as the downsides of automation of the finance industry, which was in full swing by this time.

Many electronic transactions might not issue paper receipts, and this would complicate he-said bank-said dispute resolution. So those were mandated. Customers might not realize transactions were happening when they didn't have to physically pull out a checkbook for each one. Therefore, institutions were required to issue periodic statements, via a trustworthy scaled distribution system, paper delivered by the United States Postal Service. And electronic access devices—the magnetic-stripe cards, and keyfobs, and whatever the geeks dreamed up next—might be stolen from customers.

And therefore the banks were mandated to be able to take reports of mislaid access devices, and there was a strict liability transfer, where any unauthorized use of a device was explicitly and intentionally laid at the foot of the financial institution.

A footnote here about key fobs.

The first credit cards were not the plastic with a magstripe form factor, which came to dominate, but rather charge plates. They were physical tokens, which pointed at a record in, for example, a department store's internal accounts, usually by means of an embossed account number to be read by the Mark 0 human eyeball, and later copied to a paper record via ink. Many were metal and designed to be kept around a key ring.

As Matt Levine and many others have mentioned, the crypto community has speedrun hundreds of years of financial history, and keeping your account identifier on etched metal enjoyed a short renaissance recently. Unlike the department stores' bookkeepers a hundred years ago, crypto enthusiasts lost many millions of dollars of customer funds by misplacing their metal. See page 20 in the writeup about the Prime Trust bankruptcy in Nevada.

Back to the essay.

Some of the concerns that were top of mind for lawmakers sound even more outlandish to us, today. Financial institutions can't issue credit cards without receiving an "oral or written request" for the credit card. That sounds like "Why would you even need to clarify that, let alone legislate against it?!" unless you have the recent memory of Bank of America having the Post Office blanket a city with unsolicited credit cards then just waiting to see what happened.

Now for a fun side note about the Fresno Drop.

Market research in the 1950s was hard. The short story of the Fresno Drop: Bank of America lost money due to abuse by a small segment of users in the city of Fresno, where they delivered substantially everyone a credit card without them asking for it. But this successfully proved the middle class would happily use plastic to transact if it were offered, and if it were generally accepted by businesses as opposed to being tied to a single store - status quo for the last few decades.

They then scaled the 60,000 card pilot to millions within a year. Visa is the corporate descendant of that program, MasterCard of what the competitors did in response to it.

Back to the body of the essay.

The staff who implemented Reg E and the industry advocates commenting on it devoted quite a bit of effort to timelines, informed by their impression of the cadence of life in a middle class American household and the capabilities of the Operations departments at financial institutions across the U.S.'s wide spectrum of size and sophistication. Two business days felt like a reasonable timeline after the theft of a card to let the financial institution know. They picked sixty business days from the postmark for discovering an unauthorized transaction in your periodic statements. That felt like a fair compromise between wanting to eventually give financial institutions some level of finality while still giving customers a reasonable buffer to account for holidays, vacation schedules, the time it takes a piece of mail to travel from New York City to Hawaii, and the reality that consumers, unlike banks, do not have teams paid to open and act upon mail.

And, very importantly for the future, Congress decided that unsophisticated Americans might be conned into using these newfangled electronic devices in ways that might cost them money, and this was unacceptable. Fraudulent use of an electronic fund transfer mechanism was considered an error as grave as the financial institution simply making up transactions. It had the same remedy: the financial institution corrects their bug at their cost.

"Unauthorized electronic fund transfer" means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.

Reg E provided for two caps on consumer liability for unauthorized electronic fund transfer: $50 in the case of timely notice to the financial institution, as sort of a deductible (Congress didn't want to encourage moral hazard), and $500 for those customers who didn't organize themselves sufficiently. Above those thresholds, it was the bank's problem.

Reg E also establishes some procedural rights: an obligation for institutions to investigate claims of unauthorized funds transfers (among other errors—Congress was quite aware that banks frequently made math and recordkeeping mistakes), to provisionally credit customers during those investigations, strict timelines for the financial institutions, and the presumptive burden of proof.

In this privately-administered court system, the bank is the prosecutor, the defendant, and the judge simultaneously, and the default judgment is "guilty." It can exonerate itself only by, at its own expense and peril, producing a written record of the evidence examined. This procedural hurdle is designed to simplify review by the United States' actual legal system, regulators, and consumer advocates.

The institution's report of the results of its investigation shall include a written explanation of the institution's findings and shall note the consumer's right to request the documents that the institution relied on in making its determination. Upon request, the institution shall promptly provide copies of the documents.

Having done informal consumer advocacy for people with banking and debt issues for a few years, I cannot overstate the degree to which this prong of Reg E is a gift to consumer advocates. Many consumers are not impressively detail-oriented, and Reg E allows an advocate to conscript a financial institution's Operations department to backfill the customer's files about a transaction they do not have contemporaneous records of. In the case that the Operations department itself isn't organized, great, at least from my perspective. Reg E says the bank just ate the loss. And indeed, several times over the years, the prototypical grandmother in Kansas received a letter from a bank vice president of consumer lending explaining that the bank was in receipt of her Reg E complaint, had credited her checking account, and considered the matter closed. It felt like a magic spell to me at the time.

And as an aside, I'll give you a little bit of the backstory of what people do when they're underemployed in their twenties while not playing World of Warcraft. 

So when I first got to Japan in my early twenties, I did something which all the guides for people establishing their adult lives said to do. Be a responsible person. Get a handle on your finances. Order a copy of your credit report from the official website you can get it for free from. And so I did. And I was surprised to learn that despite my expectation that the only thing that I had ever borrowed money for was to attend college, my credit report listed more than $100,000 in debt dating (in some cases) to before when I was born.

This set me into an absolute panic mode. I thought I would be bankrupt before I even got my first paycheck from a real job. I thought there was potentially the possibility of litigation. I was deeply unsophisticated at the time, as many consumers are, and so I went out to the Internet and I found a few watering holes where people who had problems with banks and debt collectors and similar gathered, and I learned the rules about the Fair Debt Collection Practices Act and the Fair Credit Reporting Act.

After about six months, I had straightened out my own situation and my credit report correctly listed only my student loan debts and one ding from an encounter with the United States healthcare establishment that I hadn't understood at the time wasn't paid for by somebody else.

But I stayed on these forums and people would routinely ask questions that were similar in character to questions I had had. “You know, the bank is telling me this thing, people are calling me at all hours of day and night. I have no idea. I'm so overwhelmed. What do I do to get out of this? “And being the helpful Internet denizen that I was, I would go to the forum and say, the thing you need to do is just write a quick professional letter to the bank, explain the circumstances and they will take care of it.

Sometimes when people hear me say it in that tone of voice, they think I am charmingly naive about how financial institutions operate, but I do genuinely have a strong regard for the probity of American financial institutions.

So often the people who I gave this advice to would say, "Look, dude, that might as well be on the moon for me." And indeed many of the people who end up in financial precarity with large debt or conflicts with the financial institutions are not socially advantaged. They genuinely do find it difficult to just write a quick letter in a professional tone of voice. They find it difficult mustering the social capital for financial institutions to take them seriously.

So here I was a 20-something in Central Japan with no formal authority and no formal expertise on this matter, with only one asset to my name: I write really, really well. And yeah, I went to a good university in America and I can adopt the mien of the American professional managerial class when required to.

[Patrick notes: I think the second factor is more load-bearing than the first, to be honest, but one of the core things that separates the American PMC from the rest of the country is facility with wading through text. You don’t need to produce Shakespearean levels of drama in your demand letters to convey to a responsible professional “If I’ve gotten this far, I am the sort of person who keeps detailed records, will successfully read everything you send me and follow every deadline, and be freakishly sympathetic to a regulator or judge later reviewing your actions. That can be a potentially expensive headache. Paying me off is cheap, and it isn’t even your budget, to say nothing of your money.”] 

And so I told the people on the forums, if you can't write the letter, no worries. Send me the circumstances. I'll ghostwrite a letter for you. You can sign it and put it in the mail. And when they write a response back, pass that over to me, I'll tell you what to do in response to it.

Was this the unlicensed practice of law? Eh, who cares? 

[Patrick notes: Me, at the time. That kept me up at night, but not enough to not do it.]

Anyhow, so that was the thing I did for a few years in my twenties. I don't do it anymore, but that greatly informs why I love Regulation E more than any rational person does.

Back to the essay.

The contractual liability waterfall in card payments

Banks do not like losing money, citation hopefully unnecessary, and part of the business of banking is arranging for liability transfers. Insurance is many people's paradigmatic way to understand liability transfers, but banks make minimal use of insurance in core banking services. (A bank which is robbed almost always self-insures, and the loss—averaging four figures and trending down—is so tiny that it isn't worth specifically budgeting for.)

The liability transfer which most matters to Reg E is a contractual one, from issuing banks to card processors and from card processors to card-accepting businesses. These parties' obligations to banks and cardholders are substantially broader than the banks' obligations under Reg E, but the banks use a fraction of those contracts to defray a large portion of their Reg E liability.

For example, under the various brands' card rules, (brands is, by the way, the industry term of art for Visa, MasterCard, American Express, and so on) an issuer (that's the bank that is named on your plastic) must have the capability for a customer to say that a transaction which happened over plastic (or the electronic equivalent) simply didn't meet their expectations. The issuer's customer service representative will briefly collect facts from the customer, and then initiate an automatic process to request information from a representative of the card-accepting business. On receipt of that information, or non-receipt of it, a separate customer service representative makes a decision on the case. This mechanism is called a "chargeback" in the industry, and some banks are notorious for favoring the high-income quite-desirable customers who hold their plastic over the e.g. restaurant that the bank has no relationship with. "My eggs were undercooked" is a sufficient reason to ask for a chargeback and will result in the bank restoring your money a large percentage of the time.

In the case where the complaint is "My card was stolen and used without my knowledge", essentially the same waterfall activates, perhaps with the internal note made that this dispute is Reg E sensitive. As an aside, why did you need that internal note? Well, your regulator is very likely to ask you once a year or so, "How many Reg E disputes have you had this year?" And you need to have an exact count ready for that question.

Mechanically, it will be quite similar. The bank tells processor "Customer asserts fraud", processor tells business, business replies with a fax, bank staff reviews fax and adjudicates.

There are on the order of 5 million criminal cases in the formal U.S. legal system every year. There are more than 100 million complaints to banks, some of them alleging a simple disagreement (undercooked eggs) and very many alleging crime (fraud). It costs banks billions of dollars to adjudicate them.

The typical physical form of an adjudication is not a weeks-long trial with multiple highly-educated representatives debating in front of a more-senior finder of fact. It is a CSR clicking a button on their web app's interface after 3 minutes of consideration, and then entire evidentiary record often fits in a tweet.

"Customer ordered from online store. Customer asserts they didn't receive the item in six weeks. No response from store. Customer wins. Next.", "Customer ordered from online store. Customer asserts they didn't receive item. Store provided evidence of shipping via UPS. Customer does not have a history of fraudulent chargebacks. Customer wins. Next.", "Customer's bookkeeper asserts ignorance of software as a service provider charge. Business provided written statement from customer's CEO stating chargeback filed in error by new bookkeeper. Customer wins. Next." (I'm still annoyed by that last one, years later, but one has to understand why it is rational for the bank and, in a software company's clearer-minded moments, rational for them to accept the risk of this given how lucrative software is.)

As an aside, since we don't have the tyranny of column inches constraining us here: Why is the bank more likely to rule against the business that is the vendor versus the business that is the consumer? One reason is, well, assuming that this is actually a legitimate business relationship and that these two parties actually do deal with each other on an ongoing basis, they'll work it out between themselves over the course of the next couple of weeks.

Clearly, the SaaS company just needs to send another invoice and that CEO who gave the affidavit will pay it. If the CEO, in fact, did give the affidavit. In the case where the CEO didn't give the affidavit, well, I want to rule on the side of caution, give him his money back and then let him decide where the ball needs to be.

And explaining that in as many words to people who run SaaS companies is something that gets them very, very hot under the collar. However, the actual realized experience for most companies in the economy is that they're abused relatively little by the chargeback guarantee.

This is one of the reasons why I wrote the essay that the optimal amount of fraud is not zero back in the day. We wouldn't want to erect barriers as high around the chargeback guarantee as we do around the legal system because they would cause customers to use it less.

Sounds great, says businesses, but no, you don't actually want that! You want use of the chargeback system! The fact of nature that transacting on plastic is virtually riskless to the customer without the customer having to do any sort of underwriting of their counterparty, without the customer having to be particularly careful - I give out my Visa and nothing bad ever happens to me - that fact of nature is worth billions of dollars.

It is why people can transact on the Internet at all, and we spent a stupendous amount of money as the tech industry broadly in the 1990s convincing customers: Yeah, you might've heard in the media that the Internet is a hive of scum and villainy, but don't worry about any of that. Don't worry about the hackers. We'll try to teach you what a lock means and what SSL means, but we know you're never going to truly grok 256-bit encryption. Anyhow, so just internalize this message: If something goes wrong with your credit card, the bank has your back.

And that requires a different burden of proof and different evidentiary standards than the formal legal system has. It also implies very different cost burden on the businesses. Sure. If you want to have the formal written record of your dispute with the customer reviewed by someone who went to Yale Law, you can purchase from the United States legal system. Opening bid is a hundred thousand dollars, goes up from there. It's basically impossible to do a court case below that.

[Patrick notes: Slight exaggeration, and of course most controversies like this don’t actually end up in court. Your lawyer swaps letters with their lawyer, and then you reach an amicable settlement, which will often include a release of claims, so that no one is tempted to roll the dice on the resolution pathway where the winner can lose $100,000 trivially.]

Well, that sounds great. If your average transaction size is $80, like say the economy at large, a hundred thousand dollar dispute resolution process doesn't exactly sound like what the doctor ordered. The typical dispute resolution process in the case of a chargeback is free to the customer (obviously), and costs perhaps $15 plus the cost of the chargeback to the accepting business. And as long as the business doesn't accumulate an anomalous number of them is basically consequence-free long-term. Pay back the money, you lose one sale at the margin, oh well, cost of doing business.

[Patrick notes: That “unless” is very, very important. You profoundly do not want to have a sustained elevated chargeback rate at your company. It will endanger not just your relationship with your current processor, but potentially your ability to ever again own/represent a company which wants to touch card rails. It does not require gross moral turpitude or fraudulent intent to end up with your name and social security number on the MATCH database, or a similar blacklist, for… well it will default to “forever.”]

Granted, chargebacks are not distributed fairly or evenly across the economy. There are some sectors which are relatively fraud-plagued for various reasons. One being that the fraud can most easily get money out of them. Also, bluntly, customers who are predisposed to commit fraud do not consume all goods at equal rates. For example, video games on the Internet suffer a greatly disproportionate amount of fraud.

[Patrick notes: They deal with quite a bit of what is variously called “family fraud” or “friendly fraud”, where the person with their hands on the credit card absolutely intends on consuming the good or service obtained with the card, but retrospective review by e.g. their parents might not approve of $600 of Fortnite skins, and so… Doesn’t Matter, That’s Reg E. Children are very not the only guilty party here; first-party fraud is common enough that the industry invented “friendly” fraud to try to distinguish it from cases where the fraudster does not know the cardholder.]

Counterintuitively, charities suffer a greatly disproportionate amount of fraud - not because fraudsters are just so civic-minded, but because victimizing the charity is the first step in the supply chain for validating the credit card that the fraudster acquired through nefarious means. Validating that it can be used in any transaction increases the value of that credit card. And when they sell it on to someone else in the fraud supply chain or when they send it to their colleague who'll be doing the actual exploitation, safe in the knowledge that this card is active versus the other cards that were already deactivated.

Back to the main body of the essay.

The funds flow in a chargeback mirrors the contractual liability waterfall: the issuing bank gets money back from a financial intermediary, who gets it back from a card processor (like Stripe, which I once worked for, and which doesn't specifically endorse things I write in my own spaces), who will attempt to get it back from the card accepting business.

That word "attempt" is important. What if the business doesn't have sufficient money to pay the aggrieved customer, or they can't be located anymore when the system comes to collect? Reg E has a list of exceptions and those aren't on it. The card processor then eats the loss.

The same frequently happens to cover the provisional credit mandated while the bank does its investigation, and the opposite happens in the case where the issuing bank decides that the card accepting business is in the right, and should be restored the money they charged a customer.

This high-frequency privately-funded alternative legal system has quietly ground out hundreds of millions of cases for the last half century. It is a foundation upon which commerce rests. It even exerts influence internationally, since the card brand rules essentially embed a variant of the Reg E rights for cardholders globally, and since nowhere in Reg E is there a carveout for transactions that a customer might make electronically with their U.S. financial institution while not physically located in the United States. If you are mugged and forced to withdraw money at an ATM in Caracas, Uncle Sam says your bank knows that some tiny percentage of cardholders will be mugged every year, and mandates they pay.

Enter Zelle

Zelle, operated by Early Warning Systems (owned by a consortium of large banks), is a substantially real-time electronic transfer method between U.S. bank accounts. Bank web and mobile apps have for decades supported peer to peer and customer to business transfers, via push ACH (and, less frequently, by wire), but ACH will, in standard practice, take a few days to be credited to the recipient and a few hours until it will become known to them as pending.

Zelle is substantially a blocking play, against Venmo, Cash App, and similar. Those apps captivated a large number of mostly-young users with the P2P payments, for use cases like e.g. splitting dinner, spotting a buddy $20, or collecting donations for a Christmas gift for the teacher from all the parents in a class. After attracting the users with those features, they kept them with product offerings which, in the limit, resemble bank accounts and which actually had bank accounts under the hood for at least some users.

And so the banks, fearing that real-time payment rails would not arrive in time (FedNow has been FedLater for a decade and RTP has relatively poor coverage), stood up Zelle, on the theory that this feature could be swiftly built into all the bank apps. Zelle launched in 2017.

Zelle processes enormous volumes. It crowed recently that it did $600 billion in volume in the first half of 2025. Zelle is much larger than the upstarts like Venmo (about $250 billion in annual volume) and Cash App (about $300 billion in customer inflows annually). This is not nearly in the same league as card payments (~$10 trillion annually) or ACH transfers (almost $100 trillion annually), but it is quite considerable.

All of it is essentially free to the transacting customers, unlike credit cards, which are extremely well-monetized. And there is the rub.

Zelle is an enormous fraud target

"Hiya, this is Susan calling from your bank. Your account has been targeted by fraudsters. I need you to initiate a Zelle payment to yourself to move it to a safe account while we conduct our investigation. Just open your mobile banking app, type the password, select Zelle from the menu, and send it to your own phone number. Thank you for your cooperation."

Susan is lying. Her confederates have convinced at least one financial institution in the U.S. that the customer's phone number is tied to a bank account which fraudsters control. That financial institution registered it with Zelle, so that when the victim sends money, the controlled account receives it substantially instantaneously. They will then attempt to immediately exfiltrate that money, sending it to another financial institution or a gift card or a crypto exchange, to make it difficult for investigators to find it faster than they can spend it. This process often repeats; professionals call this "layering."

So, some days later, when the victim calls the bank and asks what happened to the money the bank was trying to secure from fraud, what does the bank tell them?

Zelle is quick to point out that only 0.02% of transactions over it have fraud reported, and they assert this compares favorably to competing payments methods. Splendid, then do the banks want to absorb on the order of $240 million a year in losses from fraudulent use of a technology they built into their own apps which is indisputably by any intellectually serious person an electronic funds access device?

Frequently in the last few years, the bank has said "Well, as Gen Z would say, that sounds like a bit of a skill issue." And Reg E? "We never heard of it. Caveat emptor."

To be slightly more sympathetic to the banks, they're engaged in fine-grained decisioning on Zelle frauds, which have many mechanisms and flavor texts. They are more likely to reimburse as required in the case of account takeovers, where the criminal divines a customer's password, pops an email address, or steals access to a phone number, and then uses it to empty a bank account. They are far less likely to reimburse where the criminal convinces the customer to operate their access device (mobile phone) in a way against their interests. Skill issue.

Banks like to pretend that the dominant fraud pattern is, for example, a social media scam where an ad on Facebook or a TikTok video leads someone to purchase sneakers with a Zelle payment from an unscrupulous individual, who doesn't actually send the sneakers. This pattern matches more towards "well, that's a disagreement about how your eggs were done, not a disagreement about how we operate payment rails." Use a card and we'll refund the eggs (via getting the restaurant to pay for them); don't and we won't.

So, in sum and in scaled practice at call centers, the bank wants to quickly get customers to admit their fingers were on their phone when defrauded. If so, no reimbursement.

This rationale is new and is against our standard practice, for decades. If you are defrauded via a skimming device attached to an ATM, the bank is absolutely liable, and will almost always come to the correct conclusion immediately. It would be absurdly cynical to say that you intended to transact with the skimming device and demonstrated your assent by physically dipping your card past it.

Bank recalcitrance caused the Consumer Financial Protection Bureau to sue a few large banks in late 2024. The CFPB alleged they had a pattern and practice of not paying out claims for fraud conducted over Zelle rails. The banks will tell you the same, using slightly different wording. Chase, for example, now buries in the fine print "Neither Chase nor Zelle® offers reimbursement for authorized payments you make using Zelle®, except for a limited reimbursement program that applies for certain imposter scams where you sent money with Zelle®. This reimbursement program is not required by law and may be modified or discontinued at any time."

The defensible gloss of banks' position on "purchase protection" is that the purchase protection that customers pay for in credit cards which makes them whole for eggs not cooked to their liking is not available for Zelle payments. Fine.

The indefensible extension is that banks aren't liable for defrauded customers. That is a potential policy regime, chosen by the polity of many democratic nations. The United States is not one of those nations. Our citizens, through their elected representatives, made the considered choice that financial institutions would need to provide extraordinary levels of safety in electronic payments. In reliance upon that regime, the people of the United States transacted many trillions of dollars over payment rails, which was and is very lucrative for all considered.

The CFPB's lawsuit was dropped in early 2025, as CFPB's enforcement priorities were abruptly curtailed. (Readers interested in why might see Debanking and Debunking and Ctrl-F "wants some examples made.") To the extent it still exists after being gutted, it is fighting for its life.

There's currently a court case ongoing as to whether the Trump administration is allowed to not pay the CFPB money that has been appropriated for them under law. One of the legal issues under discussion here is what's called an impoundment, which is referenced in the Impoundment Control Act of 1974.

Briefly, the Appropriations Clause in the Constitution - "No money shall be drawn from the treasury, but in consequence of appropriations made by law" - establishes that Congress has the power of the purse. And the Take Care Clause, Article Two, Section Three - "The President shall take care that the laws be faithfully executed" - collectively create a bind on the Executive Branch which was then encoded into law explicitly that the executive branch doesn't have the discretion to simply not spend money that Congress has appropriated for the execution of laws that Congress has passed.

You don't get to sort of veto anything you don't like just by saying, "Well, I don't actually need to do that, so you can have your money back, taxpayer." And so this has been one of the arguments that's been raised in the CFPB matter after DOGE terminated the employment of over 90% of CFPB staff in early 2025 and the administration has variously tried to curtail their activities.

Back to the essay.

But knifing the CFPB doesn't repeal Reg E. In theory, any bank regulator (and many other actors besides) can hold them to account for obligations under it. One of the benefits of Reg E is that the single national standard is easiest to reason about, but in the absence of it, one can easily imagine a patchwork of state-by-state consumer protection actions and/or coalitioning between state attorneys general. I will be unmoved if banks complain that this is all so complicated and they welcome regulation but it has to be a single national standard.

Banks may attempt to extend the Zelle precedent

Having for the moment renegotiated their Reg E obligations by asserting they don't exist, and mostly getting away with it, some banks might attempt to feel their oats a bit and assert that customers bear fraud risks more generally.

For example, in my hometown of Chicago, there has been a recent spate of tap-to-pay donation fraud. The fraudster gets a processing account, in their own name or that of a confederate/dupe, to collect donations for a local charitable cause. (This is not in itself improper; the financial industry understands that the parent in charge of a church bake sale will not necessarily be able to show paperwork to that effect before the cookies go stale.) Bad actors purporting to be informal charities accost Chicagoans on the street and ask for a donation via tap-to-pay, but the actual charged donation was absurdly larger than what the donor expected to donate; $4,000 versus $10, for example. The bad actor then exits the scene quickly.

(A donor who discovers the fraud in the moment is then confronted with the unfortunate reality that they are outnumbered by young men who want to rob them. This ends about as well as you'd expect. Chicago has an arrest rate far under 1% for this. A cynic might say that if you don't kill the victim, it's legal. I'm not quite that cynical.)

But Reg E doesn't care about the safety of city streets, in Chicago or anywhere else. It assumes that payment instruments will continue to be used in an imperfect world. This case has a very clear designed outcome: customer calls bank, bank credits customer $4,000 because the customer was defrauded and therefore the "charity" lacked actual authority for the charge, bank pulls $4,000 from credit card processor, credit card processor attempts to pull $4,000 from the "charity", card processor fails in doing so, card processor chalks it up to tuition to improve its fraud models in the future.

Except at least some banks, per the Chicago Tribune's reporting, have adopted specious rationales to deny these claims. Some victims surrender physical control of their device, and banks argue that that means they authorized the transaction. Some banks asserted the manufactured-out-of-their-hindquarters rationale that Reg E only triggers when there is a physical receipt. (This inverts the Act's responsibility graph, where banks were required to provide physical hardcopy receipts to avoid an accountability sink swallowing customer funds.)

Banks will often come to their senses after being contacted by the Chicago Tribune or someone with social power and gravitas who knows how to cite Reg E. But it is designed to work even for less sophisticated customers who don't know the legislative history of the state machine. They just have to know "Call your bank if you have a problem."

That should work and we are diminished if it doesn't.

Reg E encompasses almost every technology which exists and many which don't yet

With a limited number of carveouts (e.g. wire transfers), Reg E is intentionally drafted to be future-proof against changes in how Americans transact. This is why, when banks argue that some new payments rail is exempt because it is "different," the correct legal response is usually some variation of: doesn't matter—that's Reg E.

Did he punch you in your face and steal your card? Doesn't matter. That's Reg E.

Did she call from the bank—except it was a lie. Doesn't matter. That's Reg E.

Did he copy your mag stripe onto blank plastic? Doesn't matter. That's Reg E.

Did your computer catch a virus? Doesn't matter. That's Reg E.

Did your computer with a privileged session join a botnet? Doesn't matter. That's Reg E.

Did cosmic rays corrupt a database? Doesn't matter. That's Reg E.

Did an inattentive banker make a typo? Doesn't matter. That's Reg E.

Our friends in crypto generally believe that Reg E is one star in the constellation of regulations that they're not subject to. They created Schrödinger's financial infrastructure, which is the future of finance in the boardroom and just some geeks playing with an open source project once grandma gets defrauded. There is an unresolved tension in saying "Traditional institutions like Visa are adopting stablecoins" and in the see-no-evil reimburse-no-losses attitude issuers and others in the industry take towards fraud which goes over their rails.

Reg E doesn't have an exception in its text for electronic funds transfers which happen over slow databases.

A hypothetical future CFPB, given the long-standing premise that fraud is not an acceptable outcome of consumer payment systems, would swiftly come to the conclusion that if it walks like a checking account, quacks like a checking account, and is marketed as an alternative to checking accounts, then it is almost certainly within Reg E scope.

Casting one's eyes across the fintech landscape, many players seem to have checking account envy. In the era of the "financial superapp" where everyone wants to bolt on high-frequency use cases like payments to e.g. AUM gathering machines like brokerage accounts, that is worth a quick chat with Legal before you start getting the letters from Kansan grandmas.

This isn't free. It never was.

Thanks very much for listening to this episode of Complex Systems, and we'll be back next week. Thanks for tuning into this week's episode of Complex Systems. If you have comments, drop me an email or hit me up at patio11 on Twitter. Ratings and reviews are the lifeblood of new podcasts for SEO reasons, and also because they let me know what you like.