news

CR Finds Potential Consumer Risks for Users of Apple Cash, Cash App, Venmo, and Zelle

admin

CR’s evaluation of these peer-to-peer payment apps identified potential concerns and ways to protect yourself

By Lisa L. Gill

A parent in Shawnee, Kan., uses Venmo to collect money from his kids to cover part of the family’s cell phone bill. A couple in Woodinville, Wash., uses Apple Cash during the holidays to send cash gifts to their adult children. A man in Penn Hills, Penn., used Zelle to pay for a vacation rental property last summer.

The speed and simplicity of such transactions—a few taps on a mobile phone and, bam, a few seconds later the money lands in the recipient’s account—have rapidly turned these and other peer-to-peer (P2P) payment apps into everyday tools for millions of Americans. Nearly two-thirds of us use a P2P app to send money to other individuals, according to a nationally representative March 2022 CR survey of 2,116 U.S. adults (PDF). And over $1 trillion changed hands this way in 2022, according to research firm Insider Intelligence.

Unfortunately, user protections and regulations are not keeping pace with the speed of P2P payment app adoption, or the evolving risks consumers face when using these apps, says Delicia Hand, director of financial fairness for Consumer Reports. 

In fact, Hand says, the problem is bigger than P2P payment apps. A broad range of financial technology, or fintech, innovations have provided consumers new, mobile-device-centric ways to borrow, spend, and invest money and monitor their credit scores. These services offer clear benefits but can also leave consumers confused and uninformed about how they work, how to choose among them, and the risks they face when using them. “Meanwhile the regulatory vacuum around these new tools has allowed potentially unfair, unsafe, and discriminatory practices to spread unchecked,” Hand says. 

For this reason, CR has developed the Fair Digital Finance Framework, a set of criteria and procedures for evaluating a range of digital finance products and services. CR began with a limited application of the framework to four popular P2P apps: Apple Cash, Cash App, Venmo, and Zelle. (For Zelle, the researchers looked at the stand-alone Zelle mobile service and the bank apps of three large, national banks that allow customers to send cash via Zelle, which might not necessarily be the version you enter from your bank’s website or mobile app.) CR plans to apply the full framework to other fintech categories in the months and years ahead, including buy now, pay later loans, mobile banking apps, and cryptocurrency wallets and exchanges. 

When fully deployed, the evaluation framework will look at seven broad areas, or “principles,” of consumer concern: safety, privacy, transparency, user-centricity, financial well-being, inclusivity, and environmental, social, and governance concerns. For its preliminary P2P evaluation, however, CR focused on the first three to determine how safe the apps are to use, how they collect and handle user data, and how transparent they are about the practices outlined in their consumer disclosures. 

CR analyzed the terms of service, privacy disclosures, and other publicly available documents found on P2P company websites and mobile apps. CR researchers used the apps to locate and review those materials but did not use or test the apps directly to determine, for example, how easy they are to navigate and use, or how much personal user data they capture. Direct app use and testing of that kind, as well as a full application of the framework’s seven principles, will be part of future evaluations, Hand says. (For details, see CR’s full report on P2P services.)

What follows is a look at some of the concerns that evaluation raised, plus a handful of ways consumers can protect themselves. (See our tips on how to safely use P2P apps, below.)

Although the apps under review all address their data security controls and fund protection practices in their disclosure documentation—which is why they received strong ratings for safety and security—CR researchers identified several ways in which all the apps can and should do more to protect users in these areas.

Fund protection: Consumers can lose money in a range of ways while using P2P apps, but the most common problems generally fall into two categories: Authorized and unauthorized transactions. 

Authorized transactions include the most familiar pitfall, where a user accidentally sends money to the wrong person, often by mistyping the recipient’s name or mobile phone number. Six percent of people who have used P2P say they have made such errors, according to CR’s March 2022 survey. Another frequent scenario involves sending too much money by mistakenly adding extra digits to the intended amount. 

CR’s evaluation determined that none of the four P2P apps will reimburse users or otherwise intervene in such cases. The money can typically be recovered only at the discretion, and with the cooperation, of the person who accidentally received it.

Nor will the apps intervene or compensate users in cases where, for example, a scam artist fraudulently dupes a user to send them money via a P2P app—because, the thinking goes, the user did in fact authorize the transaction. 

On the other hand, the apps will sometimes compensate victims of certain other types of fraud—specifically, fraud that leads to unauthorized P2P transactions. If, for example, you lose money because your device and/or password are hacked, and you played no active role in authorizing the transaction, you may be covered. Cash App and Apple Pay cap user liability at $50 if you notify them within two days of the fraudulent activity. After two days you could be on the hook for $500, and after 60 days you might not be reimbursed at all. With Zelle, if you lose your phone, tablet, or computer, or if your password is compromised, and you notify the company within four days, your liability is capped at $50. Wait longer than that and you could be on the hook for up to $500. Venmo says it will cover the full unauthorized amount if you alert the company within 60 days.

Although P2P companies are not falling short of their legal obligations with respect to authorized or unauthorized transactions, CR’s Hand says, they can and should do more to help users who lose their money in these ways. “Providers could create a fund to reimburse users who are victims of scams and tricked into transferring money,” she says. 

When asked for their response, the companies emphasized that they proactively fight fraud on their platforms and encourage users to transact only with people they know and trust, take care to verify the identity of their intended recipients, and learn to recognize and avoid scams. 

FDIC insurance: CR also examined whether user funds stored in the apps are insured by the Federal Deposit Insurance Corp., a government agency that protects against loss on deposits of up to $250,000 per account in the event that an insured bank fails. 

This is important, Hand says, because P2P companies are increasingly encouraging consumers to store funds in their P2P accounts, where they may or may not be protected in the event of the provider hitting financial troubles. “Companies should make absolutely certain that consumers know if they are covered,” she says. 

Unfortunately, that’s not always the case. Users can obtain FDIC coverage through three of the four apps: Apple Cash, Cash App, and Venmo. (Zelle, which is co-owned by seven of the largest U.S. banks, transfers funds directly between FDIC-insured bank accounts and does not hold funds in-app as the others do, so funds are covered.) But with none of those three apps are funds covered by default—and in each case users must jump through sometimes confusing technical or procedural hoops to obtain FDIC coverage. With Apple Cash you need to register your account with Green Dot, the bank Apple Cash uses. Cash App’s documentation states that, by default, funds are not eligible for FDIC pass-through insurance. But if a user chooses to apply for the company’s debit card, known as the Cash Card, and Cash App determines that a person is eligible for it, the person’s funds held within Cash App are protected with FDIC pass-through insurance through a banking partner. Notably, the app explicitly informs users during the sign-up process that their funds are not FDIC-covered by default and directs them to register for the debit card for coverage. With Venmo, only funds that arrive via direct deposit or remote check capture are covered, not those sent by other Venmo users.

According to another recent CR survey, this one a nationally representative survey of 2,123 U.S. adults in August 2022, 65 percent of Americans say they are somewhat or very concerned about how much information financial apps collect and store about their users. Over half believe that financial apps should not be allowed to share user data with other companies. 

CR’s analysis confirms that many P2P users have reason to be concerned. 

Data collection: In addition to gathering information about a person’s activity when using the P2P service—payment amounts, dates, recipients—the apps we looked at gather large amounts of personal data they do not need in order to provide their core service. 

This can include data from your mobile device, such as contacts, information about your other web activity, and even the digitized record of your fingerprint that your phone uses for security. P2P apps also grant themselves, in their privacy disclosures, the right to collect data from third-party services, including credit bureaus and financial institutions. 

Some P2P apps go further. Cash App, Venmo, and Zelle, for example, all collect profile photos and geolocation data. Venmo also says it may collect a list of your social media contacts and your bank account log-in information. Cash App says it may collect your passport and driver’s license numbers. And Zelle says it may collect a user’s personal information from unspecified “service providers.” 

Several of the companies told us that you can update your app settings to stop sharing certain types of data, such as phone contacts.

These practices fall short in terms of so-called data minimization, Hand says. “Companies should collect, share, and retain only data that is required for the prevention of fraud and for provision of the service, and no more,” she says. 

Data handling: Once consumer data is collected, what does the company do with it? Their public disclosures make it hard to tell. Venmo and Zelle offer vague descriptions of possible third-party vendors they may share customer information with, while Apple Cash, Cash App, and Zelle say they will share data with law enforcement and governments. Apple Cash says it shares data with third-party vendors.

Data deletion: CR also reviewed company policies on whether consumers are able to delete personal information after they stop using the service. Apple Cash says it may store your transaction data for up to five years after you close an account. The other apps are far less definitive about their data deletion policies and practices.

CR researchers found that their security and privacy concerns were compounded by a general lack of transparency about these issues. Explanations of policies and procedures were consistently either hard to find, difficult hard to understand, or both. 

For example, P2P companies are required to disclose how they collect, retain, share, and control your personal data, Hand says. But CR’s researchers found the information difficult to locate. In one instance a company had five sets of disclosures scattered in different places across the app and on its website. And in all cases, the disclosures were filled with technical jargon that would be difficult for a typical user to understand. 

The language describing the apps’ privacy policies raised particular concerns regarding their transparency, Hand says. Companies used vague, catch-all phrases that, read literally, would seem to grant them virtually unlimited rights to collect and use consumer data. For example, Venmo’s disclosure states that it may collect “additional information in other ways not described in the privacy policy and user agreement.” 

When it comes to whether companies sell your data, only one company, Apple, clearly says it does not sell data to third parties. Cash App and Zelle are vague on the subject, and Venmo says that information collected may be used for advertising.

Under the heading of transparency, CR also looked at how quickly companies say they will alert consumers to security breaches with their accounts, or other problems, also known as “incident notifications.” Here again, these policies are unclear if they are addressed at all. “To best serve consumers, companies should commit to providing real-time notification of service disruptions and to communicating about cybersecurity incidents,” Hand says.

CR also found that all four apps require users to agree in advance to use binding arbitration, rather than a conventional court process, in the event of a legal dispute. (In some cases, new users have a limited time window to opt out of these “arbitration clauses”; see below for our advice.) Arbitration is a closed-door proceeding that typically prevents consumers from joining together to bring lawsuits and that consumer advocates say is stacked in favor of businesses.

CR shared its findings with the four companies and asked each whether they would review their policies to improve transparency around data sharing and usage. Only Cash App explicitly acknowledged this as an area for greater clarity and and committed to work with the CR team to provide users a clearer understanding of data sharing and usage.

How to Use P2P Payment Apps Safely

Many of the concerns raised by CR’s evaluation have to do with issues over which consumers have little control beyond deciding not to use the apps—and as P2P app usage grows, opting out is becoming increasingly difficult for many Americans. Instead, these issues will need to be addressed either by the P2P companies themselves or by policy makers. 

In the meantime, here are steps you can take to minimize the risks of using P2P payment apps. 

Confirm the identity of a recipient before you send money. Remember the old carpenter’s saying, “Measure twice, cut once?” The P2P equivalent is double-checking the recipient’s phone number and/or email address before hitting send. To their credit, all the apps we looked at use in-app alerts to encourage senders to confirm that information. Some of the apps also offer fail-safe technological tools, as well. For example, Cash App, Venmo, and Zelle give users the ability to scan a QR code on the recipient’s mobile device (if you happen to be in physical proximity with one another). 

Send a small test payment and confirm it was received by the right person. Such “micropayments,” which can range from a few cents to a dollar, are especially important if you later intend to send a lot of money. If the test payment isn’t received, check to make sure you have the recipient’s correct P2P account information and try another micropayment.

Move incoming funds from your P2P account to your bank account as soon as possible. That ensures that your funds are covered by FDIC insurance.

Turn on all identity-verification options available in the P2P app. With those features activated, anyone trying to use the account will first have to get through additional security measures, such as two-factor authentication.

Check and adjust your app’s default privacy settings. This will minimize how much of your personal information is collected and shared beyond what is required for delivery of the service. 

Frequently monitor your P2P accounts. That way, you may be able to catch problems early enough to report them to companies and not be on the hook for unauthorized payments, says Ed Mierzwinski, senior director of the federal consumer program at the nonprofit U.S. Public Interest Research Group (U.S. PIRG). Consider checking them weekly.

Delete your account within any P2P apps you no longer use. It’s not enough to simply remove the app from your phone; instead, to make sure you’ve closed and deleted the account, select the “delete account” option within the app.

Opt out of binding arbitration if possible. Cash App, Venmo, and Zelle give users 30 days to opt out of the requirement by mailing a written notice. (Apple Cash does not allow users to opt out.) And if you do have a dispute, try negotiating with the company before going to arbitration. Many companies will try to settle claims to avoid the risk and expense of any legal proceedings.

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2023, Consumer Reports, Inc.


Older Post Newer Post