Breaking Regulatory Compliance
Regulation E and P2P Payment Scam Liability: What the $175M Cash App Consent Order Tells Banks About Their Investigation Process
The CFPB's $175M consent order against Block/Cash App wasn't about the fraud — it was about the investigation process. Here's what financial institutions must document, how the 10-business-day clock works, and where authorized P2P scam liability actually lives.
Table of Contents
TL;DR:
- Block, Inc. (Cash App) paid $175M in January 2025 — not because fraud happened, but because the error resolution process was broken: no proper investigations, no written findings, no two-year documentation retention.
- Reg E distinguishes “unauthorized” transactions (covered, consumer liability capped) from “authorized” scam payments (not directly covered by liability caps, but error resolution obligations still apply).
- The 10-business-day investigation window is mandatory; extensions to 45 days require provisionally crediting the disputed amount first.
- Denying a Reg E claim requires a written findings letter to the consumer within 3 business days of your decision — this is not optional, and it’s one of the most common deficiencies CFPB examiners find.
January 16, 2025. The CFPB ordered Block, Inc. to pay $175 million for failures in how Cash App handled fraud complaints. Not for allowing the fraud to happen. Not for inadequate security controls. For what happened after consumers called to report a problem — and Block failed to run the investigation Regulation E required.
That enforcement action is the clearest statement regulators have made about where P2P payment scam liability actually lives. It’s not in the fraud itself. It’s in the response.
The Authorized/Unauthorized Line and Why It Matters
Regulation E covers “unauthorized electronic fund transfers” — defined in §1005.2(m) as transactions “initiated by a person other than the consumer without actual authority to initiate such transfer.” When a fraudster compromises a consumer’s credentials and moves money without the consumer’s knowledge, that’s unauthorized. The consumer’s liability is capped at $50 (if reported within 2 business days), $500 (if reported within 60 days), or potentially unlimited beyond 60 days.
P2P payment scams typically work differently. A fraudster poses as the IRS, a bank representative, or a family member in distress. The consumer — believing the story — logs into their own app and sends the money themselves. The transaction is technically authorized by the account holder. Reg E’s liability caps don’t directly cover the underlying loss.
This is the authorized payment gap. The CFPB has been trying to bridge it through enforcement and rulemaking for several years. The dropped Zelle lawsuit (against JPMorgan Chase, Bank of America, and Wells Fargo) and the ongoing state AG investigations represent two tracks of that effort. But the more immediate and documented enforcement risk isn’t about the gap in coverage — it’s about the investigation process that every bank must run regardless of how the claim is ultimately categorized.
What Regulation E Actually Requires When a Consumer Files a Claim
When a consumer notifies a financial institution of a potential error — including a transaction they didn’t authorize or a P2P payment they believe was fraudulent — §1005.11 kicks in immediately.
Step 1: Take the notice seriously from day one.
An error notice can be oral or written. §1005.11(b) defines the minimum information required: consumer’s name, account number, the reason the consumer believes an error occurred, and the dollar amount. A consumer calling to report a Zelle payment to a scammer satisfies this. You cannot require a written dispute form as a precondition to beginning the investigation.
Step 2: Start the clock.
The 10-business-day investigation window begins the day the consumer notifies you, not when you’ve verified the facts or confirmed the consumer’s identity. Block’s consent order cited the practice of deferring investigations pending documentation that wasn’t actually required to start the process.
Step 3: Either resolve in 10 business days or provisionally credit and extend.
Under §1005.11(c):
| Path | Timeline | Requirement |
|---|---|---|
| Resolve within 10 business days | 10 business days from notice | Investigate, determine if error occurred, notify consumer |
| Take more time | Up to 45 business days (90 for POS or foreign transfers) | Must provisionally credit disputed amount within 10 business days |
| New account (open < 30 days) | Up to 20 business days | Provisionally credit within 20 business days if extending |
Provisional credit is not a courtesy. It’s a condition of using the extended investigation timeline. Banks that skip the provisional credit step but take 30 days to investigate are non-compliant — even if they ultimately deny the claim.
Step 4: Send written findings regardless of outcome.
§1005.11(d) requires written notification to the consumer within 3 business days of completing the investigation, whether you found an error or not. If you find no error:
- Explain the results of the investigation
- State that provisional credit (if any) will be reversed
- Include the date and amount of the reversal and the consumer’s right to request the documents relied upon
This is the step Cash App systematically failed. The CFPB found Block routinely denied claims through automated processes without generating the required written findings letter.
What the Cash App Enforcement Tells You About Your Own Program
Block’s $175 million consent order is a detailed compliance audit you can use to test your own processes. The violations weren’t exotic — they’re the kind that emerge when a company scales a payment product faster than its compliance infrastructure.
Violation 1: Substituting chargebacks for Reg E investigations.
Cash App routed many dispute claims through Visa and Mastercard’s chargeback processes rather than conducting its own Reg E investigation. The CFPB found this violates §1005.11 — chargeback is a dispute mechanism between payment networks and merchants, not a substitute for the institution’s own obligation to investigate errors and assess consumer liability.
If your bank processes P2P disputes by telling consumers to “dispute the charge through the card network,” verify that a Reg E investigation is running in parallel or instead.
Violation 2: Denying claims without written findings.
The written findings requirement under §1005.11(d)(2) is explicit. Block denied claims without sending letters. That’s a direct violation regardless of whether the underlying denial was substantively correct. The consumer never received the mandatory explanation, denial reason, or notice of their right to request the documentation relied upon.
Violation 3: Failing to retain compliance evidence.
§1005.13 requires maintaining records sufficient to demonstrate compliance with EFTA and Regulation E for a minimum of two years. Block failed to retain adequate documentation of its investigation process and outcomes. In an examination, the CFPB expects to pull case files and trace the full investigation — notice received, investigation timeline, findings, provisional credit status, written notification. Missing records = presumed non-compliance.
The Investigation Documentation Checklist
Every P2P dispute case file should be able to answer these questions from the paper trail:
| Item | What to Document |
|---|---|
| Notice receipt date | Date and channel (phone call, app, email, branch) |
| Investigation start | Day 1 timestamp; staff assigned |
| Provisional credit decision | If applicable: date issued, amount, account credited |
| Investigation steps | Systems queried, data reviewed, fraud indicators checked |
| Finding | Error / No error determination with rationale |
| Written notification | Date mailed/delivered to consumer; content of letter |
| Consumer response | Any follow-up, right to request documents exercised? |
| File retention | Record retained for 2-year minimum from date of notice |
If your current claims process doesn’t generate all eight items for every case, you have a documentation gap that will surface in an exam.
Where Authorized Payment Scam Liability Is Heading
The regulatory trajectory on authorized P2P scam reimbursement is worth watching even though no federal mandate currently exists. Three dynamics are in play:
Zelle’s network reimbursement program. Early Warning Services (which operates Zelle) implemented a qualifying imposter scam reimbursement program for member banks. This requires member financial institutions to reimburse consumers who were deceived by fraudsters impersonating a bank, government agency, or utility. This is a contractual obligation between Zelle and its member banks — it’s enforceable and expands your effective reimbursement obligations beyond what Reg E requires.
State UDAP enforcement. State attorneys general have more flexibility than federal agencies when it comes to authorized scam reimbursement. Cases brought under state unfair or deceptive acts and practices (UDAP) statutes don’t require demonstrating an “unauthorized” transaction — they require demonstrating that the institution’s conduct was unfair or deceptive. A bank that marketed its P2P platform as “secure” or “protected” while denying virtually all fraud claims without adequate investigation is exposed to state UDAP action regardless of the Reg E authorized/unauthorized line.
CFPB interpretive guidance. The CFPB has signaled that authorized payment scams can constitute errors under EFTA when the authorization was induced by impersonation of the financial institution itself. This interpretation, if formalized, would expand the mandatory reimbursement obligation substantially. Watch for guidance under new CFPB leadership on whether and how they pursue this theory.
So What? Three Things to Fix This Week
The Block/Cash App consent order was January 2025. Examiners and state AGs have had 18 months to study what violations look like. Here’s what to prioritize:
Audit your written findings letters. Pull a sample of Reg E claims denied in the last 90 days. Does each one have a written findings letter in the file? Was it sent within 3 business days of the investigation decision? Does it include the reason for denial and the consumer’s right to request documentation? If any of these are missing, fix the process before the next exam cycle.
Verify you’re not routing Reg E claims through chargeback only. If your operations team treats P2P fraud disputes as chargeback cases and closes them when the chargeback fails, you likely have Reg E violations in your queue. Reg E investigations and chargebacks can run simultaneously, but the Reg E process must be completed independently.
Test your 2-year retention. Pick a fraud claim from 24 months ago and find the file. Can you reconstruct the full investigation trail — notice date, investigation steps, provisional credit disposition, written findings, consumer notification? If not, your retention process needs work before it surfaces in an examination document request.
The Incident Response & Breach Notification Kit includes P2P fraud investigation playbooks, written findings letter templates, and a documentation checklist built for Reg E compliance — so your team has the process in place before the next consumer complaint.
Related Reading
- Instant Payments Fraud Controls: The Operational Risk Framework Financial Institutions Need for FedNow and RTP
- Synthetic Identity Fraud Bust-Out Response: How Financial Institutions Detect, Contain, and Report the Fraud Nobody Sees Coming
- Incident Triage Techniques: Severity Classification, Materiality, and the SEC 4-Day Clock
Sources:
- CFPB Consent Order — Block, Inc. (January 16, 2025)
- §1005.11 Procedures for Resolving Errors — CFPB Regulation E
- Error Resolution Procedures Under EFTA and Regulation E — Consumer Compliance Outlook (2025)
- Regulation E Error Resolution Challenges and Common Pitfalls — RSM US
- Zelle Fraud Reimbursement Demands on Banks and Credit Unions — Kaufman & Canoles
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does Regulation E require banks to reimburse consumers who were tricked into authorizing a P2P payment?
What exactly is the 10-business-day rule under Regulation E?
What documentation must we maintain when denying a Reg E error claim?
What did the Cash App CFPB consent order actually find?
How does Zelle's internal fraud reimbursement policy interact with Reg E?
Are states changing liability standards for P2P authorized payment scams?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
● Don't wait for your own enforcement action
Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Jul 5, 2026
Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Jul 4, 2026