Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Breaking Regulatory Compliance

Regulation E and P2P Payment Scam Liability: What the $175M Cash App Consent Order Tells Banks About Their Investigation Process

The CFPB's $175M consent order against Block/Cash App wasn't about the fraud — it was about the investigation process. Here's what financial institutions must document, how the 10-business-day clock works, and where authorized P2P scam liability actually lives.

By Rebecca Leung · June 16, 2026 ·
Table of Contents

TL;DR:

  • Block, Inc. (Cash App) paid $175M in January 2025 — not because fraud happened, but because the error resolution process was broken: no proper investigations, no written findings, no two-year documentation retention.
  • Reg E distinguishes “unauthorized” transactions (covered, consumer liability capped) from “authorized” scam payments (not directly covered by liability caps, but error resolution obligations still apply).
  • The 10-business-day investigation window is mandatory; extensions to 45 days require provisionally crediting the disputed amount first.
  • Denying a Reg E claim requires a written findings letter to the consumer within 3 business days of your decision — this is not optional, and it’s one of the most common deficiencies CFPB examiners find.

January 16, 2025. The CFPB ordered Block, Inc. to pay $175 million for failures in how Cash App handled fraud complaints. Not for allowing the fraud to happen. Not for inadequate security controls. For what happened after consumers called to report a problem — and Block failed to run the investigation Regulation E required.

That enforcement action is the clearest statement regulators have made about where P2P payment scam liability actually lives. It’s not in the fraud itself. It’s in the response.

The Authorized/Unauthorized Line and Why It Matters

Regulation E covers “unauthorized electronic fund transfers” — defined in §1005.2(m) as transactions “initiated by a person other than the consumer without actual authority to initiate such transfer.” When a fraudster compromises a consumer’s credentials and moves money without the consumer’s knowledge, that’s unauthorized. The consumer’s liability is capped at $50 (if reported within 2 business days), $500 (if reported within 60 days), or potentially unlimited beyond 60 days.

P2P payment scams typically work differently. A fraudster poses as the IRS, a bank representative, or a family member in distress. The consumer — believing the story — logs into their own app and sends the money themselves. The transaction is technically authorized by the account holder. Reg E’s liability caps don’t directly cover the underlying loss.

This is the authorized payment gap. The CFPB has been trying to bridge it through enforcement and rulemaking for several years. The dropped Zelle lawsuit (against JPMorgan Chase, Bank of America, and Wells Fargo) and the ongoing state AG investigations represent two tracks of that effort. But the more immediate and documented enforcement risk isn’t about the gap in coverage — it’s about the investigation process that every bank must run regardless of how the claim is ultimately categorized.

What Regulation E Actually Requires When a Consumer Files a Claim

When a consumer notifies a financial institution of a potential error — including a transaction they didn’t authorize or a P2P payment they believe was fraudulent — §1005.11 kicks in immediately.

Step 1: Take the notice seriously from day one.

An error notice can be oral or written. §1005.11(b) defines the minimum information required: consumer’s name, account number, the reason the consumer believes an error occurred, and the dollar amount. A consumer calling to report a Zelle payment to a scammer satisfies this. You cannot require a written dispute form as a precondition to beginning the investigation.

Step 2: Start the clock.

The 10-business-day investigation window begins the day the consumer notifies you, not when you’ve verified the facts or confirmed the consumer’s identity. Block’s consent order cited the practice of deferring investigations pending documentation that wasn’t actually required to start the process.

Step 3: Either resolve in 10 business days or provisionally credit and extend.

Under §1005.11(c):

PathTimelineRequirement
Resolve within 10 business days10 business days from noticeInvestigate, determine if error occurred, notify consumer
Take more timeUp to 45 business days (90 for POS or foreign transfers)Must provisionally credit disputed amount within 10 business days
New account (open < 30 days)Up to 20 business daysProvisionally credit within 20 business days if extending

Provisional credit is not a courtesy. It’s a condition of using the extended investigation timeline. Banks that skip the provisional credit step but take 30 days to investigate are non-compliant — even if they ultimately deny the claim.

Step 4: Send written findings regardless of outcome.

§1005.11(d) requires written notification to the consumer within 3 business days of completing the investigation, whether you found an error or not. If you find no error:

  • Explain the results of the investigation
  • State that provisional credit (if any) will be reversed
  • Include the date and amount of the reversal and the consumer’s right to request the documents relied upon

This is the step Cash App systematically failed. The CFPB found Block routinely denied claims through automated processes without generating the required written findings letter.

What the Cash App Enforcement Tells You About Your Own Program

Block’s $175 million consent order is a detailed compliance audit you can use to test your own processes. The violations weren’t exotic — they’re the kind that emerge when a company scales a payment product faster than its compliance infrastructure.

Violation 1: Substituting chargebacks for Reg E investigations.

Cash App routed many dispute claims through Visa and Mastercard’s chargeback processes rather than conducting its own Reg E investigation. The CFPB found this violates §1005.11 — chargeback is a dispute mechanism between payment networks and merchants, not a substitute for the institution’s own obligation to investigate errors and assess consumer liability.

If your bank processes P2P disputes by telling consumers to “dispute the charge through the card network,” verify that a Reg E investigation is running in parallel or instead.

Violation 2: Denying claims without written findings.

The written findings requirement under §1005.11(d)(2) is explicit. Block denied claims without sending letters. That’s a direct violation regardless of whether the underlying denial was substantively correct. The consumer never received the mandatory explanation, denial reason, or notice of their right to request the documentation relied upon.

Violation 3: Failing to retain compliance evidence.

§1005.13 requires maintaining records sufficient to demonstrate compliance with EFTA and Regulation E for a minimum of two years. Block failed to retain adequate documentation of its investigation process and outcomes. In an examination, the CFPB expects to pull case files and trace the full investigation — notice received, investigation timeline, findings, provisional credit status, written notification. Missing records = presumed non-compliance.

The Investigation Documentation Checklist

Every P2P dispute case file should be able to answer these questions from the paper trail:

ItemWhat to Document
Notice receipt dateDate and channel (phone call, app, email, branch)
Investigation startDay 1 timestamp; staff assigned
Provisional credit decisionIf applicable: date issued, amount, account credited
Investigation stepsSystems queried, data reviewed, fraud indicators checked
FindingError / No error determination with rationale
Written notificationDate mailed/delivered to consumer; content of letter
Consumer responseAny follow-up, right to request documents exercised?
File retentionRecord retained for 2-year minimum from date of notice

If your current claims process doesn’t generate all eight items for every case, you have a documentation gap that will surface in an exam.

Where Authorized Payment Scam Liability Is Heading

The regulatory trajectory on authorized P2P scam reimbursement is worth watching even though no federal mandate currently exists. Three dynamics are in play:

Zelle’s network reimbursement program. Early Warning Services (which operates Zelle) implemented a qualifying imposter scam reimbursement program for member banks. This requires member financial institutions to reimburse consumers who were deceived by fraudsters impersonating a bank, government agency, or utility. This is a contractual obligation between Zelle and its member banks — it’s enforceable and expands your effective reimbursement obligations beyond what Reg E requires.

State UDAP enforcement. State attorneys general have more flexibility than federal agencies when it comes to authorized scam reimbursement. Cases brought under state unfair or deceptive acts and practices (UDAP) statutes don’t require demonstrating an “unauthorized” transaction — they require demonstrating that the institution’s conduct was unfair or deceptive. A bank that marketed its P2P platform as “secure” or “protected” while denying virtually all fraud claims without adequate investigation is exposed to state UDAP action regardless of the Reg E authorized/unauthorized line.

CFPB interpretive guidance. The CFPB has signaled that authorized payment scams can constitute errors under EFTA when the authorization was induced by impersonation of the financial institution itself. This interpretation, if formalized, would expand the mandatory reimbursement obligation substantially. Watch for guidance under new CFPB leadership on whether and how they pursue this theory.

So What? Three Things to Fix This Week

The Block/Cash App consent order was January 2025. Examiners and state AGs have had 18 months to study what violations look like. Here’s what to prioritize:

Audit your written findings letters. Pull a sample of Reg E claims denied in the last 90 days. Does each one have a written findings letter in the file? Was it sent within 3 business days of the investigation decision? Does it include the reason for denial and the consumer’s right to request documentation? If any of these are missing, fix the process before the next exam cycle.

Verify you’re not routing Reg E claims through chargeback only. If your operations team treats P2P fraud disputes as chargeback cases and closes them when the chargeback fails, you likely have Reg E violations in your queue. Reg E investigations and chargebacks can run simultaneously, but the Reg E process must be completed independently.

Test your 2-year retention. Pick a fraud claim from 24 months ago and find the file. Can you reconstruct the full investigation trail — notice date, investigation steps, provisional credit disposition, written findings, consumer notification? If not, your retention process needs work before it surfaces in an examination document request.


The Incident Response & Breach Notification Kit includes P2P fraud investigation playbooks, written findings letter templates, and a documentation checklist built for Reg E compliance — so your team has the process in place before the next consumer complaint.



Sources:

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does Regulation E require banks to reimburse consumers who were tricked into authorizing a P2P payment?
Not automatically. Reg E mandates reimbursement for unauthorized transactions — where someone else initiated the transfer without the consumer's permission. When the consumer initiated the transfer themselves under false pretenses (the classic 'authorized scam'), Reg E's liability caps don't directly apply to the underlying loss. However, the CFPB has found that banks can still violate Reg E's error resolution process requirements on these claims — dismissing them without a proper investigation triggers its own exposure, separate from whether the loss itself is reimbursable.
What exactly is the 10-business-day rule under Regulation E?
Section 1005.11(c)(1) requires financial institutions to investigate an error notice and determine whether an error occurred within 10 business days of receiving the consumer's notice. If the institution needs more time, it may extend to 45 business days (90 for POS debit or foreign-initiated transfers) — but only if it provisionally credits the full disputed amount to the consumer's account within that initial 10-business-day window. Provisional credit is not optional if you're using the extended timeline.
What documentation must we maintain when denying a Reg E error claim?
Section 1005.11(d)(2) requires written findings to be mailed or delivered to the consumer no later than 3 business days after completing the investigation — including the reason(s) for denial and the consumer's right to request the documents relied on. Section 1005.13 separately requires retaining evidence of compliance with EFTA and Regulation E for at least two years. Block/Cash App was cited for both: denying claims without sending written findings, and not retaining documentation for the mandatory two-year period.
What did the Cash App CFPB consent order actually find?
The January 2025 CFPB consent order against Block, Inc. found three core Reg E violations: (1) relying on chargeback processes instead of conducting its own Reg E investigation; (2) failing to provide required written findings when denying error claims; and (3) failing to retain compliance evidence for the mandatory two-year period under §1005.13. Block also faced UDAAP findings for misrepresenting fraud protections and making phone support functionally unavailable. The total enforcement action was $175M — $55M civil penalty plus at least $120M in consumer redress.
How does Zelle's internal fraud reimbursement policy interact with Reg E?
Zelle's network rules require member financial institutions to reimburse consumers who were victims of certain 'qualifying imposter scams' — cases where the fraudster impersonated a bank, government agency, or utility company. This goes beyond what Reg E technically mandates for authorized transactions. However, Zelle's internal policies don't define your Reg E investigation obligations, which exist independently. You must still run a compliant Reg E error resolution process even for claims you ultimately deny under Zelle's imposter scam standard.
Are states changing liability standards for P2P authorized payment scams?
No state has yet passed a law specifically mandating reimbursement for authorized P2P scams. However, state attorneys general in California, New York, and Minnesota have opened investigations under UDAP statutes — the state-law equivalents of CFPB's UDAAP authority — targeting banks and platforms alleged to have misled consumers about fraud protections. The CFPB dropped its own lawsuit against JPMorgan Chase, Bank of America, and Wells Fargo over Zelle in early 2025, but that dismissal does not bind state enforcement.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

● Don't wait for your own enforcement action

Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.

Incident Response & Breach Notification Kit

Step-by-step incident response playbooks and breach notification templates for all 50 states.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.