Simplicity, convenience, and speed.

They’re among the key reasons that consumers have so enthusiastically embraced so-called peer-to-peer (P2P) payment services like Venmo, which let individuals seamlessly transfer money to one another, electronically, with just a few taps on their smartphones.

Those admirable qualities are, for the most part, complemented by a degree of security. According to a comprehensive Consumer Reports study of five of the most popular services, P2P payments are generally safe.

We emphasize generally, however, because important caveats are in order. The truth is, some of the same qualities that make P2P services so appealing to consumers also expose them to significant risks—risks that users should take seriously and that both P2P service providers and government regulators should do more to mitigate.

Those two conclusions—one a limited endorsement, the other an urgent warning—are the primary lessons to emerge from CR’s in-depth review of mobile P2P payment services, including Apple Pay, Facebook Payments in Messenger, Square’s Cash App, Venmo, and the Zelle app. (The Zelle service accessible through many banking apps was not studied.)

But given how popular P2P payments have become, the warnings require special attention.

Warning 1: Problem Resolution

P2P providers deserve credit for designing simple and easy-to-use applications that belie their underlying technological and financial sophistication.

But that simplicity smooths over more than just technical wizardry. It also hides a thicket of overlapping and uncoordinated legal agreements, financial regulations, and consumer protections. The upshot: It’s almost impossible for consumers—even the rare ones who read user agreements—to understand their rights and obligations in the event of error or financial fraud.

How can this affect you? Take a misdirected payment, where a user accidentally sends money to the wrong person. Our study found it can be alarmingly easy to make this mistake, and that consumers may not know they can't necessarily reverse such payments. Nor do they know that in most cases, providers won't help if the recipient refuses to return the misdirected funds.

Another issue is outright fraud. Thieves are increasingly exploiting consumer enthusiasm for—and trust in—P2P services. If you or a family member is tricked into sending money to a scammer via P2P, the law doesn’t require P2P services to return or help recover the funds.

Warning 2: Payment Security

CR’s study found that most companies are investing significant resources in security and allow users to set up extra layers of security. But nearly all of them could do more to keep users safe.

In particular, they could design their apps to “default” to the highest security level, meaning users would have to actively choose to opt out. Instead, Venmo, Square's Cash App, and Facebook Payments in Messenger require no password, PIN, or fingerprint for repeat access to the app or to initiate a transaction when their default security settings are in place. Only one provider, Apple, requires users to confirm a payment before it is sent.

Warning 3: Privacy

When it comes to privacy practices, there's a lot of room for improvement. Most of the apps we looked at reserve broad rights to use your data for unrelated purposes, including targeted advertising. Many reserve the right to sell your information to third parties.

There are positive privacy innovations, as well. Apple designed its systems to strictly limit the data it collects from its users. And only Apple follows the principle of data minimization, which holds that collected data should not be held or used unless it is essential for reasons clearly stated in advance.

One provider, on the other hand, stands out for an especially problematic practice. Venmo makes certain transaction details public by default, presumably believing its core customers like to share that information with their friend communities. That setting can—and, we feel, should—be turned off by users. All other services CR studied keep financial transactions hidden from public view as a matter of course.

How to Fix the Problems

So what should be done to address these issues? Consumers can do a lot to protect themselves. But Consumer Reports urges immediate action on the part of policymakers and P2P service providers.

Policymakers. First, victims of fraud should be entitled to error resolution rights even if they were tricked into authorizing a transfer of funds themselves. As such, the Consumer Financial Protection Bureau (CFPB) should extend the Electronic Fund Transfer Act (EFTA) protections against unauthorized transactions to include so-called victim-assisted fraud, which refers to cases where victims are induced by fraud to authorize a payment.

Second, consumers who mistakenly send money to the wrong person should have recourse beyond trying to contact and reason with the recipient. In fact, we believe the right to a formal error resolution process is already established by the Regulation E implementation of EFTA. But P2P providers frequently tell consumers that they bear sole responsibility for such errors, and it appears that regulators have not enforced Regulation E in this context. The CFPB should clarify procedures to remove any uncertainty and enforce the rule if providers don’t comply.

Providers. For starters, P2P providers should do more to ensure that funds make it to the right person every time, even if it slightly slows the user experience. For example, misdirected payments could be reduced by requiring a micro transaction confirmation before each new payee is added. And all parties in the liability chain should offer robust error and fraud resolution policies and should make it easy for users to get help from trained customer service reps through the apps, online, and by telephone.  

Introducing a small amount of friction—say, requiring users to enter a PIN or password and to confirm payee details for each transaction—would likely reduce fraud and mistakes. Providers should make these more secure settings the default and allow users to opt out if they find them burdensome.

Providers should also be more transparent about data collection and should practice data minimization in line with the Digital Standard.

P2P services continue to evolve, and their ever-increasing ease of use and range of features are almost certain to draw a growing number of users. Providers, policymakers, and users alike need to make sure their great promise is realized.