YONKERS, NY – A new Consumer Reports evaluation of digital wallets found that they provide many benefits to consumers, including convenience, speed, safety, and record-keeping, but also pose some risks. CR’s evaluation comes at a time when the Consumer Financial Protection Bureau is deprioritizing oversight of digital payments and Congress has repealed a rule that gave the CFPB supervisory authority over digital wallets.
CR found that some digital wallet providers use and share customer data for purposes beyond what is necessary to provide their core service, don’t clearly explain fraud monitoring and liability protection policies, and require extra steps to ensure that funds stored in the wallet are covered by FDIC insurance. All the digital wallets CR evaluated do the basics to help users manage and track their spending from the app, but providers could do more to promote financial well-being.
“Digital wallets have become a popular financial tool for many consumers, with three out of every four Americans now using them, because they provide a secure and easy way to make purchases and send money to friends and families along with many other benefits,” said Delicia Hand, senior director, digital marketplace, at Consumer Reports. “But there are some risks and challenges users may encounter that they should keep in mind to protect their money and privacy.”
Hand continued, “Digital wallet providers should limit the collection of sensitive customer data and give consumers more control over how their information is used. Some of the digital wallet apps we examined could be improved by making it easier to qualify for FDIC insurance, adding more money management tools, and providing clearer disclosures about how transactions are monitored for fraud and whether users are protected when they are scammed by crooks.”
Digital wallets enable users to conduct financial transactions without a physical card by storing card and bank account information in the wallet. Many also offer additional features, such as storing tickets or IDs, rewards or cash-back features, and additional financial services such as credit or debit cards and cryptocurrency trading.
A nationally representative survey conducted by CR in February 2024 of 2,035 U.S. adults found that 76 percent of Americans use one or more digital wallets, with 29 percent using them at least weekly, and an additional 24 percent using them once or a few times a month. The top three ways digital wallet users reported using their wallets were to make a purchase through online merchants (61 percent did so), send payments to friends and family (50 percent), and make a purchase in-person at a store (38 percent). Users’ top concerns were about security (42 percent), privacy (36 percent) and widespread acceptance of the wallet (30 percent).
CR’s evaluation explored the mobile digital wallets offered by three multi-sector tech companies (Apple, Google, and Samsung) and three fintechs (Cash App, PayPal, and Venmo). CR evaluated digital wallets using its Fair Digital Finance Framework. Among CR’s key findings:
Fraud monitoring and liability protection varies depending on the service and transaction: Fraudulently induced transactions have become an increasingly common risk for consumers using peer-to-peer payment services. CR found that fraud monitoring and liability protection policies vary across wallet providers and may not be clear to consumers, which could cause confusion and frustration. Cash App, PayPal, and Venmo commit to proactively monitor account and transaction activity for fraud and suspicious activity. Apple Wallet, Google Wallet, and Samsung Wallet do not commit to comprehensive fraud monitoring for third party payments funded by a stored payment card. That responsibility falls to the card issuer involved in the transaction.
Providers only extend liability protection for unauthorized transactions. Cash App, PayPal, and Venmo provide definitions of “unauthorized transactions” and “errors,” but do not specify that scams are not considered either. Samsung Pay Cash does not provide a definition of “unauthorized transactions” or “errors.” Apple Cash’s Terms of Service clearly specify that “Payments that you are induced to make by an imposter or by other fraud are not ‘unauthorized.’” Because Apple Wallet, Google Wallet, and Samsung Wallet transmit stored account credentials to facilitate a transaction, they are not held directly responsible under Regulation E for liability coverage for unauthorized transactions and errors.
CR’s Recommendation: Providers should extend liability protection to fraudulently induced transactions. In the absence of that protection, these companies should be more transparent about the limits of their liability.
Eligibility for FDIC insurance varies and requires extra steps: Consumers must take extra steps to ensure their money stored in the app is covered by FDIC insurance. Often, they must either register their account by verifying their identity or use one of the provider’s other services to qualify.
CR’s Recommendation: Providers should test the language they use to describe FDIC insurance eligibility with actual users to make sure that it is clear. If users are required to register their account and verify their identity to qualify, providers should make that part of the onboarding process. If users are required to use a specific service to insure their funds, providers should expand those options so they are relevant and accessible for all users.
Most companies do not practice data minimization: Because of the nature of the services they provide, digital wallet providers collect, use, and share sensitive information, such as social security numbers and financial information like transaction data. The majority of Apple’s data collection, usage, and sharing appears to be necessary to deliver its core services. Most of the providers evaluated do not limit their use of data in this way.
For example, Google and Samsung are both able to link wallet, pay, and in the case of Samsung, stored balance account data with the user’s overall Google or Samsung account. This means that these companies have access to a significant amount of data on each user. Apple and Google use, but do not share, data for marketing purposes. Cash App, PayPal, Samsung, and Venmo use and share data for marketing purposes.
CR’s Recommendation: Providers should go beyond what is required by law by practicing data minimization. Secondary uses of data should be limited to fixing errors and performing internal research to improve customer experience. Providers should offer in-app settings for users to control their privacy and exercise their data rights.
Providers could do more to foster users’ financial well-being: CR found that the wallets provide basic tools to help users track their spending. All of them have easy, in-app ways for users to see their payment history and the apps with a stored balance feature have easy, in-app ways for users to see their balance. All the apps send users transaction notifications, but not all provide periodic summaries of transactions conducted through the service, which would help users track spending patterns.
CR’s Recommendation: Providers should integrate features that actively support users’ financial well-being, including smart alert systems for potential overdrafts; meaningful spending insights that account for irregular income; tools for short-term saving and financial planning; and clear information about fees before transactions.
For a more complete explanation of CR’s findings and recommendations, see Raising the Bar on Digital Wallets: How Six Leading Platforms Stack Up on Safety, Privacy, and Financial Well-Being. See also: Digital Wallet Best Practices Playbook
CR’s evaluation of digital wallets builds on recent evaluations of mobile banking apps, peer-to-peer payment systems, and buy now, pay later (BNPL) services. See cr.org/digitalfinance for information about CR’s Digital Finance Standard.
Media contact: Michael McCauley, michael.mccauley@consumer.org