How do bank drafts / electronic debits work?
August 1, 2014 3:22 PM Subscribe
I believe that bank account and routing information is sufficient to initiate a bank draft or electronic debit of one's bank account. I had always assumed that to be true, but my boss found the information alarming and wants to secure our accounts. I'm ... not sure it can be done. Can anyone explain how it works and why that system isn't more frequently abused?
I called our bank, and they confirmed that they don't ask for a signature or agreement before processing an electronic debit. If that's the case, why isn't fraud more common? Google returns some results about fraudulent debits by telemarketers, but nothing in the business world. Explain it to me so I can explain it to him!
I called our bank, and they confirmed that they don't ask for a signature or agreement before processing an electronic debit. If that's the case, why isn't fraud more common? Google returns some results about fraudulent debits by telemarketers, but nothing in the business world. Explain it to me so I can explain it to him!
Many banks offer fraud-prevention services for commercial accounts that prevent what your boss is worried about. One service is called positive pay, where you send records of all the checks you write to the bank everyday and they only allow debits that match what you've sent them. If your bank doesn't offer positive pay, you can switch to one that does.
posted by grouse at 4:05 PM on August 1, 2014 [3 favorites]
posted by grouse at 4:05 PM on August 1, 2014 [3 favorites]
There has actually been a tremendous amount of fraud in connection with the practice of withdrawing funds from customer accounts without signatures, much of it with the active connivance of the bank itself.
Back in 2008, Wachovia got in a lot of trouble -- but not nearly enough, frankly -- for such practices:
I haven't kept up with this all that well in the intervening years, but as far as I know, the problem still exists and I think your boss is right to be concerned.
posted by jamjam at 4:09 PM on August 1, 2014
Back in 2008, Wachovia got in a lot of trouble -- but not nearly enough, frankly -- for such practices:
The Wachovia Corporation agreed on Friday to pay as much as $144 million to end an investigation that accuses the bank of allowing telemarketers to use its accounts to steal millions of dollars.
The settlement, one of the largest penalties ever demanded by the federal Office of the Comptroller of the Currency, concludes an 18-month inquiry into Wachovia’s relationships with schemes that investigators say stole from thousands of victims, many of them elderly.
Though Wachovia did not admit or deny wrongdoing, the investigation found that Wachovia, one of the country’s largest banks, engaged in unsafe practices — failing to conduct suitable due diligence, failing to monitor accounts used by telemarketers and failing to follow normal procedures that would probably have uncovered the thefts.
The bank’s actions were “part of a pattern of misconduct” that resulted in Wachovia’s collecting millions of dollars in fees, regulators wrote.
...
“YIKES!!!!” wrote one Wachovia executive in 2005, warning colleagues that an account used by telemarketers had drawn 4,500 complaints. “DOUBLE YIKES!!!!” But Wachovia continued processing fraudulent transactions for that account and others.
...
In 2005, attorneys general of 35 states urged the Federal Reserve to end the unsigned check system. But the Federal Reserve demurred.
“We really need these unsigned checks to be prohibited completely,” said Mr. Miller, the Iowa attorney general. “There’s still a lot of work to be done.”
I haven't kept up with this all that well in the intervening years, but as far as I know, the problem still exists and I think your boss is right to be concerned.
posted by jamjam at 4:09 PM on August 1, 2014
You need to tell your boss about "Regulation E" which limits your liability quite a bit if you're the victim of fraud using an electronic transaction. Most banks further limit that liability all the way down to $0. And, the burden of proof is usually on the party that initiated the transaction (IE: The account holder the funds were deposited into) to prove that they verified your identity properly.
Your bank basically assumes that you authorized every transaction on the account unless you tell them that you didn't. Reg. E specifies that you have two business days to notify your bank to limit your liability to $50 but most banks will give you 30-days and limit the liability to $0.
It's been since I've had to know this information in a professional capacity and, even then, the training I received never really drew a good line between what was required by regulation and what was bank policy over-and-above it.
posted by VTX at 4:17 PM on August 1, 2014 [3 favorites]
Your bank basically assumes that you authorized every transaction on the account unless you tell them that you didn't. Reg. E specifies that you have two business days to notify your bank to limit your liability to $50 but most banks will give you 30-days and limit the liability to $0.
It's been since I've had to know this information in a professional capacity and, even then, the training I received never really drew a good line between what was required by regulation and what was bank policy over-and-above it.
posted by VTX at 4:17 PM on August 1, 2014 [3 favorites]
It's very common for telemarketers when the person making the purchase doesn't have a credit card. They sell sheets of generic blank checks that you can print the name, account number, routing info and amount. It's part of the Quicken suite [I'm sure it's a part of many others also] and there are online services that do this as well.
Fraud is an issue. Accounting software maintained vigilantly is the defense. Banks will refund fradulently issued checks but it's up to you to find them.
posted by vapidave at 4:35 PM on August 1, 2014 [1 favorite]
Fraud is an issue. Accounting software maintained vigilantly is the defense. Banks will refund fradulently issued checks but it's up to you to find them.
posted by vapidave at 4:35 PM on August 1, 2014 [1 favorite]
Best answer: I'd like to highlight and expand on grouse's answer having run the gamut of bookkeeping and accounting operations for a small (~$20MM per annum) business that was the victim of check fraud. This is not accounting advice. Your account manager at your bank will be able to tell you about available products, services and protections.
Let's draw a clear distinction between checking and Electronic Funds Transfer (EFT). Checks are physical paper instruments which include payer information (your bank's ABA routing number, your checking account number, your business name, your authorized signature, &c), payee name, monetary value, date, and check number. EFTs may refer to wire transfers or ACH transactions which are initiated by fax (yes, really) or online banking.
Your first defense against check fraud is the secrecy of your checking account number. This is, obviously, a poor defense as anyone you have ever written a check to has this information. However it is the prerequisite for all attempts at fraud, so don't be profligate with it. Don't make it easy for them!
Your next line of defense against a bad check are the eagle eyes of bank tellers across the nation. During a spate of false checks, I received three calls in one month from quick-thinking and -Googling tellers who exercised their initiative and searched for our business name, found my phone number on our corporate website and called to ask if what they were holding was a valid instrument. Sometimes you get lucky and bad checks look like bad checks. Don't count on this either, it's not a legal protection.
Your first real security comes from statistics, heuristics and random sampling on behalf of your bank. Technology has enable a profusion of methods here, so your bank may use computer image recognition to, e.g., compare check faces or authorized signatures between the presented instrument and known good examples of checks drawn against your account (I've found this to be very unusual though). More typically you will see technical solutions like ensuring that checks are presented in ascending order by number and date (i.e., if check 100 was written on 2/1 then check 101 being presented as having been written on 1/1 will cause your bank to flag the transaction) or checking that there aren't large gaps in check number (checks are numbered in sequence, so if you've been writing checks with numbers like 100 and then a check is presented with number 073462, that's a flag). Your bank will also likely flag a random sample of checks for manual review by a human, and someone familiar with your account will give everything a good thorough looking at every so often to be proactive.
Now a historical note, when a check is processed the physical instrument is "cancelled". Cancelled checks used to actually be returned to you from your bank with your monthly statement. Now state law and electronic check scanners have mostly put an end to this, practice depends on your bank and state law but you may receive pages of miniaturized cancelled check images with your monthly statement, or be provided access through online banking. As part of reconciling your bank account monthly (or if you're really good weekly or even daily!) your accountant "should" be reviewing these images to look for fraud, but long before they have to look at signatures they should notice the discrepancy with your check register. If the business owner is writing checks without anyone updating a check register and your accounting practices (or lack thereof) see you only recording transactions when they clear the bank... Well, some clients get your Special Executive Accounting Rate For Special Executives. Reconciling a statement to your check register is your ultimate and final line of defense! Be proactive, be detailed, be prepared. You typically have 30 days to dispute a check from when it was presented, so stay on top of your reconciliations.
Okay! After all that, what are the ways to be proactive about check security? The best advertised way is obviously to purchase commercial checks with security features like watermarks or icons that disappear when heated by friction or special UV ink microprinting or acid-resistant paper and ink or magic seals which invoke the seven seals of Agorath to ward off all with evil intent. I, personally, believe there are diminishing returns from all those security features and have only ever purchased check stock that is fancy enough to obviously feel secure, distinguishing it intuitively from junk run off on a home laser printer on cheap card stock.
Less well known but infinitely more valuable is (trumpets please) Positive Pay. Your bank likely offers a financial product called positive pay that you can have added to your business bank account (and if not, it's time to look for a new bank). The idea is that it is a whitelist for your checks. When you write a check, you record its details (payee, amount, date, check number) in your check register. Daily (or as often as you do check runs) you send the new entries from your check register to your bank (through online banking or a separate special purpose portal) and the bank will refuse all presented checks that fail to match your provided positive pay items. There are all sorts of knobs and configurations you can work out with your bank like giving you a day to go into the portal and manually approve checks that you may have missed uploading before items are refused, but that's all detail work.
Alright! Now I'm finally done with checks, and we can move on to the comparatively simpler world of EFTs. First up, wire transfers. Wire transfers are awful. If you have the option, skip even having wire transfers set up for your business banking account. The system is woefully out of date (yes, seriously, it primarily runs on faxes, it isn't just your bank) and if you make a mistake in sending a wire you are pretty much SOL, that cash can't be recalled because wires are irreversible.
Now some good news is that wire service is typically split between wire origination (you choosing to send money) and drawdown wires (someone choosing to take your money, sometimes confusingly called reverse wires). Never in all my experience was it necessary to even enable drawdown wire functionality, so I made sure the bank didn't have it set up on our account. Due to the irreversible nature of wires, you might see contracts written that require your company to allow the other party to make drawdown wire requests against your account in case of failure to deliver or such. In my particular experience we were able to replace those clauses with assured Letters of Credit drawn against a Line of Credit we had from our bank, never forget to negotiate! I consider it an extremely poor idea to give any other party the ability to withdraw cash from your accounts at their whim in any amount they desire, don't allow drawdown wires.
Far more commonly electronic debits will refer to ACH debits. ACH is a more modern system than wire transfers, and so is a little more user friendly and actually allows for some good cash management controls. ACH credits refer to your sending money, debits again refer to money being taken from your accounts. You have some ability to reverse ACH transfers within certain windows, your account manager can give you both the official timeframes from the NACHA (National Automated Clearing House Association) and their operational constraints.
Unlike checks (or even wires really) you always know who the counterparty is when dealing with ACHs due to the way transactions are constructed. Using this information banks typically implement a product called something like ACH Positive Pay, ACH Blocks & Filters, or ACH Filters. If this isn't enabled for your account request it, and if your bank doesn't provide it, switch. This operates as a whitelist for counterparties, you provide the bank with a list of approved names and tax IDs of businesses which can ACH debit you (like ADP for payroll, or your corporate credit card provider, &c) and all ACH debits from other parties will be returned or brought to your attention for approval from an account signer. This isn't as fine grained as check positive pay, i.e. you can't control the individual transactions, but you can leave certain counterparties off of your approved whitelist and manually approve each transaction if you're diligent about responding to your bank in an extremely timely manner.
And that's it. Disabling wire service and requesting check and ACH positive pay services from your bank is high quality protection from drive-by fraud attempts, provided that you have good and regular bookkeeping and accounting services. Now all you have to be worried about are con artists and embezzlers.
posted by books for weapons at 3:17 AM on August 2, 2014 [22 favorites]
Let's draw a clear distinction between checking and Electronic Funds Transfer (EFT). Checks are physical paper instruments which include payer information (your bank's ABA routing number, your checking account number, your business name, your authorized signature, &c), payee name, monetary value, date, and check number. EFTs may refer to wire transfers or ACH transactions which are initiated by fax (yes, really) or online banking.
Your first defense against check fraud is the secrecy of your checking account number. This is, obviously, a poor defense as anyone you have ever written a check to has this information. However it is the prerequisite for all attempts at fraud, so don't be profligate with it. Don't make it easy for them!
Your next line of defense against a bad check are the eagle eyes of bank tellers across the nation. During a spate of false checks, I received three calls in one month from quick-thinking and -Googling tellers who exercised their initiative and searched for our business name, found my phone number on our corporate website and called to ask if what they were holding was a valid instrument. Sometimes you get lucky and bad checks look like bad checks. Don't count on this either, it's not a legal protection.
Your first real security comes from statistics, heuristics and random sampling on behalf of your bank. Technology has enable a profusion of methods here, so your bank may use computer image recognition to, e.g., compare check faces or authorized signatures between the presented instrument and known good examples of checks drawn against your account (I've found this to be very unusual though). More typically you will see technical solutions like ensuring that checks are presented in ascending order by number and date (i.e., if check 100 was written on 2/1 then check 101 being presented as having been written on 1/1 will cause your bank to flag the transaction) or checking that there aren't large gaps in check number (checks are numbered in sequence, so if you've been writing checks with numbers like 100 and then a check is presented with number 073462, that's a flag). Your bank will also likely flag a random sample of checks for manual review by a human, and someone familiar with your account will give everything a good thorough looking at every so often to be proactive.
Now a historical note, when a check is processed the physical instrument is "cancelled". Cancelled checks used to actually be returned to you from your bank with your monthly statement. Now state law and electronic check scanners have mostly put an end to this, practice depends on your bank and state law but you may receive pages of miniaturized cancelled check images with your monthly statement, or be provided access through online banking. As part of reconciling your bank account monthly (or if you're really good weekly or even daily!) your accountant "should" be reviewing these images to look for fraud, but long before they have to look at signatures they should notice the discrepancy with your check register. If the business owner is writing checks without anyone updating a check register and your accounting practices (or lack thereof) see you only recording transactions when they clear the bank... Well, some clients get your Special Executive Accounting Rate For Special Executives. Reconciling a statement to your check register is your ultimate and final line of defense! Be proactive, be detailed, be prepared. You typically have 30 days to dispute a check from when it was presented, so stay on top of your reconciliations.
Okay! After all that, what are the ways to be proactive about check security? The best advertised way is obviously to purchase commercial checks with security features like watermarks or icons that disappear when heated by friction or special UV ink microprinting or acid-resistant paper and ink or magic seals which invoke the seven seals of Agorath to ward off all with evil intent. I, personally, believe there are diminishing returns from all those security features and have only ever purchased check stock that is fancy enough to obviously feel secure, distinguishing it intuitively from junk run off on a home laser printer on cheap card stock.
Less well known but infinitely more valuable is (trumpets please) Positive Pay. Your bank likely offers a financial product called positive pay that you can have added to your business bank account (and if not, it's time to look for a new bank). The idea is that it is a whitelist for your checks. When you write a check, you record its details (payee, amount, date, check number) in your check register. Daily (or as often as you do check runs) you send the new entries from your check register to your bank (through online banking or a separate special purpose portal) and the bank will refuse all presented checks that fail to match your provided positive pay items. There are all sorts of knobs and configurations you can work out with your bank like giving you a day to go into the portal and manually approve checks that you may have missed uploading before items are refused, but that's all detail work.
Alright! Now I'm finally done with checks, and we can move on to the comparatively simpler world of EFTs. First up, wire transfers. Wire transfers are awful. If you have the option, skip even having wire transfers set up for your business banking account. The system is woefully out of date (yes, seriously, it primarily runs on faxes, it isn't just your bank) and if you make a mistake in sending a wire you are pretty much SOL, that cash can't be recalled because wires are irreversible.
Now some good news is that wire service is typically split between wire origination (you choosing to send money) and drawdown wires (someone choosing to take your money, sometimes confusingly called reverse wires). Never in all my experience was it necessary to even enable drawdown wire functionality, so I made sure the bank didn't have it set up on our account. Due to the irreversible nature of wires, you might see contracts written that require your company to allow the other party to make drawdown wire requests against your account in case of failure to deliver or such. In my particular experience we were able to replace those clauses with assured Letters of Credit drawn against a Line of Credit we had from our bank, never forget to negotiate! I consider it an extremely poor idea to give any other party the ability to withdraw cash from your accounts at their whim in any amount they desire, don't allow drawdown wires.
Far more commonly electronic debits will refer to ACH debits. ACH is a more modern system than wire transfers, and so is a little more user friendly and actually allows for some good cash management controls. ACH credits refer to your sending money, debits again refer to money being taken from your accounts. You have some ability to reverse ACH transfers within certain windows, your account manager can give you both the official timeframes from the NACHA (National Automated Clearing House Association) and their operational constraints.
Unlike checks (or even wires really) you always know who the counterparty is when dealing with ACHs due to the way transactions are constructed. Using this information banks typically implement a product called something like ACH Positive Pay, ACH Blocks & Filters, or ACH Filters. If this isn't enabled for your account request it, and if your bank doesn't provide it, switch. This operates as a whitelist for counterparties, you provide the bank with a list of approved names and tax IDs of businesses which can ACH debit you (like ADP for payroll, or your corporate credit card provider, &c) and all ACH debits from other parties will be returned or brought to your attention for approval from an account signer. This isn't as fine grained as check positive pay, i.e. you can't control the individual transactions, but you can leave certain counterparties off of your approved whitelist and manually approve each transaction if you're diligent about responding to your bank in an extremely timely manner.
And that's it. Disabling wire service and requesting check and ACH positive pay services from your bank is high quality protection from drive-by fraud attempts, provided that you have good and regular bookkeeping and accounting services. Now all you have to be worried about are con artists and embezzlers.
posted by books for weapons at 3:17 AM on August 2, 2014 [22 favorites]
« Older How to unindoctrinate an indoctrinated child? | Need help picking an anniversary gift Newer »
This thread is closed to new comments.
I know it's terrifying when you first think of it - I occasionally configure Accounts Receivable ACH for my customers and every time I'm like "this should be...harder" but the fact is that when my customer takes money out of their customer's bank account, there is an electronic paper trail.
posted by Lyn Never at 3:31 PM on August 1, 2014 [4 favorites]