What stops someone from clearing out the Treasury via check?
April 17, 2020 1:52 PM Subscribe
As I understand it, personal checking accounts in the US are not particularly secure because the routing and account numbers shown on paper checks are all that's needed to access funds. Is the checking account used to mail out tax refunds at the same risk or does the Treasury do something special? Bonus pandemic CARES Act question inside.
Obviously criminal charges for check fraud exist but to me tracking down money after the fact seems pretty inelegant. I like to think there'd be a clever way to prevent this sort of thing up front.
I've heard that business checking accounts can have some sort of verification step, where (and I may have this entirely off) the business can somehow tell the bank that check #3261 was written for $2,452.73. If that check number is cashed with a different amount, or a check is cashed with a number the bank wasn't informed about, it would be rejected as part of the ACH process. If I have that right, I can imagine such a thing being used for tax refunds and generally keeping the Treasury account safer than my checking account. Is this an actual account feature? What's this called?
Bonus pandemic question: Assuming the above system is in place for the more-or-less random dollar amount checks issues for tax refunds... What's the deal with all the $1,200 and $2,400 checks being mailed out? Seems like the check number/check amount confirmation might not do much there. Are there other ways to protect a checking account, or is the paper check system a complete house of cards for the US government just like it is for individuals?
Obviously criminal charges for check fraud exist but to me tracking down money after the fact seems pretty inelegant. I like to think there'd be a clever way to prevent this sort of thing up front.
I've heard that business checking accounts can have some sort of verification step, where (and I may have this entirely off) the business can somehow tell the bank that check #3261 was written for $2,452.73. If that check number is cashed with a different amount, or a check is cashed with a number the bank wasn't informed about, it would be rejected as part of the ACH process. If I have that right, I can imagine such a thing being used for tax refunds and generally keeping the Treasury account safer than my checking account. Is this an actual account feature? What's this called?
Bonus pandemic question: Assuming the above system is in place for the more-or-less random dollar amount checks issues for tax refunds... What's the deal with all the $1,200 and $2,400 checks being mailed out? Seems like the check number/check amount confirmation might not do much there. Are there other ways to protect a checking account, or is the paper check system a complete house of cards for the US government just like it is for individuals?
Best answer: I am somewhat familiar with large-scale check processing and ACH processing due to a previous job managing some small parts of specialized back-end payment processor infrastructure. Although that sounds impressive, it mostly consisted of solving formatting inconsistencies between bank-to-bank communication systems. I'm not an accountant, nor am I providing any knowledgable advice for you. My response here is dated by several years; I no longer work in the area.
There are a number of solutions to check fraud and ACH fraud depending on the size of the organization. For a large number of organizations, and essentially every individual (even substantially rich ones), people simply rely on check fraud and ACH fraud being a crime. For ACH transfers, the money that might be taken has to be deposited in another bank account. If a bank isn't keeping good track of who is holding accounts and receiving ACH transfers fraudulently, they are very quickly going to find themselves under the attention of the government and banned from ACH transfers. Unauthorized ACH transfers carry $0 liability to individuals, so banks and ACH organizations have a vested interest in avoiding that as much as possible. Checks used to be a bit trickier, but it's become increasingly rare for any bank to cash a check without an account. The places that will cash checks without an account generally only do so for small amounts (<$5K). The fraud only matters if you have the funds in your account anyway. Most people don't keep much money in their checking accounts - the median balance is $2900 right now.
For larger organizations, the primary solution is "positive pay" and "reverse positive pay". In a positive pay system, the organization issuing checks will provide a list of the check number, amount, and payee to the bank every day. The bank will then verify that each payment matches an entry in the list and reject any that don't. I don't know if this is universally true, but my organization charged a fee per check (think fractions of a cent) to perform the service. In a reverse positive pay system, the bank will tell the organization about all pending checks on a daily basis, and the organization will have to call out which ones are fraudulent. If the organization doesn't say anything, the charges are assumed valid and allowed to continue. My organization charged a smaller fee for this because the effort was lower and because sometimes organizations would miss fraudulent charges (and hence, they'd be liable for the miss instead of us).
Most organizations have a large number of checking accounts rather than one large one. Sometimes this is for segregating funds rather than any legal reason. For instance, retirement fund payments from employees will be segregated from business expenses. Different levels of security may be applied to each. For instance, an organization may have an account for paying rent and only issue checks to a very limited number of other organizations that are perceived as highly unlikely to commit fraud. I don't know in practice if organizations decided to save a small transaction fee very often, but they did have the ability. Inside accounts that had limited function, organizations apply "ACH filters" for transactions. For instance, a rent-only account may be filtered to only allow landlords as payees, and only for the exact amount of rent. As before, my organization charged a per-transaction fee for this service, although again the fee declined because an ACH filter is even simpler than [reverse] positive pay.
Even simpler mechanisms exist for those who either don't have the infrastructure or interest to protect their transactions. Sometimes organizations will take each checking account and split it in two - one checking account for receiving money, and one for spending money. A organization can issue an "ACH block" to prevent withdrawals from a receive-only account.
The final layer I can think of is simply not keeping a large balance in an account. Some organizations fund their accounts frequently - up to daily - to ensure the least amount of money is present in a checking account in any time. There are security benefits to this, but I believe this is primarily done for investment reasons - companies would like to keep their money in higher paying accounts/investments as much as possible.
posted by sockmypuppet at 3:31 PM on April 17, 2020 [6 favorites]
There are a number of solutions to check fraud and ACH fraud depending on the size of the organization. For a large number of organizations, and essentially every individual (even substantially rich ones), people simply rely on check fraud and ACH fraud being a crime. For ACH transfers, the money that might be taken has to be deposited in another bank account. If a bank isn't keeping good track of who is holding accounts and receiving ACH transfers fraudulently, they are very quickly going to find themselves under the attention of the government and banned from ACH transfers. Unauthorized ACH transfers carry $0 liability to individuals, so banks and ACH organizations have a vested interest in avoiding that as much as possible. Checks used to be a bit trickier, but it's become increasingly rare for any bank to cash a check without an account. The places that will cash checks without an account generally only do so for small amounts (<$5K). The fraud only matters if you have the funds in your account anyway. Most people don't keep much money in their checking accounts - the median balance is $2900 right now.
For larger organizations, the primary solution is "positive pay" and "reverse positive pay". In a positive pay system, the organization issuing checks will provide a list of the check number, amount, and payee to the bank every day. The bank will then verify that each payment matches an entry in the list and reject any that don't. I don't know if this is universally true, but my organization charged a fee per check (think fractions of a cent) to perform the service. In a reverse positive pay system, the bank will tell the organization about all pending checks on a daily basis, and the organization will have to call out which ones are fraudulent. If the organization doesn't say anything, the charges are assumed valid and allowed to continue. My organization charged a smaller fee for this because the effort was lower and because sometimes organizations would miss fraudulent charges (and hence, they'd be liable for the miss instead of us).
Most organizations have a large number of checking accounts rather than one large one. Sometimes this is for segregating funds rather than any legal reason. For instance, retirement fund payments from employees will be segregated from business expenses. Different levels of security may be applied to each. For instance, an organization may have an account for paying rent and only issue checks to a very limited number of other organizations that are perceived as highly unlikely to commit fraud. I don't know in practice if organizations decided to save a small transaction fee very often, but they did have the ability. Inside accounts that had limited function, organizations apply "ACH filters" for transactions. For instance, a rent-only account may be filtered to only allow landlords as payees, and only for the exact amount of rent. As before, my organization charged a per-transaction fee for this service, although again the fee declined because an ACH filter is even simpler than [reverse] positive pay.
Even simpler mechanisms exist for those who either don't have the infrastructure or interest to protect their transactions. Sometimes organizations will take each checking account and split it in two - one checking account for receiving money, and one for spending money. A organization can issue an "ACH block" to prevent withdrawals from a receive-only account.
The final layer I can think of is simply not keeping a large balance in an account. Some organizations fund their accounts frequently - up to daily - to ensure the least amount of money is present in a checking account in any time. There are security benefits to this, but I believe this is primarily done for investment reasons - companies would like to keep their money in higher paying accounts/investments as much as possible.
posted by sockmypuppet at 3:31 PM on April 17, 2020 [6 favorites]
So a bunch of layers of security, best practices and good accounting, but it happenes, not here (cough) but the great Bangladesh central bank SWIFT fraud was basically caught due to the banditos making a typo on one of the forms. Well that stopped the transfers but many millions vanished down transfer paths never to be seen again. Still working to fix it too.
Robbers get away with a lot, 50% of regular hold ups are solved, not much chatter about the other 50% (numbers made up but not too far off...) My fav that I read about was a woman that was a many decades loyal employee (read dumped on) one day (was "retired" with no benefits?) just walked into the vault, walked out with a cool million. They knew but could not prove so nothing happened to her!
posted by sammyo at 3:48 PM on April 17, 2020 [1 favorite]
Robbers get away with a lot, 50% of regular hold ups are solved, not much chatter about the other 50% (numbers made up but not too far off...) My fav that I read about was a woman that was a many decades loyal employee (read dumped on) one day (was "retired" with no benefits?) just walked into the vault, walked out with a cool million. They knew but could not prove so nothing happened to her!
posted by sammyo at 3:48 PM on April 17, 2020 [1 favorite]
Response by poster: For larger organizations, the primary solution is "positive pay" and "reverse positive pay".
Positive pay! That's the term I've been trying to find. Sounds like the big missing piece is that you can set names or account numbers.
Very insightful information all around, thanks everyone.
posted by Nonsteroidal Anti-Inflammatory Drug at 7:05 PM on April 17, 2020 [1 favorite]
Positive pay! That's the term I've been trying to find. Sounds like the big missing piece is that you can set names or account numbers.
Very insightful information all around, thanks everyone.
posted by Nonsteroidal Anti-Inflammatory Drug at 7:05 PM on April 17, 2020 [1 favorite]
« Older Espaciel balcony light reflector - worth it?... | Help Me Paint a Mural (Please God help Me!) Newer »
This thread is closed to new comments.
I work in a company that handles lots of banking transactions. Even for us, it would be easily noticeable if someone made a fraudulent charge. We have an entire team dedicated to maintaining our AR/AP balance on a daily basis.
Besides that, Treasury checks are watermarked, and any bank will be able to recognize a fake. And it's not like you can initiate a payment from the Treasury for any personal or business transaction like you could with an individual account.
And yes, there is a system in place tracking check numbers, payees, and amounts. Its automatic and happens as soon as the check is processed. So even if you were able to slip a fake check by a banker, the bank couldnt complete the transaction and put the money in your account without the approval of the Treasury's system, which will show the date, payee, and amount and not honor anything that doesnt match.
posted by ananci at 2:45 PM on April 17, 2020 [1 favorite]