ACH Is a Sieve of Fraud That Needs to Be Fixed
EXCLUSIVE – This month, my company, Royal Media, was robbed. This was a civilized heist, mind you. No guns were involved, no one got hurt — in fact, not a sound was even heard.
It was a faceless theft, as well. Its discovery started with an innocuous question by a colleague: “Do you have a Walmart credit card?”
“No,” I responded, “why?”
“It seems there is a payment for a Walmart credit card on our bank statement.”
From this one debit, we discovered that nearly a dozen illicit payments were put through our bank account to various parties. In just a few days, nearly $50,000 was siphoned from us.
And it was all avoidable.
The theft was perpetrated through the Automated Clearing House, or ACH, as it is known in banking. ACH, founded in 1974, is the main electronic network for financial transactions in the United States. About $12 trillion in around 5.5 billion transactions moved through ACH last quarter alone, according to its steward, NACHA, an industry group.
It is also rife with fraud. The thief or thieves who got us needed just two elements: our company’s bank account number and routing number. Those elements are prominently displayed on every paper check, and required for inbound wire transfers. It is nearly impossible to ensure that those numbers are kept safe from criminals. Beyond poaching account info, the options available to thieves are astounding. According to NACHA, criminals can use various methods to exploit the ACH network, including issuing counterfeit checks, impersonating a customer over the phone to arrange funds transfers, or mimicking legitimate communication from the financial institution to “verify” transactions. And there is little authentication. You, dear reader, could take this company’s account information, log in to your online credit card account, and pay off your credit card bill with my company’s bank account information — without needing to validate that the bank account is yours. As one victim of account fraud wrote in 2016, “There’s two-factor authentication, there’s one-factor authentication, and then there’s this, which I think I can call zero-factor authentication.”
And, yet, these simple account-routing-number heists are avoidable. In fact, the technology necessary to stop this fraud is actually old. Just consider all the mobile phones that employ fingerprint ID and how QR codes are increasingly common in mobile payments. Those technologies can be used to better protect checks. The fact that checks still broadcast account and routing numbers for thieves to steal is astounding, especially since the vast majority of checks today are digitally deposited or processed.
This is a problem that has been well-known by the banking industry and NACHA for years. After all, the legislation allowing for digital checks was passed in 2004. My company banks with JPMorgan Chase & Co., and I am certainly grateful that the bank refunded us the stolen money, as it should. But equally I was told by a JPMorgan Chase employee that the bank simply writes off such instances of fraud, which are increasingly common. At a bank that generated more than $4.2 billion of net income last quarter, maybe that writeoff doesn’t amount to much, but it is an economic loss all the same.
There is another, greater loss that merits a renewed effort on the part of the banking community to fix ACH: the loss of trust and security. I felt nothing short of violated by the larceny, and it has led me to greater suspicion of the banking system as a whole. To be sure, there is cost in fixing this vulnerability, and likely great cost, but the U.S. banking industry has been on a growth tear since 2013. The means for the fix is there.
If there is one lesson in all this, look more carefully at your bank statement. It is easy to gloss over it month after month, but the fact is, there might be a robbery underway. In a civilized manner, of course.
