Can the same data needed for direct deposit also enable withdrawals?

My employer has my routing number and account number for direct deposit of my paycheck. When I pay my taxes, I provide my routing number and account number so the government can withdraw the money. Is there any backflow valve that can prevent the money from flowing in a different direction than I want? Or would the bank let my employer take all the money they want out of my account?

I am trying to determine under what circumstances it would be safe to give anyone this data.

Every time I’ve authorized direct deposit for my paycheck, I’ve been required to allow them to withdraw money in case of overpayment. So, yes, presumably the routing number and account number information that allows them to deposit money would also let them withdraw money.

What would happen if you didn’t allow them to withdraw money? Is that just on paper or is there a mechanism in place that could prevent it? Suppose I wanted to use my bank account the same way I use PayPal–deposits only; any payments have to be explicitly authorized by me. Does the ACH system support that, or as far as the banks are concerned I gave them the keys to the vault?

I don’t know. It may be possible to set up a “deposit only” bank account.

I pay bills all the time using that same information. So yeah, they can withdraw money.

Don’t you need to sign an authorisation for withdrawing funds?

I can deposit money into any old bank account, but there’s no way I can withdraw it. If a company wants to be able to withdraw from my account, I have to fill out paperwork that authorises withdrawals.

You need to be authorized to withdraw money. Historically, banks placed more emphasis on just knowing the account number, which sort of meant less emphasis on being authorized, but either way, knowing the account name and number is the first step towards withdrawing money from it.

The steps for authorizing a withdrawal depend on what kind of account it is, and what kind of bank it is, and what kind of customer you are. When I was younger, it was sometimes easier to get money out of a business account that was used for disbursements, than to get money out of a personal savings bank account. I could wander into any bank with a ‘pay cheque’ and get cash, but that wasn’t going to happen with my bankbook/savings account.

Frank Abagnale has written/said that it used to be that you had to meet an employee in the carpark to get bank account details that are now casually available.

Yes. I have to tell them to take money from there.

That said I honestly don’t know what would stop them from taking whatever they want, whenever they want beyond legal ramifications. When they tell the bank that @Whack-a-Mole said it is ok to withdraw $50 what happens if they try to take $500? I really do not know how the bank makes sure the withdrawal was approved and the amounts are correct. The bank never asks me.

Well, I’m not in the US so maybe it’s different, but I have to fill out a direct debit form and my understanding was that this was given to the bank as proof that I have allowed the company to withdraw from my account.

I too have to approve company-X to be able to withdraw from my account.

But once that is done I just have to trust them that they will withdraw the appropriate amount and not clean me out.

Of course, I only give this approval to trusted companies and I know I have recourse against them. While they may charge fees that are criminal they are not actual criminals.

I also make sure my checking account that bills are paid from is not all of my money. I transfer enough in at the beginning of each month to cover expected bills plus a little cushion. If someone goes nuts and empties my account (think of living in Texas when power prices spiked and your power bill went from $200/month to $10,000) it would be bad but it would not be catastrophic either.

Right, so just the routing number and account number is not enough, you need some kind of authorisation as well.

Personally I don’t use direct debits, mostly so I have control over the timing of payments, but also so that I don’t get stung by someone else’s misplaced decimal point error.

Yes, but to be fair when I give authorization it is to the company. So, when I sign up for paying a bill electronically with (say) my power company I do not contact my bank. I tell the power company it is ok.

So, if some bad actor at the power company decides to tell the bank that @Richard_Pearse gave approval what is to stop them?

And I hear you on controlling the timing. I have found you can ask the companies to process the bill on a given date and mostly they will be happy to adjust those times. As for the decimal point error that is why I use a specific checking account for paying bills that does not contain all of my money. If I have $1000 of bills per month on average I will make sure there is $1300 in there. If someone screws up I am not wiped out.

These days I can do all of the transfers on my phone and it is really easy. Something to do during commercials when watching TV once a month.

Of course YMMV.

I have been paying all my regular bills by DD for decades without problems. Naturally, I would not give a DD authorisation to an organisation I don’t trust.

As for control, I just make sure that my current account has a sufficient balance when payments are due - if it is short, I just transfer some cash from reserves. This works fine for me because I have a cushion - I guess that if I were living hand-to-mouth, I might do it differently.

Cheques are pretty much obsolete on this side of the Atlantic. I have had one this year, and that was from HMRC (IRS). I had to work out how to pay that one in via a smartphone and my bank’s app.

When it comes to transferring money to individuals, I do that electronically, which means they have to give me their bank details. This does not allow them to empty my account though as they don’t have the required passwords.

There have been cases where thieves spoof people into paying them instead of the person they were expecting:

You have to settle a payment of $20,000 for your house repairs. The builder is J Jones. Someone sends you an email asking you to pay the $20k into an account and gives you the details - you don’t notice that the name on the account is J James.

This relied on the banks taking no notice of names on bank transfers, but the loophole has now been closed, so that the account number and the payee name have to match.

This is a bit of a tangent, but given the topic, people here might find it as interesting as I did.

When I moved from the US to Europe, I was very surprised to see how openly personal bank IDs, specifically IBANs, are shared. People use them to pay bills and exchange money with each other (for any sum greater than is convenient with cash) almost entirely electronically. Nobody writes checks; they’re essentially unknown.

If you want to buy, say, a used bicycle from someone, it works like this. (1) You agree on an amount. (2) They give you their IBAN. (3) You launch your banking app on your phone. (4) You define the other party as a payee, using the info they gave you. (5) You tell the app to send them the agreed amount. (6) The transfer happens and they receive the money.

This is a casual everyday thing here. Everybody does it. It’s effectively equivalent to Venmo-ing money from person to person (or PayPal, or whatever), but there’s no middleware. It’s just bank account to bank account. You can set up middleware applications that handle the same function, if you don’t like your own bank’s app interface for some reason, but it’s unnecessary.

Every organization that sends bills expects to be paid this way. The electrical utility, the heating-and-cooling service vendor, whoever, they all put their IBAN at the bottom of the invoice. Some of them even use a Digicash service, which collapses the banking details into a QR code and simplifies the process even more.

The first time I saw this, after I moved, was on a solicitation for donations from a charitable organization that was dropped in my mailbox. On the flyer, they had the IBAN prominently featured, which I thought was weird. Eventually I worked out this was the mechanism by which they expected people to give them money. From my American perspective, this was very strange, because I’m used to personal banking information being guarded as highly confidential. But here, it works, and now that I’m used to it, it’s remarkably quick, easy, and efficient.

We also don’t set up our automatic bill paying with an authorization to “pull.” The payee never gets the right to withdraw funds. We always schedule it as a “push.” There’s probably a correlation here, i.e. there’s no risk of a malicious person using the bank account number to steal money, because it’s just not done that way.

Just one of the many, many small conveniences I’d lose if I ever went back to the States.

Lots of good advice upthread from folks who live in civilized countries. Not so applicable to the primitive and Wild West banking as done in the USA.

Ask your bank. They may well have mechanisms you can opt into to ensure no ACH withdrawals occur without your specific authorization to your bank, not to the counterparty.

The ACH system itself assumes any transactions in either direction are legit and are approved by both parties. The assumption is the legal system will prevent or clean up any problems that occur.

When you signed up for DD from your employer, that paperwork almost certainly included you granting them the right to withdraw any mistakenly deposited funds. Of course they can always be honestly mistaken about what’s a mistake and then clean you out anyhow. That’s before we even get into any dishonesty.

This seems like a perfectly rational system as long as the IBAN can’t also be used to take the person’s money.

In the US, we authorize deposits by putting our routing number and account number on a form. To authorize withdrawals, we use the exact same information on a form. You don’t give this form to your bank. The person who has the form just goes to the bank and says “Give me whatever money I’m asking for.” Maybe they turn the form over to the bank, but it would be trivial to fake it if you already have the routing number and account number. If you write a check, it’s just a piece of paper with the routing number and account number, which could also very obviously be used to populate the “give me all the money” form.

For the life of me, I can’t understand how this system works. The best answer someone came up with in another thread was that the only people who are allowed to debit accounts through ACH are reliable businesses. I don’t buy it. Check cashing places and shady used car dealers can do it. Someone may be a reliable business right up until the day they wipe out $100 million in accounts, buy a bunch of bitcoin and move to the Cayman Islands. I simply do not understand this system and yet I’ve got enough money for a nice new car riding on it every day. Nothing in this thread has convinced me this isn’t insane.

Kind of a hijack, but I’ve always wondered about checks. I mail a check for payment of whatever, could whoever processes that payment take all my information from my check - name, address, routing number & account number and use it for online purchasing? I’ve never heard of that happening.

With a DD it is a ‘push’ payment so the most one could lose would be a single payment.

For one-off payments, one always uses a credit card because if the payee defaults, the CC company is liable.

Well, yes, a DD is a push. But once somebody has your two numbers there’s nothing procedural or technological preventing them from creating as many “pull” payments as they want of whatever size they want and stealing all your money.

The only obstacle is that most ordinary people don’t have the tools to launch ACH debits and most businesses are honest, if not 100% competent.

What T_and_C finds odd (and he’s not alone in that) is that the whole system hasn’t long since been defrauded into unusability given its near total lack of actual built-in safeguards.

I don’t hear about it either but nobody can tell me what’s stopping it.

I think you are saying that a direct deposit is a “push payment” and that the bank would only allow the depositor to withdraw a single payment it claims was made in error. This seems to assume that the bank wouldn’t reverse multiple payments at the same time. Is that true? I have no idea.

This misses the point. The information needed to set up an ACH debit from my account is not very highly guarded. Everyone I’ve ever written a check to has this information. What keeps it from being exploited more?

What stops the bank employee from setting up a shitty used car dealership, taking my deposit information (or a copy of my check and hundreds of others) and telling the bank that I authorized a $30,000 debit to buy a Jeep Wrangler?