Can the same data needed for direct deposit also enable withdrawals?

Factual Questions
21

Nothing except the threat of lawsuit or prosecution. Nothing.

It’s a system designed in the 1950s. I too wonder how many billions are stolen unnoticed from big businesses this way, and how many ordinary schlubs lose the contents of their checking accounts the same way.

Actually, my “nothing” needs a small caveat. There’s some small opportunity to hold the bank that originated a fraudulent debit liable. But not much of an opportunity. They have some obligation to “know” their customers, but they’re also entitled to “trust” their customers to be generally honest until proven otherwise.

22

The risk of jail time.

Setting up their car dealership would require them to have their personal information recorded as the proprietor of the dealership and user/owner of the bank account. Or they could use fake information, which would be a crime.

If they hadn’t already committed a crime in setting up the dealership, charging $30,000 to your account is probably doable, although it’s possible banks require some history of transactions before they let you do any and everything, but to keep that money they have to do a minimum of one additional crime beyond the fraudulent charge, and unless they did a lot of criming setting up the dealership and account without linking it to their real persona, the investigation only has to be into whether the charge was fradulent, not into who did it.

23

Okay, maybe a car dealership isn’t the best idea. How about an online seller of widgets at many price points? I do some legitimate transactions but I use the remainder of the credibility gained over a couple of months from my legitimate transactions to just flat out steal a bunch of money using data copied from checks. Wire the money to offshore accounts. Sure, at that point the business is burned. The bank will shut down the accounts and I have to start over with a new widget business and a new bank but this business is replicable and it wouldn’t necessarily easy to locate and arrest the actual people behind the activity.

24

We have had business cheques that we have sent out stolen, ‘washed’ where the payee is removed, and deposited into someone else’s account. Our bank protects us against this fraud as long as we promptly notify them, but as a result of the hassle we send out cheques as rarely as possible and depend on direct deposit.

We had a contractor who did not want to provide us with banking info as we could “steal all his money” and insisted on a cheque. I pointed out that he was asking us for a piece of paper with our banking info printed on the bottom, how is that any different?

25

The same applies to credit cards, where you don’t even have to be concerned that the people not currently having sufficient funds in their account.

Our economic system weighs convenience vs. risk of fraud all the time and comes down on the side of convenience a lot of the time without being crushed by fraud, so far.

26

True but banks are on the hook for credit card fraud (all but $50 of it by statute, and generally all of it by practice). As a result, banks have taken a lot of steps behind the scenes to identify and stop fraudulent credit card use before it happens. Merchant systems have to have certain data protections to prevent misuse. For example, although you submit the CVV number to a website when you buy something online, the merchant isn’t supposed to save the code. Visa and Mastercard audit merchants’ computer systems to make sure they comply with the data safety standards. They also use artificially intelligent systems to identify and decline fraudulent transactions. It’s not a perfect system but even when it fails, the risk of fraud isn’t really on the credit card holder. Presumably, banks are investing in systems that are expected to prevent more fraud than they cost, which means they have found the level of fraud for them that isn’t worth worrying about. (Although large and small credit card issuers may have different opinions about what is the efficient level of fraud).

ACH transactions don’t have the same protections for depositors and they don’t seem to enjoy the same efficient level of fraud prevention systems. Maybe I’m wrong (it wouldn’t be the first time) and there is more going on behind the scenes than I am aware of but I don’t understand the poor level of ACH security in this country.

27

I think the important point here is - another person knows your bank info for getting a payment from your account. So what? What are they going to do with that?

If it’s an authorized withdrawal- into what? Typically, it’s the power company or the finance company for your car loan. In reality, it’s not them, it’s their account in an accredited bank. So they have to tell their bank “please pull $387.50 out of Mr. Jones account as an authorized debit - account details as follows…” If it’s NOT authorized, presumably (a) the finance company has committed a crime and (b) the bank that pulled the money from your account is on the hook to reverse the transaction once the dust has settled. The real question is who can do this? I assume, not foreign banks, certainly not ones in Nigeria. I’m going to guess the process is limited to other domestic banks covered by Federal Deposit Insurance. How they vet their customers for such process permissions is likely up to each bank’s procedures. But basically, you as John Doe cannot just walk in and ask your bank to transfer $30,000 from Sam Roe’s account in Second National Deuschebank.

The same goes for cheques. Forged and overdrawn cheques, kiting (bouncing money around so it appears there’s enough in the account), running accounts with legit transactions for a few months until the bank trusts the account holder - all used to be common games. Catch Me If You Can is a (true) tale of a particularly clever cheque forger.

The whole banking business is based on trust. In fact, the collapse and almost-paralysis in 2008 was based on the fear each bank had that there was a serious risk other banks would not be able to cover those cheques and other transfers that happen daily between banks - I cash a cheque from Bob, my bank sends it (via clearing house) to Bob’s bank to get the money, etc. I suppose games with cheques is the same category as “what stops someone for taking a car for a test ride and never bringing it back?” (Hint - the police)

Fun story - we visited China a decade ago, including a visit to Tibet. When we arrived, they took us straight to the office in Lhasa where we paid the balance of the tour package by credit card in their credit machine. When we checked out of the hotel, our guide paid the hotel for our stay with a huge wad of 100Yuan bills. I assume the tour company could not accept (were not allowed to submit) payments without “card present” and PIN, and the hotel was not willing to submit a bill to the tour company and wait for payment. It was a whole different level of trust between businesses from what we expect in the west.

In Canada, we have eTransfer via email. But in reality, it’s everyone who has signed up for a service that transfers from one bank account to another - so again, accredited banks. Also, it only works as initiated by the sender, not the receiver.

28

Two car purchase stories:

Back in 2015 we bought a used car for £21,500. I would have paid by CC but the dealer wanted to add 1½%, so I moved some cash around and paid with a debit card. No problem, but the bank did phone me to check before processing it.

Less than a year later we realised that the car was not what we wanted, so I searched until I found one (direct from Ford but via my local dealer). The trade-in was not a good offer so I went to one of the we buy cars for instant cash places. At the dealership, I offered my debit card for a £22,000 purchase and they didn’t even blink. This time there wasn’t even a phone call.

29

We used to get a phone call when transferring money from a business account in Australia to a personal account in Ukraine. That was sufficiently suspicious looking that they called on several transfers, before accepting that it was business as normal for us.

30

This is sort of a side-topic, but I found out earlier this week I had messed up someone’s bank account number on their tax return, and they didn’t get their federal refund despite the IRS saying it had sent it to the bank. Thankfully, today I learned that the IRS issued them a check as the bank apparently rejected the money as the account number was not legal. Interestingly enough, at the same time we had a direct debit set up to take the money she owed the state, and I wondered what the likelihood was that it was be rejected while the refund would actually end up in someone else’s account because of the greater security behind “pull” transactions. I don’t know the answer to the question, as I don’t know what safeguards the IRS and the states have to prevent people from accidentally (or not) as in my case ending up pulling money from the wrong account. But it made me rant a little about how stupid the US system is compared to Europe.

As to sending money quickly via phone in Europe, what’s the authentication like when you have to authorize a payment? How does the bank know you are the owner of the account? Is it just a password? Do you have to authorize every single transaction that happens? Do you have to initiate the transaction, as in entering the IBAN and the amount, or do people you regularly do business have the ability to send you bills which you then approve? Even if your app saves past vendors, without receiving a bill into the app, you’d have to manually enter every amount that someone wants, and that’s just an extra hassle compared to approving a bill, which is at least only very minimally more work than just not worrying at all about making the credit card payment because you know you didn’t spend all that much and have plenty of money in the bank account to cover the automatic payment in full of the balance. I set up bill pay and have it done automatically, and only bother to check in once a week to make sure there’s nothing fraudulent and to gauge the level of my account so I know how much I can send from it to my broker.

31

The first time you set it up, there is a lot of validation. The bank verifies your identity in person, and issues you a SecureID-type token with a rotating checksum. Then you download and set up the app, using the token to connect and validate your account. On the app for our bank, it also asks for your fingerprint when you launch the app, as a second layer of verification (for the corner case where you hand your phone to someone who wants to make a call, and they quickly try to get into your bank app, I guess). The app also requires you to re-authenticate the account with the token on an irregular basis, every 4-6 months or so.

Yes. There are no “pull” payments where the other party removes money from the account without your involvement each time. They are all “push” payments.

Yes, we initiate the transaction. The IBAN is saved with the payee, so all we have to do is pick the recipient and enter the amount. It takes literally 5-10 seconds. Even accounting for the extra time to open the app and have it read your fingerprint, it’s still quicker than writing a check. If the bill is set up with Digicash, you don’t even have to manually type the amount; you just point the phone at the QR code and tap a button to authorize the transaction.

As an American who relocated to Europe, please believe me when I say that I find this process to be faster, more convenient, and more secure. It seems odd because it’s new to you, and you’re accustomed to your current procedure. That’s fine, if you’re happy with it and don’t see any reason to improve, then you’re good. But for me, I’ve done it both ways, and I greatly prefer this system. We pay all of our bills one Saturday each month, and the whole process takes a maximum of ten minutes, including the time to open all the envelopes and then file the bills in the drawer at the end.

32

Of course, all this has had a knock-on effect. All the bank groups have been closing smaller branches as fast as they can. Today I see Santander (one of our big five) is closing over 100 branches with the loss of 800 jobs. Even if some of those find alternatives in the same company, that means a lot more ex bank employees looking for work. It also means that people who need face-to-face contact with their bank will have further to travel.

My own bank still has a presence in our town, but I was surprised when I popped in yesterday to get some cash in coins (Town centre parking is still coin-in-the-slot). Once through the lobby where the ATMs are the main banking area is more like an office, with people working at desks. No screens anywhere.

I was the only customer and was promptly pounced on by a nice young lady offering help. I felt almost guilty that all i wanted was £10 worth of coins. A few years ago, I would have joined a queue for one of the half-dozen tellers behind their bulletproof glass.

33

Substantially the same technology is now available in teh US. The major banks got together and created a thing called “Zelle” (rhymes with “sell”) that does that.

The sender never learns the actual account and routing numbers of the recipient. And it’s all push, no pull.

There are (and have ben for years) any number of 3rd party apps that will do the same thing between registered participants. This is the first thing that works for substantially everybody and substantially every big bank in the USA. Super convenient.

34

Now all they have to do is convince people that it’s safe. There are plenty of people over here that don’t trust the system.

35

It’s safe in the sense that nobody can use it to vaccuum your account.

But it has no particular consumer protection legislation covering it, and the last screen with the submit button makes it clear that once you push [submit] the money is gone. If you sent it to the wrong John Smith, too bad so sad; better be more careful next time.

In that sense it’s very unsafe compared to the US consumer expectation that they’ll be fully protected from their own incompetence and folly as well as from criminal action.

36

I seem to recall a case here some years ago where motoring journalist Jeremy Clarkson published his bank account and sort code (aka routing number) in his newspaper column, precisely on the basis that it wasn’t possible to withdraw money from his account with just those details. Some smartass found out his home address (probably not too difficult - he’s hardly low-profile, and I know the name of the village he lives in/near as he has mentioned this publicly in the past) and using this information was able to impersonate him sufficiently to set up a Direct Debit from his account with Greenpeace (or some such similar charity that he was unlikely to normally support). Clarkson basically laughed it off in a ‘well played’ sort of way and I believe pledged to let it stand, despite it being set up fraudulently. Note that it wouldn’t have been possible for a fraudster to do similar but divert the money to their own account, unless they set up or had a company that was part of the Direct Debit scheme - and even then, I’m sure it would be found out and corrected sooner or later.

TLDR: as Cervaise already said, here in Europe we don’t tend to worry too much about just giving out bank details, as they can’t generally be used to withdraw money. And as also pointed out, they’re printed on the bottom of any cheque you write.

37

A few years ago I did exactly that. I mistakenly sent £100 to my student daughter’s landlady. Fortunately, she willingly withdrew the cash and passed it over. There would have been no way to compel her to do it.

38

OK, yes, it’s obviously illegal to vacuum out someone’s account. And it’s also obviously illegal to just walk into the bank building and cart off all of the cash they have in the place. If it being obviously illegal were enough security, then why does the bank bother with the big steel vault with the fancy locks on the door? And why does the bank not have the virtual equivalent of steel vaults with locks on the accounts?

It seems to me that, if someone pulls money out of my account without my permission, I should be able to hold the bank liable. I told them to hold onto my money for safekeeping, and they stole my money and gave it to someone else. If they don’t want that to happen, then they need to do something to prevent it.

39

There are two banks in every ACH transaction, the originating bank (ODFI - Originating Depository Financial Institution) & the receiving bank (RDFI - Receiving Depository Financial Institution). They can be the same (I’ll get to that below) but frequently aren’t. Depending upon how an ACH Originator is set up with their bank (the ODFI) they can initiate credits (ie. direct deposit, bill payments for individuals, etc) & possibly debits (car, mortgage, utility payments, etc.). The ODFI isn’t going to let just anyone initiate debits & will do appropriate due diligence when approving a customer to initiate debits. This can include looking at financials & the type & size of business. The bank internally assigns a business a risk rating including limits on how much the business can initiate & how much, if any, of that must be prefunded. There are limits per file, per day, & in total. (ACH traditionally was a multi-day transaction from initiation until effective date; there is now same-day ACH). Obviously, the electric utility or cable company will have a much higher limit than a small professional services firm that bills you; an accountant, lawyer, engineering office, etc. The ODFI is bound to the ACH rules & anyone who initiates ACH transactions (txns) is bound to the ACH rules vis-à-vis the contract they sign with the ODFI to participate in that service. One of the items in that contract is that they will only initiate duly authorized txns & for the approved amount. In the older days of ACH that was an actual wet ink signature on a dead tree piece of paper from you, the party that was being debited. Obviously, electronic (or telephonic) approvals are allowed now. At the appropriate time(s) of day, the ODFI sends A file to the ACH operator who slices & dices it & creates files to be sent to the various RDFIs, much the same way that one drops a bunch of letters/packages off at Fed-Ex/UPS/USPS for delivery to various addresses in various states. The RDFI then posts the various debits & credits to their customer's accounts. You look in your account & see your paycheck/direct deposit, as well as various debits, one for your mortgage, one for your car payment & one you don't recognize at all. If this is a consumer account, you have 60 days to notify the bank that there was an unauthorized txn thanks to [Reg E](https://www.google.com/search?q=Reg+E&oq=Reg+E&aqs=chrome..69i57.631j0j1). You notify your bank, they send a (code R10) rejection notice back to the ODFI who then reaches out to their originator & basically says, "Show me what you got". If the originator can't produce appropriate authorization, that txn gets reversed & you get your money back. The ODFI then debits the Originator for the amount of the txn. If for some reason, there’s no money left in the Originator’s account, the ODFI bank eats the loss; banks don’t like to eat losses! There’s basically two reasons this can happen, bankruptcy of the Originator or fraud. In the latter case, it’s a federal offense & you have lots of resources & G-men coming after you. Yes, unauthorized txns happen in the wild occasionally; especially when an acct # typo results in an incorrect but valid acct # but if an originator comes anywhere close to the limits the ODFI stipulates in the contract, they’re going to be monitored closely & possibly have their acct closed. The banks have a compact where they report closed accts & the reason; good luck opening a new acct at a different bank.
Further, if an ODFI has too many returns for that reason (<½%), across ALL of their originators they can lose the ability to initiate ACH txns, which means they’ll most likely lose all of their business accounts. If NACHA (the ACH governing body) were to do that, you’d better believe that they whole host of different bank regulators would be scheduling audits & going over the ODFI’s policies, procedures, & practices with a fine-toothed comb. No banker wants that.

The above being said, a variable rate bill much higher than expected, like the TX electric co bills last month, or back in the olden days (2019) you’d occassionally hear a story of someone who went to a different coutry & racked up a multi-hundred/thousand dollar cell phone bill because of roaming charges & not being on a local plan in whatever country the trip occurred in is NOT unauthorized. They take their billed amount & you’re now screwed because you now can’t pay your rent/mortgage. Nope, I don’t let any variable bill (utilities) to make a debit to my account other than possibly a one-time debit (where I get to approve the $ amt being debited)

40

Yes, I too do not let anyone to take payments of an indeterminate amount from my account.

But thanks, it still shows it boils down to trust. You can tell Bank O to withdraw (pull) from an account in bank R but only if the O bank truly trusts you (thinks it trusts you) as a business and you have a legitimate reason for the process.

A friend of mine who was not too good with money management once remarked to m that the cardholder agreement with a bank says that they can just take the money from your account to pay your credit card if you are behind. While I never have been in that situation, I recognized it as a risk should I get into a dispute with my bank over an unauthorized CC transaction, so I made a point of having credit card and banking in separate institutions. (Except now, the bank gives me a much better deal if I consolidate everything.)

Back when bank cards were first a thing in Canada, I had moved temporarily to return to university. It took a long time for the small-town branch to finish setting up my bank card, since they had never done so in the small town my account was located - there were no ATM’s there at the time. Finally, it worked, but I kept wondering why my savings account balance was always wrong. No big deal, I only used my chequing account. The local branch couldn’t tell me. One day I noticed my savings account was over $1000 too high, so I transferred $1000 to my chequing account. The next day, my card was suspended and the transaction reverse, and I went in to find out why - turns out the small town branch had attached the wrong person’s account to my savings and nobody noticed. Once they fixed that, no problem.