6

I need to receive payments from several institutions, so I shared my bank routing number and account number with a few people for legitimate purposes. Recently, however, I discovered an unauthorized transaction of several thousand dollars withdrawn from my bank account.

My questions are:

  1. Why does the banking system allow withdrawals using only a routing number and account number? These numbers are required for me to receive payments, but I do not understand why possession of the same information also allows others to withdraw funds without my explicit authorization.
  2. How can I prevent this from happening again while still being able to receive regular payments from organizations? Are there safeguards, account settings, or alternative arrangements that would allow me to accept deposits without exposing my account to unauthorized withdrawals?
9
  • 1
    Is this for the US? Commented 2 days ago
  • What did your bank say when you talked to them about it? Commented 2 days ago
  • @DJClayworth, as they suggested, I closed my account, opened a new one and got my money back. But the bank did not give information regarding how it happened. Commented 2 days ago
  • @littleadv, yes. I edited the tags accordingly. Commented 2 days ago
  • 4
    @keshlam Even if they know, they're not going to give that information to OP regardless. The knowledge of HOW it happened does not help the bank prevent it, so they're not going to give that away. If they think OP did something wrong, they wouldn't have given them the money back. Commented 2 days ago

3 Answers

16

The ACH system is designed to fix fraud after it happens, not prevent every attempt. Every paper check you write has the same ACH information on it, so it's not hard to obtain.

The good news is that they are very traceable - the vendor must use a real bank with lots of identifying information. If you contact your bank immediately and report an "unauthorized ACH debit" they will likely reverse the charge and investigate. It's akin to someone cashing a forged check against your account.

2
  • 7
    It's worth noting that outside North America the system is very different, and banks generally want to see your authorization before transferring money out of your account. Commented 2 days ago
  • 3
    Outside North America, it has also become very uncommon for people to let their credit cards out of their sight; here, it is still common for waiters, for example, to carry your card to the register rather than bringing a billing machine to the table. It also took us forever to adopt chip cards. The disadvantage of being an early adopter of one generation of technology is that it is harder to persuade people to move to the next one. Commented 2 days ago
5

Why does the banking system allow withdrawals using only a routing number and account number?

Because that's how the ACH system works. ACH ("Automated Clearing House") is a system designed to route transactions, and all it needs is the routing number that identifies the bank, and the account number that identifies the account within the bank. This is how checks work, and ACH debits are basically checks in electronic form (and paper checks nowadays are translated into an ACH debit).

How can I prevent this from happening again while still being able to receive regular payments from organizations?

Generally, you cannot. You may be able to find banks offering accounts that only allow deposits but not withdrawals, but that would be something the bank offers specifically as an account feature. You'll need to check with your bank to see if they offer such accounts, and it would be more likely than not that if they do - these would cost extra, be considered "business" accounts, etc. It would complicate your own life since you'd need to utilize other methods for withdrawals (wire transfers, cash withdrawals, etc).


The above is true for the US; in most of the world, checks have been phased out and the banking transfer systems are much more flexible. But even with IBANs and SEPAs, fraud may still occur.

8
  • Thank you for this information! It sounds very unsafe as people can obtain my routing number and account number relatively easily. I am surprised it is the way it works today. Commented yesterday
  • 2
    The safety for the customer comes in your ability to say "that transaction was a forgery" and be repaid. The safety for the bank comes in the ability to drag back the money, leaving the other bank to try to drag it back in turn, and from their ability to take action if they think you are abusing the system to cancel legitimate transactions. Very similar, in fact, to how chargebacks work with credit cards. It isn't a perfect solution, but it works well enough for banks to offer the service. Engineering, not science; recognize the failure modes and design to be able to operate despite them. Commented yesterday
  • 1
    @Zuriel people can also rob banks. But laws are in place to protect customers from fraud and criminals. You have recourse, and in this case - fairly straightforward. Commented yesterday
  • @keshlam, yes, I did not lose money; all it costs me are inconveniences (calling the customer service, closing and opening a bank account, updating my bank information to other people, etc.) It seems to be reasonable to request my approval (such as sending a text message to me) when such a withdrawal is requested. Commented yesterday
  • 1
    Some banks will let you set a threshold above which they will immediately inform you of a transaction; some will let you set a threshold above which they will want confirmation. Shop around, if this is important to you. (I have the former at my credit union; I have not investigated the latter.) Commented yesterday
2

The way companies do this (at least in the UK) is by having a "collection" account. This permits only deposits, and the balance is normally swept to a normal current account automatically. In the UK this is a standard option if you are "larger than an SME" (i.e. dealing with commercial banking).

The fraud is reasonably easy to perpetrate (often through setting up a direct debit) which requires very little information beyond account details. You'll get your money back (in the UK) eventually but the fraudster will often not be caught.

2
  • This sounds like a good option! I wish I could open a bank account that only allows deposits, as well as withdrawals by me only. Commented yesterday
  • A slightly tweaked alternative sometimes used in the US is "reverse positive pay." Here, all outgoing transactions are blocked until they are manually reviewed by the accountholder. Larger companies (who cut more checks) normally use traditional "Positive Pay" instead. This is the same as reverse positive pay, but the outgoing transactions are pre-authorized, possibly via the same system that is cutting the checks. This mostly eliminates the review process. Commented yesterday
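
The positive pay and reverse positive pay controls mentioned in the comment above can be modelled as a filter over the debits presented against an account. This is an added example, not part of the original thread or any bank's actual system; the `Debit` fields, the exact-match rule and the sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Debit:
    reference: str      # check number or payment reference (hypothetical field)
    payee: str          # party collecting the funds
    amount_cents: int

def positive_pay(presented, issued):
    """Pay only debits that match a pre-authorized item; hold the rest.

    issued maps reference -> (payee, amount_cents), as exported by the
    system that cut the payments. Returns (paid, exceptions).
    """
    open_items = dict(issued)             # copy, so the issue list is not mutated
    paid, exceptions = [], []
    for d in presented:
        if open_items.get(d.reference) == (d.payee, d.amount_cents):
            del open_items[d.reference]   # an issued item can pay only once
            paid.append(d)
        else:
            exceptions.append(d)          # unknown, altered or replayed
    return paid, exceptions

def reverse_positive_pay(presented, approve):
    """Hold every debit until the accountholder decides on it.

    approve is the manual review step, modelled as a callback.
    Returns (paid, returned).
    """
    paid, returned = [], []
    for d in presented:
        (paid if approve(d) else returned).append(d)
    return paid, returned

# Constructed sample data, not taken from the page.
ISSUED = {"1001": ("Acme Supplies", 125_000), "1002": ("City Utilities", 8_450)}
PRESENTED = [
    Debit("1001", "Acme Supplies", 125_000),         # matches the issue list
    Debit("1002", "City Utilities", 84_500),         # amount altered
    Debit("1001", "Acme Supplies", 125_000),         # same item presented twice
    Debit("ACH-77", "Unknown Originator", 350_000),  # never authorized
]

if __name__ == "__main__":
    paid, held = positive_pay(PRESENTED, ISSUED)
    print("paid:", [d.reference for d in paid])
    print("held for review:", [(d.reference, d.payee) for d in held])
```

A debit that carries only a valid routing and account number, like the last sample item, ends up in the exception queue under positive pay instead of posting automatically.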
