One fear that people have with internet banking is having their money stolen by electronic means. Bank-to-bank transfers via ACH make it easy for consumers to transfer money, but unfortunately, it can also allow tech savvy criminals to steal your money. Here are two possible ways that money can be stolen via ACH transfers:
- An ACH debit originates from your bank. This could happen if someone has your password, logs into your account, sets up an external link, and transfers out money.
- An ACH debit that originates from another bank. If someone has your bank's routing number and your account number, they could pull funds from your account.
As you can see, the second way can be easier for the criminal. If you dispute an unauthorized ACH transfer (for #2 above) within 60 days, the bank will likely refund the lost money since it's not liable for the money. After 60 days, it can get more complicated.
An example of what can happen if you wait too long was provided by FW member leony in this FW thread. He described how his father-in-law had a fraudulent debit of over $1,900 from his FNBO Direct online savings account. Since it was discovered many months after the incident, FNBO Direct is claiming that it's too late for them to do anything:
My father-in-law has an FNBOdirect online savings account. Because he never received any paper statements, he just never bothered to look at his account. Today he discovered that in October of last year, there were 2 unauthorized transfer of $1900+ each to some unknown bank account in BoA! He called FNBO and they told him it's too late to do anything.
The FW member lastgaspjr has a useful description of the regulations involved, NACHA and the Federal Reserve Regulation E, and he describes how Regulation E can help in this case. Here's an excerpt:
Federal Reserve Regulation E makes a consumer's bank liable for unauthorized electronic transfers from a consumer's account. There is no time limit for filing a claim of unauthorized electronic transfer under Regulation E if the transaction does not involve an "access device" (such as a debit card).
Even though the customer may have Regulation E on his side, the bank is likely not to make it easy for him to get back his stolen money since the bank can't pass on the cost to the other bank where the fraudulent ACH originated.
This reminds me of an incident that I had with my credit union. I had a mysterious ACH debit of around $100 from my reward checking account. I had an account alert that sent me an email when my balance went below a threshold. So I was immediately able to report the problem. This turned out to be the credit union's mistake, and they quickly refunded the money after I reported it. Setting up account alerts when your balance falls below a certain threshold is good way to monitor your accounts.
This issue of bank's liability for ACH transfers is one reason why some banks have many limitations on their ACH transfers. I reviewed these details in this post on restrictive ACH policies.
I haven't had time to read through Regulation E to confirm all the details mentioned in the FW thread. Please leave a comment if you can provide insights into this regulation.