Fraudulent ACH Transfers

The following is an article reprinted with permission from the Summer 2010 edition of Viewpoint (WWR’s Governmental Collections newsletter):

By: W. Cory Phillips, Associate

Taking into consideration the costs of operation, a decrease in tax payments, the large number of foreclosures filed and pending, along with the amount of abandoned homes in neighborhoods, municipalities cannot afford having their bank or escrow accounts swindled by thieves preying on unsuspecting finance departments. Many municipalities, in an effort to more quickly realize revenues, have instituted an online payment system. With this increased efficiency, however, comes possible exposure to fictitious or fraudulent ACH transfers. 

A blog post from April 6, 2010* reports on a recent string of governmental bodies across America that have seen their coffers cleaned out by organized crime, who specialize in looting online bank accounts. Accordingly, it is important that notice is taken of this recent trend, and proper safeguards are established to protect against a potential financial disaster. 

Most financial institutions and finance departments are aware of the standard check schemes that take advantage of the Funds Availability rules**. Under the Funds Availability rules, depository banks are required to make a portion of the funds. Here, checks are drawn on accounts in an amount unsupported by the necessary funds. The Funds Availability rules require depository banks to make certain amounts available to the payee before the funds have actually been verified and cleared. As a result, by the time the dishonor of the check has been discovered, it is often too late to reverse payments in order to minimize or eliminate liability for the losses.

Recently, organized thieves have become more technical, tapping into online accounts held by municipalities in order to make ACH transfers from such accounts. For example, online crooks have recently managed to steal $100,000 from a New Jersey township, $130,000 from a public water utility in Arkansas, $378,000 from a New York town, $160,000 from a Florida public library, $500,000 from a New York middle school district, and $415,000 from a Kentucky county***.

Another recent example of how online crooks have taken advantage of municipalities took place in the Village of Summit, a town outside of Chicago. A town administrator logged into the town’s online account and submitted the necessary credentials to gain access. Upon providing the credentials, the administrator was redirected to a page telling her that the bank’s site was experiencing technical difficulties. This redirection, however, was a scam, allowing the thieves to create an interactive session with the town’s bank account.  The following day, the Village of Summit was notified by their bank that someone had completed several ACH transfers from the account. As of last month, the town has been unsuccessful in retrieving the funds transferred from their account****.

ACH transfers are automated with a vast majority of them processed without personal review. Accordingly, municipalities need to establish safeguards or security procedures to prevent such thievery. Ohio Revised Code (“O.R.C.”) actually provides greater protection to those who establish and use security procedures with their banks in the transmission of funds*****. The O.R.C. defines “security procedure” as a “procedure established by agreement of a customer and a receiving bank for the purpose of verifying that a payment order or communication amending or cancelling a payment order is that of the [municipality], or detecting error in the transmission or the content of the payment order or communication******.” A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices********. 

By creating and properly using security procedures, the municipality would not bear the loss created by an electronic payment order purporting to be that of the municipality or its authorized agents if the payment order was fraudulently transmitted by a person who did not have authority to act for the municipality. Instead, the receiving bank would be responsible for the loss********. This protection is based upon the assumption that losses due to fraudulent payment orders can be best avoided by the use of commercially reasonable security procedures*********. 

Accordingly, municipalities who use ACH transfer systems need to establish a security procedure with their bank. The security procedures should use various levels of security such as passwords, codes, identifying words, and encryption; however, based upon the fraudulent activity reported above, callback procedures are likely to be the most effective. Because municipalities do not typically have a high volume of outgoing electronic transfers in a single day, it would be reasonable to incorporate a callback system into the security procedure. 

The law provides bank customers with protections and limited liability for fraudulent transactions if, and only if, reasonable security procedures are in place. Accordingly, check with your bank to either verify or establish a security procedure that incorporates passwords, codes, identifying words, encryption, and most importantly, callback procedures. As always, WWR is readily available to answer any question you may have regarding this topic or others.    
W. Cory Phillips is an Associate in Consumer Collections; Consumer Collections (General), Governmental Collections and Healthcare Groups. He is based in the Cleveland office and can be reached at (216) 685-1157 or
** 12 USC § 4002.
***** ORC 1304.58.
****** ORC 1304.56.
******* Id.
******** Official Comment no. 2 of ORC 1304.58.
********* Official Comment no. 3 of ORC 1304.58.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s