
How can I setup a bank account in the US that can receive ACH credits but block all ACH debits?

I have a bank account for my business that has an ACH routing and account number, so that my customers can pay me over ACH transfers. Unfortunately, unlike cryptocurrencies like bitcoin, the security model of ACH is fundamentally flawed and backwards in that it's a pull-based transfer, not push-based. That means, unless you set up safeguards with your bank otherwise, anyone with your bank's routing number and your account number has all the technical credentials required to withdraw money from your account.

What I want is a push-only (bitcoin-like) US bank account. One where nobody but me has the credentials to withdraw money from the account. One where the only way for money to leave the bank account is by me pushing it out. And I don't want this protection to be provided by "policy" or "legal" means. I want a technical solution that locks the funds with a private key that I never share with anyone.

inb4: Oh but ACH is secure

The FTC reports that consumers reported losing more than $5.8 billion to fraud in 2021. Millions of that was ACH fraud.

Of course the US federal government mandates that consumers have the legal right to fight the charges and get them rolled back, but only if you report them within 60 days. So if someone maliciously uses your payment information to steal money from your account and you don't notice it for a few months, good luck.

Those legal protections don't help for idle accounts that you just want to leave in cold storage for a few years--where you only check on their balance and accrued interest once every 12-36 months.

I'd rather just eliminate the risk by blocking all Direct Debits.

The US government gives consumers of financial products some legal rights. I have a few questions:

  1. Does the US give bank customers the right to issue a formal ACH instruction: Block Account to all Direct Debit Payments that forces the bank to block all direct debits?
  2. If not, which banks allow me to set up a bank account with "ACH credit-only" account details?
  3. And, better, is there any bank that will allow me to mint a new "ACH credit-only" account number for every transaction, like how bitcoin public keys work?
littleadv
Michael Altfield
  • See also https://money.stackexchange.com/questions/15218/is-it-safe-to-give-out-ones-bank-account-number – Michael Altfield Nov 05 '22 at 18:24
  • "So if someone maliciously uses your payment information to steal money from your account and you don't notice it for a few months, good luck." How is that even possible? Are there people who are so uninterested in money that they don't look at it for months? – glglgl Nov 29 '22 at 12:26
  • @glglgl I know we're on the "money" SE, but of course there's people who are uninterested in money lol. But there's also people with US bank accounts that don't live in the US and of course they don't check it for months. Like US Americans who live/work overseas and leave their old accounts open for obvious reasons, but only check their balances once or every few years. Or people from other countries that worked in the US for some time but no longer do. I'd argue that banks should be designed to be secure, so you can trust them not to lose your money. Unfortunately, they're not :( – Michael Altfield Nov 29 '22 at 18:26

2 Answers


TL;DR:

No, you can't easily get what you want in the US (but you can in most of the rest of the world).

Background/Rant

I have written on multiple occasions on this site about the archaic and frail US banking system (example). You're describing the consequences.

Almost everywhere else in the world, your question wouldn't even make sense. Someone withdrawing money from my account? How? Why? In the US, however, that's exactly how it works. All the inter-account bank transfers are handled either through FedWire or through ACH. FedWire is for wire transfers and works using the "push" model you want. You cannot pull wire transfers. ACH, on the other hand, is for everything else and is much cheaper to use. It works both ways - you can push money using ACH and you can pull it as well.

The reason ACH works the way it works is because it was initially designed to handle check clearing. You write someone a check, they deposit it and their bank pulls the money through ACH. Nowadays you don't have to give an actual paper check for that to work, you can just give your account details (account number and routing number) that are usually printed on every check - and the person can pull funds as if they had a check in their hands.

Answers

Back to your specific question - can you block the "pull" ACH mode? Let's cover some options:

Does the US give bank customers the right to issue a formal ACH instruction: Block Account to all Direct Debit Payments that forces the bank to block all direct debits?

It would probably depend on a bank, but I'm not familiar with any bank that would advertise any such feature.

If not, which banks allow me to set up a bank account with "ACH credit-only" account details?

Similarly, not familiar with any bank explicitly advertising such a feature.

And, better, is there any bank that will allow me to mint a new "ACH credit-only" account number for every transaction, like how bitcoin public keys work?

Highly unlikely. While technically possible, I don't see why any bank would agree to thrash their account databases in such a way.


Alternatives

Negotiate with the bank. While they may not be advertising features to the general public, they may be able to enable/disable certain specific features for specific clients on an individual basis. If you're a large volume business account that provides revenue to the bank in fees, balances and loans - they may be more willing to tailor the account specifically to your needs.

Dedicated accounts can help - use one specific account that you give out to others and leave only enough money to satisfy any potential obligations on it. Any extra money that arrives from your payers would be immediately transferred to your main account. Thus risk is limited to the minor ($0?) balance of the dedicated account.

littleadv
  • "Thus risk is limited to the minor ($0?) balance of the dedicated account." Is that true? An ACH pull against an empty account wouldn't just be considered an overdraft? – glibdud Nov 05 '22 at 19:04
  • @glibdud you can instruct your bank to not allow overdrafts. In fact, AFAIK overdraft rules were recently changed so that you must opt-in for banks to allow overdrafts. – littleadv Nov 05 '22 at 19:11
  • littleadv: overdraft opt-in was in 2010 but ONLY prohibits fees for ATM and debit-card overdrafts; it does not outright block overdrafts the FI is willing to finance at zero, and does NOT apply at all to checks (when they still existed) and ACH; see https://www.consumerfinance.gov/rules-policy/regulations/1005/17/ – dave_thompson_085 Nov 06 '22 at 03:29
  • Here's an example of a bank explicitly advertising declining charges for lack of funds as an account feature: https://personal.chase.com/personal/secure-banking – littleadv Nov 06 '22 at 03:55
  • @dave_thompson_085 Actually what I meant ended up not passing Congress... See here: https://www.congress.gov/bill/117th-congress/senate-bill/2677/text – littleadv Nov 06 '22 at 03:58
  • "Almost everywhere else in the world, your question wouldn't even make sense. Someone withdrawing money from my account? How?" Unfortunately, the same problem exists outside the US. SEPA also supports pull-based direct debits, and you only need the IBAN and account number to take money from someone else's account. Further restrictions vary country-to-country. One example: https://www.telegraph.co.uk/news/uknews/1574781/Jeremy-Clarkson-eats-his-words-over-ID-theft.html – Michael Altfield Nov 06 '22 at 19:12
  • I found it just as difficult to find a bank that will support blocking all SEPA direct debits in the EU as it is to find a bank that will block all ACH direct debits in the US. See also https://money.stackexchange.com/questions/150264/sepa-direct-debit-blocking-in-eu-iban-security – Michael Altfield Nov 06 '22 at 19:12
  • The biggest practical difference between the US system and the EU system is that the EU gives you 90 days to report the theft before they tell you to "get fucked". The US only gives you 60 days. – Michael Altfield Nov 06 '22 at 19:15
  • @MichaelAltfield that's an article from 15 years ago behind a paywall, so can't comment on that, but my personal experience with banks working under EU regulations is that it is nearly impossible to perform an unauthorized pull, compared to the ease with which someone was able to pull hundreds of dollars from my checking account in the US at a random store. – littleadv Nov 06 '22 at 19:41
  • @MichaelAltfield it also appears that others commented on your EU-related question similarly, denying your premise. As I said, the regulations in the EU are much stricter, and what you're looking for is easily achievable in the EU while being nearly impossible in the US. – littleadv Nov 06 '22 at 19:45
  • @littleadv even N26 said they wouldn't be able to block all direct debits. Most EU banks will block a single recipient, but if you want to set up a "block all" or "block everyone except those on this allowlist", most EU banks won't do it (from my experience). If you know how to force an EU bank to block all SEPA direct debits, then please answer the linked question. – Michael Altfield Nov 06 '22 at 20:14
  • @MichaelAltfield I don't know how to "block" because in the country where I used the banking system it was not a thing. A random person couldn't pull anything from your account, only pre-approved entities that were whitelisted at my bank ahead of time were able to do that. I recognize that regulations differ from country to country and maybe in other places experiences differ, but that was my experience. – littleadv Nov 06 '22 at 20:16
  • @MichaelAltfield And just a side note - you may want to educate yourself about the EU - it is not an equivalent to "the US". The EU is not a country and legal framework between different countries in the union, and countries outside of it that adopt its standards, may be vastly different. While in the US the banking system is Federally regulated and is using the same legal framework everywhere in the US, in the EU (and the rest of the world) that is not the case. You brought the example of the UK (which isn't even in the EU now), but that's just one country. – littleadv Nov 06 '22 at 20:20
  • Even in Germany (where regulations are extremely strict), you can do a direct debit from anyone's bank account with just an IBAN and account number, and a document that authorizes them to do so. So in probably the most difficult country in the EU to do this, all you need is to forge a non-cryptographic signature. That's not hard. – Michael Altfield Nov 06 '22 at 20:21
  • @MichaelAltfield and a document that authorizes them to do so - yeah, that little pesky thing. – littleadv Nov 06 '22 at 20:21
  • @MichaelAltfield The main difference is that in the United States, there is no guarantee that the bank will rule in your favor when disputing fraudulent ACH transactions. In the EU, customers automatically win SEPA direct debit disputes provided they initiate the dispute within eight weeks. – John Militer Nov 28 '22 at 11:14
  • @MichaelAltfield Even worse: No one will ask for that document, except for the case of disputes. – glglgl Nov 30 '22 at 16:10
  • Coming from Australia, I find it weird that US banks didn't have a simple EFT system between bank accounts. But still businesses can push money to each other with wire. But so many personal accounts don't support it, or charge for wiring money to another bank account. Whereas it's pretty much been free all the time in Australia. – CMCDragonkai Nov 06 '23 at 02:04

Business accounts

Positive Pay

Several banks offer a service called "Positive Pay" for business accounts, which basically offers the ability to create a list of checks you have issued and a list of merchants who are permitted to make ACH debits against the account.

Anytime someone attempts to cash a check against the account or make an ACH debit against the account, and the check or ACH debit is not on the list of authorized transactions, this will be considered an "exception item."

Whenever there is an exception item you will have the opportunity to review the transaction and either approve or return it. If you do not review the transaction by the deadline, most banks will automatically return the transaction.

A few things to keep in mind:

  • Some banks advertise that they offer "Positive Pay" but they actually only offer Check Positive Pay and not ACH Positive Pay. When looking for banks offering Positive Pay, ensure that they also offer ACH Positive Pay

  • Some banks will refer to ACH Positive Pay as "ACH Debit Filters"

  • Some banks will pay exception items by default instead of returning them if no decision is made. I would suggest using a bank that returns items by default.

  • For most banks, this service is offered as part of their "treasury management" or "cash management" services

ACH Debit Block

This is not as common as Positive Pay, but several banks do offer a service called "ACH Debit Block" which blanketly blocks all ACH debits.

Like Positive Pay, this is typically only offered on commercial accounts.

Note that simply using this will not block checks from cashing. You'll need to either place a "Check Block" (if offered) or enroll in Check Positive Pay to block checks from cashing.


Personal accounts

Account restrictions

Some banks offer consumers the ability to place a restriction on their accounts which blocks all withdrawals but still allows deposits. Some banks offer a similar option but the restriction blocks deposits as well.

At my primary bank, I keep one of my accounts with such a restriction in place and use this account to receive direct deposits. Because of the restriction, the direct deposits (ACH credits) go through but any ACH debits would be blocked.

Once I receive the direct deposit, I call the bank to temporarily lift the restriction, make an internal transfer to my other accounts, and then ask them to reinstate the restriction.

I also keep such a restriction in place with my "long term savings" account so that any attempt to withdraw money would fail until I call the bank to remove the restriction.

Some things to keep in mind:

  • Most banks do not offer this, but there are a sizable number of banks which do

  • Make sure that you keep the account active, as inactive accounts can sometimes be automatically closed, and in some cases, they can be turned over to the state

  • Some banks will allow you to keep this restriction for as long as you want with no caveats (as long as the account remains active). However, other banks might automatically close the account if the restriction remains in place long enough

  • Of the banks that offer this, most banks allow you to place or lift the restriction without delay by calling the bank. However, a few of the banks that offer this are not able to place or lift the restriction immediately and you may need to wait a few days for it to take effect

CD accounts

Most CD accounts are not able to accept ACH debits (or credits). Therefore, I would consider a CD account to be much more secure than a regular savings account.

Some banks offer "No Penalty CDs" which allow you to withdraw from the CD at any time without penalty.

Having multiple non-overdraftable accounts at the same bank

I would suggest having at least two accounts: one to make transactions, and one to hold money. When I am not expecting an ACH debit to come through, I keep the transactional account empty. I virtually never share the account number for the account which holds the money.

Personally, I go beyond two accounts and have distinct accounts for different roles: one for credit card payments, one for external transfers, one for pushing money, one for debit card use, etc.

Therefore, if one of the account numbers is compromised, the worst case scenario is that only one of the accounts is drained and I keep most of my money.

However, it is important to note that this only works if the bank doesn't allow the accounts to be overdrafted. If the accounts do allow overdrafts, one of these accounts can go in the negative, which defeats the purpose of doing this.


ACH fraud is a valid concern. Contrary to popular belief, you do NOT need to be a reputable business to initiate an ACH debit.

Most major Banks even offer a service called "ACH Debit Origination" (the ability to post ACH debits) as part of their treasury management solutions, which they will provide to almost any business willing to pay the fees needed to utilize this service.

It is my belief that the entire concept of "ACH debits" is extremely dumb. It makes zero sense to allow anyone with the account number to withdraw money, and then say "dOn'T wOrRy aBoUt fRaUd, yOu cAn DiSpUtE iT" (not to mention that there is no guarantee that they will rule in your favor, even if the transaction was actual fraud).

That's like saying "don't bother keeping a fire extinguisher in your house, home insurance will buy you a new house if yours burns down."

In any case, I have done significant research on the topic and these are the only solutions that I have been able to find.

John Militer
  • "Of the banks that offer this, most banks allow you to place lift the restriction without delay by calling the bank." Ugh, what good is a security measure if an attacker can simply call the bank, and socially engineer the customer support representative to bypass the block (of course "proving" they're you by supplying them with "private" information about you that's trivial to buy online). Point is: only requests that are cryptographically signed by your private keys should be sufficient to change the account's security settings. – Michael Altfield Nov 28 '22 at 13:52
  • Fantastic answer, especially the tip to use no-penalty CDs. But all this begs the question: where can I find a list of banks that offer ACH Check Block and ACH Debit Block for personal accounts? – Michael Altfield Nov 28 '22 at 13:59
  • @MichaelAltfield sadly, I have searched extensively and was unable to find even a single bank in the US that offers this for personal accounts. I would suggest either using a business account or finding a bank that offers account restrictions that also offers verbal passwords to prevent callers from pretending to be you. Some banks will require a photo ID and an in-branch visit to reset a verbal password, and this is the best security you're going to get from a bank. This is the beautiful thing about crypto: if they don't have the keys, they CANNOT steal the crypto. – John Militer Nov 28 '22 at 15:22
  • @MichaelAltfield I should also note that CDs typically won't accept ACH credits either, so they should be seen as a way of "holding money" and not as a way of "collecting money." – John Militer Nov 28 '22 at 15:26
  • Verbal passwords are not passwords. Passwords don't get stored in cleartext, and there's a very high chance that US banks are storing your "verbal password" on their system in plaintext. Also, this concept is vulnerable to replay attack. Once you use it once over the phone, it's definitely no longer secure. The name "verbal password" itself is misleading. They should just be called "insecure, emergency, one-time-use, backdoor phrase". Personally, I'd rather not have any backdoors into my bank account. – Michael Altfield Nov 28 '22 at 15:32
  • @MichaelAltfield I agree, but having a verbal password is definitely more secure than not having one. The bank that I personally use supports account restrictions, and in order to lift the account restriction, I not only need to say the verbal password but also receive a text to my phone number on file and read the code back to the representative. I wish banks in the US supported 2fa apps, I don't know of any that do. I do know of one bank which requires in-branch visits with ID to remove or lift the freeze. – John Militer Nov 28 '22 at 15:38
  • Actually, there's a lot of US banks that support 2FA over TOTP (and you can disable insecure 2FA over SMS, which is often just another backdoor). See https://2fa.directory – Michael Altfield Nov 28 '22 at 15:39
  • @MichaelAltfield I checked the list, and it appears that this list primarily looks at which ones support it for their online accounts, and not necessarily for phone security which is what I had in mind. I think it is worth it to investigate for each listed bank (before choosing a bank) whether or not the 2fa is actually enforced when calling in as opposed to only being enforced for online logins. For example, an attacker might call the bank pretending to be you and say "I lost access to my 2fa app" and the representative might respond by "verifying" you and removing the 2fa requirement. – John Militer Nov 28 '22 at 15:53
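A toy model of the controls the second answer describes, added here as an illustration (it is not code from the answerer or from any bank): an ordinary "open" account, a blanket ACH Debit Block, and ACH Positive Pay with an originator allowlist and exception items, with the overdraft and pay-by-default caveats wired in. The originator IDs, balances, per-entry caps and the 24-hour review deadline are constructed assumptions, not any bank's real parameters.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    OPEN = "open"                  # ordinary US account: any debit carrying the routing + account number is honoured
    DEBIT_BLOCK = "debit_block"    # blanket "ACH Debit Block": every ACH debit is returned
    POSITIVE_PAY = "positive_pay"  # "ACH Positive Pay" / "ACH Debit Filter": only allowlisted originators are paid

@dataclass
class Account:
    mode: Mode
    balance: float
    allow_overdraft: bool = False            # the answer's caveat: overdrafts defeat the empty-account trick
    pay_exceptions_by_default: bool = False  # weak setting: exception items nobody reviews get paid
    allowlist: dict = field(default_factory=dict)  # originator id -> per-entry cap (constructed values)

@dataclass
class DebitEntry:
    originator_id: str   # constructed label, not a real ACH company ID
    amount: float

def settle(acct: Account, entry: DebitEntry) -> str:
    """Pay the entry if the balance (or an overdraft facility) covers it, else return it unpaid."""
    if entry.amount > acct.balance and not acct.allow_overdraft:
        return "RETURN"
    acct.balance -= entry.amount
    return "PAY"

def screen_debit(acct: Account, entry: DebitEntry) -> str:
    """First-pass decision on an incoming ACH debit: PAY, RETURN or EXCEPTION."""
    if acct.mode is Mode.DEBIT_BLOCK:
        return "RETURN"
    if acct.mode is Mode.POSITIVE_PAY:
        cap = acct.allowlist.get(entry.originator_id)
        if cap is None or entry.amount > cap:
            return "EXCEPTION"  # unknown originator or over its cap: held for the customer's decision
    return settle(acct, entry)

def resolve_exception(acct: Account, entry: DebitEntry, decision, hours_elapsed: float, deadline_hours: float = 24) -> str:
    """Apply the customer's PAY/RETURN decision, or the bank's default if none arrived before the deadline."""
    if decision is None or hours_elapsed > deadline_hours:
        decision = "PAY" if acct.pay_exceptions_by_default else "RETURN"
    return settle(acct, entry) if decision == "PAY" else "RETURN"

def demo() -> dict:
    stranger = DebitEntry("ORIG-UNKNOWN", 250.0)  # constructed: a party that only knows the account number
    open_no_od = Account(Mode.OPEN, balance=0.0)
    open_od = Account(Mode.OPEN, balance=0.0, allow_overdraft=True)
    blocked = Account(Mode.DEBIT_BLOCK, balance=5000.0)
    pospay = Account(Mode.POSITIVE_PAY, balance=5000.0, allowlist={"ORIG-PAYROLL": 1000.0})
    weak = Account(Mode.POSITIVE_PAY, balance=5000.0, pay_exceptions_by_default=True)
    r = {
        "open_empty": screen_debit(open_no_od, stranger),
        "open_empty_overdraft": screen_debit(open_od, stranger),
        "debit_block": screen_debit(blocked, stranger),
        "pospay_listed": screen_debit(pospay, DebitEntry("ORIG-PAYROLL", 400.0)),
        "pospay_stranger": screen_debit(pospay, stranger),
    }
    # the exception sits unreviewed for 48h: return-by-default bank vs pay-by-default bank
    r["pospay_unreviewed"] = resolve_exception(pospay, stranger, None, hours_elapsed=48)
    r["weak_unreviewed"] = resolve_exception(weak, stranger, None, hours_elapsed=48)
    r["overdraft_balance"] = open_od.balance
    r["weak_balance"] = weak.balance
    return r
```

Running `demo()` shows the empty open account only protects you when overdrafts are off, and that Positive Pay with pay-by-default silently pays the stranger's pull once the review window lapses.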