Some bankers are worried that a key electronic payment system will become a prime target for con artists.
The system, called the automated clearing house, or ACH was developed in the 1970s as a computerized substitute for checks. It now delivers payments to nearly can households.
Originally For Small Payments
The ACH was designed primarily to handle recurring low-value transactions, like paychecks and insurance premium payments. But it can carry payments of up to $100 million.
Now volume is starting to take off, and disturbing reports of fraud and other foul-ups have emerged in the past year:
* First Interstate Bank of California nearly lost $70 million when it executed apparently fraudulent transaction instructions.
* Security Pacific National Bank in California and Wachovia Bank of North Carolina botched an ACH transaction, mistakenly giving $2.1 million to a now bankrupt firm undergoing a fraud investigation.
* NCNB National Bank in North Carolina deducted money from scores of consumer accounts at other banks on behalf of a telemarketer, only to learn later that many of the debits were not authorized by the consumers, according to sources. (A bank spokesman neither confirmed nor denied the report.)
ACH fraud is impossible to measure precisely. Banks are tight-lipped about security breaches of any kind, and the examples listed above came to light months after the occurrences.
Relatively Minor Problem
Experts believe such cases are still relatively rare. Known losses total only a few million dollars annually - a pittance compared with the billions of dollar surrendered each year to check kiters and the like.
But, increasingly, industry officials worry that ACH processing controls are inadequate, leaving banks vulnerable to fraud and mistakes. Safeguards need to be stepped up, they argue, before the system is deluged with the kinds of problems experienced by First Interstate, Wachovia, and other banks.
"We're lucky that there hasn't been a big history of losses,." said John R. Mohr. executive vice president of the New York Clearing House. which operates a regional ACH. "But criminals are getting smarter, and it's only a matter of time before someone takes a serious hit."
Sides Are Drawn
The fears have spurred calls for new controls. which in turn have embroiled the ACH industry in a bitter debate.
Some, like Mr. Mohr, favor more stringent procedures. But others say the potential risk is being exaggerated.
"The banking industry is by and large aware of the risks in originating ACH transactions," said Elliott McEntee, president and chief executive officer of the National Automated Clearing House Association, which sets rules for ACH networks nationwide. "And they've taken steps to control those risks."
An Alternative to Checks
The dispute centers on the security procedures built into the system. When first developed, the ACH was billed as a safe, cheap alternative to checks.
The network grew slowly at first, but last year it handled 1.7 billion payments. That's more than 30 times the volume of any other electronic payment system but still only a fraction of the estimated 57 billion annual check payments.
The dollar value transmitted over the ACH is still relatively small, totaling $6.9 trillion last year, compared with more than $192 trillion over the Fed Wire and $65 trillion by check.
Banks offer ACH payments at less than a tenth of the $10 to $20 charged for payments over Fed Wire and Chips, officials say. This pricing was essential to make ACH services competitive.
But it also ensured that ACH transactions were processed with relatively low-budget, batch-computing systems, while the Fed Wire and Chips, two large-dollar wire transfer networks, use more sophisticated, and expensive, on-line systems.
As a result, ACH transactions may take one or two days to clear through the Federal Reserve System, while Fed Wire transactions clear immediately and Chips transactions are settled at the end of the processing day.
Risky for Big Amounts
The slower clearing times are fine for low-dollar payments, Mr. Mohr said, but can create a big security risk for larger transactions.
Here's why: A customer might have adequate funds on deposit when a transaction is initiated, but withdraw them or go bankrupt before settlement occurs. That would leave the sending bank or receiving bank - or both - on the hook for a loss.
"You can run a kite on the ACH very easily," Francis X. Pokorny, senior vice president at First National Bank of Maryland, said in a speech this spring.
The perpetrators of the First Interstate transaction, for example, apparently tried to do just that by exploiting the delayed funds settlement. They successfully transferred $70 million before an overdraft was discovered and the the bogus payment was reversed.
$1 Million Cap Proposed
To limit banks' exposure, Mr. Mohr and other officials have pushed to cap ACH credit transactions at $1 million.
Mr. Mohr said that only a fraction of a percent of all ACH transactions are for more than $1 million, but they account for nearly two-thirds of the money tranferred.
The proposal was discussed earlier this year by the New York Clearing House's ACH committee, but was voted down by 7 to 5.
The New York Clearing House floated the idea again in June before a meeting of the National Automated Clearing House's board of directors.
Lack of Support
But James J. Hopes, president of Chase Manattan Corp.'s ACH unit, said the proposal got virtually no support at the board meeting.
The reasons: The cap could be easily circumvented by stringing multiple ACH payment orders together and would dampen demand for corporate transactions, particularly trade payments, which the network is seeking to attract.
"As far as I'm concerned it's dead," Mr. Hopes said.
But New York Clearing House officials said the cap proposal may be revived next year when the Federal Reserve proposes a series of new ACH rules.
Meanwhile, other changes are being pushed. By yearend the New York Clearing House is scheduled, for the first time, to let member banks limit their exposure to ACH credit transactions originated by private data processors or correspondent banks.
Many banks use private data firms to handle their ACH processing. But banks have no way to keep private data processors from sending out reams of unauthorized ACH transactions that banks are liable to cover.
Similarly, there are few controls on banks that initiate transactions through accounts at correspondent banks. The New York Clearing House rules will, for the first time, enable banks to ensure that limits are enforced by the computers that run the organization's ACH system.
Late this year or early next year, the Federal Reserve Board is also expected to propose new controls for third-party data processors.
Additionally, the Fed's staff may require banks to control credit granted to customers that originate ACH transactions. Compliance with the rule might be used to determine intraday overdraft limits.
The Fed is also expected to propose speeding up the settlement of transactions by up to two days, said Florence Young, a staff member. That would reduce exposure to fraud.
But the most important reforms will have to be made by banks themselves.
Jane Wallace, vice president and ACH specialist at Bank of America, said that over the past few years banks have made big strides in improving their internal ACH operational controls.
She said that during this period the Bank of America was so concerned about improving ACH security that it stopped new product development until better controls were established.
But Ms. Wallace cautioned that many banks' ACH controls are still not up to snuff. Persuading them to fix operational weaknesses could mean sounding an alarm about ACH security problems, a prospect that Ms. Wallace said makes her uncomfortable.
"The thing that's so scary is that you have to hit the message just right," she said. "You want to scare the institutions into acting, but you don't want to give ideas to people inclined to perpetrate fraud."