The crimes were so surprising, if only in their circumstance, that they captured national attention: Up to 4,000 members of New York's Municipal Credit Union took advantage of its post-9/11 technological distress to overdraw their accounts with automated teller machine and debit cards.
Though some did so inadvertently and paid the credit union back when asked to, 101 of the most egregious offenders - those who looted more than $7,500 from the bank - had been arrested or were being sought by the Manhattan District Attorney, who announced the thefts last week.
What went wrong and who is liable for the roughly $15 million taken in all is already a hot topic, and could become more so if the same thing happened to other institutions. With the debit and ATM industry debating who is to blame in other types of fraud, such as skimming, the industry may also feel compelled to adjust the way it handles emergencies of this type in accordance with the lessons learned here.
NYCE Corp., which processes ATM transactions for Municipal Credit Union, says that its network functioned perfectly during and after the terrorist attacks, and that none of the illegal withdrawals represented mistakes on its part. Municipal Credit Union does not blame NYCE, which, under a standing agreement, was authorized to let customers withdraw $200 a day.
Ten days after the attacks, the credit union raised the limit to $500 a day, saying that its members were under hardship and would need cash to pay rent and grocery bills.
Yet the person who allegedly stole the most, a city-employed nurse, is said to have taken out at least $500 twice a day for six days straight to rack up a negative balance of minus-$18,111.01.
And more than 540 customers withdrew at least $5,000 more than they had on account in the weeks after Sept. 11. More than 1,700 overdrew their accounts by at least $3,000, and more than 4,000 overdrew their accounts by at least $1,000.
There are several possible answers to the question of how people were able to get so much cash, apparently more than their daily limits. Customers may have used more than one card to make withdrawals and debit purchases - because there were different numbers on the two cards, NYCE would not have noticed the double-dipping.
Customers may have figured out their daily withdrawal limits and timed the transactions to get as much as they could.
Or the "business day" for the network may have ended in the middle of the afternoon, which would permit someone to take out $500 in the morning and again later in the day, when it would count as a new day to the network. But that would still not explain how someone took out $1,000 a day for six consecutive days.
Susan Zawodniak, a vice president at NYCE Corp., which is majority-owned by First Data Corp., said that Ms. Hutchinson-Jones and other people who may have withdrawn more than the daily limit might have had multiple ATM cards tied to the same account. Since the cards would have different numbers, NYCE would permit each card to get the $500-per-day limit.
The credit union blamed the crimes on the disabling of its customer database. This prevented NYCE from contacting the bank so it could check people's balances before authorizing the transaction. It also prevented customers from seeing their actual balances - the balance number on the ATM screen remained frozen where it had been before the database got knocked out.
NYCE did not know directly if there was enough money in any given account, but it kept records of each transaction, which it sent to Municipal Credit Union through the automated clearing house nightly, Ms. Zawodniak said.
But since Municipal Credit Union could not check its database to see if the accounts were covered, it could not tell NYCE to shut people off. Members "could only take out a certain amount of money," said Thomas Siciliano, the general counsel for Municipal Credit Union, which has assets of more than $1 billion. "Nobody got $10,000 in a day. They may have come back 20 days in a row, or maybe more."
Ms. Zawodniak said she doubted that NYCE's system did not work properly. The policy at NYCE, as at all EFT networks, is that financial institutions use their risk management guidelines to construct a set of parameters that the network must follow in case of a disaster. Whenever something disrupts communication between the network and the institution's database, the network defaults to "stand-in" mode, following the set parameters.
"I've never heard of a stand-in limit not working as designed," Ms. Zawodniak said, adding that she would have to look into the specific card or cards used to know precisely what took place. NYCE conducted 100% stand-in for Municipal Credit Union until Sept. 19, dropping to about 50% until November, when MCU's data center was up and running.
Ms. Zawodniak said that NYCE was not aware of the thefts until the arrests were made. The numerous withdrawals by Municipal Credit Union members did not tip the network off because NYCE does not track the number of transactions per card, known in the industry as the "velocity." NYCE simply authorized a transaction if the PIN was correct, the card was not in a "negative file" (which would indicate that it had been used fraudulently), and the daily limit had not been reached.
"We were doing what we were contracted to do," Ms. Zawodniak said. "It's only the bank or credit union that holds the actual account that can see that the individual doesn't have the money in the account. We can't see how much the individual has in the account."
Municipal Credit Union, whose headquarters is across the street from what was the World Trade Center, caters primarily to firefighters, police officers, hospital workers, housing authority employees, board of education employees, and their families.
Ms. Zawodniak said that stand-in can sometimes take place in ordinary situations with a single cardholder when a transaction takes too long. "Each switch has a clock," she said. "I need to get a response in so many seconds. If that clock goes out, either the network stands in, or sends the transaction back to the acquirer to say try it again. Stand-in works without the cardholder even knowing about it."
Stan Paur, the president and chief executive officer of the Pulse EFT Association, a Houston-based rival to NYCE, said that his network's standard stand-in withdrawal limit is $125 a day. He said that the millions in losses seemed to occur because Municipal Credit Union bumped up the limit to $500 - which was understandable and humane under the circumstances. He added that Pulse also raises the daily limit on stand-in when a financial institution requests it.
