Questions about the relevance of 20-year-old payments regulations to Internet commerce were raised last week upon the discovery of unauthorized funds transfers at X.com, a new financial services company.
William F. Harris, chief executive officer of Palo Alto, Calif.-based X.com, confirmed Friday that his company's practice of letting customers transfer money to X.com accounts from other institutions resulted in security breaches involving "relatively small" amounts of money. The incident was first reported in The New York Times.
Customers of X.com, which was established in March 1999 and went on-line last month, needed only the account and routing numbers of accounts at other institutions to execute funds transfers, a selling point for a company whose home page proclaims: "Move your money where you want, when you want, for free."
X.com changed its policy last week and now requires customers wishing to transfer money from accounts at other institutions to send X.com a copy of a voided check from those accounts. X.com, which offers banking services through a Colorado bank that it has agreed to purchase, was processing the transactions through the automated clearing house network.
"This is really a policy issue," said Mr. Harris, who was the CEO of Intuit Inc. until September. "It has nothing to do with our software."
David Kvederis, chairman of the National Automated Clearing House Association's emerging authorizations technology work group, said he questions whether ACH rules, which evolved before the Internet, can work in electronic banking. "Those rules need to be redone to take into account that the virtual world is very different," he said.
In 1997, the Federal Reserve modified its rules to allow password-protected transmissions to serve as authorizations in lieu of written signatures. Even so, existing regulations provide effective protection for on-line transactions, Nacha executives said.
If the originating bank - in this case X.com - follows guidelines, there should be no problem, said Jane Larimer, senior counsel at Nacha.
"It's putting risk management into place," she said. "On the Internet you really have to know who you are doing business with."
Elliott C. McEntee, president and CEO of Nacha, said X.Com is not using the ACH system in a new way. Brokerage firms have been sweeping client funds in and out of banks for several years using ACH debits, he said. He cited Merrill Lynch as one of several firms that have developed sophisticated risk management procedures to prevent fraudulent debits.
The X.com problem "is what you get when a nonbank gets access to the payments system," Mr. McEntee said. Nonbanks do not have the regard for safety and soundness of the banking system that banks do, he said.
Christopher Musto, director of financial services at Gomez Advisors in Lincoln, Mass., said, "This is an example of the battle between the desire to deliver on the Internet's promise of immediacy and convenience, and a banking system that still relies on risk and uncertainty and archaic settlement practices." The issue is really one of fraud and risk management, he said.