October 5, 2019
By John F. Connolly
This article was published in the Cherokee Tribune & Ledger News on October 5, 2019: Tribune Ledger News – FROM THE BENCH & BAR.
Recently, a long-time client of mine called me and explained that he had a dispute with his bank. His business account had been hacked, and unknown to him, a $10,000 wire transfer had been made on his account from a bank in the Midwest.
He had been on vacation when the unauthorized withdrawal occurred, but he notified the bank when he returned about 10 days later. To my client’s shock, the bank told him that it would not reverse the charges, and that the owner of a business bank account must report a fraudulent transfer within 24 hours of a fraudulent event.
The client could not believe that he was not protected. He thought he had up to 60 days to detect and report fraud, and he had done so well within this time frame. However, as he learned, most of the regulations safeguarding bank accounts that he referenced apply only to consumers, and business accounts are governed by different rules and restrictions.
Personal accounts are governed under Federal Reserve Regulation E. These regulations provide consumers with coverage and reimbursement for lost funds due to fraudulent activity, so long as they are reported in a timely manner.
Commercial accounts, however, are not covered by this regulation. Rather, they are governed under the Uniform Commercial Code (UCC), which provides far less protection. The UCC places more pressure on businesses to take proactive measures to prevent fraud. For example, business account holders have much shorter timelines for reporting fraud, often as short as the next business day, after which the business suffers the full loss. Consequently, as my client unfortunately learned, thieves can siphon off large sums before a company realizes that it is a victim of fraud, and the money can be lost if the crime is not swiftly reported.
In an age when identity theft is rampant; it is important for businesses to protect themselves. Fraudsters only need two pieces of information to pull off Automated Clearing House (ACH) fraud: a checking account number and a bank routing number. In its simplest form, a thief uses the bank account and routing numbers to initiate transfers of money for his benefit. This means that anyone who has a check from your business has all the information needed to steal money from your account via a fraudulent ACH transfer. According to the Federal Trade Commission, in 2018, wire transfers like the one that happened to my client were the most frequently reported payment method of fraud, with an aggregate loss of $423 million.
Given this, entrepreneurs cannot rely on banking regulations to protect themselves from fraudulent activity. Rather, they must be proactive and take steps to protect their businesses.
Here are some common ways for businesses to protect themselves from bank fraud.
First, a business should reconcile its accounts every day. Many small business owners spend so much time with client contact, supervision of employees, and simply getting the job done that they find it difficult to look over their finances on such a regular basis. Nonetheless, daily monitoring of accounts cannot be stressed enough. Timely reporting of fraud to a bank will help reduce or even eliminate a business’s liability for any fraud losses.
Second, a business owner must implement security measures for its computer systems. Secure computers with the use of anti-virus or anti-spyware software. Educate employees about the potential damage that ACH fraud can inflict. Make sure staff knows how such fraud can be prevented, from low-tech tools like shredding financial data to internet and email safe practices designed to avoid malware and phishing attempts.
Third, a business should contact its banks and put restrictions on the types of withdrawals that can be made on its accounts. For example, some banks have systems that limit ACH transactions to pre-authorized parties, offer user reviews of all requests before money is transferred, or give a proxy account number for ACH transactions. Some banks also have a system called Positive Pay, which allows a commercial account holder to notify the bank of all debits for the company. Any incoming debits not on the approved list must be approved before clearing the account. Account holders can even block all account transactions in their entirety.
Fourth, a business should review its general liability policy and consider adding coverage for loss due to bank fraud.
There are other ways to protect your business, and a first step to prevent fraud is to talk to your bank and see what services it offers. Be aware of the bank’s policies for reporting fraud. See what systems they have and would work best for your business. Look into other banks and compare services. Consider switching to online banking and monitor accounts daily. Finally, report any suspicious or unauthorized activity in a timely manner.
Unfortunately, ACH fraud can happen to anyone and, when it happens, can cause great losses for a business. To avoid such losses, a business owner must be diligent and take steps to protect the business before ACH fraud happens.
John Connolly is a partner at Flint, Connolly & Walker, LLP and assists individuals and companies in business, real estate, and complex litigation. He graduated from Georgia State University School of Law and has practiced in metro Atlanta for his entire career.