The world of direct deposit has become the go-to payment method for businesses, governments, and people to move currency from bank account to bank account. These direct deposit transactions range from anything like personal bill pay, internet purchases, company payroll, stimulus checks, utilities, and even person to person transactions. The ACH direct deposit system is truly fascinating and complex, but I keep asking myself how can Blockchain technology fit into this puzzle? We will explore this a little bit later, but first I have a little story to tell you.
Recently a company that I work with was hacked and a fraudulent ACH direct deposit was processed that wiped out the company’s entire bank account. This was a complete shock for this small business owner, especially during the COVID-19 pandemic. As you could imagine calls were made to the originating bank, the bank that received the funds, the software company that managed the direct deposit, police departments, cybercrime units, and the FDIC. After countless hours of going through audible menus and being redirected to many different fraud and dispute departments, the business owner was able to gather all the facts about what happened, how it happened, and what the next steps in the process were to ever seeing those funds again.
What the business owner found was that this all started with an email address that had been compromised. The hacker gained access to an email address and used this to hack the direct deposit software. The hacker sent themselves a reset password link via the direct deposit software to the compromised email address where they were easily able to reset the password and gain entry. After gaining access to the direct deposit software the hacker then set up fake vendors to be paid via ACH Direct Deposit all with different account numbers. The hacker(s) first attempted making large transactions and after each was declined smaller transactions were attempted until the hackers reached an amount that was less than what was in the bank account. Let’s just say the final number that was stolen was five figures and that transaction was ultimately processed by both the direct deposit software company and authorized by the originating bank.
48 hours go by after the initialization of the transaction and the owner of the business account was never notified via email, phone call, or text about an abnormally large transaction that was processed via ACH Direct Deposit. Call it a lapse in security or negligence, but there is no doubt about it that this should have been caught by one of the two entities. In context, this small business’s biggest monthly expense is the payroll of its employees. Not once in the small business’, ten-year history had the company made a transaction this large to any outside vendor via ACH Direct Deposit. It seems as though both the direct deposit software company and the originating bank were both asleep at the switch while these hacker(s) literally robbed this business owner. I call it a digital smash and grab because just as quickly as they came, they left.
One would think that this whole quagmire could be resolved with a few clicks of a button and a reversal from the originating bank. Come to find out, I couldn’t be any more wrong. This whole situation became much worse after the 24-hour window closed after the transaction was initialized. Once this 24-hour window closes the money from this transaction is pretty much as good as gone after it hits the final bank account. What I learned is that in these types of scenarios time is absolutely of the essence. The more time that goes by it seems like the less power the banks, Automated Clearing House (ACH), or victim, in this case, have in resolving the issue.
After the transaction was processed (by both the originating bank, the receiving bank, and the ACH), claims filed, disputes made, etc. it then became a waiting game for each bank to communicate to each other sending over forms via fax to make one another aware that this particular transaction was fraudulent. Why on God’s green earth are we still using fax machines? The fact that major financial institutions are having to resolve fraud issues by sending each other fax is absolutely ridiculous. In one of the most regulated industries in the United States, we can’t figure out how to send a fast and secure message from one bank to another to notify them about a fraudulent transaction? This is where I believe Blockchain technology will serve as the concrete to fill the cracks of an aging system and aid in manufacturing synergy, efficiency, security, and trust between participants.
After several days filled with phone calls and helping with the investigation, I started to feel the overwhelming sense of helplessness and exhaustion. All the answers that the victim business owner and I were getting from the entities involved consisted of finger-pointing and blame being passed around, but no definite answers to almost everything. It felt as though no one involved could offer a timeline for anything and updates from each party were consistently being pushed back two business days. The red tape was everywhere and the regulations of the industry put a stranglehold on the business owner’s personal investigation. A week after the initial fraud event, things are still ongoing and either bank has yet to communicate a final determination is any funds will be recovered. It’s crazy to think that this could even happen, but even crazier to think if either bank cannot recoup any of the funds.
There I was smack dab in the middle of this situation and it made me want to understand more about how the current ACH system operates, the processes, the entities involved, the rules, and the technology behind it all. All in all the Direct Deposit ACH system is complex yet fairly efficient at doing certain things, but it has its flaws. What I found is that these weaknesses would include verification methods surrounding fraudulent transactions, interoperability between different size or classification banks, and standardization of payment-related data and information. These flaws were magnified through this unfortunate event and at times it felt like all the entities involved were never on the same page or had no sense of uniformity. I wouldn’t wish this situation on my worst enemy.
As recently as February 2020, the National Automated Clearing House Association (NACHA) announced that they will be implementing Phixius which is an online blockchain platform that brings together blockchain technology, industry rules, and qualified participants into a streamlined exchange of information and data. NACHA is its own entity or steward separate from the United States Government and creates the guidelines for transactions and oversees all transactions done on the Automated Clearing House Network. The Automated Clearing House (ACH) is the institution that plays the role of intermediary between banks in the movement of money from bank account to bank account in the United States. You could imagine the sheer number of nuances and complexities it must take to efficiently run a system necessary to conduct billions of transactions securely each year. Queue Blockchain.
Phixius will be applied as a solution to ensure that data transmitted between participants is authentic, maintaining compliance data for participants, and payment remittance. Other areas within the ACH environment that Phixius will have an impact on is the standardization of payment information, interoperability of payment-related data, and fraud protection. From what I have learned about Phixius it appears that the company will be the one-stop-shop for NACHA to rely on for bridging some of the current gaps and inefficiencies in its system. It’s exciting to know that blockchain tech like Phixius will hopefully prevent incidents from happening like the one I mentioned earlier. Moreover, it will be an even bigger undertaking for Phixius to efficiently scale their tech platform for the tracking, verifying, and authenticating of $51 Trillion of transactions per year. I think my biggest takeaway is that if such a large organization like NACHA can effectively deploy this blockchain platform it could trailblaze a path forward for other industries to have mass adoption of blockchain in the near future. Phixius is the first of many dominoes to fall in the financial industries across the globe and I am willing to bet that we haven’t seen the last of Blockchain.
In summation, I know the ACH Direct Deposit system may not be the most interesting thing in the world, but it is a system that has been an integral part of our financial industry and economy that mostly operates behind the scenes. When it’s working properly it can be one of the greatest inventions in the world, but the time has come for evolution and change. It is important that we get this evolution of technology right so that it can thrive in the coming years and centuries ahead. We know that the world is moving towards a less frictionless transaction process through digital payments and I am looking forward to seeing more blockchain technology deployments like Phixius throughout the world.