
Things like this are my problem with the pull-style payment systems. It would be nice for online systems if you were given an invoice, and you had to tell your bank to push the money to the other party (or confirm the pull). For recurring bills that are always under a certain amount, a customer can give a business some limited amount they are allowed to pull every month.

In a system where we turn over our payment information to all these companies and they can accidentally pull any kind of money from your account, it just leads to problems.




Once I have your bank account number and I tell the bank that I have permission, I can pull out any amount of money I want.

Only protection you can offer yourself as a business owner is having a separate account, keeping the absolute minimum required and sweeping balances off to another account as fast as you can. I feel for Etsy, as someone that has built a funding system, the thought of this type of event used to give me nightmares.

I only guarded by testing as if people's lives depend on it, because they really do. Screwing up someone's account could mean them not being able to afford food, rent, could be the start of an eviction, job loss, losing their business, not paying employees, many other terrible events or, worse, taking their own life.

Circuit breakers are also important. If Etsy typically does 2,000 withdrawals on average, and one day their system has to do 50,000 ACH debits, the circuit breaker should kick off so someone can review and manually push it through if correct.
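The volume check described in the comment above, as an added example that is not part of the thread and is not Etsy's code: a pre-submission gate that holds an outgoing debit batch for manual review when it departs from recent history. The thresholds, the `Debit` and `BreakerPolicy` names and the sample history are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Debit:
    account_ref: str      # opaque internal reference (constructed), never a raw account number
    amount_cents: int


@dataclass(frozen=True)
class BreakerPolicy:      # all thresholds are assumptions; tune them to your own volumes
    max_count_ratio: float = 3.0       # batch size vs. trailing mean batch size
    max_total_ratio: float = 3.0       # batch value vs. trailing mean batch value
    max_single_cents: int = 500_000    # hard cap on any one debit
    min_history: int = 5               # fewer past batches than this: fail closed


def evaluate_batch(batch, history, policy=BreakerPolicy()):
    """Return ("release" | "hold", reasons). history is [(count, total_cents), ...]
    for batches that were previously released."""
    reasons = []
    count = len(batch)
    total = sum(d.amount_cents for d in batch)

    if len(history) < policy.min_history:
        reasons.append("not enough history to judge volume")
    else:
        avg_count = mean(c for c, _ in history)
        avg_total = mean(t for _, t in history)
        if count > avg_count * policy.max_count_ratio:
            reasons.append(f"count {count} exceeds {policy.max_count_ratio}x mean {avg_count:.0f}")
        if total > avg_total * policy.max_total_ratio:
            reasons.append(f"total {total} exceeds {policy.max_total_ratio}x mean {avg_total:.0f}")

    oversized = sum(1 for d in batch if d.amount_cents > policy.max_single_cents)
    if oversized:
        reasons.append(f"{oversized} debit(s) above per-item cap")

    # The same (account, amount) pair twice in one batch is a classic double-debit bug.
    repeats = sum(n - 1 for n in Counter(batch).values() if n > 1)
    if repeats:
        reasons.append(f"{repeats} repeated (account, amount) pair(s)")

    return ("hold" if reasons else "release"), reasons


# Constructed sample: a week of ~2,000-debit batches at $25.00 each.
HISTORY = [(n, n * 2_500) for n in (1_950, 2_010, 2_040, 1_980, 2_020, 1_990, 2_010)]
```

A held batch goes to a person who either releases it or rejects it; the gate itself never drops or edits debits.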


It's incredible to me that you can give your bank information away to a company and they can withdraw whatever they like.

There's a bunch of companies (utilities such as power companies, for example) that allow an individual to set up such direct withdrawals. They also seem to let you do this without any kind of special authorization from the bank -- I've done this many times and I've never been forced through any kind of bank login to authorize them to withdraw money.

In Norway, you have two systems ("avtalegiro" and "autogiro") for direct debit. You have to go through the bank to authorize the setup, and you have to specify a max amount. There's also a system called eFaktura where companies can send digital invoices to your bank account; paying them requires going into your bank's app and approving each one individually.


Anybody in the US can try and pull as much as they can. This is a very old system going back before electricity. Paper checks signed by pen sent by mail (horse back) to banks. They checked that the signature on the check matched the one on file and released the funds. This system worked in that era but now someone gets your bank account number and can use it online to pay for something without a signature and banks don't really verify anything.

Someone I know had checks stolen and the people used the info on the checks to pay their electricity bill. The police were notified and even though they knew exactly where these people lived, did nothing. The only thing to do is close the account and open a new one. What a stupid system for the user, but the banks don't care enough to change it.


Business accounts can sign up for something called “positive pay.” You set a default rule (e.g. accept below a threshold amount and otherwise deny). You can review transactions on a daily basis and override the default. This works for both ACH and checks.


We currently use one account for everything, including Stripe deposits from SaaS applications. But as soon as practical, I intend to move to a model where there is a separate "staging" account for any kind of 3rd party interfaces.


That's exactly how it works where I live.

The business sends the invoices electronically, and I get an e-invoice in the bank and have to confirm it before it is paid. Nobody has access to my account but me.

One can also set up auto-payments with limits per business, like one limit for the energy bill and another for rent.


USA NACHA system is old. It's fixed width files transmitted via SFTP or web portals and manually uploaded to other banks.


This sounds like a very weak excuse. Why can't the bank show the account owner the incoming pulls, and let the owner authorize them? (And then send the authorized ones out as proper push transfers in the next ACH batch.)


It's how banking works nearly everywhere outside of the US, that's why most brokers handle US money transfers on separate forms. PayPal was built on top of this banking insanity, in most other countries PayPal would solve a problem that doesn't exist.

Whole thing is kind of like the imperial vs metric system.

Which makes me wonder - which other countries have banking systems that routinely allow pull-based access to accounts?


In the UK, PayPal can take what they want from my bank account, BUT I can just say "Reverse that" and it is done instantly, no questions asked (I might still be on the hook for legitimate transactions, but I'm not responsible for fraudulent ones).

(Case in point - a company I'd never heard of set up a Direct Debit on my account, and I didn't notice for about 6 months. One call to my bank, and I had the money back immediately.)

It's part of the Direct Debit guarantee:

> If an error is made in the payment of your Direct Debit, by the organisation or your bank or building society, you are entitled to a full and immediate refund of the amount paid from your bank or building society

> If you receive a refund you are not entitled to, you must pay it back when the organisation asks you to

https://www.directdebit.co.uk/DirectDebitExplained/pages/dir...


Germany has had direct debit since the 1950s, Britain since the 1970s, the difference being that as a consumer you can cancel the transaction within 8 weeks, no questions asked. Why the US can't follow suit is beyond me, instead people have to hack their own workarounds with prepaid credit cards.


> Germany has had direct debit since the 1950s, Britain since the 1970s, the difference being that as a consumer you can cancel the transaction within 8 weeks, no questions asked. Why the US can't follow suit is beyond me

In the U.S. you can cancel a transaction that you don't believe is legitimate. I did it as recently as last week and as long ago as the 90's when State Farm's auto-debit pulled $2,500 out of my bank account instead of $250. It's nothing new.


privacy.com allows creating credit cards with preset spending limits, either one-time or recurring. I use it for subscription services. (No affiliation just a happy user.)


privacy.com would be really attractive to me, but it comes with a mandatory arbitration agreement, and I'm trying to limit the number of businesses I interact with that rely on one.

Certainly the combination of mandatory arbitration and "we have your banking info" is a no go for me. If you want access to my bank account, you need to have some liability.

At some point I'm probably going to need to bite the bullet and sign up for an actual bank account or credit card with someone who offers it under normal terms -- but even that's been kind of frustrating to find. Capital One requires a browser extension. A bunch of places require phone apps.

I just want a banking site that lets me go to a webpage and click a "generate" button.


I am pretty sure Bank of America has this. I use their generated cards for several subscriptions.


This sort of error, where they accidentally pull thousands of dollars out of your checking account, can happen with privacy.com because you give them access to your bank account to use it.


Mastercard has a service like this also, but I seem to recall that last time I tried it, it required having Flash installed, so I didn't use it.


Yes it’s neat, but also involves giving privacy.com unfettered pull access to an account. Not to mention the data pipeline for profiling your use. Not a bad trade if it suits you, but things to be aware of, certainly.


Credit cards already have legal protections so worst case you can file a charge back and your money is safe. Etsy has access to bank accounts which don't even have the credit card protections.


Apparently Citi offers virtual credit cards to their users, I've been meaning to open an account for this feature alone.

Are there any fees associated with that privacy.com service?


None in my use of the service.

To my knowledge, they make money because they act like a credit card (they collect cc fee from the seller), but actually just proxy the charge to your bank account. You basically lose out on any of your own cc rewards though since you can't proxy to another cc (then they would lose their profit margin paying your cc provider).

Personal example of when I found it useful: I used a burner card from them to buy a board game online, turns out the site was hacked, leaked the card info, additional charges were attempted but failed because the burner card settings only allowed the original charge through. Was really glad I didn't use my own cc.


Unfortunately if one must supply privacy.com with access to a bank account, it's not an improvement over Etsy in terms of exposure. And with Etsy you can directly supply a credit card, leaving your bank account isolated.


I use privacy.com with a completely separate bank account with a limited amount of funds. I think that it works well enough.


I use separate bank accounts for various isolation purposes, but they generally have a monthly fee when below a substantial balance. Direct deposit accounts are the exception in my experience, and one doesn't generally have multiple direct deposit employment sources.

If I need to set up a separate account to isolate privacy.com's use, why wouldn't I just make it a Citi account and use their virtual cards instead of providing all my identifying information to yet another third party open to hacking and diminishing of corporate values?


Because I don't use a browser that supports flash.


Capital One also does but apparently it requires you install a browser extension that you give permission to spy on all webpages.


Are you sure that's not just an optional convenience thing?


The biggest issue is that the same info needed to push money into your account can be used to pull money out.

Why both actions require the same credentials is beyond me.



