Fidelity – fraud or clerical error? (either way seems scary to me)

[Earl E Retyre]

Luckily, I looked at my Fidelity statement and noticed $225 was withdrawn on a cash account that I have not touched in years. A direct debit was made from my account to Ally bank auto finance which I assume was to pay for someone else’s auto loan.

I filled out a Direct Debit Dispute Form and faxed to Fidelity and they reimbursed my $225 but also asked that I notify Ally. Sparing you the details, I spent hours talking to several people at Ally and faxed lots of paperwork but never got an answer as to what happened. I do not even have an Ally Auto Finance account.

You would think that would be end of story, but then, on the same day of the month, the following month, lo and behold another $225 taken out. I filled out another Fidelity form and again they reimbursed my $225 and this time we just closed that account to stop the madness.

Fidelity told me the name of the person that was listed in the Debit Notes for whose auto loan it was paying and I obviously never heard of that person. What I do not know, and do not think I will ever know, is if this was Fraud – and someone purposely withdrew money from my account … or whether it was a simply clerical error on Ally’s part and someone accidentally typed in my account number and Fidelity routing number.

The scary thing is that seemingly anyone can get your routing/account number and make a withdrawal and your name or social are not checked for a match.

Coincidentally, on 7/5 Fidelity sent an email indicating they were implementing two-factor authentication for stronger account protection to allow its members to specify a phone number to receive a verification code by text. I believe Vanguard already has that implemented. Hopefully this would prevent something like this in the future but I am not sure if two factor authentication applies to direct debits.

Has anyone else had a similar situation?

 

[MichaelB]

Has anyone else had a similar situation?

Good thing you caught it in time. It is scary how the obsession with reducing the cost of financial transactions has opened a door to easier fraud, and it just reaffirms that the first line of defense is regular monitoring of one's own accounts.

 

[easysurfer]

That is scary. I seem to recall a bogus check printing company years back that operated as a front to steal back routing and account numbers from folks who just thought they were ordering checks.

 

[GTFan]

I've always wondered what kind of security was involved with ACH transfers (i.e. direct debits). It seems like all you need is someone's account number and you can do what you want, but that can't be true (routing numbers are easily obtainable for any institution).

 

[Aerides]

Yes, any bank transaction is as simple as providing a valid ABA/DBA.

Fidelity CS was (IMO) stupid to tell you to contact Ally when you didn't have a relationship with them. And they should have recognized the transaction was of a repeating nature and taken better steps to resolve it the first time. Good that they have done that now by changing the account.

More than likely it was a clerical error, and the person on the Ally side will have to figure that out - not you.

 

[MRG]

Probably an honest mistake due to a fat finger. I w*rked in a transfer agency, while internal fraud exists and is carefully monitored for, it's generally caught before anything is mailed.

I received the two factor security communication, can't see how it was different from what they had before.

Far as wire security, it's better than it used to be, not saying much.

 

[GrayHare]

I was shocked to learn that with the account and routing numbers anyone can withdraw any amount from anyone's account. It's up to the account owner to notice and promptly report any unauthorized activity. Prosecution of the wrongdoers discourages it from happening much. Once you get used to the idea, you realize it's very efficient.

 

[audreyh1]

Yep - someone could put any routing and account numbers into their application to set up automatic debit payments. It would be really nice if they checked that names matched first before setting up an auto debit from bank account payment system. And I think they sometimes do, but apparently often not. You just have to be vigilent.

 

[CaliKid]

That is scary. Shows you how important is to check each statement and each transaction!

 

[Sunset]

So scary.

Wherever I can set up alerts for example on my bank accounts, what I do is change the alert number to a low value so for outgoing payments, transfers I now set it to $1.00 as I want to catch some scammer doing a test transfer right away.

It does mean I get some extra emails, but since I just paid that bill or deposited money I know exactly what it is and can look and delete the email, assured the alert mechanism is working.

 

[ownyourfuture]

I've been with Fidelity since 1986, when I opened my first IRA.
I've never had a problem, but I do check my account activity in both the IRA & my taxable account at least three times a week.

 

[donheff]

I have always been nervous about how easy it is to set up auto payments from my checking account and do not keep large sums in it for that reason. My big accounts at Vanguard don't have checking attached to them and can only transfer funds to our checking.savings institution.

Does anyone know if banks require validation for larger, non-routine transfers? Hopefully they are like credit card companies and figure they can make whole the little problems but don't let unverified sources yank multi-thousand dollar sums from accounts.

 

[pb4uski]

I suspect an error on the part of the auto loan borrower or Ally. Unlikely to be fraud because it would be relatively easy to identify whose account the payment is going to.

What is more alarming is Ally and Fidelity's nonchalance regarding the issue.

 

[MichaelB]

All bank account owners must have their identity verified and banks usually require an application from business account owners to enable ACH debits. This is not something random and does leave a clear audit trail, which is why banks embrace it.

Fidelity's response is unacceptable. It is their responsibility to contact the other financial institution and inform them of the error. If the OP were to contact Ally Bank, that bank's proper response would be "we have no idea who you are, please have your financial institution contact us". The second debit should not have happened.

Consumer protection regulations give 60 days from the date of the monthly account statement to file a claim. To be safe, every account transaction should be reviewed monthly.

 

[kaneohe]

I have an autopay w/ Humana for my Rx plan linked to checking account.....something like $18/mo. One day there was a $200 debit from Humana that Humana could not explain.......it was obvious that they were not interested in helping either. Fortunately I learned that the bank/credit union can reverse that charge with your written instructions. Never did figure out why that happened .

 

[MRG]

I have always been nervous about how easy it is to set up auto payments from my checking account and do not keep large sums in it for that reason. My big accounts at Vanguard don't have checking attached to them and can only transfer funds to our checking.savings institution.

Does anyone know if banks require validation for larger, non-routine transfers? Hopefully they are like credit card companies and figure they can make whole the little problems but don't let unverified sources yank multi-thousand dollar sums from accounts.

I know fund companies do apply rules based on the dollar amounts of transactions. Some actually route work to another human to check the work the first human did. Of course what's high dollar to the fund companies may not be what you consider a large number.

Keep in mind wires are a very easy transaction to automate, I doubt any fund company is still processing those manually. What value would a human add to the process of a wire? If the routing number is valid and funds are available the transaction should be IGO. How would anyone other than the requestor know if the transaction(routing number) is correct?

 

[audreyh1]

I only have one account at Fidelity that I do bill pay, and that actually is a bank account.

I have checkwriting on one fund account, but not on the main brokerage account. I've purposely avoided that.

 

[jazz4cash]

Another reason I avoid authorizing anyone to pull from my account. As much as possible I initiate payment from my account so any debit initiated by the payee is suspicious. I do have two monthly payments initiated by the vendor and my blood pressure spikes every time I see their debits until I realize it's routine.


Sent from my iPhone using Early Retirement Forum

 

[Tadpole]

I really don't know any easy way for Vanguard to grab money from my bank or PenFed to get money from another bank for a CD other than ACH transfers. For what little auto-bill-pay I do I usually dedicate a ShopSafe at BoA to the routine charges. I admit that the ShopSafe route is not as easy as ACH is. Then there is SS, pension, and IRS deposits. Those along with Allstate insurance payments are all ACH.


ACH is not instantaneous so if you have set up some sort of way to receive a warning such warnings usually arrive before execution of the ACH transfer, at least mine do.


I think what happened here was Ally was an acceptable source for the transfer request. I wonder how it is determined that Ally received permission from the account owner. No bank or financial institution has ever asked me for a list of sources acceptable to me.

 

[jazz4cash]

. I wonder how it is determined that Ally received permission from the account owner. No bank or financial institution has ever asked me for a list of sources acceptable to me.

Pretty sure they assume it is ok since the requesting institution has your acct nbr and routing nbr. That's why a simple name on account verification should be required (or additional authorization if it is for benefit of another party).


Sent from my iPhone using Early Retirement Forum

 

[RobbieB]

The scary thing is they did it twice.

The first was a routing error I'm sure.

But the second time was just sloppy incompetence.

 

[Dare]

I had a similar thing happen to me at Schwab. Two different debits from two different vendors (a cable company I don't use, and AAA), taken from a Schwab brokerage account. Freaked me out good. One debit had a name (not mine) attached to it; the other one I couldn't get the detail. Schwab could see that one debit had been initiated online, and the other one over the phone, but other than that I couldn't get much detail. After I signed an affidavit saying that these were not my transactions, Schwab refunded the money to my account (about $300), closed the account and moved everything over to a new account number.

In trying to figure out how it happened and how to prevent it, I learned that there's really nothing I could do to prevent it. All someone needs is an account number, a routing number, and a vendor that doesn't bother to verify anything and they can debit any account they want. Disabling checkwriting wouldn't make these transactions impossible - the only benefit would be that if you had no checks in circulation, people couldn't get your account number off of a check you'd written. Two factor authentication? Good to have, but wouldn't prevent this. Schwab said they couldn't flag an account to never accept autodebits, and it sounded like they're not alone in that - it's just the way the system works.

I've always been pretty good about reviewing my statements regularly, but believe me, I'm even better about it now! I shudder to think what the process would be if they'd debited a lot more than $300.

 

[Earl E Retyre]

I had a similar thing happen to me at Schwab. Two different debits from two different vendors (a cable company I don't use, and AAA), taken from a Schwab brokerage account. Freaked me out good. One debit had a name (not mine) attached to it; the other one I couldn't get the detail. Schwab could see that one debit had been initiated online, and the other one over the phone, but other than that I couldn't get much detail. After I signed an affidavit saying that these were not my transactions, Schwab refunded the money to my account (about $300), closed the account and moved everything over to a new account number.

In trying to figure out how it happened and how to prevent it, I learned that there's really nothing I could do to prevent it. All someone needs is an account number, a routing number, and a vendor that doesn't bother to verify anything and they can debit any account they want. Disabling checkwriting wouldn't make these transactions impossible - the only benefit would be that if you had no checks in circulation, people couldn't get your account number off of a check you'd written. Two factor authentication? Good to have, but wouldn't prevent this. Schwab said they couldn't flag an account to never accept autodebits, and it sounded like they're not alone in that - it's just the way the system works.

I've always been pretty good about reviewing my statements regularly, but believe me, I'm even better about it now! I shudder to think what the process would be if they'd debited a lot more than $300.

Yes, sounds very similar. I still do not know why they could not change the system to indicate that a last name needs to match in addition to the banking and routing number. This may not prevent fraud but would prevent clerical errors.

 

[MJ]

I don't know about auto loan payments but I was shocked to find that a credit card holder can set up a payment with someone else's account# and routing number. Since it was allowed, I have paid several of my wife's CCs. Note, she does not have the same last name as I do. I think it is stupid but it is allowed by the CCs and the banks I did it with.
You need to always keep track of your account either via statements or online inquiries.

 

[COcheesehead]

#1 set up alerts on the account. You'll get an email for every type of transaction of your choosing.
#2 Don't let people have access to the account. I know the OP didn't it was an error, but never let anyone do ACH transactions. Always just set it up as a billpay transaction. Once someone has access to your account, you lose control.