[wplug-board] Created a Gittip account

[Pat Barron]

On 1/14/2014 3:55 AM, Vance Kochenderfer wrote:
> Deposits are done by ACH transfer. My main question (maybe Pat can 
> contact the bank and ask?) would be whether an ACH transfer can be 
> done *out* of our account without explicit authorization of the 
> transaction. I would be concerned that a hack could result in our 
> account being cleaned out and we would have no recourse (since 
> Gittip's terms require us to indemnify them)

ACH transactions (either in or out of an account) are basically assumed 
to be authorized, no prior authorization is needed.  You can put an ACH 
block on an account, but it's a total block - you can't pick and choose 
(as far as I know).  Anyone who has knowledge of your routing number and 
account number (even, say, for your own personal checking account) could 
post an ACH debit to the account and clean it out.  It then becomes your 
(the account holder's) problem to dispute the transaction as 
unauthorized.  As far as I know, the bank is not responsible to make 
good on the funds taken in a fraudulent transfer if they are unable to 
retrieve the funds from wherever they were transferred to.  The 
indemnification provision here basically means that if they have a 
security breach and someone absconds with users' ACH information, it is 
not their responsibility to do anything about that insofar is it affects 
the users (i.e., making good on misappropriated funds from fraudulent 
ACH transactions that occur as a result of the breach, being responsible 
for financial harm that befalls a user as a result of not having the 
funds while the bank investigates the disputed transaction. etc.).

For better or worse, these are pretty standard terms for entities that 
do ACH transactions.  So if you're going to agree to such terms, the 
question you have to consider is, how much do you trust the data 
security of whomever you're entrusting your routing number and account 
number to....

--Pat.