Question: is US banking really this dysfunctional? Where I'm from, a bank consortium already provides unified login services (while banks still have their own websites, as a merchant you only need to integrate the consortium-provided APIs rather than using Plaid), which simplifies things.
That is the case in most of Europe as well (under SEPA Direct Debit), and has been for many years now.
I've not had to dispute an ACH debit yet, but at least at most German banks, it's literally a single click and the money is back in your account – up to 8 weeks after the payment (any reason, no questions asked), and up to 13 months in case of fraud ("no mandate").
Part fraud controls (which don't necessarily work), part being able to undo transactions.
Being able to undo mistakes means far more than anything else; it means it's permanently superior to all "web3" tech no matter how much fancier they may make that look.
A check needs a signature and has some security feature built-in. You might argue that it's not sufficient, but it's the same deal as paper money for example. The cost/benefit ratio is too low for counterfeiting checks to be useful, most of the time.
The routing and account numbers are printed on every paper check in the US. Those are all that you need to process an ACH. The onus is on the ACH originator to make sure the numbers are not stolen.
I believe you need a specific bank authorization to do ACH withdrawals using only routing and account #. Plus, your beneficiary bank screens such services given out to clients very closely. No random Joe Schmo can do auto ACH debit.
Unless you are referring to passing forged checks, I'm not sure what you mean by this.
My understanding is that in the US, to pay your rent you either send a literal paper check, which has no serious authorisation at all, or your landlord reaches into your account using your bank account number and debits it, without you having to approve.
If not - why do people protect their bank account numbers in the US? In the UK mine is printed on my bank card - anyone can read it off.
It’s like social security numbers in the US - they became passwords when they weren’t supposed to be.
Quite interesting. In Poland a lot of places have their bank number just on their website if you want to donate something, I don't think you can place a debit like that.
"I believe you need a specific bank authorization to do ACH withdrawal using only routing and Account#"
No. All you need is an account number and routing number (which are printed on paper checks). The ACH originator is responsible for ensuring the numbers are owned by the payer.
Maybe they pointed it out as an indication that some financial institutions in the US are not modern, technologically speaking, and that may be a cause for lacking better APIs?
That was probably the intention but I think that isn't a core reason. It's more about business/tech incentives around these APIs. The industry is more risk-averse, and frankly there isn't necessarily a great business case for doing integrations if you're a big bank because you don't want to be commoditized into "pipes" and then have to compete on low-margin products all the while the middle companies have better margins and skim off the top of you. At least on the consumer side. There's this meme that banks are technologically backwards and all that, and I don't think that is true or a good frame of reference to have. The scale, complexity, regulatory environment, and risk-aversion when something bad happens are far and away more relevant factors than technology is.
For some systems, this is arguably a feature. Banks are rightly cautious about touching core transaction processing systems, systems that cost millions per minute when down.
But the use of COBOL generally doesn’t extend to the consumer facing product, or the APIs that support those consumer facing experiences.
Banks may be backwards, but the use of older languages is not one of the primary reasons.
What they run on their backend doesn't really matter. If they can provide a website with username/password login, they can have an OAuth layer as well. It isn't a technical problem but a business/priorities one.
I remember about 4 years ago I read online that most bank passwords did not even check for upper case or lowercase characters. I didn't believe it, but to my surprise I entered my password with RaNDoM cASe letters and it unbelievably logged me in. This was Chase bank, and I believe it has been fixed since then. But just goes to show how far behind banking systems have been.
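The case-insensitive login described in this comment is a real weakening of the credential, not just a quirk: if the server folds case before hashing, every letter in the password loses one bit, and a brute-force or credential-stuffing attacker only has to cover one spelling of each candidate. The following is an added illustration (not code from the thread or from any bank) that puts the weak pattern next to the correct one and quantifies the shrinkage. The password, salt handling and PBKDF2 parameters are constructed for the demo and are assumptions, not anything a specific bank uses.

```python
import hashlib
import hmac
import os

# Constructed demo parameters; a production system would tune iterations
# (or use a memory-hard KDF such as Argon2/scrypt) and store salt + hash per user.
ITERATIONS = 50_000


def hash_casefolded(password: str, salt: bytes) -> bytes:
    """The weak pattern: the password is lower-cased before hashing,
    so any mix of upper/lower case of the same letters verifies."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.lower().encode("utf-8"), salt, ITERATIONS
    )


def hash_exact(password: str, salt: bytes) -> bytes:
    """The corrected pattern: the password is hashed exactly as typed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(stored: bytes, salt: bytes, candidate: str, hash_fn) -> bool:
    """Recompute the hash for the candidate and compare in constant time,
    so the comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(stored, hash_fn(candidate, salt))


def case_variants(password: str) -> int:
    """Number of distinct case spellings that collapse onto one stored hash
    under case folding: 2 ** (number of ASCII letters). This is the factor
    by which a guessing attacker's candidate space shrinks."""
    letters = sum(1 for c in password if c.isascii() and c.isalpha())
    return 2 ** letters


def demo() -> dict:
    """Compare both schemes on a constructed password and a wrong-case attempt."""
    salt = os.urandom(16)
    password = "CorrectHorse9!"   # constructed sample, 12 letters
    typed = "cORRECThORSE9!"      # same letters, every case flipped
    weak_store = hash_casefolded(password, salt)
    strong_store = hash_exact(password, salt)
    return {
        "weak_accepts_wrong_case": verify(weak_store, salt, typed, hash_casefolded),
        "strong_accepts_wrong_case": verify(strong_store, salt, typed, hash_exact),
        "strong_accepts_exact": verify(strong_store, salt, password, hash_exact),
        "variants_collapsed": case_variants(password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `variants_collapsed` figure is the point a reviewer would raise: for a 12-letter password the case-folding server treats 4096 different strings as the same secret, which is equivalent to quietly removing 12 bits from the password policy. The fix is simply to never normalise case (or anything else) before hashing, and to compare hashes with `hmac.compare_digest`.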