ADP Thinks it’s still 1995

Aged & Decrepit Processes or better known as Automatic Data Processing, Inc. (ADP). I understand the problem here before I get into my rant. The ACH or American Clearing House system doesn’t have a way of confirming or authenticating bank accounts and their owners before transactions are completed.

The ACH system itself prioritizes how financial services companies and those that provide banking services can access the system. It’s a mixture of a gentleman’s agreement, programming interfaces, rules and more. Since the 2008 financial crisis, both the rules and the liquidity of the companies who participate at priority access level have been tightened.

All the banks have rules about financial transactions, who can make them, how often they make them and how much they can be. I’ve hit this so many times since moving to Colorado, buying a lot, paying a builder, buying major appliances, paying contractors etc. We’ve recently hit it again and again building out a new small business and doing construction there. It’s not the amount of money we have, it’s what the bank thinks of us and what restrictions it places on us as a business.

I’ve moved banks now 3 times since arriving in Colorado. I finally feel I have a banker and bank that are willing to work with us. It turned out to be a blessing as our current bank has closed the 3 nearest branches because they want to be more profitable. Even before they announced the closures they were not efficient, it can’t get better.

I can’t speak for many other countries, but at least in the UK, banks generally (legally?) have to subscribe to an interbank switching service. You open a new account and your old bank provides all the details for your existing monthly, annual debits and your online bill pays etc. They make all the changes and coordinate the switchover [1] https://www.currentaccountswitch.co.uk/.

What Does That Have to do with ADP?

I have no idea how much ADP processes monthly or weekly in payroll, but it is likely to be in the billions of US dollars. ADP touches millions of ordinary Americans’ lives every day. ADP could take a leadership role in fixing this, instead ADP focuses on additional revenue opportunities and having sales people call for services I could use, but have no time for, because simple things take forever.

My bet is ADP has done an assessment on us, or we’ve defaulted into a bucket of customers who are unimportant, and that means ADP makes us jump through hoops before they will do anything for us. We are not important and valuable enough to inconvenience. Honestly, that’s how most US banks treat their customers, they categorize them based on their transactions and daily balances, if you generate enough, they’ll invite you to pay for better service. You can’t make this shit up.

Last Wednesday evening I logged on to our employer website to set-up for the next day’s payroll submission. The only thing I really had to do that night was submit a new bank account for ADP to withdraw the funds for payroll the next day, it’s generally done as three debits – 1. money for employees; 2. money for employee and employer taxes and 3. ADP fees. I went to the banking details page, selected add a bank, added the routing code and account number for our new bank.

It failed and told me to submit a support ticket. I submitted it at 11:36pm on August 21st, 2024. Adding “Any questions, please have someone call me after 7am Mountain. Mark Cathcart xxx xxx-xxxx” – It’s now 7-days later and I’ve had no telephone calls from ADP. Instead the support ticket has meandered through a long list of demands that I provide to ADP all of which must show full business name, bank account routing number and account code. They ever so helpfully allow you to upload screen shots of your online banking or cancelled aka void checks or a bank statement.

Voided Check With Fractionals?

While the rest of this post is “a ramble through 7-days of ADP” (a title for a financial crime thriller perhaps?) this part is actually informational. When ADP asked for a “void check with fractionals”, I was stumped. I emailed my business banker and asked. He didn’t know. His response was “Interesting. Checks are so out of date we never would have known if ADP didn’t still require them, lol”

Here, courtesy of Netpayadvance is a demo/example check. The number bottom left is your bank’s routing number, the second set of numbers are your full account number and the third set, “1001” in this example is the check number. Most paper checks are processed via huge check sorters that use the MICR line at the bottom and generate an automated transaction using OCR and visual confirmation for the amount. Checks are expensive to the banks to process.

The problem with this check is that the writing has obscured part of the number. You’d be surprised how often this happens or the check only gets part eaten by your dog and the number is unreadable.

Fractionals on paper checks are an even older banking practice. They are usually located in the upper right corner of the check, under the check number, again in this case “1001”. Originally they looked like a complex fraction, such as 50-7044/22191.

These fractional numbers were originally used to help banks identify the origin of the check and process it correctly. While they are less critical in today’s digital age, they still appear on checks for historical and verification purposes. The check shown isn’t really complete. A better example is the one I’ve listed above.

Here is how to interpret 50-7044/22191

Prefix: The first part (e.g., 50) indicates the Federal Reserve district.
Institution Identifier: The middle part (e.g., 7044) identifies the specific bank or financial institution.
Federal Reserve Bank: The last part (e.g., 2219) is the routing number of the Federal Reserve Bank that services the institution.

Archaic, but that’s all you’re going to get, suffice to say my personal account checks from the same bank tell you 93-168/xxx (No I’m not giving you it all). First person who tells me who I bank with I’ll send a void check. Just add your account number and routing code so I know where to send it.
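The three-part layout above can be cross-checked against the routing number on the MICR line. The following is an added example, not part of the original post; it assumes the standard nine-digit routing layout (four reserve digits, four institution digits, one check digit), and the sample routing number is constructed from the parts listed above plus a computed check digit.

```python
import re

# ABA check-digit weights for the nine routing digits, left to right.
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def routing_checksum_ok(routing):
    """True if a nine-digit routing number passes the weighted mod-10 check."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    return sum(int(d) * w for d, w in zip(routing, WEIGHTS)) % 10 == 0


def parse_fractional(text):
    """Split 'prefix-institution/reserve' into the three parts listed above."""
    m = re.fullmatch(r"(\d{1,2})-(\d{1,4})/(\d{1,4})", text.strip())
    if m is None:
        raise ValueError("not in prefix-institution/reserve form: %r" % text)
    prefix, institution, reserve = m.groups()
    # Leading zeros may be dropped in print, so pad before comparing.
    return {"prefix": prefix,
            "institution": institution.zfill(4),
            "reserve": reserve.zfill(4)}


def cross_check(fractional, micr_routing):
    """Return inconsistencies between the fractional and the MICR routing number."""
    if not routing_checksum_ok(micr_routing):
        return ["routing number fails the checksum (typo or misread digit)"]
    parts = parse_fractional(fractional)
    problems = []
    if micr_routing[0:4] != parts["reserve"]:
        problems.append("reserve part does not match routing digits 1-4")
    if micr_routing[4:8] != parts["institution"]:
        problems.append("institution part does not match routing digits 5-8")
    return problems


if __name__ == "__main__":
    # Constructed samples: consistent, transposed digits, different institution.
    for routing in ("221970443", "221970434", "221970456"):
        print(routing, cross_check("50-7044/2219", routing) or "consistent")
    # An empty result only means the document agrees with itself. It says
    # nothing about who owns the account, which is the weakness of asking
    # for a copy of a check as proof.
```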

So my account number and routing code should be kept secret?

Anyone who uses a vaguely modernized bank knows that the account number and routing code shouldn’t be provided in full on almost anything you get from the bank.

They shouldn’t be on your statements, or web or app banking, and really you shouldn’t have to use paper checks, especially send void ones via email to anyone. Literally anyone shouldn’t ask for a void check to be sent via email, it’s a terrible idea. If you do have to supply them insist on uploading them to a website using https. Also ask that when they’ve finished doing what they need the void check for – that they securely erase the digital copy or picture.

Why? For your security. Remember the 1990s, people going through your trash to get dirt on you? Yes it was real. Back then though physical security was still the best defense, people were starting to learn. This newspaper clipping was from the Omaha Herald Sunday-world supplement in December 1995. In another 3-years or so every advice column was telling people to shred their documents. Do you do it in 2024?

To be honest I didn’t, well at least not directly. For years I used to collect them at home and take them to the office and put them in the corporate shredding secure storage. Only this year after we moved our office to all remotely stored client records did we free up a shredder and I brought it home.

No Checks Please

As a business we prefer not to do business with anyone who needs or provides us with checks. We can take Zelle, Venmo, Paypal and ACH deposits. We pay our employees through ADP and require them to all create a userid on the ADP system, so I am not involved with their banking details. Sadly ADP requires me to have them provide their social security numbers in order to send them an invite to participate. Good news, after the National Public Data leak I don’t even need to ask them, I can just look it up myself – hopefully just kidding. That’s a different fight on a different day with ADP.

Our vendors and practitioners pay us electronically as well. This is how I know that banks evaluate us, or at least put us in a default high risk bucket with bigger restrictions. In switching banks, I had to setup a different Zelle account as we couldn’t close the old one until ADP moved into the future.

A vendor that has for months paid us $1700 from their Chase bank account to our Chase bank account via Zelle, suddenly found out they couldn’t Zelle us the same $1700 a month later to our new bank. Why, because Chase Bank.

For anyone that doesn’t know, Zelle is owned by Early Warning Services, a private financial services company. Early Warning Services itself is owned by a consortium of major banks, including Bank of America, Wells Fargo, JPMorgan Chase, Capital One, PNC Bank, Truist, and U.S. Bank. If your bank isn’t one of those it has a different layer of access and different settlement rules. Those rules are then pushed down to you and me.

Let’s be clear, Zelle, Venmo and Paypal are largely lipstick on a pig services. They just mask the inadequacy of the ACH banking system. While those services exist outside of the USA financial market they are much less important. Why? Because retail banks can do what they do. I’ve written about this and the impacts of it many times before [2]https://markcathcart.com/category/banking/.

So this isn’t an ADP problem?

Oh yes it is. Very much so. I’ve discussed here how much so many of the problems of the ACH are a run-around through easily fraudulent or leaked information. You still need access to my ADP userid in order to be able to make a change.

Everyone I dealt with at ADP told me this was for my protection. It really wasn’t. If I change the bank account to one that didn’t exist our employees wouldn’t get paid. That would be a problem for ADP because despite there being perfectly good ways to do online verification, ADP was insisting on me sending paper facsimiles.

If I changed the account details to one that did exist, but someone else’s account, then the owners would be funding our payroll, lucky us. The payee would have an issue with ADP and would have to work out how to get the payments back from us.

How can they do that? See the opening paragraph, the ACH at its core has no way to authenticate if the debtor or creditor in an ACH transaction are the right people. They depend on trust. If you could break into the secure ACH network and submit your own transactions securely you could. It’s mostly still based on physical security. The Payments Learning Center has an interesting summary [3] https://paymentslearningcenter.org/ach-risk.

The organization should consider having one computer in the office which is not used to browse the internet. Limiting internet access to the computer which is used to house and transmit ACH data will help avoid the accidental downloading of harmful programs or viruses that could potentially compromise the organization’s computer system.

Payments First, South Carolina – Managing ACH Risk — Payments Learning Center (accessed August 28th, 2024)

So the root of the problem is that in order to change my bank details, ADP’s processes currently require me to send a blank/void check, a statement with full details and a number of other items that are acceptable.

What’s wrong with that?

Did you see Leonardo DiCaprio in “Catch Me If You Can?”

As a reminder, the film was based on a real person and real frauds.

The real person portrayed in the film was Frank Abagnale Jr. Abagnale was primarily active in his criminal activities between the ages of 15 and 21, which corresponds to the mid- to late-1960s. During this time, he managed to defraud banks and businesses out of more than $2.5 million by forging fraudulent checks. That was almost two decades before people had home computers, color laser printers, scanners etc.

Literally every form of proof ADP asked for could have been easily faked. All I needed to do was obtain Internet web access to their systems and it’s done. Given all my personal data was leaked by National Public Data recently it shouldn’t be hard to get into my ADP account which disappointingly doesn’t REQUIRE 2-factor authentication.

Today, while it would be complex to fraudulently create all the documents ADP asked for, it would not be difficult to create any of them. Heck, with AI image generators, trained on my own dataset of blank checks from the banks I’ve had, it would likely be easy. But here we are.

Can This Problem Be Solved?

Yes. Absolutely. But here America is held back by its size and population. While America has thrived for 200-years and became the world’s default currency based off the “greenback” and a world leader through its natural resources, scale and number of people and businesses, that is also what holds it back. So much change, so many places.

The ACH system was literally designed around Pony Express. The two tier banking network was designed around the time it took a wagon and horses to get from one banking center to another. You could get faster resolution by sending your financial instruments by individual Pony Express rider/stallion. It could take 10-days from west coast to east coast. Pony Express had some 153 stations where horses, riders etc. could be changed and mail routed.

When the Federal Reserve was founded they used basically many of the major cities that were also served by Pony Express. Add in the wire service and you have what is still today the default maximum service delays in the clearing systems. There used to be an annual book issued with pictures of each bank’s checks and their local variations of Reserve printed dollar bills. Really, that’s how we got here. There is still a version of this today, the US Currency (.gov) website [4] https://www.uscurrency.gov/denominations

Real Time Networks and Settlement Systems

The real answer is for the ACH and Federal Banking System to implement “straight through processing” (STP) systems. Many countries already have this, including the UK, France, Germany, even Russia and the Philippines have complex STP systems. This document from 2016 by the globaltreasurer.com has details [5] https://www.theglobaltreasurer.com/2016/02/18/optimising-efficiency-striving-for-100-stp/ – and yet here we are almost 10-years later and apart from random noises and pilot projects, we are still being asked for fscking void checks. Don’t get me started on c-r-y-p-t-o and sh*t-c-o-i-n-s. But STP is sort of the same, so I understand their objectives.

Let me give you a personal example of how this works. I still have a UK bank. My son if I remember correctly lived in Berlin Germany until 2014. From time to time I wanted to send money, birthdays, Christmas etc.

I could send a wire from my bank, $30 fee and often a fee to the receiver or I could use another out of date US institution, Western Union to also wire the money. In the last 5-years or so, services such as Wise have become much easier and quicker, but ultimately they are all just another lipstick on a pig solution.

I’d log on to my UK bank, provide my son’s German bank details, the bank would ask if they were correct and after confirmation it would directly contact the German bank and return the name and ask if this was the correct account? Again after confirmation, it would then execute the transaction, and the money would be deposited in my son’s bank account in 15-minutes or so in a different currency, the Euro. Yes, there are lots of ways this can be bad, yes the banks track the transaction and have limits, and they control the exchange rate, but they provide the service at no extra cost. What’s not to like?

Many US services use STP, Stripe and Paypal between their own customers, it’s possible that Zelle does. The banks use STP but do not surface it to retail banking customers. For many of its services the SWIFT network and Foreign Exchange (FX) networks also use STP. Again, we do not have direct access, even via our banks. Why not? Scale and cost.

Banks and financial companies would rather avoid spending the money and be dragged into the future (aka 2020) than just voluntarily deliver something useful. They’ll get there in the end. When, who knows when? Seriously, anyone?

What Should ADP do?

As soon as possible ADP should stop accepting bank routing codes and account numbers via facsimile copies. This is doomed to eventual failure and worse, ADP could leak all digital copies of documents which will have been or could be easily run through a scanner and Optical Character Read (OCR’d).

In the interim, ADP should

  1. Implement 2-factor authentication on login. I’m actually not a fan of sending the login codes by text message, some form of authenticator app with Internet access is a much better solution.
  2. Stop requiring easily forgeable documents for bank authentication. Specifically no more uploading facsimiles or copies of paper documents.
  3. Provide a direct deposit service for verification either incoming or outgoing. For example ADP provides their bank details and/or ensures their details are whitelisted on all US Billpay services. The employer and employee can make a small deposit into an ADP account specifically set up for the service. The small amount is then verified on their website and they have confirmed the bank account.
  4. Stop requiring the employer to add the social security number in order to do invitations for Payroll. If they need the social security number they should get it from the employee.
  5. As far as I am aware, for its employment verification services, ADP uses Equifax which is one of the big-3 credit reporting agencies. ADP should, if they are using National Public Data, immediately cease any further contractual agreements. National Public Data have broken everything and as far as I’m concerned need to be put out of business for a serious breach of public privacy and data security.
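Item 3 in the list above, sketched as an added example (not ADP’s code and not part of the original post): a small-deposit challenge in which the service sends two random amounts to the claimed account and the account holder reads them back from their own banking. The function names, the three-attempt limit and the five-day expiry are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3               # assumed policy: lock after three wrong answers
TTL_SECONDS = 5 * 24 * 3600    # assumed policy: challenge expires after five days


@dataclass
class Challenge:
    account_ref: str           # opaque reference, not the full account number
    amounts_cents: tuple       # the two deposits sent to the claimed account
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    state: str = "pending"     # pending -> verified | locked | expired


def issue_challenge(account_ref, now=None):
    """Create a challenge with two unpredictable amounts from 1 to 99 cents."""
    now = time.time() if now is None else now
    # secrets, not random: the amounts must not be guessable from earlier ones.
    amounts = tuple(sorted(secrets.randbelow(99) + 1 for _ in range(2)))
    return Challenge(account_ref, amounts, now + TTL_SECONDS)


def verify(challenge, claimed_cents, now=None):
    """Check the amounts the user typed in and return the challenge state."""
    now = time.time() if now is None else now
    if challenge.state != "pending":
        return challenge.state              # verified, locked, expired are final
    if now > challenge.expires_at:
        challenge.state = "expired"
        return challenge.state
    expected = ",".join(map(str, challenge.amounts_cents)).encode()
    supplied = ",".join(map(str, sorted(claimed_cents))).encode()
    if hmac.compare_digest(expected, supplied):   # constant-time comparison
        challenge.state = "verified"
    else:
        challenge.attempts_left -= 1
        if challenge.attempts_left == 0:
            # A locked challenge needs a fresh pair of deposits, so the
            # amounts cannot be found by repeated guessing on the website.
            challenge.state = "locked"
    return challenge.state


if __name__ == "__main__":
    ch = issue_challenge("acct-ref-001")    # constructed reference
    print(verify(ch, [0, 0]))               # wrong guess -> pending
    print(verify(ch, ch.amounts_cents))     # amounts read from the statement -> verified
```

Only someone who can see transactions on the claimed account learns the amounts, which is the property a scanned check or statement cannot provide.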

Failure to do the most important of these shows that ADP, and for that matter, any institution that requires same, is simply performative. It doesn’t really achieve what they say it does.

I’m open to debating and discussing this, as long as the requestor does some form of authentication, please send a void check.

Mark Cathcart


In 1983, the writer was headhunted from London to work in lower Manhattan on the world’s first home banking system at a major New York Bank. In 1985, he was appointed an “Assistant Treasurer” – at the time, he was their youngest assistant treasurer. In 1987, he returned to the UK to work in IBM’s London Banking Branch to help the financial industry create the infrastructure for Year 2000 testing and application updates. In 1997, he was part of a small team that won a Queens Industry commendation for their work on commercializing Internet servers. He gave a presentation to a major conference in the UK on secure e-commerce using private/public keys at a time when you still had to call Amazon and read out your credit card details to buy a book. He was lead architect on a major UK bank’s Internet banking system. Currently retired, or as he puts it – “just too lazy to work for money, it has to be something really worthwhile”.

UPDATES:
August 29th, 2024 11:39am – Minor updates and proofing.
