........................................................................
Phillip_McCavity
Remember, I got hit with one of these. I was asking Claude about other types of payment security, and as part of the conversation it gave me this:
----
The key legal framework is Regulation E — it covers electronic fund transfers
and requires banks to investigate and reimburse unauthorized transactions. The
problem Zelle creates is that most fraud involves authorized transfers (you
sent the money, you just were deceived into doing it). Authorized fraud falls
outside Reg E's core protections.
ACH has one meaningful vulnerability though — ACH debit fraud (someone pulls
money from your account) is common and the 60-day window can expire before
victims notice.
Bottom line: For sending money to strangers or merchants, a credit card is the
only method with robust built-in buyer protection. ACH is reasonable for
recurring known payees (utility bills, mortgage). Zelle is structurally
unsuited for anything beyond trusted personal transfers.
✻ Crunched for 14s
❯ yes, i am very surprised to learn that it takes minimal information to pull
money from an account via ach
● It's one of the dirtier secrets of the US banking system. ACH debit
authorization was designed in an era when the threat model was "did this
business have a signed paper authorization form" — not "can a fraudster with a
routing and account number drain your account."
What ACH debit actually requires to initiate:
- Routing number
- Account number
- Your name
That's it. Both are printed on every check you've ever written. They're on
invoices, statements, and documents shared routinely in business. There's no
cryptographic verification, no real-time authentication, no confirmation sent
to the account holder before the pull happens.
The "protection" is entirely after the fact:
- The pull happens
- You notice it (maybe days later, maybe never if you don't watch statements
closely)
- You dispute it within 60 days
- Your bank investigates and hopefully reverses it
Why this persists:
- NACHA (the ACH network operator) is governed by the banks that benefit from
it
- ACH is the backbone of US payroll, bill pay, and B2B payments — over $80
trillion/year
- Changing the authorization model would break enormous amounts of existing
payment infrastructure
- Banks are insulated from the fraud cost because Reg E disputes are
manageable at their scale
The contrast with other systems is stark:
- Card networks (Visa/MC) require a cryptographic authorization token for
every transaction
- UK's Faster Payments has confirmation of payee
- Most of Europe requires two-factor authentication for online transfers under
PSD2
The US ACH system is essentially running on 1970s trust assumptions in a 2026
threat environment. It's a meaningful reason why check fraud and ACH fraud
remain stubbornly common despite decades of "modernization."
........................................................................
Spanky
Pretty much what I said when you were going through this.
At that time I also pulled up ChatGPT to ask it if anything had materially changed since my last daily interaction with it and the answer was, effectively, no.
........................................................................
Samples_Boi
These days you should have the bank send you notifications when ACHs or wire transfers are attempted. For brokerages you can often lock them down except when you need to use them.
........................................................................
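Added example, not part of any post in the thread: a small statement check for the after-the-fact model described above, flagging ACH debits from originators the account holder never authorized and showing how much of the 60-day dispute window is left. The CSV columns, originator names and payee list are constructed, and counting the 60 days from the posting date is a simplifying assumption.

```python
from datetime import date, timedelta
import csv
import io

DISPUTE_WINDOW = timedelta(days=60)  # the 60-day window mentioned in the thread

# Constructed sample export; column names and originators are hypothetical.
SAMPLE_CSV = """posted,type,originator,amount
2026-01-05,ACH_DEBIT,CITY UTILITIES,-84.10
2026-01-12,ACH_DEBIT,QUICKPAY SVCS 8841,-950.00
2026-01-15,CARD,GROCERY MART,-62.35
2026-03-02,ACH_DEBIT,HOME MORTGAGE CO,-1500.00
2026-03-09,ACH_DEBIT,QUICKPAY SVCS 8841,-975.00
"""

# Payees the account holder has actually authorized (assumed list).
KNOWN_PAYEES = {"CITY UTILITIES", "HOME MORTGAGE CO"}


def review_ach_debits(csv_text, known_payees, today):
    """Return ACH debits from unknown originators, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] != "ACH_DEBIT":
            continue  # card and other entries are out of scope here
        originator = row["originator"].strip().upper()
        if originator in known_payees:
            continue  # recurring payee the holder set up
        posted = date.fromisoformat(row["posted"])
        deadline = posted + DISPUTE_WINDOW
        days_left = (deadline - today).days
        if days_left < 0:
            status = "EXPIRED"   # window already closed unnoticed
        elif days_left <= 14:
            status = "URGENT"
        else:
            status = "OPEN"
        findings.append({"posted": posted, "originator": originator,
                         "amount": float(row["amount"]),
                         "dispute_by": deadline, "days_left": days_left,
                         "status": status})
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in review_ach_debits(SAMPLE_CSV, KNOWN_PAYEES, date(2026, 3, 20)):
        print(f"{f['status']:8} {f['posted']} {f['originator']:20} "
              f"{f['amount']:>9.2f} dispute by {f['dispute_by']}")
```

In the sample, the first unrecognized pull has already aged out of the window by the time the second one appears, which is the failure mode the notification advice is meant to prevent.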