Hi Mohammed and Bharath, Mohammed, your point regarding Granular Permissions and Auditability is very compelling.
While Bharath’s suggestion for a simpler API flow is efficient, the risk of a "front-line teller" accidentally overdrawing an account simply because a global config is on is a significant operational hazard. >From an implementation standpoint, having a dedicated withdrawal-force-debit command: Ensures Intent: It clearly distinguishes between a customer-initiated withdrawal and a bank-initiated regulatory levy. Simplifies Auditing: It allows auditors to easily filter for transactions that bypassed the standard balance check. Future-Proofs for Phase 2: It provides the perfect "hook" for the Reason Codes and Notifications we discussed earlier. I believe the added security of the separate command outweighs the overhead of a new API endpoint. I'm ready to help with the Unit Tests for this new command layer to ensure the permission checks are rock-solid. Best, Ayush Singh On Fri, Feb 6, 2026, 6:18 PM Mohammed Saifulhuq < [email protected]> wrote: > Hi Bharath, > > Thank you for the feedback and the kind words. I appreciate the guidance. > > I completely agree with the Acceptance Criteria regarding the 'Negative > Balance' behavior and the global limits. However, I would like to > double-check the approach regarding the Single API vs. Separate API > decision, specifically regarding Permissions and Risk Management. > > While using the existing withdrawal API is cleaner implementation-wise, > it introduces a significant security gap: > > 1. > > Granular Permissions: If we use the standard withdrawal command, we > rely on the standard WITHDRAW_SAVINGSACCOUNT permission. This means if > we enable the Global Config, any front-line staff (Teller) could > accidentally overdraft an account up to the global limit. > 2. > > Intent: As Anu mentioned, this feature is primarily for Regulatory > Levies or Charges (Force Post), which is distinct from a customer-initiated > withdrawal. > 3. > > Auditability: A separate withdrawal-force-debit command allows the > Bank to explicitly audit *who* bypassed the balance check and *why*. > > My Recommendation: I propose we stick to the Separate Command ( > withdrawal-force-debit) strategy. This allows us to attach a specific > WITHDRAW_SAVINGSACCOUNT_FORCE_DEBIT permission to it. > > - > > Teller: Has WITHDRAW_SAVINGSACCOUNT. Can withdraw only if funds exist. > - > > Manager/System: Has WITHDRAW_SAVINGSACCOUNT_FORCE_DEBIT. Can withdraw > into negative (up to limit). > > If we merge them into one API, we lose this control layer. Does that align > with your view on the security requirements? > > Best, Mohammed Saifulhuq > > On Fri, Feb 6, 2026 at 6:08 PM Bharath Gowda <[email protected]> wrote: > >> Hi All, >> >> This has been a very good discussion with great idea sharing around the >> topic. >> I really appreciate Mohammed for taking the initiative to work on this >> enhancement. >> >> Could we please have a story created in Fineract JIRA with all the >> required details captured? >> >> Regarding the acceptance criteria for this enhancement, I am aligned with >> the following points: >> >> >> - The system should allow debit transactions on a savings account >> even when there is an insufficient balance. >> - In such cases, the savings account should move into a negative >> balance, and any further debit transactions on the same account should be >> restricted until the negative balance is fully settled. >> - There should be a global configuration named >> allow-negative-balance-on-savings-account, which should be disabled by >> default. >> - There should be a configurable global limit on the maximum allowed >> negative balance. >> - Accounting behavior should remain unchanged and follow the existing >> accounting configuration for savings product debit transactions. >> >> >> My only concern is around introducing a new transaction type or a >> separate API for this functionality. From a customer perspective, this is >> still a standard withdrawal. >> >> Using the existing debit transaction flow should be sufficient and would >> help avoid the following scenarios: >> >> >> - Organizations must explicitly check account balances before >> initiating debit transactions. >> - Any additional complexity, when the existing configurations for >> “allow-negative-balance-on-savings-account” and the "negative balance >> limit" can already govern the behavior using current transaction types. >> >> So I believe the existing debit transaction mechanism with the above >> configurations should address the requirement cleanly without new API or >> new permissions for the same. >> >> >> >> Regards, >> Bharath >> Lead Implementation Analyst | Mifos Initiative >> PMC Member | Apache Fineract >> Mobile: +91.7019635592 >> http://mifos.org <http://facebook.com/mifos> >> <http://www.twitter.com/mifos> >> >> >> On Fri, Feb 6, 2026 at 5:59 PM Paul <[email protected]> wrote: >> >>> Great team work. 👍 >>> Thanks for the effort. >>> >>> -- >>> Paul >>> >>> On Fri, Feb 6, 2026, 5:33 AM Anu Omotayo via dev < >>> [email protected]> wrote: >>> >>>> Thanks Mohammed, you can go ahead please. >>>> >>>> In terms of naming convention, I think we should use "force debit" >>>> because its a banking terminology: >>>> >>>> API: withdrawal-force-debit >>>> >>>> Permissions: WITHDRAW SAVINGSACCOUNT FORCE DEBIT, WITHDRAW >>>> SAVINGSACCOUNT FORCE DEBIT CHECKER >>>> >>>> System configuration: allow-force-debit-on-savings-account, >>>> force-debit-on-savings-account-limit >>>> OR allow-negative-balance-on-savings-account, >>>> negative-balance-on-savings-account-limit >>>> >>>> Regards >>>> Anu Omotayo >>>> >>>> On Friday, February 6, 2026 at 05:39:58 AM GMT+1, Mohammed Saifulhuq < >>>> [email protected]> wrote: >>>> >>>> >>>> Hi Ayush, >>>> >>>> Thank you for sharing that real-world scenario. That is exactly the >>>> 'silent failure' risk we want to avoid. >>>> >>>> It seems we are converging on the *'Negative Balance with Limits'* >>>> approach as the most robust solution because: >>>> >>>> 1. >>>> >>>> *Accounting:* It respects GAAP/IFRS liability recognition >>>> immediately (General Ledger accuracy). >>>> 2. >>>> >>>> *Transparency:* As you noted, it prevents the 'missing money' >>>> confusion for the end-user. >>>> 3. >>>> >>>> *Safety:* The proposed min-overdraft-limit configuration prevents >>>> the infinite debt risk I mentioned earlier. >>>> >>>> @Anu / @Paul — seeing as we have consensus on both the technical and >>>> functional sides, are you happy for me to proceed with drafting the >>>> implementation plan for the *Negative Balance with Configurable Limits* >>>> model? >>>> >>>> Best, Mohammed Saifulhuq >>>> >>>> On Thu, Feb 5, 2026 at 10:07 PM AYUSH SINGH <[email protected]> >>>> wrote: >>>> >>>> Hi everyone, >>>> >>>> The discussion regarding "user confusion" vs. "accounting accuracy" is >>>> very relevant. I recently saw a real-world case where a user didn't >>>> maintain a minimum balance, resulting in a -₹3,000 state due to bank >>>> charges. >>>> When they eventually deposited funds, the money was "auto-deducted" to >>>> cover the debt. Because the system didn't make the negative balance >>>> transparent, the user was left confused, thinking their deposit had simply >>>> disappeared until they contacted the bank. >>>> >>>> This supports Mohammad's point about the importance of General Ledger >>>> accuracy and transparency. If we use a "shadow" or "pending" balance as >>>> Alberto suggested, we might actually increase user support tickets because >>>> the debt isn't visible to the customer until their new deposit vanishes. >>>> >>>> I suggest we prioritize a model that reflects the true liability on the >>>> user's dashboard to avoid this "missing money" experience. >>>> >>>> Best, >>>> Ayush Singh >>>> >>>> >>>> On Thu, Feb 5, 2026, 9:37 PM Mohammed Saifulhuq < >>>> [email protected]> wrote: >>>> >>>> Hi Alberto, >>>> That is an interesting approach, but I see a few architectural risks >>>> with a 'Pending Transaction' model versus a true 'Negative Balance' model >>>> for this specific use case: >>>> Regulatory Reality: When a 'Force Post' occurs (e.g., a tax levy or >>>> regulatory fee), the liability is often immediate. The customer is in debt >>>> to the bank at that exact second. Keeping the balance at 0 and hiding the >>>> debt in a 'pending' state might misrepresent the actual General Ledger (GL) >>>> position of the bank. >>>> Interest Calculation: If the account is effectively overdrawn, the bank >>>> usually needs to accrue interest on that debt immediately. Fineract's >>>> existing interest engine handles negative balances (overdrafts) naturally. >>>> If we use a 'pending' queue, we would need to rebuild the interest >>>> calculation logic to look at the 'shadow' balance, which adds significant >>>> complexity. >>>> Complexity on Deposit: Your approach requires a new event listener on >>>> every deposit to 'sweep' the pending queue. This introduces concurrency >>>> challenges. >>>> I believe the 'Negative Balance with Limits' approach stays closer to >>>> standard GAAP/IFRS accounting principles where a liability is recognized >>>> immediately on the ledger. >>>> Thoughts? >>>> >>>> Best, >>>> Mohammed Saifulhuq >>>> >>>> On Thu, 5 Feb, 2026, 9:27 pm Jose Alberto Hernandez, < >>>> [email protected]> wrote: >>>> >>>> Hello! >>>> >>>> I would like to propose a more robust method: >>>> >>>> 1. Keep the Savings Account as is, don't update the allowed overdraft >>>> or something else, >>>> 2. Generate a new transaction type that will be applied once the >>>> account has some balance, this can be added to the Savings Account with a >>>> new command >>>> 3. Include a new Balance amount, similar as we have now, totalBalance >>>> amount and available amount, to include those transactions, this new >>>> balance usually will be negative when the Savings Account has these >>>> transactions to be applied >>>> >>>> The idea of this new transaction type is to record the different >>>> pending stuff to be applied the next time the account has some deposit >>>> >>>> What do you think? >>>> >>>> Thanks and regards >>>> Alberto >>>> >>>> On Wed, Feb 4, 2026 at 8:09 PM Mohammed Saifulhuq < >>>> [email protected]> wrote: >>>> >>>> Hi Anu and Campbell, >>>> This is a critical feature for regulatory compliance, especially for >>>> institutions handling automated service charges or tax deductions where >>>> rejecting the debit is not a legal option. >>>> I agree with Anu's architectural approach, particularly separating this >>>> into a distinct API command (withdrawal-force-post). Mixing this logic into >>>> the standard withdrawal flow could create dangerous loopholes where >>>> overdrafts happen accidentally. >>>> One additional consideration: >>>> If we enable allow-negative-balance, we should also consider if this >>>> requires a 'Limit' configuration (e.g., 'Max Overdraft Amount'). Allowing >>>> infinite negative balance might pose a risk if a force-post API is abused >>>> or looped. >>>> I am happy to pick up the implementation of the Global Configuration >>>> and the Permission structure if we have consensus on the design. >>>> Best, >>>> Mohammed Saifulhuq >>>> >>>> On Thu, 5 Feb, 2026, 6:08 am Anu Omotayo via dev, < >>>> [email protected]> wrote: >>>> >>>> Hello, >>>> >>>> I had a similar discussion with my colleague on savings account with >>>> negative balance about two weeks ago. The ask was to debit customer savings >>>> accounts for regulatory reasons even if the account balance is 0. >>>> >>>> Also, I had a negative balance in my account with a commercial bank >>>> days ago due to a bank charge that I wasn't expecting. >>>> >>>> Below is a suggestion on how I think this feature can be implemented in >>>> fineract. >>>> >>>> 1. An "allow-negative-balance-on-savings-account" can be added to the >>>> global configuration to enable/disable this feature. >>>> >>>> 2. It should be implemented as a separate API due to its sensitive >>>> nature e.g (e.g ~ >>>> /fineract-provider/api/v1/savingsaccounts/14/transactions?command=withdrawal-force-post). >>>> The "allow-negative-balance-on-savings-account" setting should be >>>> checked before the transaction is posted. >>>> >>>> 3. New permissions such as WITHDRAW SAVINGSACCOUNT FORCE DEBIT, >>>> WITHDRAW SAVINGSACCOUNT FORCE DEBIT CHECKER should be created and used for >>>> the new API. >>>> >>>> Regards >>>> Anu Omotayo >>>> >>>> >>>> >>>> On Sunday, January 11, 2026 at 01:12:07 AM GMT+1, Campbell Burgess < >>>> [email protected]> wrote: >>>> >>>> >>>> Paul.... Very well laid out. Thank you. >>>> >>>> Bottom line... negative consumer deposit (savings accounts in Fineract) >>>> routinely go negative, with and without, formal arrangements and with (but >>>> also without) account holder opt-in. >>>> >>>> If what I am now guessing is correct, that Fineract does not readily >>>> support a force-post, what is the best path forward. >>>> >>>> Again, we are happy to do all the lifting and contribute the work >>>> product to the community, of course, expecting independent review and >>>> oversight. >>>> >>>> Campbell >>>> >>>> >>>> On 1/10/2026 10:37 AM, Paul wrote: >>>> >>>> *Regulation E (Electronic Fund Transfers):* For one-time debit card >>>> and ATM transactions, banks cannot charge an overdraft fee unless the >>>> consumer has explicitly *opted in*. However, even without an opt-in, a >>>> bank is legally permitted to pay the transaction (creating a negative >>>> balance) as long as it does *not* charge a fee. >>>> >>>> -- >>>> >>>> Herring BANCORP ® >>>> >>>> >>>> *C. Campbell Burgess *President/CEO >>>> Office: (806) 373-3921 | Direct: (806) 242-3704 >>>> >>>> [email protected] >>>> >>>> >>>> *Herring Bancorp* >>>> 2201 Civic Circle, Suite 1000 >>>> <https://www.google.com/maps/search/2201+Civic+Circle,+Suite+1000+%0D%0A++++++++++++Amarillo,+TX+79109?entry=gmail&source=g> >>>> Amarillo, TX 79109 >>>> <https://www.google.com/maps/search/2201+Civic+Circle,+Suite+1000+%0D%0A++++++++++++Amarillo,+TX+79109?entry=gmail&source=g> >>>> >>>> www.herringbank.com >>>> >>>> CONFIDENTIALITY NOTE: This e-mail is intended only for the use of the >>>> individual or entity to which it is addressed and may contain information >>>> that is privileged, confidential and exempt from disclosure under >>>> applicable law. If the reader of this e-mail message is not the intended >>>> recipient, or the employee or agent responsible for delivery of the message >>>> to the intended recipient, you are hereby notified that any dissemination, >>>> distribution or copying of this communication is prohibited. If you have >>>> received this e-mail in error, please notify us immediately by telephone at >>>> (303) 565-7001 and also indicate the sender's name. Thank you. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>
