As I said in my posting last Saturday with regard to making public providers' bank account and ABA routing numbers, some "liaisoning" with X12F Finance and NACHA might be in order.
So I did just that: some "liaisoning." I corresponded with both Richard Bort, a certified cash manager and financial consultant specializing in treasury management and electronic commerce, and the author of the classic reference "Corporate Cash Management Handbook"; and Priscilla Holland, Senior Director, International & Corporate Payments, at NACHA. I just love "liaisoning" and name-dropping - it beats real work any day.

Both Bort and Holland agree that it would be none too wise to post account information (like the routing number and bank account number) in a public registry with no controls to limit access. They've graciously allowed me to share their remarks.

Dick writes:

As for the issue at hand, it highlights a conflict between reason and emotion, with a large dollop of fraud thrown in. Of course everyone to whom we write checks can know our bank transit routing number and account number. By the same token, we wouldn't plaster those numbers on a billboard alongside the highway (or in a publicly-accessible directory on the Web), though, for fear that some miscreant would misuse that information.

I know what you're thinking: "In Europe they print their bank IDs and account numbers on their invoices to facilitate remittances, so why don't we do it?" The largest source of bank fraud in the U.S. is check fraud, most of which involves the creation of totally bogus checks using a PC and a laser printer. If I know the bank and account numbers of a deep-pocketed firm, like a hospital, I could make up a check (or, preferably, a series of modest size checks) purportedly drawn against that bank account and probably get away with it. The banking industry has created some effective defenses against this (e.g., "Positive Pay" service) but losses continue to be heavy. Therefore, it's just not wise to advertise one's bank account number to anyone who may be interested. (BTW, the bogus check need not have the MICR line printed in magnetic ink. The banks, "los brilliantes" that they are, will kindly repair unreadable MICR numbers with a readable strip pasted to the bottom of a check.)

In the healthcare business, there are relatively few payers (hundreds, or maybe a thousand or so, but not an entire boatload). I see no reason why there could not be some central registry to which legitimate payers could gain controlled access. That registry could/should contain more than just the depository bank account numbers. It probably should also include a profile of the provider, such as preferred way to receive remittances (e.g., EFT/EDI, together or separated, check in the mail, etc. etc., and a contact person and phone number and e-mail address).

There are just too many bad guys around who would really mess things up if we were to publicly post bank account numbers. It's that simple. I hope this is helpful.

Priscilla adds:

As far as publishing your account number - the biggest issue is fraud. NACHA has historically published information on all conference brochures on how to make an electronic payment for the conference registration and has published the routing & transit number and account number for our primary checking account (not a good idea). Last year we had 17 unauthorized debits to that account. It seems that the criminals are learning about the capabilities of ACH fraudulent debits.

If you want to publish an account on the web - I would suggest that it be set with a debit block - that will prevent unauthorized debits - and the account be monitored very closely. [The Columbus Dispatch article] talks about finding additional funds as a windfall - finding that your account has no money because of unauthorized debits would be somewhat more likely. If you want to publish your account information - it would probably be better to have a separate account for this purpose and then transfer the funds into the general account.

I think this settles the matter, though it's disappointing that banking account "security" relies on keeping these identifiers semi-secret. Perhaps we can accommodate protection of the financial account information in the directory in some technical way to ensure it is revealed only to legitimate payers (insurance companies) - by restricting it to only those folks who possess a directory entry themselves or somesuch nonsense. Or the 837 claim could be changed to send the provider's routing and account numbers for EFT payments directly to the payer (I was surprised it wasn't there already), bypassing the Healthcare CPP directory altogether.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320
