I worked for a "systemically important financial institution" (known as SIFIs in the industry). I also worked on critical functionality, like payment processing, wire transfers, etc. Seeing how that sausage was made was eye-opening.
One time, there were reddit threads circulating where customers were complaining about logging into their bank accounts then seeing the information of another user. I brought up during stand up, and my team lead freaked out, took me around the corner in the hall way, and screamed at me for 10 mins straight about how I am compromising the security practices of the company (OK, guy). Weirdly, there was not mainstream media attention or any discussion internally. My guess is the policy is to suppress aggressively when flaws become public, especially with security.
Given the nature of the financial services business, you would think they would have the highest paid and most competent tech workers, but fuck no. For the most part, we would hook up FOSS components to talk to our legacy back end monoliths (usually mainframe dinosaur machines that should have been extinct a long time ago) and then render the desired output to a web or mobile interface. So the good news is that your security is as good as the open source engineer's implementation (which most of the time would be Java / Spring / Oracle / Pivotal, or C#/ .net / MS) bc that is the tooling we would build on. More good news is that, due to risk aversion, things do not change often at banks bc of fear of mistakes (downside being that there is les innovation).
In all honesty, I would rather trust amazon, google, or even netflix with my finances over big banks. Except facebook, never trust facebook.
I had something similar happen to me- my compensation included a big incentive bonus based on an annual target, but half was paid out in advance in like June to smooth out the income a bit. One year somebody in payroll royally screwed up and at the half year mark instead of 1/2 of the bonus everyone ended up with the full bonus.
The insane/awesome thing was how they clawed it back. The did require everyone pay back money, but only the money that was left after any payroll deductions. Between taxes, insurance, flexible spending accounts, retirement savings, and some other automatic deductions close to 50% of my pay check is deducted, so I walked off with what was effectively a 2.5% bonus. I was pretty happy to send back what they asked for at that point…
Full second payment, that’s why I was happy with it. Personally, I would have thought they’d have just not clawed back the money and then only paid/clawed back money at the of the year to adjust to exceeding/undershooting the target (the company is cash rich).
Almost a decade ago I deposited a 10k check at the bank and was told the usual (in my case) that it would take x days to clear. After x days and not even seeing a trace of it in online banking I went to the branch.
They were unable to find the deposit or transaction in their system, yikes!
Fortunately I had the little receipt they gave me at the time of the transaction and within half an hour 10k deposit was made available but interestingly the deposit did not come from the check writer but the bank itself. Always curious to me. Never got a clear explanation but I would have been SOL without that transaction receipt!
Banks have provisional accounts which they use to make customers whole. They don’t know where your check went either but they’ll make you whole while they figure it out. Your check will be credited to their provisional account if they find it!
I worked for a large bank and they ran into an “issue” which required making a whole lot of clients whole out of provisional accounts while they figured out what happened. I can tell the balance of those accounts became a metric which many people were evaluated by.
All of the payment system processes are structured around banks rather than individuals . What if a similar transaction error was committed by an individual or a business managed by an individual, the amount of hardship and pain they have to go through , before all those transactions could ever be reversed.
In my early 20s, I deposited a 5 figure check from a client for a contract gig. The bank cleared it. Then it turned out the client had a record of writing fraudulent checks.
Common sense would dictate I was a victim of fraud. But my bank (Wells Fargo) decided to close my lone bank account of 5 years for "suspicious activity."
They treat their clients so well that, out of fear of you not being able to access online banking, their passwords aren't case sensitive. Why yes, that does mean that they are storing passwords in plaintext, but it's just so they can make their clients lives easier.
> What if a similar transaction error was committed by an individual or a business managed by an individual, the amount of hardship and pain they have to go through , before all those transactions could ever be reversed.
What makes you think these transactions can be reversed? In the U.K. most inter-bank transactions are non-reversible for a whole host of reasons. When a bank “reverses” a transaction, what that usually means is they sent an email to the receiving bank to pretty please send the money back. There’s 50/50 odds the receiving bank still has the money and is interested in helping you.
There is no FPS message that allows you to unilaterally reverse a payment as a sending institution. It requires the consent of the receiving institution, and there’s no guarantee they’ll consent, or even have the ability to.
If the person receiving the money has moved it on, then it gone, FPS BER won’t save you. No receiving institution is going to voluntarily take on liability for another banks fuck up. At best they help you recover the money because the scheme makes them be helpful, but that’s no guarantee of actual recovery.
If someone drops their wallet by accident, and you take it, you are still stealing. The ultimate "source of truth" for payments is not the payment system, but the law, so if a payment was made in error, then the receiver has a legal responsibility to return the money.
> o receiving institution is going to voluntarily take on liability for another banks fuck up.
That's not how liability works at all...
If a large amount of money is erroneously deposited into your account, you don't get to keep it. Returning the money doesn't make you "liable" for anything, it's the opposite. If you spend that money, then you're going to have to pay it back, and if you can't, then you can end up in prison.
There’s a difference between the institution that receives the money, and the person that owns the account.
If the person owing the account move illegitimate find out of their account, then there’s nothing the receiving institution can do, they can’t return money no longer on their books. They could return money, and push the account owner into an overdraft, but now they’ve taken on the liability of recovering those funds. No bank is gonna do that voluntarily, especially to cover another banks fuck up.
Now the original sending bank could then ask the receiving bank who took the funds, and the receiving bank will tell the sending bank to come back with a court order, because they have a legal obligation to act in the best interest of their customer, even if they think their customer maybe doing something dodgy. Once the sending bank has rustled up a court order, then the receiving bank will hand over the account owners PII, and the sending bank can attempt to recover the money via the courts.
But a no point is the receiving institution ever going put their neck out to help a sending bank recover incorrectly sent funds. It’s the sending banks problem to use the legal system to both discover who received the funds, and pursue recovery directly from them. They can’t recover the funds from the receiving bank directly if the monies moved on and the account owner refuses to cooperate with the recovery process.
People forget there tends to be a very large gap between the law and its enforcement. Frequently it’s too much effort to actually enforce the law, so large sums just get written off instead.
If someone sends you money by mistake it is not yours and you should return it (the easiest way to do that is to call your bank and ask them to revert the transaction[1]). If you do not return it then it is theft and you may be prosecuted. If a company accidentally sends another company money then things are usually resolved quickly and professionally with a phone call.
If a company accidentally sends lots of people small amounts of money then the loss is balanced against the cost of getting it back by contacting all the people and likely some will be returned and some will be stolen.
If the accidental transfer is really accidental pay then undoing will be complicated/impossible so if the amount is small enough maybe just pay less the following month (if it’s allowed by minimum wage laws?) and write off people who quit before the company is made whole, though this can be complicated if the error happens towards the end of the tax year or because of taxes that are assessed e.g. monthly instead of annually.
[1] there’s a common scam that goes roughly like: 1. Someone sends you ‘too much’ money. 2. They ask you to return the money minus some goodwill payment. 3. They clawback their initial transfer but you can’t claw yours back. So that’s why trying to get the original transfer cancelled is better than trying to return or partially return funds manually.
This is not a coding error but partly a configuration error mixed up with poor general routines complemented by bad practice. Also the banking infrastructure doesn’t help.
Instead of fixing these issues this incident will most likely
change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
What consequences I can only speculate- but it might very well have severe negative effects.
> Instead of fixing these issues this incident will most likely change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
The U.K. FCA tends to be extremely consumer friendly and somewhat bank hostile. There will be no regulation change as a result of this, more likely fines and greater oversight from the FCA. They’ll no doubt be demanding incident post-mortems already, and the general expectation is that Santander will have to cover any lost funds that can’t be recovered by asking nicely. The FCA takes an extremely dim view of banks aggressively pursuing individuals for money after the bank fucked up.
Consumers (ie actual people) will be made whole by law. And most likely affected businesses won't end up out of pocket either, but the law doesn't protect them as much, on the rationale that they're not people. So banks do screw them over all the time too, just probably not this time.
But the Fundamentally Complicit Authority (no that isn't what their initials really stand for, it's a Private Eye recurring joke because of how useless they are) as regulator is unlikely to expect Santander to actually fix anything about their process, and so this will happen again. And again.
> But the Fundamentally Complicit Authority (no that isn't what their initials really stand for, it's a Private Eye recurring joke because of how useless they are) as regulator is unlikely to expect Santander to actually fix anything about their process, and so this will happen again. And again.
Having been at a bank after a similar level of fuck up, you can be sure the FCA will be asking some tough questions, and they absolutely will instruct institutions to fix their processes. Fail to do that enough times, and you’ll be forced to do a skilled persons report. Having experienced that, I can tell you, you don’t want it happening to your bank. It months of audits, followed by years of remediation.
> Instead of fixing these issues this incident will most likely change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
I think the rules are generally pretty clear on this: if you receive money by mistake, it is not your money, and you must return it (obviously if you don’t know where to return it to, you should try to find out where it is from and contact the sender, or try to get your bank to revert the transaction. Indeed asking your bank to revert it is probably the best way to return it). People who do spend the money that is accidentally sent to them can be prosecuted for theft.
Furthermore, accidental or incorrect transfers happen relatively frequently and sometimes with massive amounts of money. It is usually resolved with a phone call between companies.
There are some exceptions to these rules like the whole banque worms thing we saw recently, but that doesn’t really matter.
The problems here for the bank are:
- they are on the hook for any losses if they fail to get the money back
- there are a large number of transactions so there is a lot of work to do. Santander is probably trying to contact the other banks to process them in bulk.
I don’t think any regulations will or need to change.
If you’re wondering how crypto fixes this, I have two examples. 1. XRP let’s you mark one transaction as reverting a previous one, and 2. Binance accidentally duplicated a bunch of dogecoin withdrawals and then asked people to return the funds and suspended withdrawals hoping it would further motivate people to return funds.
From what I know of Santander systems I had the "pleasure" to interact with as a third party dev, it's probably a poor sob who triggered a method called "doTheRightThing" which ended up doing something completely different.
Only Citi has surprised me more than Santander when it comes to completely insane IT org (Citi spent 2 months on an automated export and when we went live after UAT, we realized they were not ready and had a monkey do the "automated export" manually, with completely wrong format and information, and they didnt feel the need to warn us when it happened at 11pm...)
I got paid twice 24th and 25th but didn't have to do anything. They just took the money back when they realised. I bank with a different bank to my company.
I wonder if someone could get legally get away with finagling this into a large bank loan, particularly from a bank with a partially or fully automated application process.
"Oh sure, here's my 2021 year-end statement (no additional comment)." (Let's just assume for the sake of argument that the money was left in the account long enough to be reflected in a statement.)
I'd be pretty surprised if the bank didn't have some generic term in loan contract along the lines of "the information/papers I gave $bank for this loan is accurate to the best of my knowledge", in which case you'd be explicitly defrauding them.
The banks are going to require you provide an explanation and documentation for where all funds came from for the past several months. Besides they’re going to be looking at your annual income anyways — one time cash drops are only useful for making a larger deposit. But they’re not dumb enough to use a one-time infusion to calculate your debt to income ratio.
Look up “seasoned funds”. Banks learned long ago that they need to trace the source of funds and confirm they’ve been in possession of the person for a long time before assuming it’s actually theirs. Otherwise people would get ultra-short loans from friends and family or even other moms and pretend it was their own.
The one time I got a mortgage, I was saving an unusually high % of my salary. After the mortgage company got a look at my bank account, they were nervous that I was possibly getting extra money from somewhere, and demanded a larger downpayment. Fortunately, I was able to hit that number by continuing to save at the same rate.
Back in the 1990s, I was living in another country and noticed that sometimes, when I used my home credit card, the purchases would simply never appear on my bill. The "free" purchases were always small (no free airline tickets or cameras) and the only pattern I could figure out was that a bookshop I frequented was always free. But I felt bad about (potentially) stiffing them, so I started buying my books with cash instead.
It wasn't the only place where this happened though, just the only one where it clearly happened every time. This was in the days of printed statements, so there was often a lag of several months until I would find out what was and was not actually charged.
Unless it's an error that is plausibly paying down a loan, in which case the error might actually work in your favor, depending on how Citigroup's appeal against the hedge funds goes.
Well... in that case, the sender actually owed the recipient the money. It just wasn't due at the moment.
From the article:
> Citibank sued, arguing that it was entitled to get the money back since the cash was sent out by mistake. Ordinarily, the law would be on Citibank's side here. Under New York law, someone who sends out an erroneous wire transfer—for example, sending a payment to the wrong account—is entitled to get the money back.
> But the law makes an exception when a debtor accidentally wires money to a creditor. In that case, if the creditor doesn't have prior knowledge the payment was a mistake, it's free to treat it as a repayment of the loan. Judge Furman ruled that that principle applies here, even though Citibank notified its creditors of the mistake the very next day. The defendants noted that the amounts they received matched the amounts Revlon owed down to the penny, making it reasonable for them to assume it was an early repayment of the loan.
Ebenezer Scrooge strikes on Christmas. This is unfortunate I have had something similar happen where I thought the funds were there and spent more money then I had. What happened was Microsoft lost the payment info or something on a laptop I purchased and did not take it from my account for 3 months. I did so much Christmas shopping at the time I honestly didn't realize they had not taken it out so I made another big purchase and then all of a sudden they took out $1500 catching me by surprise. Had I realized they did not take it right away I would have not continued to spend as I did. I know I am responsible for keeping track but the way it showed up and disappeared on my banking app honestly confused me initially. I feel sorry for these people who may have thought they had a bit more so made an extra purchase or two and now have this money taken back and stuck with their purchases.
Fairly standard in the UK. Businesses don't want to lose face and see the share price drop so they keep everything as private as possible and only release the bear minimum information. Look out for standard phrases like, "A small number of our customers", "We are working hard to...", "Learn lessons....", "No-one will be out of pocket". Of course, these are mostly weasel words and they don't account for the fact that the amount of hassle these mistakes can cause cannot be captured in a pithy soundbite.
The truth is, though, that the massive amount of regulation is both good and bad. It is good that the consumer is protected but it is bad that it is easier for a bank to stay with 50 year old technology that is already approved than risk releasing something brand-new since mistakes are penalised so badly. I think a more open regime would be better, obviously accepting that the bank has to ultimately make sure that their customers don't lose out.
For example, "Dear customer, we are moving all mortgages to a new system which will make it much cheaper to run. Just in case some of the calculated payments are out by a few pennies, we will be giving all customers £1000 towards their mortgage to account for these". Much cheaper in the long run but we seem to prefer the costs of flogging a dead horse with the small amount of "sweetener" we could pay instead.
I don’t remember a single instance of 50-year old banking technology costing customers money, so I don’t see what the supposed downside is. You refer to a “brand-new system” that is “much cheaper to run”. But as far as I can tell, the operational costs of a mortgage are little more than an (exquisitely analyzed) rounding error. There are some new bank(ish) startups here in Europe like N24 and there are some new rules for data portability. But I’ve yet to see any exciting ideas coming from such efforts.
You're not entitled to keep the money, but I always wonder what would happen to the interest if you dumped millions of dollars into your savings account. Do they take that away too?
The HN title says it was a "coding error" but the article title is "Bank accidentally deposits $176 million into people’s accounts on Christmas Day" and the article does not say it was a software error:
"The bank said the duplicate payments were caused by a “scheduling issue” that has now been rectified."
It could have been a software bug but it could also have been a human error.
Not following. The recipients received the payments twice. But did the affected business accounts also get debited twice? I'd assume some would have run out of funds or hit a credit line.
I know nothing about how real life banking software works. (I guess I'm glad not to know...) But I'd assume the blance of both affefted accounts are updated in an ACID transaction?
I know that it is not ACID on debit and credit as I was once transferring £70k between my co-founder and I at £10k per day.
For some reason the 5th transaction got credited to my account but not debited from his. We tried to return the money but both banks were adamant that no error had occurred.
Ha ha lol what? In the grand scheme of things its a tiny amount of money for a bank with a €1tr balance sheet, the overhead of recovering the cash, not to mention the poor publicity, will be enormously costly, but most of all, how exactly is paying out £100m from the banks own funds supposed to benefit the bank??
(btw this actually will increase the banks leverage, which according you i imagine they'd want to be reducing, plus will negatively impact the banks CET1 capital, so all in all not beneficial in anyway whatsoever)
European banks should have been let fail... Facts on the table, please.
People should check the statistics first before making such statements. An average US bank is probably 12-13% capitalized (own equity Vs total assets. An average European bank is probably 8-10%. It seems less at the first sight, but if you take negative rates into account in Europe Vs positive ones in US, that's not such big difference at all. In general,banks are well capitalized both in US and Europe. Of course, not all apples are good (we're got 3000 or so banks in Europe), some are surely close to going belly up if not the government support (Italian banks, I'm looking at you). But that's a far cry from all European banks should have been let to fail..
There have been places that use the one-time accounting trick of shifting payroll from paying at the end of the month to paying on the first day of the following month.
It reduces outgoing cash for a single fiscal year, once.
Err no. The payments get settled at BoE at the end of the cycle. This would have caused double draw on their settling account. They would have had less money.
One time, there were reddit threads circulating where customers were complaining about logging into their bank accounts then seeing the information of another user. I brought up during stand up, and my team lead freaked out, took me around the corner in the hall way, and screamed at me for 10 mins straight about how I am compromising the security practices of the company (OK, guy). Weirdly, there was not mainstream media attention or any discussion internally. My guess is the policy is to suppress aggressively when flaws become public, especially with security.
Given the nature of the financial services business, you would think they would have the highest paid and most competent tech workers, but fuck no. For the most part, we would hook up FOSS components to talk to our legacy back end monoliths (usually mainframe dinosaur machines that should have been extinct a long time ago) and then render the desired output to a web or mobile interface. So the good news is that your security is as good as the open source engineer's implementation (which most of the time would be Java / Spring / Oracle / Pivotal, or C#/ .net / MS) bc that is the tooling we would build on. More good news is that, due to risk aversion, things do not change often at banks bc of fear of mistakes (downside being that there is les innovation).
In all honesty, I would rather trust amazon, google, or even netflix with my finances over big banks. Except facebook, never trust facebook.