Business accounts
Positive Pay
Several banks offer a service called "Positive Pay" for business accounts, which basically offers the ability to create a list of checks you have issued and a list of merchants who are permitted to make ACH debits against the account.
Anytime someone attempts to cash a check against the account or make an ACH debit against the account, and the check or ACH debit is not on the list of authorized transactions, this will be considered an "exception item."
Whenever there is an exception item you will have the opportunity to review the transaction and either approve or return it. If you do not review the transaction by the deadline, most banks will automatically return the transaction.
A few things to keep in mind:
Some banks advertise that they offer "Positive Pay" but they actually only offer Check Positive Pay and not ACH Positive Pay. When looking for banks offering Positive Pay, ensure that they also offer ACH Positive Pay.
Some banks will refer to ACH Positive Pay as "ACH Debit Filters"
Some banks will pay exception items by default instead of returning them if no decision is made. I would suggest using a bank that returns items by default.
For most banks, this service is offered as part of their "treasury management" or "cash management" services
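The exception-item flow described above, as an added Python sketch (not code from this post or from any bank's system), showing how the bank's no-decision default changes what an unreviewed exception costs you. The originator IDs, check numbers and amounts are constructed sample data, and matching a check on both number and amount is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Item:
    kind: str        # "ach" or "check"
    ref: str         # originator ID for ACH, check number for checks
    amount: Decimal

def is_exception(item, approved_originators, issued_checks):
    """True when the item is not on the account holder's authorized lists."""
    if item.kind == "ach":
        return item.ref not in approved_originators
    # Assumption: a check matches only if both number and amount agree.
    return issued_checks.get(item.ref) != item.amount

def settle(items, approved_originators, issued_checks, decisions, default):
    """Return (paid, returned) once the review deadline has passed.

    decisions maps an exception item to "pay" or "return" when the account
    holder reviewed it in time; unreviewed exceptions get the bank's default.
    """
    paid, returned = [], []
    for item in items:
        if is_exception(item, approved_originators, issued_checks):
            action = decisions.get(item, default)
        else:
            action = "pay"
        (paid if action == "pay" else returned).append(item)
    return paid, returned

# Constructed sample data (hypothetical IDs and amounts).
APPROVED = {"UTILITYCO1"}
ISSUED = {"1001": Decimal("250.00")}
PRESENTED = [
    Item("ach", "UTILITYCO1", Decimal("84.10")),    # on the approved list
    Item("ach", "UNKNOWN999", Decimal("4900.00")),  # exception, never reviewed
    Item("check", "1001", Decimal("250.00")),       # matches an issued check
    Item("check", "1001", Decimal("2500.00")),      # amount mismatch, reviewed
]
REVIEWED = {PRESENTED[3]: "return"}

def unauthorized_loss(default):
    """Total of exception items that ended up paid under the given default."""
    paid, _ = settle(PRESENTED, APPROVED, ISSUED, REVIEWED, default)
    return sum((i.amount for i in paid
                if is_exception(i, APPROVED, ISSUED)), Decimal("0"))

if __name__ == "__main__":
    for default in ("return", "pay"):
        print(f"default={default}: unauthorized amount paid = {unauthorized_loss(default)}")
```

With a return-by-default bank the missed review costs nothing; with a pay-by-default bank the unreviewed debit goes through in full.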
ACH Debit Block
This is not as common as Positive Pay, but several banks do offer a service called "ACH Debit Block" which blanketly blocks (returns) all ACH debits.
Like Positive Pay, this is typically only offered on commercial accounts.
Note that simply using this will not block checks from cashing. You'll need to either place a "Check Block" (if offered) or enroll in Check Positive Pay to block checks from cashing.
Personal accounts
Account restrictions
Some banks offer consumers the ability to place a restriction on their accounts which blocks all withdrawals but still allows deposits. Some banks offer a similar option but the restriction blocks deposits as well.
At my primary bank, I keep one of my accounts with such a restriction in place and use this account to receive direct deposits. Because of the restriction, the direct deposits (ACH credits) go through but any ACH debits would be blocked.
Once I receive the direct deposit, I call the bank to temporarily lift the restriction, make an internal transfer to my other accounts, and then ask them to reinstate the restriction.
I also keep such a restriction in place with my "long term savings" account so that any attempt to withdraw money would fail until I call the bank to remove the restriction.
Some things to keep in mind:
Most banks do not offer this, but there is a sizable number of banks that do
Make sure that you keep the account active, as inactive accounts can sometimes be automatically closed, and in some cases, they can be turned over to the state
Some banks will allow you to keep this restriction for as long as you want with no caveats (as long as the account remains active). However, other banks might automatically close the account if the restriction remains in place long enough
Of the banks that offer this, most banks allow you to place or lift the restriction without delay by calling the bank. However, a few of the banks that offer this are not able to place or lift the restriction immediately and you may need to wait a few days for it to take effect
CD accounts
Most CD accounts are not able to accept ACH debits (or credits). Therefore, I would consider a CD account to be much more secure than a regular savings account.
Some banks offer "No Penalty CDs" which allow you to withdraw from the CD at any time without penalty.
Having multiple non-overdraftable accounts at the same bank
I would suggest having at least two accounts: one to make transactions, and one to hold money. When I am not expecting an ACH debit to come through, I keep the transactional account empty. I virtually never share the account number for the account which holds the money.
Personally, I go beyond two accounts and have distinct accounts for different roles: one for credit card payments, one for external transfers, one for pushing money, one for debit card use, etc.
Therefore, if one of the account numbers is compromised, the worst case scenario is that only one of the accounts is drained and I keep most of my money.
However, it is important to note that this only works if the bank doesn't allow the accounts to be overdrafted. If the accounts do allow overdrafts, one of these accounts can go in the negative, which defeats the purpose of doing this.
Why this is a real issue
ACH fraud is a valid concern. Contrary to popular belief, you do NOT need to be a reputable business to initiate an ACH debit.
Most major banks even offer a service called "ACH Debit Origination" (the ability to post ACH debits) as part of their treasury management solutions, which they will provide to almost any business willing to pay the fees needed to utilize this service.
It is my belief that the entire concept of "ACH debits" is extremely dumb. It makes zero sense to allow anyone with the account number to withdraw money, and then say "dOn'T wOrRy aBoUt fRaUd, yOu cAn DiSpUtE iT" (not to mention that there is no guarantee that they will rule in your favor, even if the transaction was actual fraud).
That's like saying "don't bother keeping a fire extinguisher in your house, home insurance will buy you a new house if yours burns down."
In any case, I have done significant research on the topic and these are the only solutions that I have been able to find.
Why banks rarely offer any sort of mitigation to this issue on consumer accounts
TL;DR: Because the system doesn't allow them to. Blame NACHA and blame the Fed.
ACH debits were originally created as an electronic equivalent to a check, and since checks would be debited from an account upon presentation, the ACH system was also (unfortunately) set up to allow debits.
Banks CANNOT reject ACH debits willy-nilly
Unlike credit or debit card charges, "declining" an ACH debit is not a straightforward thing that banks can do freely.
In most cases, banks CANNOT actually "decline" or "block" an ACH debit - instead, they can only "return" them, which is more akin to reversing them after the fact than to actually stopping them from happening.
A bank cannot return an ACH debit unless the return reason falls under one of the valid reason codes provided by NACHA (the organization managing ACH).
When banks receive an ACH debit, it is more along the lines of:
"FYI, this debit is being posted to this account, and you'll need to explicitly reverse / return it (and provide a valid reason code for doing so) if this debit is problematic."
more so than:
"This charge is being attempted, and you can approve or decline it at your own discretion. Would you like to approve it?"
Banks are largely discouraged from returning ACH Debits
The way NACHA sees it, the burden to verify the identity of an individual and obtain authorization before debiting their account rests on the merchant debiting the account (but not all merchants actually do a good job at this, which is exactly why the whole "debit" model is extremely flawed).
Hence, merchants get penalized and can potentially even be barred from the ACH network if too many debits they initiate get returned.
(Because NACHA argues that trying to discourage merchants from initiating unauthorized debits is somehow a better solution than adding any sort of actual security to the network, which is like arguing that punishing arsonists more harshly is a better solution to housefires than allowing houses to have fire extinguishers or fireproof drywall, which in this analogy, are banned.)
Thus, merchants strongly discourage banks from returning ACH debits except when they absolutely have to, and merchants might even start to refuse to debit accounts from a specific bank (potentially causing that bank to lose customers) if a bank returns ACH debits too frequently.
Furthermore, banks need to pay a fee to the Fed every time they return a debit.
There is no return code suitable for "Positive Pay rejection" for consumer accounts
Not only is Positive Pay rarely requested by consumers, but on top of that, a reason code that allows for returns initiated via Positive Pay (or similar systems) exists for business accounts, but does NOT exist for personal accounts.
The "unauthorized debit" return reason for consumer accounts is R10, and a bank is only allowed to use this return reason after having collected a "Written Statement of Unauthorized Debit" from the consumer.
This doesn't mean that banks are completely unable to offer Positive Pay on consumer accounts, but rather, that doing so would require legal gymnastics and risk-taking, where they would have to take action to justify these returns under one of the other reasons.
The good news is that most financial institutions will return a debit automatically (no further questions asked) provided that a consumer submits a WSUD (Written Statement of Unauthorized Debit) within 60 calendar days of the ACH debit being posted. The bad news is that financial institutions usually don't disclose whether or not they actually follow this practice, and although most do, not all do.