Your HOA’s Convenience Could Cost You
The Dangers of Unsafe ACH Payment Processors
Brought to you by Drew McManus, your neighbor in 7908.
The Automated Clearing House (ACH) network facilitates millions of financial transactions daily, making it an essential tool for businesses and individuals alike. However, as reliance on ACH grows, with that great convenience comes great responsibility…to protect your financial data!
Think of your ACH database like a vault full of gold. It’s packed with sensitive information and keeping it safe is crucial. Hackers are always looking for ways to crack the code and steal your riches (aka your hard-earned cash).
Safeguarding Your Money
Why is ACH database security critical?
- A prime target: Hackers are constantly seeking vulnerabilities to exploit, and financial data remains a highly sought-after prize. A data breach involving ACH information can lead to significant financial losses, reputational damage, and even legal repercussions.
- Strict regulations: Organizations processing ACH transactions are subject to various regulations, including the NACHA Operating Rules and the Gramm-Leach-Bliley Act (GLBA). These regulations mandate specific security measures for protecting financial information. Failure to comply can result in hefty fines and penalties.
- Impact on owners: A data breach involving ACH information can erode trust and damage relationships with customers and partners. Protecting their sensitive data is essential for maintaining a positive reputation and fostering loyalty.
Know Your Rights
Consumer Protections for ACH Payments
To ensure fair and secure transactions, the Electronic Funds Transfer Act (EFTA) and Regulation E provide a framework for consumer protection. Payment processors and merchants are legally obligated to provide clear and upfront terms of service for ACH payments. These terms should explicitly disclose:
- Security measures: How the provider protects your financial data. Payment processors and merchants must implement robust security measures, including data encryption, access controls, and fraud detection systems.
- Privacy policy: How your personal information is collected, used, and shared.
- Disclosure requirements: Payment processors must clearly disclose the terms and conditions of ACH payments.
- Types of ACH payments processed: Whether the provider handles debits, credits, or both.
- Fees associated with ACH payments: Any transaction fees, service charges, or transfer fees, both direct and indirect.
- Authorization requirements: How you can authorize ACH debits from your account.
- Dispute resolution procedures: How to report and resolve errors or unauthorized transactions.
- Data retention policy: How long the provider stores your data and under what conditions it may be deleted.
- Error resolution assistance: Payment processors must provide assistance to consumers in resolving any errors or disputes related to ACH transactions.
How This Matters to You
Compromised In A SNAPP
This building’s current management company, Sudler/Associa, offers an automatic payment plan called SNAPP (Sudler’s No-check Automatic Payment Plan). However, you may have concerns about using this service. Consider the following:
- Data Breach: Sudler/Associa stores homeowner financial information in their “MySudler Database,” which was compromised in a data breach in 2023. That is the same breach that is currently being settled via the Stauber v. Sudler Property Management Class Action Lawsuit.
- No Required Terms and Conditions: Despite repeated requests, Sudler/Associa has refused to provide basic terms and conditions for SNAPP, including information about fees, authorization requirements, and data security measures. Read the most recent exchange below in the Resources section.
- Preferential treatment: Board President Scott Timmerman has stated his goal is to see all homeowners use SNAPP, even though there are other approved automatic payment options available. You can find those comments starting at the 1:08 mark in the November 2023 board meeting recording, which is available to all owners.
- Unfair practices: Timmerman has implemented harsh fee policies that push homeowners towards using SNAPP.
These concerns raise several questions:
- Why is SNAPP the only payment option eligible for a late fee waiver, even though Zego is also an approved automatic payment method?
- Why doesn’t Timmerman recognize the risk of using SNAPP without clear terms and conditions that guarantee basic consumer protections?
- Why are other Board members failing to question policies that pressure homeowners into using SNAPP?
Take Action
How You Can Protect Your Financial Data
I urge homeowners to be cautious about using SNAPP and to demand the board require Sudler/Associa to provide required terms and conditions about the service before signing up. We deserve transparency and security when it comes to our financial information. Failing to do so risks falling victim to the following serious consequences:
- Data Breaches = Increased Financial Risk: If the third-party provider’s security is lax, hackers could gain access to a treasure trove of personal data, including bank account numbers, routing numbers, and even social security numbers. This information can be used for identity theft, leading to financial losses and emotional distress for homeowners.
- Fraudulent Transactions: Hackers could also use stolen data to make unauthorized ACH payments from homeowner accounts. This could leave homeowners with insufficient funds, impacting their financial stability and credit scores.
- Damage to the HOA’s Reputation & Property Values: A data breach or series of fraudulent transactions can severely damage the HOA’s reputation. Homeowners may lose trust in the association’s ability to manage their finances responsibly, leading to resentment and potential lawsuits. News of these shortcomings will reduce the pool of potential buyers, artificially lowering property values.
- Legal and Financial Repercussions: In addition to reputational damage, the HOA could face legal and financial repercussions for failing to protect homeowner data. These could include fines from regulatory agencies, compensation to affected homeowners, and legal fees.
Investing in ACH database security is not just a compliance requirement; it’s a business imperative. By taking proactive steps to verify that third-party providers are securing owners’ financial data, HOAs can protect themselves from financial losses, safeguard their reputation, and maintain the trust of their owners.
Ultimately, the responsibility for safeguarding financial information lies with the HOA. Homeowners need to be vigilant and hold their associations accountable for choosing reliable and secure payment processors. Remember: convenience shouldn’t come at the cost of your financial security.
Additional Resources
- Nacha Operating Rules: https://nacha.org/newrules
- Gramm-Leach-Bliley Act (GLBA): https://ffiec.gov/
- Consumer Financial Protection Bureau (CFPB): https://consumerfinance.gov/
- Federal Trade Commission (FTC): https://consumer.ftc.gov/
- Electronic Fund Transfer Act: https://federalreserve.gov/boarddocs/caletters/2008/0807/08-07_attachment.pdf
- Electronic Fund Transfers (Regulation E); Amendments: https://consumerfinance.gov/rules-policy/final-rules/electronic-fund-transfers-regulation-e
SNAPP’s Murky Terms
A Trail of Unanswered Questions
Here’s a copy of my most recent effort to obtain these basic consumer protection and disclosure requirements about SNAPP. Board President Scott Timmerman was copied on all of these messages and never responded.
Drew – 6/1/2023
Dear [Property Manager],
SNAPP will continue to be a non-option unless the agreement language has changed since the last time I reviewed it shortly after moving in. It allows the Association to debit the account on file for any disputed fees or back payments without notifying the owner, obtaining permission, nor contacting them in advance. This should be an unacceptable condition for any owner. Having said that, if you have a copy of the current agreement, feel free to send it along and I will be happy to review.
Drew – 6/2/2023
Dear Scott,
The last time I reviewed the SNAPP agreement language, it included a clause that allows the Association to deduct funds at any time without notifying the owner nor obtaining permission in advance.
If that has changed, I’m happy to review the updated language and will gladly enroll if it affords those owner protections. If so, we can consider this matter resolved. I requested a copy from the office but have not yet received it; I do not know why there has been a delay. Otherwise, how can the Association expect owners to agree to that clause? Moreover, assuming this policy is unchanged since I last reviewed it, was the board aware of this clause in the SNAPP agreement when they created the waiver policy?
Drew – 6/8/2023
Good morning [Property Manager],
As a reminder, I have not yet received a copy of the current SNAPP agreement.
Property Manager – 6/8/2023
Drew,
Please see attached.
Note: the attachment was a copy of the SNAPP application, which does not have any of the required terms and conditions.
Drew – 6/8/2023
Hi [Property Manager],
It looks like this is the SNAPP application but I am looking for the agreement. Thank you in advance for sending that along.
Property Manager – 6/8/2023
That is the only form we have.
Drew – 6/8/2023
Hi [Property Manager],
To confirm, you’re saying the Association does not provide owners with a copy of the Terms of Use for a feature that automatically deducts funds directly from their bank account? If that’s not the case, where can I find that agreement?
Property Manager – 6/8/2023
Drew,
The application form I emailed to you is the only document pertaining to SNAPP.
Drew – 6/9/2023
Hi [Property Manager],
I am formally submitting a Section 19 request for all agreements and documents related to the SNAPP payment option. This includes, but is not limited to, all contracts and agreements in effect to which the association is a party or under which the association or the unit owners have obligations or liabilities. Currently, the Association is pressuring me to use the SNAPP payment option without knowing anything about the payment gateway provider, related terms of use and acceptable use policies, or any information about PCI compliance certification.
Both SNAPP and the Association approved payment option I am currently using [from Zego] would automatically deduct my assessment payments each month. The substantive difference I can see is my current option provides basic consumer protections against fraud and required regulatory compliance in the form of providing the Privacy Policy, Terms of Use, and Terms and Conditions agreements I have been asking for with SNAPP.
Property Manager – 6/21/2023
Mr. McManus,
We acknowledge receipt of your June 9, 2023 email which was received on Friday, June 9, 2023 at 4:50 PM.
The SNAPP payment program is an electronic fund transfer program offered by Sudler to the unit owners of the 175 E. Delaware Place Homeowners Association for payment of common expense assessments and other charges. No unit owner is obligated to participate in the SNAPP program, and there are other ways that owners may pay their assessments and other charges, including mailing a paper check accompanied by a payment stub, and submitting an electronic payment via the Zego system. If you are not comfortable using SNAPP, you are certainly under no obligation to do so.
In the first part of your June 9, 2023 email, you have requested, pursuant to Section 19 of the Illinois Condominium Property Act, that the Association provide you with all agreements and documents related to the SNAPP payment option. Section 19 requires that 175 provide you with a copy of any active contract or agreement “to which the association is a party” or “under which the association or the unit owners have obligations or liabilities”. The Association itself is not a party to any agreements concerning the SNAPP program offered to unit owners, so there are no such documents to provide to you.
Drew – 6/23/2023
Dear [Property Manager],
Thank you for your reply. Regarding the Section 19 request for all agreements and documents related to the SNAPP payment option, it seems as though you’re saying that neither the Association nor the Association’s management company has any documents related to any of the following for a payment program, including, but not limited to:
- A list of fees charged to owners using the system and/or homeowners associations utilizing the service.
- Agreements with payment gateway provider(s) used to process payments.
- A data security policy related to any software that automates payments.
- PCI compliance for storing owner’s bank account and payment information.
- Data breach policies for servers and/or cloud-based data centers where Sudler’s No-check Automated Payment Program (SNAPP) related data is stored.
- Certification that the SNAPP program conforms to Nacha Operating Rules, which I’m sure you’re aware clarify the roles and responsibilities of Third-Party Senders in the ACH Network.
- Related terms of use and privacy policies.
- Disclosure of all integrations and partners connected to data storage and payment processing.
Currently, it appears the Association’s management company collects owners’ sensitive bank account and personally identifiable information via paper form and a non-PCI-compliant web portal and stores that data in the same database that was recently compromised in a data security breach. Owners participating in the program are not provided with any information about how payments are initiated nor any of the above compliance documentation.
If any of these, and similar, documents were overlooked, thank you in advance for providing copies. Otherwise, I appreciate you confirming that the Association does not believe owners should have any of this critical information necessary to properly manage their personal finances and have confidence that their financial information is secure and the related Section 19 request is being denied.
Imagine handing over your bank details and authorizing unlimited withdrawals to an organization without verifying if they comply with essential consumer protection regulations. Sounds risky, right?
Yet, this is the situation facing homeowners using SNAPP. This raises a crucial question: why would anyone willingly trust an organization with such broad access to their finances without ensuring they meet basic security and transparency standards?
Remember: As a homeowner, you have the right to information and transparency. Don’t hesitate to ask questions and demand clarity when it comes to your financial information and the terms of service you agree to…assuming they even exist! Sudler/Associa needs to take concrete steps to address these concerns and demonstrate transparency by:
- Making the complete SNAPP terms of service readily available online and upon request.
- Responding promptly and comprehensively to inquiries regarding the terms of service.
- Ensuring that the terms of service are clear, concise, and easy to understand.
- Explaining to owners why terms of service aren’t currently available.
Contact Board President Scott Timmerman:
Be respectful, concise, and clear in articulating the negative impact it has had on you and your fellow homeowners. You are welcome to use the example language as-is, but feel free to personalize the example message before you send.
Curious to learn more about some of these issues? Feel free to get in touch, I’m happy to chat.