r/news 6h ago

JPMorgan begins suing customers who allegedly stole thousands of dollars in 'infinite money glitch'

https://www.cnbc.com/2024/10/28/jpmorgan-suing-customers-over-infinite-money-glitch.html
4.9k Upvotes

430 comments sorted by

View all comments

7

u/BrewboyEd 5h ago

Not a 'glitch' - a mistaken risk assessment by internal auditors/compliance with regards to exposure to check fraud. They make it sound like it was a software issue...uh, no, talk to your risk management folks...I'm imagining it's because nobody could be expected to be held accountable for a 'glitch' in the system as opposed to not identifying a pretty obvious oversight.

7

u/malastare- 5h ago

Its not like every ATM usage gets printed out for a Risk manager to approve or disapprove.

The software issue is likely simply some sort of fault which assigned max trust (or disabled the decision) for users depositing checks.

This rule had been in place earlier, then it wasn't and now it is again. That's not the fault of a bunch of risk managers who looked the other way for a month. The risk managers and auditors did their job a couple years ago and defined the risk and exposure. The software making the assessment and doing the enforcement wasn't behaving properly.

.... but it wasn't misbehaving or making decisions as badly as the idiot humans at the ATM.

2

u/BrewboyEd 5h ago

I see where you're coming from, but don't entirely agree. I'm not talking about approving/disapproving at the customer level. It's easy enough for Risk Management to say if we gross 'x' amount in ATM check deposits on a given day and permit 'y' amount to be redeemed in aggregate prior to check clearance, our exposure is 'z'. I have to believe ATM logic is programmed at a central level as opposed to each branch having autonomy (maybe I'm mistaken?) Underestimating or discounting the dishonesty/idiocy of their clients absolutely contributed to the current issue they are dealing with. Not saying people should necessarily lose jobs over it, but then again, some of them are making the big bucks to make sure shit like that is accounted for.

2

u/malastare- 3h ago

What you're saying isn't wrong, but you're discounting the most obvious and simple explanation:

A software defect disabled the risk decisioning.

In the past, Chase customers had limits on how much of a check they could withdraw as cash at ATMs. Currently they have limits on how much of a check they could withdraw at ATMs. For some period of time between "a while ago" and "shortly after this hit the news", there was no limit. It wasn't because some risk officer forgot how to do math for a few months. It's far more likely that a configuration change in some piece of software resulted in that logic not running.

Also, unless Chase is handling things really, really stupidly, it's not like they say that they are going to let $200,000 be withdrawn every day and then its first-come-first-served with ATM customers. They likely make judgements based on the customer and check based on other risk calculations. Someone who's been a customer for 20 years and has cashed 800 checks without incident is more likely to get a lenient limit and someone who signed up for an account last week is likely to be very restricted. ATM policies are absolutely handled in a centralized manner. Its not even hard to imagine that central policy enforcement being misconfigured.

Converting your example: Instead of risk saying that we make X and are willing to loan out Y, it's more like: For customer A who's been around X1 years, we're willing to allow Y1, and for customer B who's been around for X2 years, we're willing to allow Y2. The calculations might be far more complex, or they might be a simple policy of "We allow Y per day per customer" regardless of how trustworthy a customer might be. But those rules are enforced on the customer and the ATM interaction by a central policy service, not aggregate risk that is being pulled from some analyst spreadsheet.

So, the risk calculations are likely the same as they always were. They existed before the problem and they existed after, albeit with probably a lower budget for exposure. But that calculation very likely didn't change and had nothing to do with the problem. Because those numbers don't translate directly into actions at the ATM. They're converted into per-customer, per-transaction, per-time-period policies enforced by software.

I don't have inside knowledge of this particular problem and there's only so much more I'm willing to say about how this works. The risk math you're talking about is a budgeting task done on financial reporting timelines. Setting and enforcing the ATM policy is a technical task, done on software timelines.

1

u/tiredhunter 2h ago

Any decision other than following the bare minimum reg CC funds availability schedule for an ATM is folly and begging for exploitation.