I'm sure these were as far as the bank could tell proper and secure transactions.
Based on what? That the thief had the routing and checking account numbers? Those numbers are so easy to get it's equivalent to no security at all.
Agreed.
But that's how checks themselves work. In fact, a number of companies now digitize and then destroy the paper checks you send them, see the Check 21 Act for more details.
It's up to you to catch mistakes as well as fraud. Heck, I can't remember if I've ever gotten a bank statement that didn't have a form on the back for you to fill out to balance your checkbook.
Obviously the account of this guy was too complicated for that, but as others have noted, it's a bit unlikely he was personally filling out 1,000 checks per month. This is the sort of thing you hire a bookkeeper as well as a CPA to manage.
And who does his taxes? It's very unlikely he does them on his own, and if he's not proactively managing his money he'll pay quite a bit extra to that CPA who will have to do a fair amount of forensic accounting just to reconstruct the last year's taxable transactions. That's an equivalent of the classic nightmare of a CPA being handed a shoe box full of receipts, etc....
How about if automated clearing house transfers only worked if you'd authorized the payee in advance?
This would probably mean some practices would need to change, but isn't that better than what we have now, where anybody you've ever written a check to can scoop money out of your account any time they want?
Indeed. Practices would have to change, and given the flakiness of people that would be impractical, plus it would cost a lot of money.
How many would fail to proactively notify their bank? Plus they'd have to tell the bank correctly some magic info identifying the payee. This would really only work if they were the ones to initiate the whole thing through the bank instead of through the billing company. Wikipedia says that in Western Europe both methods are used, frequently to the exclusion of paper checks altogether.
If you want to keep the current system (at least in part) but insert your authorization requirement, then how many people, if called up ($$$) or otherwise asked in some way to authorize a payee, would either reflexively OK or deny it?
In practice (and not just in the US), everyone works on the assumption of honesty and verifies after the fact. Since you really really should reconcile your accounts each month to catch honest errors, extending that requirement to catching fraud is the cheaper approach.