Positive Pay for Law Firm Trust Accounts
A forged or altered check drawn on a law firm's trust account is a different kind of problem than fraud on an operating account. The money in an IOLTA or other client trust account does not belong to the firm. It belongs to clients, and the attorney who signs on that account is responsible for every dollar in it. When a counterfeit check clears against pooled client funds, the firm has to make the account whole regardless of who got defrauded, and a shortfall can trigger a bar inquiry on top of the financial loss.
Positive pay is the bank control most directly aimed at that risk. This page explains why firms put it on trust accounts, how the daily workflow runs, and how to produce the check-issue file your bank wants without buying desktop software.
Why the trust account changes the math
Two facts make check fraud on a business account worse than most people assume.
First, the liability rules are not the consumer rules. Under UCC Articles 3 and 4, a business customer generally has a short window, often one business day after the statement or item is made available, to report an unauthorized or altered check before the loss can shift away from the bank. Miss it, and the firm can end up eating the loss. Consumer accounts get up to 60 days; a commercial trust account does not.
Second, courts and treasury departments have repeatedly treated the availability of positive pay as significant. If a bank offers positive pay and the customer declines it, the customer is more likely to be held responsible for fraudulent items that the service would have caught. Several public fraud-prevention guides state this plainly: decline the tool the bank offered, and you have weakened your own position if a loss occurs. For a trust account, that is not a risk a firm should carry by default.
The ABA and state IOLTA programs frame trust-account safeguarding as an ethical duty, not just a banking preference. IOLTA rules explicitly permit attorneys to contract with their bank for fraud controls such as positive pay and ACH debit blocking on the trust account. The service is allowed precisely because regulators expect firms to protect client money.
What positive pay actually does
Positive pay is a daily match. Each time the firm issues checks, it sends the bank a list of those checks: check number, dollar amount, issue date, account, and on payee positive pay, the payee name. When checks come in for payment, the bank compares each one against that list. Anything that does not match, a wrong amount, an unknown check number, an altered payee, is flagged as an exception and held. Someone at the firm reviews the exceptions and decides pay or return, usually by a same-day cutoff.
That is the core idea. The fraudulent check never quietly clears, because it was never on the list. If you want the mechanics in more depth, see what positive pay is and how it works.
A related variant, reverse positive pay, flips the work to you: the firm uploads no issue file, the bank shows you every check presented, and you approve or return each one. It needs no file but more daily attention, and it catches less automatically. Most firms with any check volume prefer standard positive pay so the matching is done for them.
The daily workflow for a firm
In practice the routine looks like this:
- Print or record the checks. Whether checks come out of the practice-management system, QuickBooks, or a spreadsheet, you have a register of what was issued today.
- Build the check-issue file. The bank wants the day's checks in a specific layout, usually a CSV or fixed-width text file with the fields in a fixed order.
- Upload it before the cutoff. You submit the file through the bank's treasury or business-banking portal, often before checks can be presented.
- Work the exceptions. If the bank flags an item, you review it the same day and choose pay or return. No decision by the cutoff usually means the bank applies a default, sometimes pay, sometimes return.
For trust accounts specifically, pair positive pay with the reconciliation discipline the rules already require: a three-way reconciliation of bank balance, book balance, and the sum of individual client ledgers. Positive pay stops the fraudulent item at the front door; reconciliation catches anything that slips past and proves to a regulator that the account is in order.
The file is the part QuickBooks won't do
The friction is almost always step two. QuickBooks cannot export a bank positive pay file natively, and neither can most legal practice-management or trust-accounting tools. So firms end up reformatting the register by hand into the bank's exact layout, which is slow and error-prone, or paying for desktop software to do it.
The paid options work but carry trade-offs. Big Red Consulting's PositivePay File Creator runs roughly $119 the first year and about $99/year after, is Windows-only, and the QuickBooks Online edition needs Excel installed. Treasury Software's Bank Positive Pay is installed Windows software in the range of about $29.95 to $89.95/month with a library of 350-plus verified bank layouts. MoneyThumb and ProperSoft sell paid desktop converters as well. For a firm pushing high check volume across many accounts, or one that needs an obscure layout matched for them, that overhead can be worth it.
For a small or solo firm cutting a handful of trust and operating checks, paying monthly for a Windows install is a lot. PositivePayMaker is a free, browser-based alternative. You upload your check register as CSV or Excel, and it converts it to the bank's positive pay format. The conversion runs entirely in your browser, so the check data, including client names and amounts, never leaves your computer or touches a server. That client-side design matters for a trust account, where you do not want client payment detail passing through a third party.
Matching your specific bank
Every bank defines its own positive pay layout, and the exact field order is published through the bank's treasury or business-banking portal, not on a public marketing page. Banks deliver these specs through their treasury platform; many regional banks run on Centrix, Q2, Fiserv, or FIS, where you will find positive pay under cash management or fraud control in online banking. Get the spec sheet from your treasury contact or download it from the portal before you build anything.
PositivePayMaker ships with eleven bank layouts, six of them built from published specifications including Chase and Huntington, plus a custom format builder for anything not preset. If your bank hands you a layout, you can reproduce it field by field in the builder, or start from a generic CSV or fixed-width preset and adjust. A built-in validator checks the structure of a file before you send it.
Whatever tool you use, treat the first file as a test. Generate it, send it to the bank, and confirm the bank accepted and parsed it correctly before you rely on the format for daily trust-account use. A layout that is one column off can reject silently, and on a trust account a missed upload means real client checks sitting unprotected for a day. Once the bank confirms the first file is clean, the routine is the same every day after.
For format details and a quick orientation, see the positive pay file format reference.