[cweagans]

Try to find developers that work at the bank via LinkedIn or something. Ask if they have a bug bounty program, and disclose things appropriately. You won't ever get to the right person calling in on the customer support or abuse numbers. You need to go around.

EDIT: Also, how long does that money stick around in your account? I wonder if there is some kind reconciliation processes that go through and square everything up. The web software is probably just a replica of the actual ACH data, so maybe those processes would correct things and it's not as big of a deal as it seems to be?