diff --git a/ethereum/permissioning/src/main/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistController.java b/ethereum/permissioning/src/main/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistController.java
index 19fd54cbc2..b1acdafc90 100644
--- a/ethereum/permissioning/src/main/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistController.java
+++ b/ethereum/permissioning/src/main/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistController.java
@@ -151,6 +151,9 @@ public class AccountWhitelistController {
 static boolean isValidAccountString(final String account) {
 try {
+ if (account == null || !account.startsWith("0x")) {
+ return false;
+ }
 BytesValue bytesValue = BytesValue.fromHexString(account);
 return bytesValue.size() == ACCOUNT_BYTES_SIZE;
 } catch (NullPointerException | IndexOutOfBoundsException | IllegalArgumentException e) {
diff --git a/ethereum/permissioning/src/test/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistControllerTest.java b/ethereum/permissioning/src/test/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistControllerTest.java
index 74f9a75d6a..0a7803e769 100644
--- a/ethereum/permissioning/src/test/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistControllerTest.java
+++ b/ethereum/permissioning/src/test/java/tech/pegasys/pantheon/ethereum/permissioning/AccountWhitelistControllerTest.java
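Review bot: The new guard in `isValidAccountString` sits inside the `try`, and the multi-catch below it still lists `NullPointerException`, so null input now has two handling paths where one is enough. The guard cannot throw, so it could move above the `try` and the catch could narrow to `catch (IndexOutOfBoundsException | IllegalArgumentException e)`, provided `BytesValue.fromHexString` raises an NPE only for a null argument (its body is not visible here). The prefix test is case-sensitive, so an entry written as `0X…` is rejected; if that is intended, a comment such as `// Whitelist entries must carry a lowercase "0x" prefix so each account has a single accepted textual form.` would record why the check precedes the hex parse. The method body continues past the end of the hunk.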
@@ -218,6 +218,19 @@ public class AccountWhitelistControllerTest {
 .containsExactly("0xfe3b557e8fb62b89f4916b721be55ceb828dbd73");
 }
+ @Test
+ public void accountThatDoesNotStartWith0xIsNotValid() {
+ assertThat(AccountWhitelistController.isValidAccountString("bob")).isFalse();
+ assertThat(
+ AccountWhitelistController.isValidAccountString(
+ "b9b81ee349c3807e46bc71aa2632203c5b462032"))
+ .isFalse();
+ assertThat(
+ AccountWhitelistController.isValidAccountString(
+ "0xb9b81ee349c3807e46bc71aa2632203c5b462032"))
+ .isTrue();
+ }
+
 private Path createPermissionsFileWithAccount(final String account) throws IOException {
 final String nodePermissionsFileContent = "accounts-whitelist=[\"" + account + "\"]";
 final Path permissionsFile = Files.createTempFile("account_permissions", "");
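Review bot: The `account == null` branch added to `isValidAccountString` is not exercised by `accountThatDoesNotStartWith0xIsNotValid`, and no input here has the prefix but fails the length check. Since this validator gates what may be placed on the account whitelist, both rejections are worth pinning: `assertThat(AccountWhitelistController.isValidAccountString(null)).isFalse();` and `assertThat(AccountWhitelistController.isValidAccountString("0x")).isFalse();`. The positive `0x…` assertion would also read better in its own test, since the method name describes only the rejection. Other tests in this class may already cover these cases; they are not visible in the hunk.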