Businesses using ACH will soon have to comply with a new rule, the WEB Debit Account Validation Rule, related to account validation.
The effort – meant to help combat fraud and protect users – has also been a source of uncertainty. Despite the rule taking effect this month, on March 19, and Nacha taking steps to educate users, the rule is by design “neutral regarding specific methods or technologies,” citing that a “commercially reasonable fraudulent transaction detection system” is required for compliance. How do they define commercially reasonable? What solutions and processes will help your organization stay in compliance? And does the rule go far enough to reverse the risks associated with faster payments?
To unpack the upcoming rule, dispel some of the misinformation current in the market, and provide some advice for organizations, PaymentsJournal sat down with Melissa Townsley-Solis, Head of GIACT, Katie Hawkins, Associate at Hudson Cook, and Sarah Grotta, Director of Debit and Alternative Products Advisory Service at Mercator Advisory Group.
Many organizations utilize ACH and this rule will affect them all
The recently reported growth in the ACH is nothing short of remarkable. Oftentimes, when a product or company reaches the age and maturity level of the ACH, the growth is actually expected to decline. This has not been the experience in 2020, and fraudsters have taken note.
The ACH has benefited tremendously from the economic impact payments that have been disbursed by the federal government, as well as the many unemployment insurance payments that have been disbursed through the ACH from numerous state governments. But that’s just a part of it. “Overall, the ACH network has seen [an] 8.2% increase in transactions over 2019,” said Grotta, “and the value of the payments that have been processed through the ACH network has gone up even further…close to 11%, in 2020.”
There are certainly a few use cases that are related to the volume increase that happened during the pandemic. There was an upsurge in P2P payments, or money transfer apps, which consumers continue to find more and more uses for. For example, many people with older adult neighbors would buy their groceries for them and receive reimbursement through apps such as Venmo and Cash App. The ACH played a huge role in delivering many of those payments. There was also increased use of the ACH for other things such as bill payments and B2B, when in-person interactions became less frequent, making check cashing an inconvenience.
But this is all just part of the bigger picture. “What COVID really did was push digitalization forward,” interjected Townsley-Solis. “I know we were headed there, but I think it really sped that process up, and a lot of companies and consumers that maybe weren’t quite sure if they were ready for that change [were] forced [to adapt to] it.”
One of the biggest forms of unpreparedness for these companies was outdated security software. Fortunately, there are fraud detection services like GIACT that go beyond simply confirming if an account is active, thereby reducing the risk of fraud. With the help of these services, companies were able to adapt to the digitalization more seamlessly and with greater peace of mind.
Where there is growth fraud is bound to follow
Across the globe, there’s a lot happening in the fraud risk space. Many processors have not kept up with the increasingly digital trends in the payments industry and are suffering the consequences of an outdated solution via an increase in fraudulent activity.
“Fraudsters are smart [and] well-funded. They’re innovative, patient, [and] they’re organized,” explained Townsley-Solis. “They have access to most of the data that the Bureaus and the fraud risk providers have [from] all the data breaches, and they have our information.” As a result, fraud is happening faster than before and surpassing the capabilities of the outdated security software.
“That’s why you see all the fraud around the unemployment,” continued Townsley-Solis. “You see stimulus payments being paid out to dead people, you see fraud happening with companies that are processing ACH and credit card payments, and that’s because the solutions that they are using have not kept up with the ever-changing tide.”
COVID-19 certainly pushed the world towards digitalization, and now fraud solutions must also evolve, a task that GIACT has since faced head-on with constant innovation and a mind for the changing landscape.
The WEB Account Validation Rule
The WEB Account Validation Rule is a supplement to an already existing rule. “Originators of WEB debit entries, which are internet initiated debits from consumer accounts, need to use a commercially reasonable fraud detection service to screen web debits for fraud. That still stands,” said Townsley-Solis. “But as part of that fraud deterrent detection service, now originators need to add in this account validation piece, and that becomes the heart of that commercially reasonable fraud detection system.”
So what does this all mean?
Well, the first time that a user is initiating a WEB debit from a consumer’s account, they must validate that account by A) making sure it is a valid account that accepts ACH debit, and B) performing the same validation of the account each time the consumer makes a change to it. For example, if the consumer sets up a recurring monthly payment to their electric company, there is only a need to validate that account when it is initiated. However, if the user adds a new bank account, the same validation must be redone.
Hawkins noted another perk of this validation: “if you are, at the outset, confirming that this account is valid and can accept this ACH transaction, then not only are you cutting down on fraud, you’re also cutting down on sending these transactions in error to the account that cannot accept them, or otherwise may lead to a return.”
The rule does not require the originator to validate ownership of the account, or any other records associated with the consumer. The point here is simply to prove that the account in question is a valid one.
Misinformation vs. Reality: the truth about the new rule
There has been some misinformation around the requirements of the new rule. The minimum requirement of the WEB Account Validation Rule is to validate that the account being debited is a valid account. It is an extension of a previously existing rule that requires originators to have a fraud detection service in place, within the limitations of their business. “[The merchant] needs to really think about what is commercially reasonable for [their] business, based on the size of the business, the types of transactions that [they’re] doing, the volume of transactions, and also what [their] peers might be doing,” elaborated Hawkins.
For some businesses, simple validation of a consumer’s account may be enough. For other, larger businesses, the merchant may want to not only confirm the account is valid, but also check the validity of ownership through additional steps. Additionally, the business may want to work with their own fraud detection services and with other third parties that can provide added layers of validation.
The other area of confusion relates to the effective date. The rule goes into effect on March 19, 2021. However, Hawkins acknowledges that there are many participants in the network who are dealing with staff shortages, operational issues, and demands on their resources due to COVID-19. She states that because of the unusual circumstances, any business that is making an effort to execute the new rule has until March 2022 to do so.
“I don’t think that’s a free pass to not do anything right now. [Business owners] need to be able to demonstrate that [they] are making a good faith effort to move towards this [requirement],” concluded Hawkins.
If participants are interested in learning more about the WEB Account Validation Rule, they can visit the Account Validation Resource Center, which is located on Nacha’s website. There are helpful FAQs and details about the new rule, as well as others. Participants are also encouraged to contact an attorney to work with them on payment issues, as well as any third party vendors, such as GIACT, who can provide additional support.
“This is not just a rule,” Townsley-Solis concluded. “We all have an obligation to protect the consumers that do business with us… each one of us play a role in making sure we stop fraud.”