Let’s face it: fraudsters follow the money. As the digitization of payments has accelerated, fueled by high customer satisfaction, convenience, and cost efficiency, bad actors have shifted their sights accordingly.
In response to the uptick in fraudulent activity targeting electronic transactions, including ACH transactions, the WEB Debit Account Validation Rule was put into effect on March 19, 2021. To further discuss how the new Nacha WEB Debit Rule can impact fraud, PaymentsJournal sat down with Andy Barnett, Aggregation and Information Services Solutions Consultant at Fiserv, and Sarah Grotta, Director of Debit and Alternative Products Advisory Service at Mercator Advisory Group.
ACH volume and dollar value growth
It has been a fantastic year for ACH volume growth. The chart below shows that there were 26.8 billion credit and debit transactions in 2020, totaling $61.9 trillion. This represents an 8.2% increase in volume and a 10.8% increase in dollar value from 2019.
Both ACH volume and dollar value continue to grow, year-over-year. “In fact, these have grown by more than a trillion dollars every year for the last eight years, and by more than a billion transactions every [year for the] last six years,” elaborated Barnett. With the cost efficiency and convenience of the ACH network, and its ability to reach every checking account in the country, this transaction growth shouldn’t come as a surprise.
Additionally, there was a 15% increase in ACH internet transactions from 2019 to 2020 (not displayed here). “That’s a pretty amazing statistic in and of itself, as we start to move more and more of our transactions to online and other types of remote channels,” added Grotta. While this massive growth is predominantly a good thing, it is reasonable to believe that fraudsters will see it as an opportunity to target a growing transaction stream.
The new Nacha WEB Debit Account Validation rule
The Nacha WEB Debit rule is not new, but it has been slightly modified. “Currently, ACH originators of web debit entries are required to use what Nacha calls a commercially reasonable fraudulent detection system to screen web debits for fraud,” explained Barnett.
The altered rule will supplement the existing screening requirement to make explicit that account validation is included in a commercially reasonable fraudulent transaction detection system. This additional requirement applies to the first use of an account number or changes to an account number that is on file.
This rule was implemented to:
- Help prevent fraud on the ACH network.
- Protect FIs from posting unauthorized payments that are fraudulent or incorrect.
- Make payments more secure, improve risk management, and enhance quality within the ACH network.
- Meet consumer demand for “fast, frictionless payments.”
“While this rule applies only to web debit specifically, it’s something that, as an organization, if the correct controls are put in place, will also cover WEB credits as well,” added Barnett.
How can organizations comply with the Nacha WEB debit rule?
There are a number of ways for organizations to satisfy the Nacha WEB Debit rule account validation requirement.
First, they can do this manually with a voided check. The organization would obtain the check from an end user and call the FI directly to validate the check. “That is still a method that would work, even though it’s probably the worst user experience because it’s the most friction prone,” explained Barnett.
The next option for compliance is with an ACH prenote. The organization sends a $0 transaction to the FI specified by the end user. The transaction will contain the routing and account numbers and is used to determine whether or not the transaction made it to the institution. If the transaction arrives, it qualifies as a status check for that account.
The third choice is through trial and micro deposits. Essentially, an organization deposits two small amounts, usually just a few cents, into the end user’s bank account. At a later date, the end user can access their bank account to validate that those deposits were successful. This validation method is a bit stronger than the previous two, but is not an ideal user experience due to the wait time between sending and receiving the transactions.
An even stronger account validation mechanism is database verification. “This is where the organization would take the end user’s first name, last name, account [number], routing number and any other pieces of identifiable information that would help validate [the account], and bounce that information off of a database, such as EWS, or Early Warning Systems,” said Barnett. While this database does not include all the FIs in the U.S., it covers nearly two-thirds and provides instant, frictionless status verification and ownership. An example of a tool that can leverage this method is VerifyNow™ from Fiserv, which adds instant verification along with risk protection and can help facilitate Nacha compliance.
Any of these options will facilitate compliance with the Nacha WEB Debit rule.
The “best” ways to comply
Of the five compliance methods listed above, organizations are not confined to only one option. Multiple combinations can be used in conjunction with one another.
“As a best practice, businesses and financial institutions should consider combining database, financial institution credentials and micro deposits in a waterfall type fashion,” suggested Barnett. He expects this combination to provide organizations with the best fraud protection and user experience, all in one.
Additionally, Barnett advises that organizations looking to manage risk around ACH debit and credit transactions start with the database approach.
If this approach is not successful, the next step is to use the FI credentials method, in which the user is presented with a screen to log into their FI. If this is also unsuccessful, the organization should use micro deposits to try to obtain validation status.
“That waterfall approach, and those specific verification methods, in my opinion, are the strongest in terms of providing the best protection [and] best user experience, in combination with one another,” concluded Barnett.
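The waterfall described above, gated on the rule's trigger (first use of an account number or a change to the number on file), sketched in Python as an added example that is not code from Fiserv, Nacha or the article. The three check functions, the keyed fingerprint, the sample routing and account values, and the choice to stop on a definitive negative instead of falling through are assumptions of this example.

```python
import hashlib
import hmac
from enum import Enum

class Result(Enum):
    VALID = "valid"
    INVALID = "invalid"            # definitive negative: stop, do not fall through
    INCONCLUSIVE = "inconclusive"  # no coverage or user abandoned: try next method

FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; load from a secret store

def fingerprint(routing: str, account: str) -> str:
    """Keyed hash so the validation record does not hold raw account numbers."""
    msg = f"{routing}:{account}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()

def needs_validation(validated: dict, customer_id: str, routing: str, account: str) -> bool:
    """True on first use of an account number or when the number on file changed."""
    return validated.get(customer_id) != fingerprint(routing, account)

def run_waterfall(methods, routing, account):
    """Try each (name, check) in order; return (result, trail of attempts)."""
    trail = []
    for name, check in methods:
        outcome = check(routing, account)
        trail.append((name, outcome))  # keep the trail as audit evidence
        if outcome is not Result.INCONCLUSIVE:
            return outcome, trail
    return Result.INCONCLUSIVE, trail

def authorize_web_debit(validated, methods, customer_id, routing, account):
    """Gate a WEB debit: validate only when required, record success."""
    if not needs_validation(validated, customer_id, routing, account):
        return True, []
    outcome, trail = run_waterfall(methods, routing, account)
    if outcome is Result.VALID:
        validated[customer_id] = fingerprint(routing, account)
    return outcome is Result.VALID, trail

# Constructed stand-ins for the three methods; real ones call a vendor or bank.
def database_check(routing, account):
    # constructed coverage: the database only knows one routing number
    return Result.VALID if routing in {"000000001"} else Result.INCONCLUSIVE
def fi_credentials_check(routing, account):
    return Result.INCONCLUSIVE  # constructed: user did not complete the login
def micro_deposit_check(routing, account):
    # constructed: the user confirms amounts only for accounts ending in 7
    return Result.VALID if account.endswith("7") else Result.INVALID

METHODS = [("database", database_check), ("fi_credentials", fi_credentials_check),
           ("micro_deposits", micro_deposit_check)]
```

An inconclusive result at every step leaves the account unvalidated, so the debit is refused and nothing is recorded for that customer.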