Diminishing Fraud and Risk on the ACH Network
The Automated Clearing House (ACH) had roughly $72.6 trillion in payments flow through its network in 2021. And as payments continue to flow, fraud is also increasing.
Mitigating fraud has been an especially hot topic for ACH. In a recent webinar, Amy Morris, Senior Director for ACH Network Rules at NACHA, George Remennik, Senior Compliance Manager at Settle, Eric Greenstein, Product Manager, Compliance at Modern Treasury, and Pranav Deshpande, Head of Product Marketing at Modern Treasury, discussed how companies and their bank partners can mitigate fraud and manage risk when using ACH payments. They also offered solutions and best practices that businesses can implement to protect themselves against fraud.
“The ACH Network is thriving,” Deshpande said, “and it’s undoubtedly the most widespread electronic payments network in the U.S. From payroll and direct deposit to newer use cases like marketplace payments and embedded finance, use the ACH Network.
“This rapid growth in payment volumes, combined with diversity in payment use cases, has made fraud and risk mitigation for ACH payments more important than ever before.”
NACHA’s ACH Fraud Prevention Tools and Requirements
As the governing body of the ACH Network, NACHA has requirements as to how ACH payments are initiated. The Originator—be it a company, government agency, or organization—of the ACH transaction must submit the payment through a financial institution. It’s 99% likely that an organization will not have direct access to the ACH Network.
Therefore, the organization is required to submit a file through their own financial institution or through the Originating Depository Financial Institution (ODFI), which enters that transaction into the ACH network. That ODFI is “warrantying each transaction that they submit into the network,” said Morris.
This ensures that everything is authorized and accurate. It also demonstrates that the originator has all the necessary agreements between the ODFI and the originator. Both parties must agree to abide by all the rules and regulations set forth by the NACHA operating rules.
If NACHA receives notice of a possible rules violation from another party within the network, it will approach the financial institution (ODFI). “There are rules that require originators and third parties to perform certain activities, but it is the ODFI that is warrantying that they are doing so,” said Morris.
Recent Trends in ACH Fraud and Risk
As ACH fraud continues to accelerate, NACHA has stepped up its rules. “We’ve been very risk-focused over the last several years,” said Morris.
Account Validation for WEB Debits is one of the most recent rules. If a consumer account is being used for the first time, the account number must be validated.
“Micro-Entries” (or “Penny Tests”) are an important new tool for originators to use as a form of account validation. They are defined as ACH credits of less than $1, together with offsetting ACH debits, used to verify the receiver’s account.
Fraud Prevention Best Practices for Companies and Their Bank Partners
In order to remain in compliance, companies leverage a number of payment operations and fraud systems. It’s time-consuming to integrate and manage all these tools. “We see companies that are slow to set up tools in this space, they are trying to integrate different vendors,” said Greenstein. “But this is really hard, it’s not anyone’s core competency, especially for younger companies. It takes time and resources away from their principal activities.”
Despite the ever-present threat of fraud, many financial institutions cannot protect themselves against a potential attack.
“The shortcoming of many financial institutions is that a lot of them have legacy systems in place. They have placed their compliance program on top of systems that have been around for decades,” said Remennik.
Startups are a prime target for fraudsters because they typically don’t have the robust investment in compliance that banks such as Citibank have. According to Remennik, it’s important for startups to remain diligent to ensure they have strong programs.
It’s also important to have well-trained and experienced staff ready to identify account takeovers. Account takeovers are harder to deal with: fraudsters can easily pass through the Know Your Customer (KYC) checks.
Fraudsters are also prone to using clone websites. A transaction monitoring program will prove helpful in combating these types of fraudulent attacks and identifying anomalies in transactions, which in turn mitigates the potential loss.
The Road Ahead
Many companies are simply stitching together solutions to handle all aspects of fraud prevention. The problem is that this requires specialized engineering expertise and other resources that main business operations and deliverables also need. For some companies, particularly startups, this makeshift solution could significantly increase the risk of violating compliance and impacting revenue.
Many fintech companies are hard at work developing solutions that incorporate all the necessary fraud prevention capabilities, eliminating their exposure to fraudulent attacks.