Account validation has always been an important aspect of the payment lifecycle. The verification of an account leads to reduced rates of fraud, chargebacks, and other costly mistakes. Despite the benefits of verifying an account prior to approving a transaction, not all merchants have a protocol in place to do so. But soon merchants using the ACH network will be required to implement some form of account verification.
NACHA, the Electronic Payments Association overseeing the ACH network, changed its Operating Rules governing account ACH payments. According to the rules, originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen for fraud. Beginning on March 19, 2021, the rule will change to explicitly require “account validation” to be part of fraud detection system.
Merchants who do not already have account validation capabilities built into their fraud detection systems should educate themselves about the rule change and explore ways to ensure compliance. The white paper “Securing Faster Payments: Modernizing Account Validation” published by GIACT is a great resource to start with.
Account validation and fraud
As the white paper notes, NACHA’s rule change comes as faster payment services, including NACHA’s Same Day ACH, have seen a significant uptick in traffic recently. For example, since 2017, Same Day ACH volume exploded by 137% to $159.9 billion it total payments. Experts believe that the rise of faster payments could make it easier for fraudsters.
“As the adage goes, with faster payments comes faster fraud, so implementing preventative measures upfront to identify fraudulent activity before it is set in motion is receiving the most focus,” said Sarah Grotta, director of Debit and Alternative Products Advisory Service at Mercator Advisory Group. “When transactions occur within seconds rather than hours or days, there isn’t the time to assess the transaction itself, so ensuring the validity of the account is critical.”
Because of how crucial account verification is, NACHA is making it mandatory. When the changes take effect, any payment originator (merchant) that processes WEB debits will need to have some form of account verification. GIACT’s white paper notes that all merchants using the ACH network will be obligated to do so, regardless of their size or industry. Everyone originating WEB debits, from insurance companies to loan providers, will need to abide by the rules.
Since such a large assortment of companies use the ACH network, a whole range of use cases may be impacted by the new rules. While the list is by no means exhaustive, here are some key payment examples that GIACT identified, specifically if account information is being collected by the originator:
- Insurance company payments
- Contributions to Individual Retirement Accounts, SEPs, 401Ks
- Point of sale purchases
- Utility payments
- Tax payments
- Charitable donations
- Installment loan payments, including car loans, credit cards, mortgages, HELOCs
- Membership payments.
Not all solutions are created equal
Luckily for merchants who need to change their fraud evaluation services in light of the rule change, there are numerous solutions to become compliant with the rules. However, not all the solutions are as effective at stopping fraud or working within a faster payments context.
This is crucial because even if NACHA did not change the rules, merchants would be wise to take account verification seriously.
One solution is an ACH prenotification, commonly referred to as a prenote. It is a zero-dollar transaction that an originator sends to the issuing bank prior to an actual debit or credit. The goal is to validate the routing and account number at the issuing bank prior to sending through the actual transaction.
However, while the prenote is effective at validating the account number, it does not offer any information about the account itself, including the activity levels, status, or ownership. It also takes up to three days to complete, making it ineffective for faster payments. Another glaring problem is that the issuing bank is only required to respond to the prenote if the account does not exist, meaning that payments can still be sent to the wrong account so long as it’s a valid account number.
Another solution is the trial deposit, also called a micro deposit. This approach entails making a small deposit to the receiver’s account prior to the actual transaction in order to verify the account. However, similar to the prenote, there are issues that should be considered. First, it takes one to two business days for the trial deposit to be deposited in the account, making it incompatible with faster payments. Second, it only validates that the account can accept a payment, not who owns the account.
The white paper also explores solutions called account aggregators which are third parties that are provided with the username and password of an account in order to login to the system and verify the account is open. When considering this solution, it is important to note that the account owner must trust a third party with their sensitive data. Moreover, account aggregators can only confirm that an account is open, and not the account’s standing with the financial institution.
Even though these three solutions may result in a merchant’s being compliant with the new rules, they have their associated problems. GIACT identified four areas that an ideal verification system would validate:
- Account status
- Payment history, particularly NSF or chargeback history
- Ownership, and matching ownership to the payment originator
- Consistency of PII, including name, address, phone number, email and more
Merchants interested in having a robust fraud detection system should consider looking for solutions that meet these four criteria. One solution is offered by GIACT called the EPIC Platform. It can be implemented using a single API and covers these four areas. It also works in real-time, allowing merchants to provide a seamless experience to their customers.
If you’d like to learn more about NACHA’s rules or the EPIC Platform, you can read the white paper here.