The automated clearing house payment system reaches all U.S. bank accounts and is an extremely cost-effective way to move money. This helps explain the ACH Network’s steady growth.
Nacha says the ACH Network processed 7.6 billion payments worth $19.2 trillion in the third quarter of 2022. Meanwhile, ACH same-day payments reached 176.6 million, up 23.5% from the third quarter of 2021. And Forrester Research says that “2023 will be the year when at least one major global retailer begins accepting ACH-based payments on their site, as some challenger brands already have.”
As the volume and value of ACH transactions continue to grow, ACH fraud has been surging.
Our real-time world, financial system complexity, the lack of an ACH dispute mediator and the fact that pandemic relief funds inadvertently provided fraudsters with the resources to launch more (and more sophisticated) attacks also contribute to the ACH fraud problem.
ACH has been around for more than 50 years. It was built in a 9-to-5, Monday-through-Friday banking world. But we now live in an on-demand world in which financial services occur at all hours and every day.
The rise of two-sided marketplaces, a plethora of new banks and bank-like organizations that connect to them, peer-to-peer transfers and other complicated payment flows created more entry points and opportunities for attack.
Also, unlike card networks, for which MasterCard and Visa mediate between card issuers, consumers and merchants, no one mediates and resolves disputes in the ACH arena. That’s why ACH is less expensive than card networks. It’s also why ACH has seen higher levels of fraud.
The U.S. government’s Paycheck Protection Program (PPP) and other Coronavirus Aid, Relief and Economic Security (CARES) Act programs also “have placed lenders and borrowers at significant risk for criminal and civil liability,” as law firm Arnold & Porter explains. The PPP inadvertently gave some mom-and-pop cyberattackers access to funding, which they invested in more people and technology. That, in turn, has made some of these smaller bad actors bolder and more ambitious.
So, what should fintech startups that are developing and promoting applications be aware of when they are suddenly hit with fraud? And how can they limit ACH returns so that they don’t face penalties from Nacha, regulators and their suppliers? Let’s take a look.
Architecture and data matter
Fraudsters can be extremely inventive. A two-sided marketplace company once saw a fraudster create a business, apply for money on one side of the marketplace and go to the other side of the marketplace to fund the loan. The fraudster then transferred it over, moved the money to a separate bank account and then did an unauthorized return — and the money vanished.
Be aware that ACH fraud is almost unavoidable. ACH is batch-based. It’s a technology that was created in the 1970s. And there is no authentication or authorization baked into ACH.
How best to address ACH fraud varies by organization. But if you have any kind of fraud controls, you’re going to decline some people because you’re concerned their requests are not legitimate. However, you really won’t know whether those requests actually are fraudulent. So, collect data both from the people that you approve and from those that you decline over concerns of fraud. Learn from that data and be willing to rethink your fraud controls over time.
Understand fraud prevention is not a one-and-done endeavor
A customer might have a good first or second transaction. But 18 months later, that same customer might want to do a $10,000 transaction, which would be a signal in itself.
Small transactions can also signal a fraudster has taken over an account. If account transfers are typically $5,000 and you see a $5 transaction, it may indicate a fraudster is testing the waters.
Stay vigilant. Implement fraud controls up front. And continue to fine-tune those controls.
Review Nacha’s Risk Management Framework, which helps those who use the ACH Network and other payment systems using credit-push payments with guidance on how to address new and persistent fraud. Nacha says, “The most significant fraud threats to bank account holders involve fraud and scams that result in money being sent out of their accounts using credit payments, including ACH credits, wires, cards and other instant and digital payments.”
Get to know the Office of Foreign Assets Control (OFAC) guidelines and ACH fraud mitigation guidelines under National Institute of Standards and Technology cybersecurity maturity levels. And wait 48 hours to process ACH return codes.
Implement good, old-fashioned velocity controls
When a new customer comes in, sometimes that customer is clearly a fraudster.
But there’s also a lot of gray area, where you see some signals of fraud, but you’re not entirely sure that the customer is fraudulent. For example, folks who usually do transactions from home might just be on vacation. You don’t necessarily want to decline all people due to their locations.
Implement velocity controls that look at how the user’s 10th transaction is different from their sixth, second or first transactions. Consider what other parameters are different among those transactions. And, above all, take steps to ensure customers are who they say they are.
Leverage biometric verification. You might not need it on Day One, but you may find it extremely useful as you scale. Employ technologies that allow you to add security easily, because if it takes six months to get biometric verification in place, you’re going to lose a lot of money. Without velocity controls and biometric verification, you will have to rely exclusively on know-your-customer data, and your business will suffer mightily from fraud.
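As an added illustration (not code from the author or from Sila), the sketch below compares a new transfer with the same user's earlier ones, covering the signals described above: an unusually large amount, a small "test" amount, a burst of transfers and a new location. The thresholds, field names and the "step_up" and "hold" actions are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Txn:
    when: datetime
    amount: float
    region: str  # coarse location, e.g. derived from IP geolocation

# Illustrative thresholds (assumptions); tune against your approve/decline data.
HIGH_RATIO = 5.0   # amount at least 5x the user's median
LOW_RATIO = 0.01   # amount at most 1% of the median: possible test payment
MAX_PER_DAY = 3    # transfers allowed in any 24-hour window
MIN_HISTORY = 3    # below this, there is no baseline to compare against

def signals(history, txn):
    """Return the fraud signals txn raises against the user's own history."""
    found = []
    recent = [t for t in history if txn.when - t.when <= timedelta(hours=24)]
    if len(recent) + 1 > MAX_PER_DAY:
        found.append("velocity")
    if len(history) >= MIN_HISTORY:
        typical = median(t.amount for t in history)
        if txn.amount >= HIGH_RATIO * typical:
            found.append("amount_high")
        elif txn.amount <= LOW_RATIO * typical:
            found.append("amount_low")
        if txn.region not in {t.region for t in history}:
            found.append("new_region")
    return found

def decide(history, txn):
    """Map signals to an action; a new region alone never blocks a payment."""
    found = signals(history, txn)
    hard = [s for s in found if s != "new_region"]
    if not hard:
        return "approve", found
    if len(hard) >= 2 or "new_region" in found:
        return "hold", found      # queue for manual review
    return "step_up", found       # e.g. require biometric verification

# Constructed sample: a user who sends $5,000 about once a month from one region.
BASE = datetime(2023, 1, 1, 12, 0)
HISTORY = [Txn(BASE + timedelta(days=30 * i), 5000.0, "US-CA") for i in range(5)]
NOW = BASE + timedelta(days=160)

if __name__ == "__main__":
    for t in (Txn(NOW, 5.0, "US-CA"), Txn(NOW, 5000.0, "US-FL"), Txn(NOW, 30000.0, "US-FL")):
        print(t.amount, t.region, decide(HISTORY, t))
```

Logging the returned signal list for approved and declined requests alike gives you the data needed to revisit these thresholds later.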
Most organizations experience fraud somewhere between their 50th friend-and-family user and their 5 millionth customer. So, if you think about it, you can look at fraud as a badge of success. It means that your business has achieved enough scale to draw fraudsters’ attention.
But leaving fraud unchecked will have serious implications for your organization. So, take the steps above to control ACH fraud. And adopt a payments-as-a-service solution and trusted partner that arm you with the technology and know-how that you need to combat fraud.
Shamir Karkal is a co-founder and chief strategy officer of Sila, a fintech software platform that provides payment infrastructure as a service.