The Automated Clearing House (ACH) Network is a popular money transfer method used by financial institutions (FIs) to handle checks, direct deposits, cash transfers, and bill payments between businesses and individuals.
Until recently, ACH was not considered a high-risk payment method, because bad actors have historically concentrated on checks and wire transfers. However, recent data suggests that ACH fraud is on the rise.
According to the 2022 AFP Payments Fraud and Control Survey, while payments fraud overall appeared to decline in 2021, the share of respondents reporting payments fraud via ACH debits actually increased to 37%, up 12% from the prior year.
Unfortunately, this form of fraud is simple to execute. All the bad actor needs is an account number and a bank routing number. Once they have this information, they can use it to initiate payments to make purchases or pay off debts.
When it comes to your organization, having the proper procedures (and tools) to protect against financial crime is imperative. So, what can you do to ensure that your business doesn’t fall victim to ACH fraud?
Here, we’ll cover how ACH fraud works and what controls your company should put in place to minimize risk.
Automated Clearing House (ACH) Basics
ACH Debits vs. ACH Credits
Merchants use an ACH debit transaction type to pull money directly from customer accounts. The process begins when a customer provides a routing number and account information to a merchant and then authorizes them to make a transaction.
Conversely, an ACH credit is when money gets deposited into a receiver’s account instead of being deducted like an ACH debit.
What is ACH Fraud, and When Does it Happen?
ACH fraud is when money is sent via the ACH network from one bank account to another where the transaction is, for some reason, illegitimate.
Usually, this occurs when the sender did not actually intend to send the money, either because their account was compromised or they were manipulated into performing a transaction.
Or, it can happen when the senders themselves are illegitimate, meaning they have opened an unlawful account and are trying to transfer money from one bogus account to another in their control in order to access the funds more easily.
Finally, with regard to ACH debits, if the receiving bank does not adequately verify that the account it holds was opened legitimately, or that the person who opened it also owns the bank account the money is being pulled from, fraudsters can very easily draw money directly out of victims’ bank accounts.
ACH Fraud in Money Laundering
ACH fraud is also a tactic used in money laundering. Fraudsters will move the money from one illegitimate source to another (this is known as “layering”) to make it difficult for institutions and authorities to track the original source of the illicit funds.
ACH Fraud vs. Wire Fraud and Fast Money Movement Processes
In payments fraud, ACH typically competes with wire fraud and other faster money movement processes like Zelle or Venmo. The main difference with ACH is that depending on the policy of the receiving bank, the money might be in limbo for a few days.
Because banks usually don’t give the receiving party access to the funds until the money clears (generally a two- to three-day process), the sending financial institution has additional time to react, which is not great for the fraudster.
However, fraudsters still turn to ACH instead of other tactics because ACH transfers have more relaxed controls than faster money movement processes. Wire transfers, for example, have tighter controls and significantly more eyes on each transaction, which is why some bad actors accept the risk of ACH.
Impacts of ACH Fraud on Organizations
As with any form of fraud, several negative consequences impact financial organizations that have fallen victim to ACH fraud. The first has to do with liability, and the second relates to reputation.
ACH Fraud Liability: Who is Accountable?
One of the main differences between ACH and other payment methods is that it’s one of the few types where the receiving financial institution can be held financially liable when they receive a return (equivalent to a chargeback).
When your institution is the receiving party of an ACH, you may face financial liability if you allow your customer to use the funds before they are fully cleared. In addition, most ACH return notices must be issued within two business days (this includes “insufficient funds” and “account closed”). Therefore, allowing customers access to funds in fewer than three business days becomes, in essence, a form of credit.
In addition, if your institution, as the receiving institution, initiated the ACH transaction through an ACH debit order, there is a 60-day window for the sending party to challenge whether the sender properly authorized the transaction.
You may be able to provide proof of authorization. However, if the return is upheld, you will be required to return the funds to the sender, whether or not the receiving account has the funds to cover it.
If your institution is on the sending side of the ACH transaction, your customers will expect you to compensate them for any unauthorized ACH transaction that you’ve allowed to leave their account.
This is likely to include cases where your customer was the victim of social engineering and was tricked into participating in the unauthorized ACH transaction. Additionally, in cases of ACH credit (where the sender is the one who initiated the transaction) that are identified after more than two business days, recovering funds from the receiving institution is unlikely, though worth attempting.
Recovery in that case depends entirely on the good faith and cooperation of the receiving institution and the availability of funds in the receiving account. In cases of ACH debit (where the receiver is the one who initiated the transaction), if the issue is identified and a return is filed within 60 days, you are very likely to be able to recoup the unauthorized funds from the receiving institution.
Beware of Reputational Risk
Aside from the risk of being held liable in the event of a return, FIs facing ACH fraud also deal with the risk of a ruined reputation.
For instance, if a neobank falls victim to a large-scale ACH fraud attack, it might be considered “higher risk” by other institutions, which might then flag transactions going to and from the neobank as requiring additional oversight. This has a measurable impact on the neobank’s customers, who will now have a harder time receiving their money, hurting customer experience and satisfaction.
Not only that, but once an organization is viewed as compromised, it will see lower engagement from partners such as its sponsor bank while experiencing higher engagement from fraudsters (a lose-lose).
There are also NACHA rules to consider. If an organization has a disproportionate number of returns, for example, this can constitute a violation that jeopardizes its ability to send and receive ACH transfers, which could be detrimental to the business and negatively impact its customers.
So, it is clear that ACH fraud is detrimental to FIs for many reasons, but what can be done to stop it?
Controls to Protect Against ACH Fraud
Aside from the standard level of defenses (keeping bad actors out of your systems, preventing unauthorized access to your customers’ accounts, and preventing them from opening illegitimate accounts), organizations can take a multi-tiered approach here.
But before we dive into the specifics around ACH fraud prevention, it is crucial to offer some broader context.
Almost all financial transactions have liability at the center. For example, if someone hacked into a bank account and misused the funds, the customer is likely to complain to the bank. If the bank then decides it wants to retain the customer, it is likely to refund the money whether or not it can recoup the cost. So, any form of money movement going out of the account creates a baseline level of exposure.
As noted earlier, when it comes to ACH, this method is one of the few cases where it also creates some exposure for the institution where the money is coming in (the receiver). From the perspective of controls for ACH, the benefit of the way ACH works is that you often have some time to react because the process is not instantaneous. This allows organizations to create multiple layers of defense against ACH fraud.
As such, when it comes to implementing internal controls to detect and prevent ACH fraud, there are four main components to consider:
- The Customer
- The Second Party (sender / receiver)
- The Known Relationship Between the Two Parties
- The Transaction Itself
The Customer
When reviewing your customer, look for any abnormalities in their standard behavior and note whether they are already identified as being in a higher or lower risk category. For example, determine how old the customer’s bank account is.
A new account opened within the last seven days will be a higher risk than an account that has been in existence for two years, for instance. Also, note recent account accesses that seem out of place. For example, a new computer accessing the account for the first time is a bigger red flag than if your customer is only using their regular device.
The Second Party (Sender / Receiver)
When looking at the second party, it is critical to note whether it is a person or a business and their perceived risk levels. Reviewing information related to the second party, like their name, the account name, the financial institution receiving the funds, etc., is an excellent first step to determine if it is legitimate or not and if it presents an elevated level of risk.
The Known Relationship Between the Two Parties
Another critical element to the puzzle is understanding the relationship between the sender and the receiver. It is wise to consider whether the sender has ever sent money to the receiver in the past and if they have some form of identifiable real-world connection.
While it is harder to establish threat levels by reviewing the relationship, it is often a good way to identify lower-risk cases. For example, an ACH transaction sent between two accounts that share the same last name and have been sending funds to each other regularly over the past three years can often be considered very low risk.
The Transaction Itself
As a first-line defense, organizations can create controls at the transaction time. Many questions should be addressed here, including:
- Is it a high amount transaction?
- Is there something about this transaction that makes it abnormal for your organization or this account?
- Is it part of a very distinct transaction pattern that has been identified either across multiple accounts or in this specific account?
- Is this transaction occurring after a recent money-in movement?
However, this is just the baseline for determining whether a transaction is high risk. Once each of these determinations has been made, the organization can combine all of the elements above to identify the actual level of risk of the transaction and the customer.
The benefit of having the payment be an ACH transfer is that the company doesn’t have to have all of this information at the time of the transaction.
When the user is already off their computer or physically out of the bank, “after the fact” controls can be put in place to catch and block very high-risk transactions quickly enough that there is no true financial exposure for either financial institution. If the transaction is canceled within the same business day, the organization is very likely to be able to recoup the funds.
Therefore, institutions can decide to do less at the time of the transaction and still flag the extreme cases for a secondary review later in the day when more information is available and when investigators may be able to identify interesting patterns the transaction may be a part of.
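The four-component review described above (customer, second party, known relationship, transaction) and the hold-now-or-review-later decision, worked as an added example that is not from the original article or any Unit21 product. Every point value, threshold and field name is this example's own assumption; only the seven-day new-account signal comes from the text, and the sample transfers are constructed.

```python
from dataclasses import dataclass
from datetime import date
# Point values and thresholds are assumptions for illustration; only the
# seven-day new-account window comes from the article.
HIGH_AMOUNT_USD = 5_000.0
NEW_ACCOUNT_DAYS = 7
HOLD_AT, REVIEW_AT = 60, 30

@dataclass
class AchTransfer:
    amount_usd: float
    tx_date: date
    account_opened: date
    device_seen_before: bool      # was this device used on the account before?
    counterparty_flagged: bool    # second party already rated higher risk
    prior_transfers: int          # past transfers between these two parties
    same_last_name: bool          # one crude real-world-connection signal
    days_since_money_in: int      # -1 if no recent inbound funds

def score(tx: AchTransfer) -> tuple:
    """Sum signals from the four components; returns (points, reasons)."""
    rules = [
        # 1. The customer
        ((tx.tx_date - tx.account_opened).days < NEW_ACCOUNT_DAYS, 30, "account opened in last 7 days"),
        (not tx.device_seen_before, 20, "first access from an unrecognised device"),
        # 2. The second party
        (tx.counterparty_flagged, 25, "counterparty already rated higher risk"),
        # 3. The known relationship: history between the parties lowers risk
        (tx.prior_transfers >= 3 and tx.same_last_name, -30, "established relationship"),
        # 4. The transaction itself
        (tx.amount_usd >= HIGH_AMOUNT_USD, 20, "high amount"),
        (0 <= tx.days_since_money_in <= 2, 15, "money-out shortly after money-in"),
    ]
    points = sum(p for hit, p, _ in rules if hit)
    reasons = [r for hit, _, r in rules if hit]
    return max(points, 0), reasons

def decide(tx: AchTransfer) -> str:
    # Use the settlement delay: hold only extreme cases at transaction time,
    # queue the rest for a same-business-day secondary review.
    points, _ = score(tx)
    if points >= HOLD_AT:
        return "hold"
    if points >= REVIEW_AT:
        return "same_day_review"
    return "release"

# Constructed cases (not real data)
FAMILY = AchTransfer(400.0, date(2023, 3, 1), date(2020, 3, 1), True, False, 36, True, -1)
MULE = AchTransfer(7_500.0, date(2023, 3, 1), date(2023, 2, 27), False, True, 0, False, 1)
NEW_DEVICE = AchTransfer(1_200.0, date(2023, 3, 1), date(2021, 6, 1), False, False, 0, False, 2)
```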
A Note About ACH Debit
In addition to monitoring transactions and identifying high-risk events, if your institution allows ACH debits, you should also have meaningful controls to ensure the party setting up the debit is authorized to do so. For most institutions, that would mean that your customer (the receiver) also owns the bank account being debited (the ACH sender).
When verifying authorization, it is crucial to verify both access (open banking, penny test, etc.) and ownership (that the sending bank account is in the name of your customer). Bad actors tend to exploit gaps at institutions that verify only access or only ownership as part of their ACH debit set-up process, so it is critical to verify both.
In addition to good authorization verification practices, it is also essential to create a good audit trail of the provided authorization and its verification process. This will allow you to challenge claims of unauthorized ACH debits that you believe to be false claims.
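The access-plus-ownership check and the audit trail described above, as an added example that is not part of the original article or any Unit21 product. The request fields, the access-method labels, the name normalisation and the placeholder routing number are all this example's assumptions; the mod-10 check digit is the standard ABA routing-number rule.

```python
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone

# Field names below are this example's own assumptions, not any product's API.
@dataclass
class DebitSetupRequest:
    customer_name: str          # name on the receiving account at your institution
    routing_number: str         # ABA routing number of the account to be debited
    account_number: str
    holder_name_on_record: str  # holder name returned by the access check, "" if none
    access_method: str          # "open_banking", "penny_test", or "" if not performed

def routing_checksum_ok(rtn: str) -> bool:
    """ABA routing numbers carry a mod-10 check digit using weights 3, 7, 1."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(rtn, (3, 7, 1) * 3)) % 10 == 0

def _norm(name: str) -> str:
    # Case, accent and spacing differences are not ownership mismatches
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())

def verify_access(req: DebitSetupRequest) -> bool:
    return req.access_method in ("open_banking", "penny_test")

def verify_ownership(req: DebitSetupRequest) -> bool:
    return bool(req.holder_name_on_record) and _norm(req.holder_name_on_record) == _norm(req.customer_name)

def authorize_debit(req: DebitSetupRequest, audit: list) -> bool:
    """Approve only when access AND ownership pass; always record the outcome."""
    access, owner = verify_access(req), verify_ownership(req)
    fmt_ok = routing_checksum_ok(req.routing_number)
    approved = access and owner and fmt_ok
    audit.append({  # the audit trail used to challenge later "unauthorized debit" claims
        "at": datetime.now(timezone.utc).isoformat(),
        "routing": req.routing_number,
        "account_last4": req.account_number[-4:],  # never log the full number
        "access_verified": access, "ownership_verified": owner,
        "routing_format_ok": fmt_ok, "approved": approved,
    })
    return approved

# Constructed requests; "123456780" is a placeholder that satisfies the check digit.
GOOD = DebitSetupRequest("María Pérez", "123456780", "000123456789", "MARIA PEREZ", "open_banking")
ACCESS_ONLY = DebitSetupRequest("María Pérez", "123456780", "000987654321", "J. Doe", "penny_test")
OWNER_ONLY = DebitSetupRequest("María Pérez", "123456780", "000555555555", "Maria Perez", "")
```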
ACH Fraud Prevention: Final Thoughts
While ACH fraud is on the rise, it is very containable with proper measures and controls.
In a recent report, Jim Kaitz, president and CEO of AFP, notes that “we must remain vigilant in our pursuit of education, training, and innovation in order to remain one step ahead of our sophisticated adversaries.”
As such, having the right tools and partners to help your organization fight against fraud is crucial. Platforms like Unit21 allow for the identification and investigation of ACH fraud red flags.
To learn more about how Unit21 can help your organization avoid falling victim to ACH fraud and other financial crimes, get in touch to schedule a demo today.