ACH Fraud Protection: How to Keep Your Organization Safe
The Automated Clearing House (ACH) Network is a popular money transfer method used by financial institutions (FIs) to handle checks, direct deposits, cash transfers, and bill payments between businesses and individuals.
And until recently, ACH was not considered a high-risk payment method because bad actors have historically been concentrated on checks and wire transfers. However, recent data suggests that ACH fraud is on the rise.
While it appears that payments fraud was on the decline in 2021, according to the 2022 AFP Payments Fraud and Control Survey, the share of respondents reporting payments fraud via ACH debits actually increased to 37%, up 12% from the prior year.
Unfortunately, this form of fraud is simple to execute. All the bad actor needs is an account number and a bank routing number. Once they have this information, they can use it to initiate payments to make purchases or pay off debts.
When it comes to your organization, having the proper procedures (and tools) to protect against financial crime is imperative. So, what can you do to ensure that your business doesn’t fall victim to ACH fraud?
In this post, we’ll cover:
Let’s start with a deep dive into how to detect and prevent ACH fraud by covering the controls your company should put in place to minimize risk.
ACH fraud is when money is sent via the ACH network from one bank account to another where the transaction is, for some reason, illegitimate.
Usually, this occurs when the sender did not actually intend to send the money, either because their account was compromised or they were manipulated into performing a transaction.
Or, it can happen when the sender themselves are illegitimate, meaning they have opened an unlawful account and are trying to transfer money from one bogus account to another in their control to access the funds more easily.
Finally, with regard to ACH debits, if the receiving bank isn’t doing a good enough job to ensure that the account in their bank was opened legitimately or that the person who opened the account in their bank also owns the bank account the money is being pulled from, that can make it very easy for fraudsters to draw money directly out of victim’s bank accounts.
The Difference Between ACH Debits and ACH Credits
Merchants use an ACH debit transaction type to pull money directly from customer accounts. The process begins when a customer provides a routing number and account information to a merchant and then authorizes them to make a transaction.
Conversely, an ACH credit is when money gets deposited into a receiver’s account instead of being deducted like an ACH debit.
ACH Fraud in Money Laundering
ACH fraud is also a tactic used in money laundering. Fraudsters will move the money from one illegitimate source to another (this is known as “layering”) to make it difficult for institutions and authorities to track the original source of the illicit funds.
It’s just as important to watch for fraud as it is money laundering, and organizations should have proper AML regulations in place to prevent money laundering from occurring.
Aside from the standard level of defenses (like keeping bad actors out of your system, not letting them get unauthorized access to your customer’s accounts, and preventing them from opening illegitimate accounts), organizations can come to the table with a multi-tiered approach here.
But before we dive into the specifics around ACH fraud prevention, it is crucial to offer some broader context.
Almost all financial transactions have liability at the center. For example, if someone hacked into a bank account and misused the funds, the customer is likely to complain to the bank. Then, once the bank decides that they want to retain the customer, they are likely to refund the money whether they’re able to recoup the cost or not. So, any form of money movement going out of the account creates a baseline level of exposure.
As noted earlier, when it comes to ACH, this method is one of the few cases where it also creates some exposure for the institution where the money is coming in (the receiver). From the perspective of controls for ACH, the benefit of the way ACH works is that you often have some time to react because the process is not instantaneous. This allows organizations to create multiple layers of defense against ACH fraud.
As such, when it comes to implementing internal controls to detect and prevent ACH fraud, there are four main components to consider:
- The Customer
- The Second Party (Sender / Receiver)
- The Known Relationship Between the Two Parties
- The Transaction Itself
We’ll cover each in detail below:
Your Customer
When reviewing your customer, look for any abnormalities in their standard behavior and note whether they are already identified as being of a higher or lower risk category. For example, determine how old the customer’s bank account is.
A new account opened within the last seven days will be a higher risk than an account that has been in existence for two years, for instance. Also, note recent account accesses that seem out of place. For example, a new computer accessing the account for the first time is a bigger red flag than if your customer is using their regular device.
The Second Party (Sender / Receiver)
When looking at the second party, it is critical to note whether it is a person or a business and their perceived risk levels. Reviewing information related to the second party, like their name, the account name, the financial institution receiving the funds, etc., is an excellent first step to determine if it is legitimate or not and if it presents an elevated level of risk.
The Relationship Between the Two Parties
Another critical element to the puzzle is understanding the relationship between the sender and the receiver. It is wise to consider whether the sender has ever sent money to the receiver in the past and if they have some form of identifiable real-world connection.
While it is harder to establish threat levels by reviewing the relationship, it is often a good way to identify lower-risk cases. For example, an ACH transaction sent between two accounts that share the same last name and have been sending funds to each other regularly over the past three years can often be considered very low risk.
The Transaction
As a first-line defense, organizations can create controls at the transaction time. Many questions should be addressed here, including:
- Is it a high amount transaction?
- Is there something about this transaction that makes it abnormal for your organization or this account?
- Is it part of a very distinct transaction pattern that has been identified either across multiple accounts or in this specific account?
- Is this transaction occurring after a recent money-in movement?
However, this is just the baseline for getting to the bottom of whether a transaction is a high risk or not. Once each of these determinations has been made, the organization can join together all of the elements mentioned above to try and identify the actual level of risk of this transaction and your customer.
The benefit of having the payment be an ACH transfer is that the company doesn’t have to have all of this information at the time of the transaction.
When the user is already off their computer or physically out of the bank, “after the fact” controls can be put in place to catch and block the very high-risk transaction fast enough before there is true financial exposure for either financial institution. If the transaction is canceled within the same business day, the organization is very likely to be able to recoup the funds.
Therefore, institutions can decide to do less at the time of the transaction and still flag the extreme cases for a secondary review later in the day when more information is available and when investigators may be able to identify interesting patterns the transaction may be a part of.
As with other types of fraud, there are many ways it can be conducted - which means detecting and preventing it isn’t exactly straightforward. Any organization that seriously wants to prevent ACH fraud will have to truly analyze and understand how fraud is occurring in their ecosystem, and choose methods that directly address those problems.
It will take practice, and you’ll need to apply a method, see how it performs, and then fine-tune your rules to perfect it for your organization.
Fraudsters will change their behavior, and you’ll need to adapt to keep up. Over time, you’ll find the right mix of elements to effectively combat fraud. Be sure to reiterate over time to make sure you’re staying on top of fraudsters.
First, your organization can set controls for how ACH transactions are being processed altogether.
- Use an ACH Block: One of the easiest ways to prevent ACH fraud is to implement a block on all accounts. No transactions will be automatically processed, and each case will need to be manually reviewed and approved before it will be processed.
- One-time authorization: Transactions are pre-authorized on a case-by-case basis. The entity and value of the transaction is pre-approved, so that it is able to process automatically, but without pre-approval, no transactions can be automatically processed.
- Authorized user list: An authorized-user list dictates which entities can have automated transactions; while all others need to be manually reviewed to process. You can control dollar limits, date ranges, and other restrictions to control this further, but essentially, approved businesses can have transactions processed immediately and smoothly.
These controls allow you to clamp down on fraud that is running rampant, but having to manually review so many transactions poses serious operational problems. It’s best to do all you can to enable automated authorization, saving your team significant time manually reviewing and approving cases.
Below, we cover some other tips that will help you prevent ACH fraud:
- Follow the NACHA Operating Rules for ACH payments
- Follow KYC standards and procedures during customer onboarding and throughout their lifecycle
- Follow the recommended protections under the NIST cybersecurity framework to ensure adequate cybersecurity standards
- Employ risk-based models that weigh various indicators to better determine fraudulent activity, narrowing in on actual instances of fraud and reducing false positives
- Establish multi-factor authentication (MFA) and other identity authorization methods to ensure users are who they claim to be
- Use a secure, encrypted network for storing and submitting sensitive personal information
- Educate customers about ACH fraud, including how it works, the consequences, popular ACH fraud scams, and how to avoid falling victim
- Use sophisticated fraud detection and prevention solutions to manage - and mitigate - ACH fraud
To make sure you’re not just adequately preventing fraud, but actually improving your efforts to reduce fraud losses and false positives, you’ll want to try a variety of these methods.
The fact of the matter is, depending on the types of fraud that you see trending with your organization, some of the methods may work better than others. Be sure to reiterate your prevention efforts to make sure you’re consistently optimizing for best performance.
ACH Fraud Prevention: Final Thoughts
While ACH fraud is on the rise, it is very containable with proper measures and controls.
In a recent report, Jim Kaitz, president and CEO of AFP, notes that “we must remain vigilant in our pursuit of education, training, and innovation in order to remain one step ahead of our sophisticated adversaries.”
As such, having the right tools and partners to help your organization fight against fraud is crucial. Platforms like Unit21 allow for the identification and investigation of ACH fraud red flags.
Make sure you're also watching out for other types of fraud as well (like money muling, account takeover fraud, etc.) to ensure complete protection. Fraud threats are constantly changing, so it's crucial to know the latest fraud trends.
To learn more about how Unit21 can help your organization avoid falling victim to ACH fraud and other financial crimes, get in touch to schedule a demo today.
