Whether they know it or not, individuals and businesses alike rely on the ACH network to settle payments, including direct deposits, checks, cash transfers, and so much more. Unfortunately, since it’s responsible for transferring a massive amount of funds daily, fraudsters are constantly looking for ways to exploit it.
To help you catch - and stop - ACH fraud, we’ll explore what it is, how it works, who is liable, and the impact it has on businesses.
What is ACH Fraud?
Automated Clearing House (ACH) fraud is the process of engaging in illegitimate transactions using the ACH network, typically with the intent to garner illicit funds. Fraudsters achieve this by opening new, illegitimate accounts under a fake identity and by taking over legitimate users’ accounts.
When investigating ACH fraud, it’s important to remember that the account holder may not be the fraudster. The user could have their account compromised or they could be manipulated into performing a transaction for the fraudster. Either way, the transaction itself - and the person that conducted it - is still a good starting point for an investigation.
The fraudster can also open fake accounts and transfer money from one bogus account to another in an attempt to access the funds more easily.
ACH Debits vs. ACH Credits
The ACH network uses a standard debit and credit system, much like any other financial institution. Merchants use an ACH debit transaction to withdraw money from users’ accounts. This is started when a customer initiates a transaction. After the transaction clears through the network, an ACH credit transaction deposits the money in the receiver’s account.
Merchants use an ACH debit transaction type to pull money directly from customer accounts. The process begins when a customer provides a routing number and account information to a merchant and then authorizes them to make a transaction.
Conversely, an ACH credit is when money gets deposited into a receiver’s account instead of being deducted like an ACH debit.
In addition to monitoring transactions and identifying high-risk events, if your institution allows ACH debits, you should also have meaningful controls to ensure the party setting up the debit is authorized to do so. For most institutions, that would mean that your customer (the receiver) also owns the debited bank account (the ACH sender).
If the receiving bank isn’t doing a good enough job to ensure that the account in their bank was opened legitimately or that the person who opened the account in their bank also owns the bank account the money is being pulled from, that can make it very easy for fraudsters to draw money directly out of victim’s bank accounts.
When verifying authorization, it is crucial to remember to verify access (through a tool like open banking, penny-test, etc.) and verify ownership (checking that a bank account is in the name of your customer). Bad actors tend to exploit gaps with institutions that only verify access or ownership as part of their ACH debit set-up process, so it is critical to verify both.
In addition to good authorization verification practices, it is also essential to create a good audit trail of the provided authorization and its verification process. This will allow you to challenge claims of unauthorized ACH debits that you believe to be false claims.
ACH Fraud vs. Wire Fraud and Fast Money Movement Processes
In payments fraud, ACH typically competes with wire fraud and other faster money movement processes like Zelle or Venmo. The main difference with ACH is that depending on the policy of the receiving bank, the money might be in limbo for a few days.
Because banks usually don’t give access to the receiving party of the funds until the money clears (which is generally a two to three-day process), that offers the sending financial institution additional time to react, which is not great for the fraudster.
However, they would use ACH fraud instead of other tactics because ACH transfers have more relaxed controls than faster money movement processes. For example, wire transfers have tighter controls and significantly more eyes looking at each transaction, which is why some bad actors would take the risk of ACH.
Who is Liable for ACH Fraud?
One of the main differences between ACH and other payment methods is that it’s one of the few types where the receiving financial institution can be held financially liable when they receive a return (equivalent to a chargeback). Ultimately, merchants and financial institutions that process the transactions are liable for ACH fraud.
When your institution is the receiving party of an ACH, you may face financial liability if you allow your customer to use the funds before they are fully cleared. In addition, most ACH return notices must be issued within two business days (this includes “insufficient funds” and “account closed”). Therefore allowing customers access to funds within less than three business days becomes, in essence, a form of credit.
In addition, as the receiving institution, if your institution was the one who initiated the ACH transaction through an ACH debit order, there is a 60 days window for the sending party to challenge whether the sender correctly authorized the transaction.
You may be able to provide proof of authorization. However, if the return is upheld, you will be required to return the funds to the sender, whether or not the receiving account has the funds to cover the cost.
If your institution is on the sending side of the ACH transaction, your customers will expect you to compensate them for any unauthorized ACH transaction that you’ve allowed to leave their account.
This is likely to include cases where your customer was the victim of social engineering and was tricked into participating in the unauthorized ACH transaction. Additionally, in cases of ACH credit (where the sender is the one who initiated the transaction) that are identified after more than two business days, recovering funds from the receiving institution is unlikely, though worth attempting.
It is entirely based on the good faith and cooperation of the receiving institution and the availability of funds in the receiving account. In cases of ACH debit (where the receiver is the one who initiated the transaction), if identified and a return is filed within 60 days, you are very likely to be able to recoup the unauthorized funds from the receiving institution.
The Impact of ACH Fraud on Organizations
As with many types of fraud, ACH fraud has both direct and indirect consequences, some of which are felt (and absorbed) by the institutions, and others that are felt by the victims.
Unfortunately for financial institutions, there are permanent, long-lasting consequences of ACH fraud attacks.
- Fraud Losses: Since the receiving financial institution is typically financially liable for chargebacks, financial fraud losses can add up significantly if left unchecked.
- Reputational Damage: Falling victim to a large-scale ACH fraud attack could cause an organization to fall under ‘higher risk’ categories, which could lead to challenges doing future business with customers and forging partnerships in the industry.
- Restriction (or loss) of Services: Companies that have suffered compliance violations in relation to ACH fraud could have trouble with future access to the service, deteriorating the level of service customers receive, leading to slower payments and more friction in the process.
To mitigate the impact of these problems, it’s essential to work proactively to prevent ACH fraud.
Examples of ACH Fraud: How it’s Done
Since the ACH network is used for a variety of transactions, there are a number of ways it can be exploited by fraudsters. Below, we cover some of the ways fraudsters can commit ACH fraud.
- Payroll Fraud: In this version of payroll fraud, the fraudster uses the ACH network account and empties the funds. Essentially, they divert the payroll value so they receive it themselves.
- Check Kiting: The fraudster transfers money back and forth between accounts at separate banks so that transactions will clear ACH validation. Fraudsters take advantage of the lag time on the transfers, removing money before the transactions clear.
- Phishing: The fraudster phishes for personal credentials (by using malware or stealing personal information). They then use the credentials to execute, divert, or otherwise alter transactions for personal gain.
- Data Breach: The fraudster gains access to personal credentials for a variety of people in a massive data breach. They then use the credentials to commit fraud through the ACH network, in much the same way as they would a phishing scam.
- Debit Card Fraud: Since the ACH network is commonly used for debit transactions at financial institutions, stolen debit cards can be used to commit ACH fraud by making purchases.
While this covers some of the commonly attempted methods, because any transaction that abuses the ACH network is ACH fraud, there are many ways it can be conducted.
Leverage ACH Fraud Prevention Tools for Best Results
Although ACH fraud is a growing problem, it can be managed and contained with the right tools and techniques.
Leverage high-quality fraud detection solutions that empower fast, effective identity verification and payment screening will provide an added layer of protection. Robust data monitoring for transactions will allow teams to analyze payments in detail and mitigate risk more effectively.
Now that you know the basics of ACH fraud, read on to learn how organizations can prevent ACH fraud.