Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« Payments Spotlight podcast explores impact of economic downturn on insider bank fraud | Main | Is KYC DOA? The tribulations of trying to know your customer »

August 30, 2010

Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control

Play Play podcast (MP3 15:07) TranscriptTranscript

NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.

In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.

Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.

Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.

ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.

Direct-access relationships
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.

Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and business is a move towards reducing fraud and risk in the ACH network.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 30, 2010 in account takeovers , ACH , fraud | Permalink


To underscore the blog post, please see the folowing post from my blog: thepaymentsblog.com

Everything You Read Is Not Always Accurate

Last week I Tweeted about an article published by Digital Transactions on August 19, 2010 whose headline "A Survey Reveals a Rising Volume of Disputed ACH Debits" could have led readers to believe that all hell was breaking loose within the ACH industry. The article cited a survey conducted by eGistics in which financial institutions and payment processors indicated a 63% rise in disputed or unauthorized ACH transactions in 2009 when compared to 2008.

Well that article troubled me because I know through firsthand experience in running ACH businesses and as a NACHA Board member, how much real progress has been made to effectively manage ACH risk, especially the risks posed by unauthorized ACH transactions. So much work has been done by NACHA, the Risk Management Group and subsequent rules changes to reduce return item risk and volumes. Therefore, I did some investigation to better understand how eGistics came up with their numbers and cross-referenced them to the return numbers tracked and published by NACHA - the organization responsible for establishing and enforcing adherence to ACH rules within the network and NACHA’s numbers depict a far different picture than eGistics.

eGistics conducted a webinar last week to discuss their survey results. In that webinar, eGistics was asked to better describe the processors and financial institutions participating in the survey. eGitics indicated that many of their respondents experienced ACH growth far beyond the industry rate of 2%. These respondents had actually seen their ACH volume grow 20% or more - which then explains how return rates for these specific FI's and processors were higher due their individual origination growth rates; not a true indication that return rates, as an industry, were once gain climbing; nor a true reflection of the experience of all ACH originators. But it did explain to me the Digital Transaction headline – that is and was not representative of all ACH participants. The simple truth is that return rates of all kinds will increase as one’s origination volumes grow. However, the experience of a few does not a trend make and returns ARE going down, not up.

So I hope this provides a more complete picture; dispels any unwarranted fear and set the record straight - return item volume has been declining ever since NACHA’s network rules and enforcement efforts became more robust.
So don’t believe everything you read (and I say that to me too) and ask questions to see what is really behind the headlines.

Posted by: Marcie J. Haitema | August 31, 2010 at 06:00 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad