About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« The Personal Cost of Fraud | Main | The Simple Consider Three but Four is the Key »

August 22, 2016


As with Nuclear Disarmament, So with ACH: Trust, but Verify

During his remarks at the signing of a nuclear disarmament treaty with the U.S.S.R. in 1987, President Ronald Reagan drew upon the old Russian maxim, "Doveryai, no proveryai," or "Trust, but verify." As with disarmament, businesses and others that originate automated clearing house (ACH) payments should be offered some way to verify an account, something more than hope and a prayer that the payment recipient's routing/transit number and account number are correct and that the recipient is an owner of the account.

The lack of efficient account validation options is a common complaint against the ACH. Surveys that NACHA conducted in 2012 and 2015 attest that account validation, as judged by a majority of respondents, is ACH's chief improvement need. Failing to perform account validation creates different levels of risk, depending on the payment application, whether a credit is pushed or debit is pulled and whether it is a recurring or one-time payment.

On July 19, NACHA's Payments Innovation Alliance and Board Advisory Group released two papers reviewing and critiquing existing methods for verifying bank accounts by financial institutions and businesses. The papers also suggest that a remedy to the account validation problem may be in the offing.

In both papers, NACHA defined account validation as follows:

A service wherein a business or financial institution can validate the accuracy of the account information received from a consumer or business, and the ability of that account to receive electronic payments.

Following are the various methods that NACHA identifies—and that I've complemented with my own research—that are used today to validate accounts:

  • Manual validation—A consumer's check verifies the account and identification verifies the consumer's identity. Alternatively, the originator can call the recipient's bank to confirm account details, assuming the bank is willing to provide the information, though it is risky for the bank to share such information over the phone.
  • ACH validation, via a zero-dollar prenote verification payment—If the account number is incorrect, the recipient's bank responds within three business days, though this timeframe can be shortened by using same-day ACH. As the papers state, this is a "no news is good news" form of verification. NACHA is exploring opportunities to improve the prenote process beginning in late 2016.
  • Challenge deposit validation—Typically, two micro-deposits of random amounts are made to the recipient's account and subsequently verified by the accountholder to the payment originator. Even if the account is successfully verified, the originator may subsequently be unable to debit the account because that account blocks debit payments. To identify debit blocked accounts, some originators debit the bank account equal to the micro-deposits. This method is fraught with a high abandonment rate by the consumer due to the hassle of verifying the deposits. One large online originator says that about 30 percent of consumers selecting the deposit validation method fail to verify the payment amounts. This method can take from five to seven business days—though, as with prenoting, the process can be expedited by using same-day ACH.
  • Instant validation—The customer logs into his or her bank from the company's website to establish ownership of the account. The same online originator said that 25 percent of its customers selected this validation method over deposit validation. Many consumers hesitate to use this method because the use of a third party increases the chance their banking credentials will be compromised.
  • Validation services—Service providers with access to a large number of accounts, offer scoring services that simulate or predict the likelihood an account number is "good." Though improving, these service offerings are limited for non-financial institution originators.

A solution to the problem may be in store through the World Wide Web Consortium and others working to develop a standardized application programming interface, or API, for account validation. This would allow payment originators or their service providers restricted access to bank data to verify accounts using a universal, standardized process while protecting banking credentials. Let's hope that key stakeholders rally around this important initiative and push for a speedy implementation so that we carry through with a new maxim of "Trust, but truly verify."

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

August 22, 2016 in ACH , authentication | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad