About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

November 25, 2019


We Are Thankful For...

Several years ago, I began the practice of making a list around Thanksgiving of things I am thankful for. I was pondering what I might include on my list this year while I was stuck in traffic behind an awful wreck I was thankful I wasn’t involved in. And then the idea hit me that maybe we at the Risk Forum should create our own list focused on what we are thankful for in payments.

To keep the list at proper blog length, I asked each Risk Forum member to name just one item. Without further ado, the Risk Forum presents to you our 2019 Thanksgiving week "What we are thankful for in payments" list.

  • Nancy Donahue, project manager: I’m thankful that my debit card has only been breached once this year and although the criminal lived it up at several fast food restaurants and c-stores, it was less than $100 total and I got my money back!
  • Claire Greene, payments risk expert: I am thankful that direct deposit lets me put my finances on autopilot. I’ve split my paycheck into different accounts: one for retirement, one for the mortgage, one for saving, and one for everyday expenses.
  • Douglas King, payments risk expert: I am thankful for the ability to pay via self-checkout at my local grocery store and receive cash back when using my debit card.

The Retail Payments Risk Forum folks: Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene

Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene

  • Dave Lott, payments risk expert: I am thankful for law enforcement and other security professionals who work diligently to protect the integrity of our payments system.
  • Catherine Thaliath, project management expert: I am thankful for credit card rewards programs. It is nice to get rewarded with cash back or even a free plane ticket just by using your credit card for everyday purchases!
  • Jessica Washington. payments risk expert: I am thankful for payments industry collaboration. This year I have seen improvements in fraud information sharing across stakeholders; partnerships between fintechs, financial institutions, and payment networks to promote financial inclusion; and working groups embracing emerging payment innovations.
  • Julius Weyman, vice president and forum director: I am thankful that I can write a check where it makes sense; pay online where it makes sense; get paid via ACH (no choice in that, but wouldn’t choose otherwise); pull bills from a real wallet (not the fake kind) and pay that way, where it makes sense; and use a card (and get rewards), which almost always makes sense and is the one I use the most.

And we are thankful for YOU: our readers of Take On Payments and supporters of the Risk Forum. We sincerely appreciate your comments, kudos, and criticism, and hope that you all find value in the information we provide and share. As we enter into these crazy last weeks of 2019, we wish you and yours a wonderful holiday season.

November 25, 2019 in ACH, checks, credit cards, debit cards, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 6, 2019


Business Email Compromise Moves Mainstream

The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.

When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.

In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.

In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."

And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."

IM screenshot

To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.

How are you attacking this growing threat, and what are you doing to educate your employees and customers?

May 6, 2019 in ACH, data security, P2P, wire transfer fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 19, 2019


Acute Audit Appendicitis

My son came home from school the other day and told me that his friend’s kidney had "popped." With great concern and further investigation, I found out that his friend had suffered from appendicitis but had since recovered. Luckily, fifth grade boys and most of the human race can get along fine without an appendix. And, as it turns out, there is another type of appendix people can live without: Appendix Eight—Audit Requirements—in the NACHA Operating Rules. NACHA members recently voted to cut this part out.

But wait—don’t celebrate too soon. The change doesn’t eliminate the requirement to conduct an annual ACH rules compliance audit. Rather, members voted to modify "the Rules to provide financial institutions [FI] and third-party service providers with greater flexibility in conducting annual Rules compliance audits." Specifically, the change—which was effective January 1, 2019—affected the following areas of the NACHA Operating Rules:

  • Article One, Subsection 1.2.2 (Audits of Rules Compliance): Consolidates the core audit requirements described within Appendix Eight under the general obligation of participating DFIs and third-party service providers/senders to conduct an audit.
  • Appendix Eight (Rule Compliance Audit Requirements): Eliminates the current language contained within Appendix Eight; combines relevant provisions with the general audit obligation required under Article One, Subsection 1.2.2.

FIs and ACH payment processors must still conduct, either internally or outsourced, an annual audit of their compliance with the ACH rules each year. They also must retain adequate proof of completion for no less than six years and may, during that term, need to provide proof to NACHA or a regulator. And they will have to adjust their audit methodologies to ensure that they comply with all relevant rules rather than just rely on the former Appendix Eight checklist.

The new audit process necessitates a risk-based approach, which is a strategy regulators have been encouraging in recent years. With so many emerging technologies, products, and services in the payments industry, FIs and ACH payment processors can no longer take a one-size-fits-all approach for compliance. They also no longer have a single access point to ACH—rather, they must consider many access points when auditing for Rules compliance.

These institutions may not have previously had to take into account other areas that touch payments. For example, the risk-based audit doesn’t explore just the deposit operations department; it analyzes how the whole enterprise interacts with ACH systems. Additionally, it may need to include loan operations, online account opening, person-to-person (P2P) products, investment management, and other new digital channels.

Life without Appendix Eight will be an adjustment, but its removal won’t be fatal. I think ACH participants will recover quickly and be even healthier—embracing the new risk-based compliance model will likely strengthen enterprise risk management and promote increased safety and stability in our payment systems.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

February 19, 2019 in ACH, banks and banking, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 5, 2018


Webinar to Explore Faster Settlement and Funds Availability

"I'd gladly pay you Tuesday for a hamburger today." Have you ever thought of this comical catchphrase, spoken by the character J. Wellington Wimpy in the long-running comic strip Popeye, when you hear conversations about faster payments? Hamburgers and jokes aside, there are important considerations for getting paid tomorrow for an agreement or exchange made today. That's why the main ingredient to faster payments is settlement.

Settlement provides the decisive transfer of funds between participants. In today's world, we want everything fast, especially money owed to us. A business that waits two to four days for an ACH transaction to process may be waiting too long. The ACH network has recently expedited settlement and now funds availability. Effective March 16, 2018, phase 3 of Same-Day ACH will roll out, making ACH funds availability faster than ever. However, there are still options and business cases that influence how services might be made available to participants. After all, a faster settlement is more than a credit risk discussion.

The Atlanta Fed's Retail Payments Risk Forum is hosting a Talk About Payments (TAP) webinar to discuss the new faster funds availability that Phase 3 of Same-Day ACH will usher in.

The TAP discussion will explore opportunities this faster payment option makes available, along with risk considerations. We encourage financial institutions, retailers, payments processors, law enforcement, academics, and other payments system stakeholders to participate. Participants will be able to submit questions during the webinar.

The TAP webinar—titled "A New Faster Payment Settlement"—will take place on Wednesday, March 14, from 1 to 2 p.m. (ET). Participation in the webinar is complimentary, but you must register in advance at the TAP webinar web page. After completing registration, you will receive a confirmation email with all the log-in and toll-free call-in information.

We hope you will join us for our next TAP webinar March 14.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 5, 2018 in ACH | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 14, 2017


Extra! Extra! Triennial Payments Data Available in Excel!

In countless old black-and-white movies, street newspaper vendors would shout out the latest sensational news from hot-off-the-press special editions. The Fed is no different in that we want to shout out that it is no longer necessary to mine the PDF-based Federal Reserve Payments Study report to extract the study's data. For the first time, we are offering our entire aggregated data set of estimated noncash payments in an Excel file. The report accompanying the data is here.

The data set is very rich and covers the following categories:

Accounts and cards
Private-label credit processors
Checks Person-to-person and money transfer
ACH Online bill pay
Non-prepaid debit Walk-in bill pay
General-purpose prepaid Private-label ACH debit
Private-label prepaid issuers & processors Online payment authentication
General-purpose credit Mobile wallet
Private-label credit merchant issuers  

Here is another table that is just one extract from the non-prepaid debit card portion of the extensive payments data available.

To get a taste of what this data can teach us, let's look closer at the cumulative volume distribution by payment dollar value threshold for non-prepaid debit cards (the data are shown above) along with general-purpose credit cards. The number and value of both types of payments grew substantially from 2012 to 2015, the last two survey periods. The chart compares these distributions, showing more vividly how this growth affected the relative proportions of payments of different dollar values.

Chart-two

For example, debit card payments below $25 accounted for 59.1 percent of all payments in 2012 versus 61.8 percent in 2015—evidence that debit card purchases are migrating to lower ticket amounts. The trend is even more dramatic over the same time span for general-purpose credit cards.

Because this is a distribution, increases in the relative number of small-value payments must be offset by decreases in the relative number of large-value payments. Unfortunately, our previous survey capped the payment threshold at $50 in 2012. Otherwise, we would see the dashed 2012 lines crossing over the solid 2015 lines at some payment value threshold above $50. In brief, the results suggest cash payments are continuing to migrate to debit cards, while credit cards may be garnering some share at the expense of both cash and debit cards.

The challenge is on for you data analysts out there. Please share your findings.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

August 14, 2017 in ACH, cards, checks, debit cards, mobile payments, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 7, 2017


Are Business Payments Directories Coming to the Fore?

Financial institutions (FIs), service providers, and particularly businesses have been dreaming of a ubiquitous payments directory for business-to-business (B2B) payments over the last five years or so. Payments directories give payers the ability to quickly look up accurate account and routing information to originate payments of all types to payees. Directories reduce friction and time needed to efficiently and accurately make payments and accelerate the transition away from checks.

That the dream is getting closer to reality became obvious to me in April, when I attended a NACHA Payments Conference that included the panel discussion "Can a B2B Directory Service Advance e-Payments?" Significantly, one of the panelists was the chair of the Business Payments Directory Association (BPDA), a nonprofit initiative to advance an open, nonproprietary B2B directory for small and large businesses. The independent BPDA has the support of the Business Payments Coalition comprising banks, industry associations, service providers, and businesses.

Businesses wanting to pay other businesses have a variety of payment instruments to choose from—check, ACH credit, wire, and card—with consequential differences among them such as costs, payment reconciliation, and funds availability. Though ACH has made significant inroads into B2B payments, particularly for large businesses, checks are still the fallback payment method when payers are not sure if the payee is willing to accept anything else. Checks are still widely accepted, and attaching associated remittance information with the check is straightforward. The ease of paying by check contrasts with the potential difficulty of determining whether the payee is willing to accept electronic payments and of getting accurate account and routing information.

Essentially, any B2B directory should contain all the information a payer needs to specify the payee’s payment account and route the payment electronically. Typically, directories by themselves do not clear and settle payments. The idea behind the BPDA initiative is that each payee in the directory is provided an electronic payment identity (EPI). That EPI uniquely identifies a payee and supports multiple payment accounts. It also specifies the payee’s preferred way to be paid, the type of remittance information needed, and preferred remittance delivery methods. A payee owns its EPI, which is portable across multiple subdirectory providers. As envisioned, a central node would link multiple subdirectories containing EPIs, each managed by a subdirectory provider that validates payee information so that it can be trusted. Subdirectory providers can include FIs, service providers, and payment networks. All of this is managed by the BPDA that sets rules, credentials subdirectory providers, payees and payers, and oversees the central node.

The image illustrates the process. Payers query the system to retrieve account and routing information from payees. They can then use this information to originate a payment through existing payment rails.

Chart-one

The BPDA lists several advantages of this approach, including these:

  • Payees can centrally communicate preferred payment methods and the information needed to effect payments by payers.
  • Payers can centrally retrieve accurate payee payment and remittance content and delivery preferences.
  • Friction for noncheck payments between payees and payers is reduced.
  • Minimizes misdirected payments.

One lingering concern about having a centralized directory is the risk that fraudsters could gain access to account numbers of large businesses for producing counterfeit checks or unauthorized transactions. In addition to the need for robust credentialing, one mitigant the system offers is that account information can be made private and restricted to specific payers.

It will be interesting to see how this nascent service shakes out given hurdles in governance framework, garnering industry support, developing a funding model, and, of course, getting businesses to enroll and participate. What are your views on the future of B2B directories?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

August 7, 2017 in ACH, banks and banking | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 26, 2017


Responsible Innovation, Part 2: Do Community Financial Institutions Need Faster Payments?

In my last post, I introduced themes from a summit that the Retail Payments Risk Forum cohosted with the United Kingdom's Department for International Trade. The summit gathered payments industry participants to discuss faster payments and their effects on community financial institutions (FIs). This post, the second of three in a series, tackles the question of whether community FIs and their customers actually have an appetite for increasing the speed of payments.

A summit attendee from WesPay, a membership-based payments association in the United States, presented the findings of a survey of 430 U.S. FIs about current payments initiatives. An important discovery was that awareness and adoption of faster payments solutions remains low, as the responses to two survey questions indicate:

  • For same-day ACH, a majority (57 percent) indicated that the first phase—faster credits—"has had no measurable impact on our customers'/members' transactions."
  • When asked about the Federal Reserve Faster Payment Task Force, 34 percent of respondents indicated they were unaware of the initiative, and 46 percent indicated they had only high-level knowledge.

Responses to another of WesPay's survey questions suggest that, although there may be low awareness of many current initiatives, many financial institutions are recognizing that faster payments are inevitable. A majority (60 percent) agreed that faster payments initiatives are "an important development in the industry. However, our institution will be watching to see which platform becomes the standard."

NACHA's representative presented statistics from phase one of same-day ACH, with reminders about the phases to come.

  • Same-day ACH reached a total of 13 million transactions in the first three months (launched September 23, 2016).
  • Phase 2 will allow for direct debits to clear on the same day (to launch September 15, 2017).
  • Phase 3 will mandate funds availability for same-day items by 5 p.m. local time (to launch March 16, 2018).
  • The current transaction limit is $25,000, and international ACH is not eligible.

Results of a study by ACI Worldwide, a global payments processor, look a little different from WesPay's survey results. The study looked at small to medium-size enterprises to gauge real-time payments demand. For the U.S. respondents, the research revealed that:

  • Fifty-one percent are frustrated by delays in receiving payments.
  • Forty-two percent are frustrated by outgoing payments-delivery timeframes.
  • Sixty-five percent would consider switching banks for real-time payments.

We don't know yet what U.S. adoption rates will be, but Faster Payments Scheme Ltd. (FPS) in the United Kingdom already has a story to tell. U.K. panelists attending the summit at the Atlanta Fed stated that FPS has had constant adoption growth due to cultural change and customer expectations.

  • FPS reached a total of 19 million transactions in the first three months (launched May 27, 2008).
  • The FPS transaction limit increased in 2010 from £10k to £100k, and then to £250k in 2015.
  • On April 2014, Paym, a mobile payments service provider, launched, using FPS. Paym handles person-to-person and small business payments, similar to Zelle in the United States, which started up in June 2017, using ACH.
  • FPS had a total volume of 1.4 billion items in 2016.

For payment networks offering new solutions, community FIs are the critical mass that ensures adoption. Their participation will require practical benefits with a lot of support before they are willing to commit. Some community FIs might be forced to adopt new systems because everyone else has. Will new networks in the United States contest same-day ACH, which already has the advantage of ubiquity? Likely, as options develop, so will customer culture and expectations.

In the final installment of this "Responsible Innovation" series, I will look at future impacts of faster payments.

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 26, 2017 in ACH, banks and banking, financial services | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 19, 2017


Calculating Fraud: Part 2

Part 1 of this two-part series outlined an approach for whittling down credit card transactions to the value or number of authorized and settled payments as the denominator for calculating a fraud rate. This post reviews the elements needed to quantify the numerator.

To summarize from the previous post, when analyzing credit card fraud rates, you should consider what is being measured and compared. To calculate a fraud rate based on value or number, you need a fraud tally in the numerator and a comparison payment tally in the denominator. The formula works out as follows:

Fraud Rate = Numerator
                      Denominator

Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.

Before calculating the numerator value, you must first decide what types of fraud to include in the measurement. One stratification method divides fraud into the following two categories:

  • First-party payments fraud results when a dishonest but seemingly legitimate consumer exploits a merchant or financial institution (FI). That is, the legitimate cardholder authorizes a credit card transaction as part of a scam. One manifestation of this is "friendly fraud," whereby a consumer purchases items online and then falsely claims not to receive the merchandise.
  • Third-party payments fraud occurs when a legitimate cardholder does not authorize goods or services purchased with his or her credit card. Besides the victimized cardholder, the other two parties to the transaction are the fraudster and the unsuspecting merchant or FI.

Sometimes no clear delineation between first-party and third-party fraud exists. For example, a valid cardholder may authorize a payment in collusion with a merchant to commit fraud.

The 2016 Federal Reserve Payments Study used only third-party unauthorized transactions that were cleared and settled in tabulating fraud. The study measured and counted fraud as having occurred regardless of whether a subsequent recovery or chargeback occurred. Survey results had to be adjusted because some card networks report gross fraud while others report net fraud, after recoveries and chargebacks. Furthermore, the study made no effort to determine which party, if any, in the payment chain may ultimately bear the loss. Finally, the study did not measure attempted fraud.

Excluding first-party payments fraud
The study excluded first-party fraud due to the greater ambiguity around identifying and measuring it along with the idea that it is difficult to eliminate, given that controls are relatively limited. One control option would be to place repeat offenders on a negative list that, unfortunately, might not be shared with other parties. As a result of excluding first-party fraud, the study focused on fraud specific to the characteristics of the payment instrument being used.

Paraphrasing from page 30 of the 2013 Federal Reserve Payments Study, first-party fraud, while important, is an account-relationship type of fraud and typically would not be included as unauthorized third-party payments fraud because the card or account holder is by definition authorized to make payments. Consequently, first-party fraud can occur no matter how secure the payment method.

As with tallying payments, you could follow a similar process for tallying fraudulent payments for other types of cards payments, with more questionnaire definitions and wording changes needed for other instruments such as ACH and checks.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

June 19, 2017 in ACH, cards, checks, debit cards, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 8, 2017


Calculating Fraud: Part 1

When analyzing payments fraud rates, we have to consider what is being measured and compared. Should we measure fraud attempts that might have been thwarted—fraud that penetrated the system but might not necessarily have resulted in a loss—or fraud losses? Whatever the measure, it is important that the definition of what is included in the numerator and denominator be consistent to properly represent a fraud rate.

In calculating a fraud rate based on value or number, a fraud tally is needed in the numerator and a comparison payment tally in the denominator. The formula works out as follows:

Fraud Rate = Numerator
                     Denominator

Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.

This post offers a process for tallying payments for the denominator. Part 2 of this series will focus on tallying the numerator, basing its approach on the process that the Federal Reserve Payments Study 2016 used. That process includes fraud that initially cleared and settled, not attempts, and does not exclude losses subsequently recovered.

The Fed’s 2016 payments study offers a method for whittling down all payment transactions to a subset of transactions suitable for calculating a fraud rate. Below is an extract, with clarifying commentary, from one of the study’s questionnaires, which asked card networks for both the value and number of payments.

Chart-one2

At first blush, totals for value or number under questions 1, 2, 3, and 4 could conceivably be used to provide a comparison tally for fraud. However, we should rule out the total from question 1 since the definition includes declined authorizations, making it unnecessarily broad. Question 2, "total authorized transactions," has the disadvantage of including pre-authorization only (authorized but not settled). While some of these transactions could have been initiated as part of a fraud attempt, they were never settled and consequently posed no opportunity for the fraudster to take off with ill-gotten gains. On balance, the preferred measure for payments is the result of question 3, which measures "net, authorized, and settled transactions." Unlike "net, purchased transactions" under question 4, this measure has the benefit of not excluding some of the fraud captured by chargebacks under question 3b.1. Other types of fraud are not covered under chargebacks, including when card issuers elect to absorb losses on low-value payments to avoid the costs of submitting a chargeback.

We could follow a similar process for tallying payments for ACH and checks, with adjustments to account for potential fraud resulting from the lack of an authorization system like that for cards, which requests authorization from the paying bank.

Part 2 of this series, which covers the process for calculating the numerator, will appear in June.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

May 8, 2017 in ACH, checks, debit cards, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 6, 2017


ACH: No Trace Left Behind

In my payments research role, I believe that one problem with ACH is the lack of any definitive method for identifying a payment and any associated return, dishonored return, or contested-dishonored return using only the existing 15-digit trace number. Ideally, the trace number alone should facilitate the correct retrieval of payment or return details even if other payments contain duplicate payment details, such as for recurring payments.

This PDF file contains an image that outlines the complex web of relationships that can be used to trace back returns to the original payment. Without the benefit of a unique trace number, the identification of the original payment could involve using common data elements to minimize misidentifying the payment.

A unique trace number would offer the following advantages:

  • Unambiguously identify a specific payment
  • Facilitate tracking features similar to what is available from package delivery services such as transmittal, settlement and receipt date/time, and similar tracking of any associated return(s)
  • Enhance risk-monitoring capability
  • Simplify reconciliation and auditing
  • Flag or prevent a return from settling before its associated forward payment
  • Identify "orphan" returns sent across the public network when the original payment was sent privately between financial institutions (FI)
  • Link together forward and return payments for certain international payment applications that are not possible today

Under NACHA rules, the FI originating the payment assigns a unique 15-digit trace number; the trace number's uniqueness is necessary to differentiate each payment in the batch. Uniqueness is not mandated across payments in other batches in the same payments file. Consequently, a trace number could be repeated in multiple payment files on the same day or across many days—and, even more troublesome, within the same payments file. NACHA strives for uniqueness by mating the trace number with an associated batch number, transmission (file creation) date, and a file ID modifier. Unfortunately, any return of a payment only passes along the original trace number without the benefit of the mated data.

A possible solution that could overcome the current limitations of the trace number would be a one-time-use, ACH-operator-assigned, 15-character alphanumeric trace number. When the originating network operator receives a file, the operator would replace the FI trace number with a unique trace number that he or she would forward to the receiving FI. Any return sent back to the originating FI would have the unique operator trace number converted back to the original FI trace number. For convenience, a cross-reference file associating operator trace numbers with FI trace numbers could help facilitate non-network communication between originating and receiving banks.

Operators could guarantee uniqueness by allowing an operator trace number to contain digits and upper and lowercase letters. Expanding to a 62-character set results in over 3.5 trillion distinct values using the last seven characters of the trace number (the first eight characters are the originating FI's routing and transit number). Further requiring at least one non-numeric character allows differentiation with FI numeric-only trace numbers.

What are your views on the benefits and disadvantages of non-repeatable trace numbers?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

February 6, 2017 in ACH, payments | Permalink

Comments

If the unique trace number could be assigned on the FI side, it would eliminate the extra step of forwarding of a unique number (which has its own chance of failing to forward) and some possible non-repudiation risks.

Perhaps this could be done by assigning each FI their own identifier, and pair that identifier with a unique number which is never used across batches, file IDs or dates. (A unique ID which is never reused since the FI Identifier would always make it unique across all FIs).

This would mean changes on the FI side and so some analysis would have to be done to find the cost benefits for NACHA, FI and FRS.

Posted by: B. Guhanick | February 8, 2017 at 09:40 AM

I like this idea. It would also make it extremely easy for an FI to research a transaction within their records by using the unique trace number. You are looking at around 20 billion transactions per year so the 3.5 trillion should easily cover the 6 year record retention requirement.

Posted by: David L Payne | February 7, 2017 at 06:58 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad