Podcast Episode
NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.
In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.
Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.
Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow best practices such as using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.
ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent compared with the first quarter of 2009.
Direct-access relationships
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originators or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.
Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and businesses is a move toward reducing fraud and risk in the ACH network.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed